Windows Analysis Report
OMICS_Online_1.one

Overview

General Information

Sample Name: OMICS_Online_1.one
Analysis ID: 828485
MD5: 238f7e8cd973a386b61348ab2629a912
SHA1: f87f164125c9506a16ca21cb03104f6a04321592
SHA256: 1c3a7f886a544fc56e91b7232402a1d86282165e2699b7bf36e2b1781cb2adc2
Tags: one

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Malicious OneNote
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Run temp file via regsvr32
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Stores files to the Windows start menu directory
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Creates a start menu entry (Start Menu\Programs\Startup)
Registers a DLL
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: OMICS_Online_1.one ReversingLabs: Detection: 38%
Source: OMICS_Online_1.one Virustotal: Detection: 16%
Source: https://91.207.28.33:8080/jhiryhxgp/kxgycfcaqegfa/5 Avira URL Cloud: Label: malware
Source: https://91.121.146.47:8080/jhiryhxgp/kxgycfcaqegfa/ Avira URL Cloud: Label: malware
Source: https://213.239.212.5/jhiryhxgp/kxgycfcaqegfa/fa/t Avira URL Cloud: Label: malware
Source: https://119.59.103.152:8080/jhiryhxgp/kxgycfcaqegfa/ Avira URL Cloud: Label: malware
Source: https://45.235.8.30:8080/jhiryhxgp/kxgycfcaqegfa/ Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/.dlli Avira URL Cloud: Label: malware
Source: https://103.43.75.120/jhiryhxgp/kxgycfcaqegfa/ Avira URL Cloud: Label: malware
Source: https://penshorn.org/admin/Ses8712iGR8du/am Avira URL Cloud: Label: malware
Source: https://91.121.146.47:8080/$N Avira URL Cloud: Label: malware
Source: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/798 Avira URL Cloud: Label: malware
Source: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/wM Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/.dll Avira URL Cloud: Label: malware
Source: https://www.gomespontes.com.br/logs/pd/vM Avira URL Cloud: Label: malware
Source: http://softwareulike.com/cWIYxWMPkK/ Avira URL Cloud: Label: malware
Source: http://ozmeydan.com/cekici/9/ Avira URL Cloud: Label: malware
Source: https://45.235.8.30:8080/ Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/ Avira URL Cloud: Label: malware
Source: https://penshorn.org/admin/Ses8712iGR8du/tM Avira URL Cloud: Label: malware
Source: https://www.gomespontes.com.br/logs/pd/ Avira URL Cloud: Label: malware
Source: https://82.223.21.224:8080/jhiryhxgp/kxgycfcaqegfa/ Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/uM Avira URL Cloud: Label: malware
Source: https://206.189.28.199:8080/jhiryhxgp/kxgycfcaqegfa/ Avira URL Cloud: Label: malware
Source: https://penshorn.org/admin/Ses8712iGR8du/ Avira URL Cloud: Label: malware
Source: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/RJ Avira URL Cloud: Label: malware
Source: https://45.235.8.30:8080/7 Avira URL Cloud: Label: malware
Source: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/ Avira URL Cloud: Label: malware
Source: https://103.43.75.120/jhiryhxgp/kxgycfcaqegfa/fa/f Avira URL Cloud: Label: malware
Source: https://119.59.103.152:8080/ Avira URL Cloud: Label: malware
Source: https://45.235.8.30:8080/? Avira URL Cloud: Label: malware
Source: https://1.234.2.232:8080/jhiryhxgp/kxgycfcaqegfa/ Avira URL Cloud: Label: malware
Source: https://103.43.75.120/ Avira URL Cloud: Label: malware
Source: http://softwareulike.com/cWIYxWMPkK/yM Avira URL Cloud: Label: malware
Source: https://45.235.8.30:8080/jhiryhxgp/kxgycfcaqegfa/lS Avira URL Cloud: Label: malware
Source: https://149.56.131.28:8080/jhiryhxgp/kxgycfcaqegfa/ Avira URL Cloud: Label: malware
Source: https://182.162.143.56/jhiryhxgp/kxgycfcaqegfa/ Avira URL Cloud: Label: malware
Source: https://91.121.146.47:8080/jhiryhxgp/kxgycfcaqegfa/lN Avira URL Cloud: Label: malware
Source: http://ozmeydan.com/cekici/9/xM Avira URL Cloud: Label: malware
Source: https://72.15.201.15:8080/jhiryhxgp/kxgycfcaqegfa/ Avira URL Cloud: Label: malware
Source: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/zM Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6H Avira URL Cloud: Label: malware
Source: http://softwareulike.com/cWIYxWMPkK Avira URL Cloud: Label: malware
Source: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/ Avira URL Cloud: Label: malware
Source: https://103.43.75.120:443/jhiryhxgp/kxgycfcaqegfa/ Avira URL Cloud: Label: malware
Source: https://91.121.146.47:8080/jhiryhxgp/kxgycfcaqegfa/Z Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\rad98E2D.tmp.dll ReversingLabs: Detection: 58%
Source: C:\Windows\System32\SfTfmTSAbIwWdRVZ\mmatLGgYnezL.dll (copy) ReversingLabs: Detection: 58%
Source: 0000000D.00000002.829371998.0000000000D28000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Emotet {"C2 list": ["91.121.146.47:8080", "66.228.32.31:7080", "182.162.143.56:443", "187.63.160.88:80", "167.172.199.165:8080", "164.90.222.65:443", "104.168.155.143:8080", "163.44.196.120:8080", "160.16.142.56:8080", "159.89.202.34:443", "159.65.88.10:8080", "186.194.240.217:443", "149.56.131.28:8080", "72.15.201.15:8080", "1.234.2.232:8080", "82.223.21.224:8080", "206.189.28.199:8080", "169.57.156.166:8080", "107.170.39.149:8080", "103.43.75.120:443", "91.207.28.33:8080", "213.239.212.5:443", "45.235.8.30:8080", "119.59.103.152:8080", "164.68.99.3:8080", "95.217.221.146:8080", "153.126.146.25:7080", "197.242.150.244:8080", "202.129.205.3:8080", "103.132.242.26:8080", "139.59.126.41:443", "110.232.117.186:8080", "183.111.227.137:8080", "5.135.159.50:443", "201.94.166.162:443", "103.75.201.2:443", "79.137.35.198:8080", "172.105.226.75:8080", "94.23.45.86:4143", "115.68.227.76:8080", "153.92.5.27:8080", "167.172.253.162:8080", "188.44.20.25:443", "147.139.166.154:8080", "129.232.188.93:443", "173.212.193.249:8080", "185.4.135.165:8080", "45.176.232.124:443"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5U16acAAdAJA=", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2v16OcAAZAJA="]}
Source: unknown HTTPS traffic detected: 203.26.41.131:443 -> 192.168.2.3:49698 version: TLS 1.2
Source: unknown HTTPS traffic detected: 182.162.143.56:443 -> 192.168.2.3:49703 version: TLS 1.2
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0000000180008D28 FindFirstFileExW, 12_2_0000000180008D28

Software Vulnerabilities

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process created: C:\Windows\SysWOW64\wscript.exe

Networking

Source: C:\Windows\System32\regsvr32.exe Network Connect: 159.65.88.10 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 164.90.222.65 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 213.239.212.5 443
Source: C:\Windows\SysWOW64\wscript.exe Domain query: penshorn.org
Source: C:\Windows\System32\regsvr32.exe Network Connect: 186.194.240.217 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 104.168.155.143 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 119.59.103.152 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 159.89.202.34 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 160.16.142.56 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 91.121.146.47 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 91.207.28.33 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 103.43.75.120 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 45.235.8.30 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 72.15.201.15 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 163.44.196.120 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 206.189.28.199 8080
Source: C:\Windows\SysWOW64\wscript.exe Network Connect: 203.26.41.131 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 107.170.39.149 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 187.63.160.88 80
Source: C:\Windows\System32\regsvr32.exe Network Connect: 66.228.32.31 7080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 82.223.21.224 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 149.56.131.28 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 169.57.156.166 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 182.162.143.56 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 1.234.2.232 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 167.172.199.165 8080
Source: Traffic Snort IDS: 2404312 ET CNC Feodo Tracker Reported CnC Server TCP group 7 192.168.2.3:49703 -> 182.162.143.56:443
Source: Traffic Snort IDS: 2404344 ET CNC Feodo Tracker Reported CnC Server TCP group 23 192.168.2.3:49700 -> 91.121.146.47:8080
Source: Traffic Snort IDS: 2404330 ET CNC Feodo Tracker Reported CnC Server TCP group 16 192.168.2.3:49702 -> 66.228.32.31:7080
Source: Traffic Snort IDS: 2404308 ET CNC Feodo Tracker Reported CnC Server TCP group 5 192.168.2.3:49705 -> 167.172.199.165:8080
Source: Traffic Snort IDS: 2404302 ET CNC Feodo Tracker Reported CnC Server TCP group 2 192.168.2.3:49710 -> 104.168.155.143:8080
Source: Traffic Snort IDS: 2404318 ET CNC Feodo Tracker Reported CnC Server TCP group 10 192.168.2.3:49726 -> 206.189.28.199:8080
Source: Traffic Snort IDS: 2404320 ET CNC Feodo Tracker Reported CnC Server TCP group 11 192.168.2.3:49734 -> 213.239.212.5:443
Source: Traffic Snort IDS: 2404324 ET CNC Feodo Tracker Reported CnC Server TCP group 13 192.168.2.3:49738 -> 45.235.8.30:8080
Source: Traffic Snort IDS: 2404304 ET CNC Feodo Tracker Reported CnC Server TCP group 3 192.168.2.3:49739 -> 119.59.103.152:8080
Source: Malware configuration extractor IPs: 91.121.146.47:8080
Source: Malware configuration extractor IPs: 66.228.32.31:7080
Source: Malware configuration extractor IPs: 182.162.143.56:443
Source: Malware configuration extractor IPs: 187.63.160.88:80
Source: Malware configuration extractor IPs: 167.172.199.165:8080
Source: Malware configuration extractor IPs: 164.90.222.65:443
Source: Malware configuration extractor IPs: 104.168.155.143:8080
Source: Malware configuration extractor IPs: 163.44.196.120:8080
Source: Malware configuration extractor IPs: 160.16.142.56:8080
Source: Malware configuration extractor IPs: 159.89.202.34:443
Source: Malware configuration extractor IPs: 159.65.88.10:8080
Source: Malware configuration extractor IPs: 186.194.240.217:443
Source: Malware configuration extractor IPs: 149.56.131.28:8080
Source: Malware configuration extractor IPs: 72.15.201.15:8080
Source: Malware configuration extractor IPs: 1.234.2.232:8080
Source: Malware configuration extractor IPs: 82.223.21.224:8080
Source: Malware configuration extractor IPs: 206.189.28.199:8080
Source: Malware configuration extractor IPs: 169.57.156.166:8080
Source: Malware configuration extractor IPs: 107.170.39.149:8080
Source: Malware configuration extractor IPs: 103.43.75.120:443
Source: Malware configuration extractor IPs: 91.207.28.33:8080
Source: Malware configuration extractor IPs: 213.239.212.5:443
Source: Malware configuration extractor IPs: 45.235.8.30:8080
Source: Malware configuration extractor IPs: 119.59.103.152:8080
Source: Malware configuration extractor IPs: 164.68.99.3:8080
Source: Malware configuration extractor IPs: 95.217.221.146:8080
Source: Malware configuration extractor IPs: 153.126.146.25:7080
Source: Malware configuration extractor IPs: 197.242.150.244:8080
Source: Malware configuration extractor IPs: 202.129.205.3:8080
Source: Malware configuration extractor IPs: 103.132.242.26:8080
Source: Malware configuration extractor IPs: 139.59.126.41:443
Source: Malware configuration extractor IPs: 110.232.117.186:8080
Source: Malware configuration extractor IPs: 183.111.227.137:8080
Source: Malware configuration extractor IPs: 5.135.159.50:443
Source: Malware configuration extractor IPs: 201.94.166.162:443
Source: Malware configuration extractor IPs: 103.75.201.2:443
Source: Malware configuration extractor IPs: 79.137.35.198:8080
Source: Malware configuration extractor IPs: 172.105.226.75:8080
Source: Malware configuration extractor IPs: 94.23.45.86:4143
Source: Malware configuration extractor IPs: 115.68.227.76:8080
Source: Malware configuration extractor IPs: 153.92.5.27:8080
Source: Malware configuration extractor IPs: 167.172.253.162:8080
Source: Malware configuration extractor IPs: 188.44.20.25:443
Source: Malware configuration extractor IPs: 147.139.166.154:8080
Source: Malware configuration extractor IPs: 129.232.188.93:443
Source: Malware configuration extractor IPs: 173.212.193.249:8080
Source: Malware configuration extractor IPs: 185.4.135.165:8080
Source: Malware configuration extractor IPs: 45.176.232.124:443
Source: Joe Sandbox View ASN Name: RACKCORP-APRackCorpAU
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: global traffic HTTP traffic detected: POST /jhiryhxgp/kxgycfcaqegfa/ HTTP/1.1 Connection: Keep-Alive Content-Length: 0 Host: 182.162.143.56
Source: Joe Sandbox View IP Address: 110.232.117.186
Source: global traffic HTTP traffic detected: GET /admin/Ses8712iGR8du/ HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: penshorn.org
Source: global traffic TCP traffic: 192.168.2.3:49700 -> 91.121.146.47:8080
Source: global traffic TCP traffic: 192.168.2.3:49702 -> 66.228.32.31:7080
Source: global traffic TCP traffic: 192.168.2.3:49705 -> 167.172.199.165:8080
Source: global traffic TCP traffic: 192.168.2.3:49710 -> 104.168.155.143:8080
Source: global traffic TCP traffic: 192.168.2.3:49711 -> 163.44.196.120:8080
Source: global traffic TCP traffic: 192.168.2.3:49712 -> 160.16.142.56:8080
Source: global traffic TCP traffic: 192.168.2.3:49717 -> 159.65.88.10:8080
Source: global traffic TCP traffic: 192.168.2.3:49722 -> 149.56.131.28:8080
Source: global traffic TCP traffic: 192.168.2.3:49723 -> 72.15.201.15:8080
Source: global traffic TCP traffic: 192.168.2.3:49724 -> 1.234.2.232:8080
Source: global traffic TCP traffic: 192.168.2.3:49725 -> 82.223.21.224:8080
Source: global traffic TCP traffic: 192.168.2.3:49726 -> 206.189.28.199:8080
Source: global traffic TCP traffic: 192.168.2.3:49727 -> 169.57.156.166:8080
Source: global traffic TCP traffic: 192.168.2.3:49728 -> 107.170.39.149:8080
Source: global traffic TCP traffic: 192.168.2.3:49733 -> 91.207.28.33:8080
Source: global traffic TCP traffic: 192.168.2.3:49738 -> 45.235.8.30:8080
Source: global traffic TCP traffic: 192.168.2.3:49739 -> 119.59.103.152:8080
Source: unknown Network traffic detected: IP country count 17
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: wscript.exe, 0000000A.00000002.355343827.0000000005F1C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.351172369.0000000005F1C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.353077144.0000000005F1C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.829371998.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.418840821.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 0000000D.00000003.413431427.0000000002E24000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.413937408.0000000002E26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/
Source: regsvr32.exe, 0000000D.00000003.418840821.0000000000D6C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.829371998.0000000000D6C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: regsvr32.exe, 0000000D.00000002.829371998.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.418840821.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.13.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 0000000D.00000003.419039741.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.829371998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab(
Source: regsvr32.exe, 0000000D.00000003.418840821.0000000000E04000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.829371998.0000000000E04000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.413464726.0000000000E1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?25d031a652ab4
Source: wscript.exe, wscript.exe, 0000000A.00000003.348753046.0000000005DF7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350978145.0000000005B2A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340831402.0000000005AA4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.347768220.0000000005C30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.348179950.0000000005D37000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350269475.0000000005D3F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.341363850.0000000005AF2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.341316300.0000000005AFC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.342250004.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335230812.00000000035CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335230812.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338361754.0000000005A66000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.348373935.0000000005D8F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.347768220.0000000005C5A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334706320.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350515217.0000000005EAF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.347919526.0000000005D29000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.343691393.0000000005B84000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.352843978.0000000005D76000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.336614509.00000000059BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ozmeydan.com/cekici/9/
Source: wscript.exe, 0000000A.00000003.351427235.0000000005684000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ozmeydan.com/cekici/9/xM
Source: wscript.exe, 0000000A.00000003.335620877.00000000035A8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.352736179.00000000035A8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337612568.00000000035A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://softwareulike.com/cWIYxWMPkK
Source: wscript.exe, wscript.exe, 0000000A.00000003.348753046.0000000005DF7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350978145.0000000005B2A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340831402.0000000005AA4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.347768220.0000000005C30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.348179950.0000000005D37000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350269475.0000000005D3F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.341363850.0000000005AF2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.341316300.0000000005AFC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.342250004.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335230812.00000000035CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335230812.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338361754.0000000005A66000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.348373935.0000000005D8F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.347768220.0000000005C5A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334706320.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350515217.0000000005EAF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.347919526.0000000005D29000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.343691393.0000000005B84000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.352843978.0000000005D76000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.336614509.00000000059BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://softwareulike.com/cWIYxWMPkK/
Source: wscript.exe, 0000000A.00000003.351427235.0000000005684000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://softwareulike.com/cWIYxWMPkK/yM
Source: wscript.exe, wscript.exe, 0000000A.00000003.348753046.0000000005DF7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350978145.0000000005B2A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340831402.0000000005AA4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.347768220.0000000005C30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.348179950.0000000005D37000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350269475.0000000005D3F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.341363850.0000000005AF2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.341316300.0000000005AFC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.342250004.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335230812.00000000035CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335230812.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338361754.0000000005A66000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.348373935.0000000005D8F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.347768220.0000000005C5A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334706320.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350515217.0000000005EAF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.347919526.0000000005D29000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.343691393.0000000005B84000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.352843978.0000000005D76000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.336614509.00000000059BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/
Source: wscript.exe, 0000000A.00000003.350515217.0000000005EAF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.351034904.0000000005EC3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350578583.0000000005EBA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.355161456.0000000005ECB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350476503.0000000005EA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/RJ
Source: wscript.exe, 0000000A.00000003.351427235.0000000005684000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/zM
Source: regsvr32.exe, 0000000D.00000002.831696209.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://1.234.2.232:8080/jhiryhxgp/kxgycfcaqegfa/
Source: regsvr32.exe, 0000000D.00000002.831876513.0000000002FB0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://10.235.8.30:8080/
Source: regsvr32.exe, 0000000D.00000002.831876513.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://103.43.75.120/
Source: regsvr32.exe, 0000000D.00000002.829371998.0000000000E04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://103.43.75.120/jhiryhxgp/kxgycfcaqegfa/
Source: regsvr32.exe, 0000000D.00000002.829371998.0000000000E04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://103.43.75.120/jhiryhxgp/kxgycfcaqegfa/fa/f
Source: regsvr32.exe, 0000000D.00000002.831696209.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://103.43.75.120:443/jhiryhxgp/kxgycfcaqegfa/
Source: regsvr32.exe, 0000000D.00000002.831696209.0000000002E38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://103.44.196.120:8080/
Source: regsvr32.exe, 0000000D.00000002.829371998.0000000000E04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://119.59.103.152:8080/
Source: regsvr32.exe, 0000000D.00000002.829371998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.831696209.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://119.59.103.152:8080/jhiryhxgp/kxgycfcaqegfa/
Source: regsvr32.exe, 0000000D.00000002.831696209.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://149.56.131.28:8080/jhiryhxgp/kxgycfcaqegfa/
Source: regsvr32.exe, 0000000D.00000002.829371998.0000000000D6C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://160.16.142.56:8080/
Source: regsvr32.exe, 0000000D.00000002.831696209.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://206.189.28.199:8080/jhiryhxgp/kxgycfcaqegfa/
Source: regsvr32.exe, 0000000D.00000002.829371998.0000000000E04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://213.239.212.5/jhiryhxgp/kxgycfcaqegfa/fa/t
Source: regsvr32.exe, 0000000D.00000002.829371998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://45.235.8.30:8080/
Source: regsvr32.exe, 0000000D.00000002.829371998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://45.235.8.30:8080/7
Source: regsvr32.exe, 0000000D.00000002.829371998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://45.235.8.30:8080/?
Source: regsvr32.exe, 0000000D.00000002.829371998.0000000000E04000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.829371998.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://45.235.8.30:8080/jhiryhxgp/kxgycfcaqegfa/
Source: regsvr32.exe, 0000000D.00000002.829371998.0000000000E04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://45.235.8.30:8080/jhiryhxgp/kxgycfcaqegfa/lS
Source: regsvr32.exe, 0000000D.00000002.831876513.0000000002FB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://459.59.103.152:8080/
Source: regsvr32.exe, 0000000D.00000002.829371998.0000000000E04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://72.15.201.15:8080/jhiryhxgp/kxgycfcaqegfa/
Source: regsvr32.exe, 0000000D.00000002.831696209.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://82.223.21.224:8080/jhiryhxgp/kxgycfcaqegfa/
Source: regsvr32.exe, 0000000D.00000002.829371998.0000000000D28000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://91.121.146.47:8080/$N
Source: regsvr32.exe, 0000000D.00000002.829371998.0000000000D28000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://91.121.146.47:8080/jhiryhxgp/kxgycfcaqegfa/
Source: regsvr32.exe, 0000000D.00000003.418840821.0000000000DA1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.829371998.0000000000DA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://91.121.146.47:8080/jhiryhxgp/kxgycfcaqegfa/Z
Source: regsvr32.exe, 0000000D.00000002.829371998.0000000000D28000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://91.121.146.47:8080/jhiryhxgp/kxgycfcaqegfa/lN
Source: regsvr32.exe, 0000000D.00000002.829371998.0000000000E04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://91.207.28.33:8080/jhiryhxgp/kxgycfcaqegfa/5
Source: wscript.exe, 0000000A.00000003.348753046.0000000005DF7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349152202.0000000005E00000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349845444.0000000005E51000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.348523417.0000000005DF7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349372624.0000000005E14000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349551261.0000000005E41000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350131095.0000000005E5B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.355075856.0000000005E63000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349251383.0000000005E0B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6H
Source: wscript.exe, wscript.exe, 0000000A.00000003.348753046.0000000005DF7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350978145.0000000005B2A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340831402.0000000005AA4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.347768220.0000000005C30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.348179950.0000000005D37000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350269475.0000000005D3F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.341363850.0000000005AF2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.341316300.0000000005AFC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.342250004.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335230812.00000000035CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335230812.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338361754.0000000005A66000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.348373935.0000000005D8F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.347768220.0000000005C5A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334706320.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350515217.0000000005EAF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.347919526.0000000005D29000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.343691393.0000000005B84000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.352843978.0000000005D76000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 
0000000A.00000003.336614509.00000000059BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/
Source: wscript.exe, 0000000A.00000003.348753046.0000000005DF7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349152202.0000000005E00000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350169852.0000000005E6F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349845444.0000000005E51000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.348523417.0000000005DF7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350313117.0000000005E76000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350446103.0000000005E8B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349372624.0000000005E14000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349551261.0000000005E41000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350378483.0000000005E82000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349251383.0000000005E0B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350068964.0000000005E65000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/.dll
Source: wscript.exe, 0000000A.00000003.350703760.0000000005E94000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/.dlli
Source: wscript.exe, 0000000A.00000003.351427235.0000000005684000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/uM
Source: wscript.exe, 0000000A.00000002.355343827.0000000005F1C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.351172369.0000000005F1C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.353077144.0000000005F1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://penshorn.org/
Source: wscript.exe, 0000000A.00000003.350978145.0000000005B2A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340831402.0000000005AA4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.347768220.0000000005C30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.351609879.000000000565D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.348179950.0000000005D37000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350269475.0000000005D3F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.341363850.0000000005AF2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.341316300.0000000005AFC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.342250004.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335230812.00000000035CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335230812.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338361754.0000000005A66000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.348373935.0000000005D8F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.347768220.0000000005C5A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334706320.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350515217.0000000005EAF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.347919526.0000000005D29000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.343691393.0000000005B84000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.352843978.0000000005D76000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 
0000000A.00000003.336614509.00000000059BF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.353575116.0000000005DA8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/
Source: wscript.exe, 0000000A.00000003.350515217.0000000005EAF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.351034904.0000000005EC3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350578583.0000000005EBA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.355161456.0000000005ECB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350476503.0000000005EA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/am
Source: wscript.exe, 0000000A.00000003.351427235.0000000005684000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/tM
Source: wscript.exe, 0000000A.00000003.353397957.0000000005F04000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.351362338.0000000005F04000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.355271644.0000000005F04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://penshorn.org/in
Source: wscript.exe, wscript.exe, 0000000A.00000003.348753046.0000000005DF7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350978145.0000000005B2A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340831402.0000000005AA4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.347768220.0000000005C30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.348179950.0000000005D37000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350269475.0000000005D3F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.341363850.0000000005AF2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.341316300.0000000005AFC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.342250004.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335230812.00000000035CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335230812.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338361754.0000000005A66000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.348373935.0000000005D8F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.347768220.0000000005C5A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334706320.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350515217.0000000005EAF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.347919526.0000000005D29000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.343691393.0000000005B84000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.352843978.0000000005D76000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 
0000000A.00000003.336614509.00000000059BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/
Source: wscript.exe, 0000000A.00000003.348753046.0000000005DF7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349152202.0000000005E00000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349845444.0000000005E51000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.348523417.0000000005DF7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349372624.0000000005E14000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349551261.0000000005E41000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349251383.0000000005E0B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/798
Source: wscript.exe, 0000000A.00000003.351427235.0000000005684000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/wM
Source: wscript.exe, wscript.exe, 0000000A.00000003.348753046.0000000005DF7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350978145.0000000005B2A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340831402.0000000005AA4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.347768220.0000000005C30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.348179950.0000000005D37000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350269475.0000000005D3F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.341363850.0000000005AF2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.341316300.0000000005AFC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.342250004.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335230812.00000000035CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335230812.00000000035B8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338361754.0000000005A66000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.348373935.0000000005D8F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.347768220.0000000005C5A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334706320.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350515217.0000000005EAF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.347919526.0000000005D29000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.343691393.0000000005B84000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.352843978.0000000005D76000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 
0000000A.00000003.336614509.00000000059BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gomespontes.com.br/logs/pd/
Source: wscript.exe, 0000000A.00000003.350515217.0000000005EAF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.351034904.0000000005EC3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350578583.0000000005EBA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.355161456.0000000005ECB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350476503.0000000005EA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gomespontes.com.br/logs/pd/les;C:
Source: wscript.exe, 0000000A.00000003.351427235.0000000005684000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gomespontes.com.br/logs/pd/vM
Source: unknown HTTP traffic detected: POST /jhiryhxgp/kxgycfcaqegfa/ HTTP/1.1Connection: Keep-AliveContent-Length: 0Host: 182.162.143.56
Source: unknown DNS traffic detected: queries for: penshorn.org
Source: global traffic HTTP traffic detected: GET /admin/Ses8712iGR8du/ HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: penshorn.org
Source: unknown HTTPS traffic detected: 203.26.41.131:443 -> 192.168.2.3:49698 version: TLS 1.2
Source: unknown HTTPS traffic detected: 182.162.143.56:443 -> 192.168.2.3:49703 version: TLS 1.2

E-Banking Fraud

Source: 0000000A.00000003.349816910.0000000005E26000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
Source: 0000000A.00000003.350703760.0000000005E94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\system32\SfTfmTSAbIwWdRVZ\
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E473A4 13_2_00E473A4
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E29B79 13_2_00E29B79
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E320E0 13_2_00E320E0
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E23CF4 13_2_00E23CF4
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E290F8 13_2_00E290F8
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E248FC 13_2_00E248FC
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E2F8C4 13_2_00E2F8C4
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E35CC4 13_2_00E35CC4
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E280CC 13_2_00E280CC
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E41CD4 13_2_00E41CD4
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E214D4 13_2_00E214D4
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E33CD4 13_2_00E33CD4
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E218DC 13_2_00E218DC
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E444A8 13_2_00E444A8
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E298AC 13_2_00E298AC
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E3A8B0 13_2_00E3A8B0
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E494BC 13_2_00E494BC
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E2DCB8 13_2_00E2DCB8
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E35880 13_2_00E35880
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E24C84 13_2_00E24C84
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E3CC84 13_2_00E3CC84
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E4488C 13_2_00E4488C
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E41494 13_2_00E41494
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E2AC94 13_2_00E2AC94
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E3709C 13_2_00E3709C
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E3B460 13_2_00E3B460
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E45868 13_2_00E45868
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E36C70 13_2_00E36C70
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E2D474 13_2_00E2D474
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E22C78 13_2_00E22C78
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E2C078 13_2_00E2C078
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E2B07C 13_2_00E2B07C
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E27840 13_2_00E27840
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E3C44C 13_2_00E3C44C
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E45450 13_2_00E45450
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E3C058 13_2_00E3C058
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E31030 13_2_00E31030
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E3EC30 13_2_00E3EC30
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E2B83C 13_2_00E2B83C
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E21000 13_2_00E21000
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E29408 13_2_00E29408
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E27C08 13_2_00E27C08
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E27410 13_2_00E27410
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E4181C 13_2_00E4181C
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E3D5F0 13_2_00E3D5F0
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E315C8 13_2_00E315C8
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E3BDA0 13_2_00E3BDA0
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E295BC 13_2_00E295BC
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E44D64 13_2_00E44D64
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E34D20 13_2_00E34D20
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E31924 13_2_00E31924
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E3AD28 13_2_00E3AD28
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E3B130 13_2_00E3B130
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E26138 13_2_00E26138
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E48500 13_2_00E48500
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E42100 13_2_00E42100
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E3610C 13_2_00E3610C
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E49910 13_2_00E49910
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E37518 13_2_00E37518
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E292F0 13_2_00E292F0
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E436FC 13_2_00E436FC
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E3EAC0 13_2_00E3EAC0
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E2D6CC 13_2_00E2D6CC
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E396D4 13_2_00E396D4
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E42AB0 13_2_00E42AB0
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E2AAB8 13_2_00E2AAB8
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E24EB8 13_2_00E24EB8
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E37EBE 13_2_00E37EBE
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E23ABC 13_2_00E23ABC
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E3A6BC 13_2_00E3A6BC
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E42E84 13_2_00E42E84
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E44E8C 13_2_00E44E8C
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E28A8C 13_2_00E28A8C
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E2BE90 13_2_00E2BE90
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E34A90 13_2_00E34A90
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E2A660 13_2_00E2A660
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E30A70 13_2_00E30A70
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E23274 13_2_00E23274
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E3A244 13_2_00E3A244
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E46E48 13_2_00E46E48
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E2B258 13_2_00E2B258
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E2F65C 13_2_00E2F65C
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E2BA2C 13_2_00E2BA2C
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E38A2C 13_2_00E38A2C
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E30E2C 13_2_00E30E2C
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E3662C 13_2_00E3662C
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E2263C 13_2_00E2263C
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E35A00 13_2_00E35A00
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E48A00 13_2_00E48A00
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E38E08 13_2_00E38E08
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E23E0C 13_2_00E23E0C
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E3020C 13_2_00E3020C
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E24214 13_2_00E24214
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E2461C 13_2_00E2461C
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E427EC 13_2_00E427EC
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E2A7F0 13_2_00E2A7F0
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E3FFFC 13_2_00E3FFFC
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E397CC 13_2_00E397CC
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E22FD4 13_2_00E22FD4
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E233D4 13_2_00E233D4
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E2DBA0 13_2_00E2DBA0
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E447A8 13_2_00E447A8
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E28FB0 13_2_00E28FB0
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E2FFB8 13_2_00E2FFB8
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E38BB8 13_2_00E38BB8
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E35384 13_2_00E35384
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E21B94 13_2_00E21B94
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E3779A 13_2_00E3779A
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E48B68 13_2_00E48B68
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E3D770 13_2_00E3D770
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E3CF70 13_2_00E3CF70
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E28378 13_2_00E28378
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E2F77C 13_2_00E2F77C
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E3E750 13_2_00E3E750
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E24758 13_2_00E24758
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E2975C 13_2_00E2975C
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E2D33C 13_2_00E2D33C
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E3E310 13_2_00E3E310
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E48310 13_2_00E48310
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E2EF14 13_2_00E2EF14
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E33B14 13_2_00E33B14
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E45B1C 13_2_00E45B1C
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E34F18 13_2_00E34F18
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0000000180010C10 LdrFindResource_U,LdrAccessResource,NtAllocateVirtualMemory, 12_2_0000000180010C10
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0000000180010AC0 ExitProcess,RtlQueueApcWow64Thread,NtTestAlert, 12_2_0000000180010AC0
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0000000180010DB0 ZwOpenSymbolicLinkObject,ZwOpenSymbolicLinkObject, 12_2_0000000180010DB0
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\rad98E2D.tmp.dll 2F39C2879989DDD7F9ECF52B6232598E5595F8BF367846FF188C9DFBF1251253
Source: OMICS_Online_1.one ReversingLabs: Detection: 38%
Source: OMICS_Online_1.one Virustotal: Detection: 16%
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\OMICS_Online_1.one
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad98E2D.tmp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe "C:\Users\user\AppData\Local\Temp\rad98E2D.tmp.dll"
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\SfTfmTSAbIwWdRVZ\mmatLGgYnezL.dll"
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE /tsr
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf" Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE /tsr Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad98E2D.tmp.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe "C:\Users\user\AppData\Local\Temp\rad98E2D.tmp.dll" Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\SfTfmTSAbIwWdRVZ\mmatLGgYnezL.dll" Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06290BD0-48AA-11D2-8432-006008C3FBFC}\InprocServer32 Jump to behavior
Source: Send to OneNote.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE File created: C:\Users\user\Documents\{38961FCB-A541-47B3-93FA-F85A63ADB473} Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE File created: C:\Users\user\AppData\Local\Temp\{E1FDBD5F-A947-4781-AC62-AF16841F3906} - OProcSessId.dat Jump to behavior
Source: classification engine Classification label: mal100.troj.expl.evad.winONE@11/441@1/49
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE File read: C:\Program Files (x86)\desktop.ini Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00D38BC8 Process32FirstW,CreateToolhelp32Snapshot,FindCloseChangeNotification, 12_2_00D38BC8
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE Mutant created: \Sessions\1\BaseNamedObjects\OneNoteM:AppShared
Source: C:\Windows\SysWOW64\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0000000180005C69 push rdi; ret 12_2_0000000180005C72
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00000001800056DD push rdi; ret 12_2_00000001800056E4
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00D480D7 push ebp; retf 12_2_00D480D8
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00D36CDE push esi; iretd 12_2_00D36CDF
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00D3A0FC push ebp; iretd 12_2_00D3A0FD
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00D36C9F pushad ; ret 12_2_00D36CAA
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00D3A1D2 push ebp; iretd 12_2_00D3A1D3
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00D47987 push ebp; iretd 12_2_00D4798F
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00D39D51 push ebp; retf 12_2_00D39D5A
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00D48157 push ebp; retf 12_2_00D48158
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00D47D4E push ebp; iretd 12_2_00D47D4F
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00D47D3C push ebp; retf 12_2_00D47D3D
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00D47D25 push 4D8BFFFFh; retf 12_2_00D47D2A
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00D39E8B push eax; retf 12_2_00D39E8E
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00D47EAF push 458BCC5Ah; retf 12_2_00D47EBC
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00D3A26E push ebp; ret 12_2_00D3A26F
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00D4C731 push esi; iretd 12_2_00D4C732
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E26CDE push esi; iretd 13_2_00E26CDF
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E26C9F pushad ; ret 13_2_00E26CAA
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E37D4E push ebp; iretd 13_2_00E37D4F
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E37D25 push 4D8BFFFFh; retf 13_2_00E37D2A
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E46D34 push edi; ret 13_2_00E46D36
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E37D3C push ebp; retf 13_2_00E37D3D
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E37EAF push 458BCC5Ah; retf 13_2_00E37EBC
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00E3C731 push esi; iretd 13_2_00E3C732
Source: rad98E2D.tmp.dll.10.dr Static PE information: section name: _RDATA
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad98E2D.tmp.dll
Source: C:\Windows\SysWOW64\wscript.exe File created: C:\Users\user\AppData\Local\Temp\rad98E2D.tmp.dll Jump to dropped file
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\SfTfmTSAbIwWdRVZ\mmatLGgYnezL.dll (copy) Jump to dropped file
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\SfTfmTSAbIwWdRVZ\mmatLGgYnezL.dll (copy) Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\SfTfmTSAbIwWdRVZ\mmatLGgYnezL.dll:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe TID: 2432 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 5300 Thread sleep time: -690000s >= -30000s Jump to behavior
Source: C:\Windows\System32\regsvr32.exe API coverage: 9.4 %
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0000000180008D28 FindFirstFileExW, 12_2_0000000180008D28
Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: wscript.exe, 0000000A.00000002.355343827.0000000005F1C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.351172369.0000000005F1C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.353077144.0000000005F1C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW4
Source: wscript.exe, 0000000A.00000002.355343827.0000000005F1C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.351172369.0000000005F1C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.353077144.0000000005F1C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.355224552.0000000005EF3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.829371998.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.418840821.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: regsvr32.exe, 0000000D.00000003.418840821.0000000000D6C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.829371998.0000000000D6C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0000000180001C48 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_0000000180001C48
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_000000018000A878 GetProcessHeap, 12_2_000000018000A878
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0000000180010C10 LdrFindResource_U,LdrAccessResource,NtAllocateVirtualMemory, 12_2_0000000180010C10
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0000000180001C48 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_0000000180001C48
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00000001800082EC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_00000001800082EC
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00000001800017DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_00000001800017DC

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\regsvr32.exe Network Connect: 159.65.88.10 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 164.90.222.65 443 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 213.239.212.5 443 Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Domain query: penshorn.org
Source: C:\Windows\System32\regsvr32.exe Network Connect: 186.194.240.217 443 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 104.168.155.143 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 119.59.103.152 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 159.89.202.34 443 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 160.16.142.56 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 91.121.146.47 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 91.207.28.33 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 103.43.75.120 443 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 45.235.8.30 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 72.15.201.15 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 163.44.196.120 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 206.189.28.199 8080 Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Network Connect: 203.26.41.131 443 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 107.170.39.149 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 187.63.160.88 80 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 66.228.32.31 7080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 82.223.21.224 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 149.56.131.28 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 169.57.156.166 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 182.162.143.56 443 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 1.234.2.232 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 167.172.199.165 8080 Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad98E2D.tmp.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00000001800070A0 cpuid 12_2_00000001800070A0
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0000000180001D98 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 12_2_0000000180001D98

Stealing of Sensitive Information

Source: Yara match File source: OMICS_Online_1.one, type: SAMPLE
Source: Yara match File source: 0000000D.00000002.829371998.0000000000D28000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 13.2.regsvr32.exe.ce0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.regsvr32.exe.d00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.regsvr32.exe.ce0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.regsvr32.exe.d00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.331944852.0000000000D00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.830903189.0000000000E21000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.332682576.0000000000D31000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.829181595.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: OMICS_Online_1.one, type: SAMPLE